Re: [dm-crypt] FAQ 2.2 Scenario (1) - clarification concerning "encrypted root"

[Arno Wagner <arno@wagner.name>]

On Fri, Jun 19, 2020 at 22:45:51 CEST, d.eltzner@gmx.de wrote:
>    Hello there,
> 
>    first, thanks a lot for the exemplary FAQ and, I guess, for the great
>    software, although I must admit I have yet to actually use it.
> 
>    My entry point for learning about dm-crypt was the Arch Wiki and
>    sections like the one here -
>    [1]https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_s
>    ystem#LVM_on_LUKS
>    - seemed (to me) to suggest that having the (logical) root partition in
>    a LUKS container is at least no security risk in itself.
>    I actually also cannot think of a reason why it should be, but then
>    again my knowledge of all things crypto is negligible.
> 
>    So I was wondering about the following section *2.2 LUKS on partitions
>    or raw disks* of the FAQ:
> 
>    "(1) Encrypted partition: Just make a partition to your liking, and put
>    LUKS on top of it and a filesystem into the LUKS container. [...]
> 
>    Note that you cannot do this for encrypted root, that requires an
>    initrd. 

You can. You need to use the traditional set-up where the initrd
resides on a separate partition mounted under /boot.
Or put the initrd on an USB stick. Or some other place.

But I will add a comment to that effect, as it seems more
and more distros just place the initrd on the root partition.

>    On the other hand, an initrd is about as vulnerable to a
>    competent attacker as a non-encrypted root, so there really is no
>    security advantage to doing it that way. An attacker that wants to
>    compromise your system will just compromise the initrd or the kernel
>    itself."

I have a scenario: Put the initrd on USB-stick, remove it after
boot and secure the USB-stick physically (safe) when not in use.
I actually did that set-up for somebody. This is not perfect either, 
but makes attacks that rely on manipulating the disk directly a lot 
harder.

>    Obviously, it only states there is no advantage to it, but it made me
>    doubtful whether there was an actual disadvantage.
>    To me that's relevant since, as of now, encrypting my entire disk and
>    unlocking it at boot seemed to be the easiest setup.

But what do you use to unlock it? Something needs to run 
cryptsetup for that unlocking action.
 
>    Best Wishes, and apologies in advance for the probably somewhat silly
>    question,

Actually, thanks for the comment. Allows me to make the FAQ a bit 
clearer.

Regards,
Arno

>    Elso
> 
> References
> 
>    1. https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> https://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier