On 1/13/19 4:22 PM, Neven Sajko wrote:
>> If you do need hibernation support, the simple method would be to use a swap file residing on the encrypted /
>
> Simple as in "already well supported", but not optimal, as swap depends on a filesystem.

Linux also depends on a filesystem. I'm not sure what you mean to imply.

>> The more complex method would be to copy the initramfs encrypt hook and modify it to support an additional encrypted device with a different password.
>
> I want full disk encryption. There is nothing controversial about FDE, it is already covered in the Wiki, except that I want FDE without LVM.

You can have FDE without LVM today, using the suggestion I just provided and you ignored. Unless you mean that it's not really FDE if attackers can read the partition table layout, in which case LVM is not valid as FDE and you'd better buy yourself some proprietary hardware-encrypted solution.

>> None of this needs kpartx.
>
> Thank you for the input, indeed all your suggestions would work, but I am going for the optimal solution here, and kpartx (or an equivalent devmapper program) seems to be a requirement for that.

The optimal solution according to what metric? If you really want kpartx, nothing stops you from going right here and installing it yourself:

https://aur.archlinux.org/packages/multipath-tools/

Since you observed that losetup could be used on the ISO, I guess you could install using supported kernel interfaces, then switch to kpartx on your installed system. For bonus points, you could build the kpartx binary on the ISO and use it in the installation process, since it is not critical infrastructure for connecting to the internet. It would be work, but not a lot of work. The software does not seem to have a lot of dependencies...

But I still do not understand what practical benefits you are seeking that are not solved by having multiple encrypted partitions on an unencrypted partition table.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
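The swap-file-on-encrypted-root route mentioned in the thread needs one extra value for hibernation that a swap partition does not: the kernel's resume_offset, which counts pages, not filesystem blocks. The script below is an added example, not code from this e-mail exchange; it derives that value from `filefrag -v` output (the output shown is constructed sample data) and assumes the decrypted root is mapped as /dev/mapper/cryptroot.

```shell
#!/bin/sh
# Added example: compute resume_offset for a swap file on an encrypted root.
# The filefrag output is constructed sample data, not from a real system.

# Read `filefrag -v <swapfile>` output on stdin and print resume_offset:
# the physical block where extent 0 starts, converted from the filesystem
# block size to the page size the kernel expects (default 4096).
resume_offset_from_filefrag() {
    page_size="${1:-4096}"
    awk -v page_size="$page_size" '
        # "File size of X is N (B blocks of S bytes)": S is the fs block size
        /^File size of/ { bs = $(NF-1) + 0 }
        # Extent 0 row; field 4 is the physical start, e.g. "34816.."
        $1 == "0:" {
            phys = $4; sub(/\.\.$/, "", phys)
            printf "%d\n", phys * bs / page_size
            exit
        }'
}

# Constructed filefrag -v output: first extent begins at fs block 34816,
# filesystem block size 4096 bytes.
SAMPLE_FILEFRAG='Filesystem type is: ef53
File size of /swapfile is 4294967296 (1048576 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:   expected: flags:
   0:        0..   32767:      34816..     67583:  32768:
   1:    32768..   65535:      67584..  100351:  32768:             eof
/swapfile: 2 extents found'

# Kernel command-line fragment: resume= is the decrypted root mapping that
# holds the swap file (an assumed name), resume_offset the page offset.
resume_cmdline() {
    root_mapping="$1"
    offset="$2"
    printf 'resume=%s resume_offset=%s\n' "$root_mapping" "$offset"
}

offset=$(printf '%s\n' "$SAMPLE_FILEFRAG" | resume_offset_from_filefrag 4096)
resume_cmdline /dev/mapper/cryptroot "$offset"
```

The resume hook in the initramfs must run after the encrypt hook has opened the root mapping, otherwise the device named in resume= does not exist yet when the kernel looks for the image.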