On 18.04.2015 at 14:12, Ralf wrote:

> No. Could you please explain why you think so?
> Even if your root partition is encrypted, your ramdisk could load the
> modules.

Are you sure about that? Are you sure that the necessary modules are
definitely put into the initrd and that the kernel will be able to load
them soon enough at boot time?

Compiling those modules into the kernel is definitely more secure (in
terms of being sure that they are always available) and doesn't do any
harm, because they need to be loaded anyway.

Btw., several dm-crypt/LUKS documents (all that I've read) say that
those modules have to be compiled into the kernel directly.

> After loading the modules you can see that they are available by cat
> /proc/crypto.

You won't be able to run this command when the kernel tries to unlock
the LUKS container at boot time.

> The modules can be loaded _after_ bootup as well.

If you want to unlock the LUKS container at boot time (particularly if
your root partition is encrypted), loading the modules after bootup is
too late.

So I wouldn't risk it.
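
Added example, not part of the original message: a shell check for the question debated above, reporting for each dm-crypt related kernel option whether it is built in, or modular and actually present in the initramfs. The function names, the option list (a typical aes-xts LUKS setup) and the module file names are assumptions; the initramfs listing is expected to come from a tool such as `lsinitramfs` or `lsinitrd`.

```shell
#!/bin/sh
# Added example: classify dm-crypt related kernel options as built-in,
# modular or missing, and check that modular ones are in the initramfs.

# option:module pairs. Assumption: typical aes-xts LUKS setup; module
# file names differ between kernel versions.
REQUIRED="CONFIG_BLK_DEV_DM:dm-mod CONFIG_DM_CRYPT:dm-crypt \
CONFIG_CRYPTO_AES:aes_generic CONFIG_CRYPTO_XTS:xts \
CONFIG_CRYPTO_SHA256:sha256_generic"

# Print y, m or n for option $2 in kernel config file $1.
opt_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# $1 = kernel config, $2 = text file listing the initramfs contents.
# Prints one line per option; returns 1 if any option would be
# unavailable when the root LUKS container has to be opened.
check_boot_crypto() {
    rc=0
    for pair in $REQUIRED; do
        opt=${pair%%:*}; mod=${pair##*:}
        case $(opt_state "$1" "$opt") in
            y) echo "$opt built-in" ;;
            m) if grep -q "/$mod\.ko" "$2"; then
                   echo "$opt module-in-initramfs"
               else
                   echo "$opt MODULE-NOT-IN-INITRAMFS"; rc=1
               fi ;;
            *) echo "$opt NOT-ENABLED"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input (not taken from a real system).
tmp=$(mktemp -d)
printf '%s\n' 'CONFIG_BLK_DEV_DM=y' 'CONFIG_DM_CRYPT=m' \
    'CONFIG_CRYPTO_AES=y' 'CONFIG_CRYPTO_XTS=m' \
    '# CONFIG_CRYPTO_SHA256 is not set' > "$tmp/config"
printf '%s\n' 'lib/modules/x/kernel/drivers/md/dm-crypt.ko' \
    > "$tmp/initramfs.lst"
check_boot_crypto "$tmp/config" "$tmp/initramfs.lst" \
    || echo "root LUKS unlock at boot would fail"
rm -rf "$tmp"
```

On a real system, pass the running kernel's config file and a saved listing of the initramfs image instead of the constructed files.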