Do you need the swap to be persistent across reboots in order to support hibernation? If not, it is sufficient to have the swap mounted with a randomized key.
I would like to be able to resume from hibernation, yes.
If you do need hibernation support, the simple method would be to use a swap file residing on the encrypted /
Simple as in "already well supported", but not optimal, as swap depends on a filesystem.
The more complex method would be to copy the initramfs encrypt hook and modify it to support an additional encrypted device with a different password.
I want full disk encryption. There is nothing controversial about FDE, it is already covered in the Wiki, except that I want FDE without LVM.
None of this needs kpartx.
--
Eli Schwartz
Bug Wrangler and Trusted User
Thank you for the input. Indeed, all your suggestions would work, but I am going for the optimal solution here, and kpartx (or an equivalent devmapper program) seems to be a requirement for that.

Regards,
Neven Sajko