On 13/01/2019 at 23:27, Eli Schwartz via arch-general wrote:

> The more complex method would be to copy the initramfs encrypt hook and
> modify it to support an additional encrypted device with a different password.
>
> I want full disk encryption. There is nothing controversial about FDE, it is already covered in the Wiki, except that I want FDE without LVM.
>
> You can have FDE without LVM today, using the suggestion I just provided and you ignored.
>
> Unless you mean that it's not really FDE if attackers can read the partition table layout, in which case LVM is not valid as FDE and you'd better buy yourself some proprietary hardware-encrypted solution.

Readable partition table layout is exactly the issue (and you answered yourself about your LVM mistake).

> But I still do not understand what practical benefits you are seeking that are not solved by having multiple encrypted partitions on an unencrypted partition table.

Well, unencrypted partition table. What he wants is an encrypted partition table, and more generally no metadata available (so the disk just looks like plain garbage, not x nice labelled partitions with LUKS headers). There are not a lot of choices for that: you need a plain dm-crypt container on the whole disk, and then to be able to partition inside it. Which leaves LVM2 (too big a tool for the OP), filesystems with such a feature (ZFS, Btrfs; but that is then fs-dependent), or tools like kpartx. So kpartx is the right tool for what he wants.

Regards,
Bruno
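A shell sketch of the layout Bruno describes (plain dm-crypt over the whole disk, a partition table created inside the mapping, kpartx to expose the partitions), added here as an example and not code from the thread. DISK is a placeholder, and the mapping name, cipher/hash/key-size triple and partition sizes are assumptions; DRY_RUN=1 prints the commands instead of running them so the procedure can be reviewed before it touches a real disk.

```shell
#!/bin/sh
# Added example, not from the thread. Plain dm-crypt stores no header, so
# the cipher/hash/key-size triple below must be passed identically every
# time; a wrong passphrase or parameter silently yields garbage, not an
# error. Requires root and cryptsetup, sgdisk (gptfdisk) and kpartx.
set -eu

DISK="${DISK:-/dev/sdX}"        # placeholder: the whole block device
NAME="${NAME:-cryptdisk}"       # assumed device-mapper name
CIPHER="aes-xts-plain64"        # assumed parameters; keep them somewhere safe
HASH="sha512"
KEYSIZE=512
DRY_RUN="${DRY_RUN:-0}"

# run prints the command in dry-run mode instead of executing it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

open_container() {
  # No LUKS header is written: the raw disk stays indistinguishable from
  # random bytes, and nothing on it records these parameters.
  run cryptsetup open --type plain --cipher "$CIPHER" --hash "$HASH" \
      --key-size "$KEYSIZE" "$DISK" "$NAME"
}

partition_inside() {
  # The GPT lives inside the mapping, so the partition layout is encrypted
  # along with everything else. Sizes are arbitrary for the example.
  run sgdisk --zap-all "/dev/mapper/$NAME"
  run sgdisk -n 1:0:+512M -t 1:8300 -n 2:0:0 -t 2:8300 "/dev/mapper/$NAME"
  # kpartx reads the table from the mapping and creates
  # /dev/mapper/${NAME}1, /dev/mapper/${NAME}2, ... for mkfs/mount.
  run kpartx -a -v "/dev/mapper/$NAME"
}

close_container() {
  # Tear down in reverse order: partition mappings first, then the container.
  run kpartx -d "/dev/mapper/$NAME"
  run cryptsetup close "$NAME"
}
```

At boot the stock Arch encrypt hook takes the same triple via crypto=<hash>:<cipher>:<keysize>:<offset>:<skip>, but it does not run kpartx, which is the part a modified hook would have to add.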