Am 18.04.2015 um 14:12 schrieb Ralf: > No. Could you please explain why you think so? > Even if your root partition is encrypted, your ramdisk could load the > modules.
Are you sure about that? Are you sure that the necessary modules are definitely put into the initrd and that the kernel will be able to load them soon enough at boot time? Compiling those modules into the kernel is definitely more secure (in terms of being sure that they are always available) and doesn't do any harm, because they need to be loaded anyway. Btw., several dm-crypt/LUKS documentation (all that I've read) say that those modules have to be compiled into the kernel directly. > After loading the modules you can see that they are available by cat > /proc/crypto. You won't be able to run this command when the kernel tries to unlock the LUKS container at boot time. > The modules can be loaded _after_ bootup as well. If you want to unlock the LUKS container at boot time (particularly if your root partition is encrypted), loading the modules after bootup is too late. So I wouldn't risk it.