[arch-general] Kpartx should be in the repos and archiso for enabling encrypted GPT install

Eli Schwartz eschwartz at archlinux.org
Sun Jan 13 22:27:14 UTC 2019


On 1/13/19 4:22 PM, Neven Sajko wrote:
>> If you do need hibernation support, the simple method would be to use a
>> swap file residing on the encrypted /
> 
> Simple as in "already well supported", but not optimal, as swap
> depends on a filesystem.

Linux also depends on a filesystem. I'm not sure what you mean to imply.

>> The more complex method would be to copy the initramfs encrypt hook and
>> modify it to support an additional encrypted device with a different
>> password.
> 
> I want full disk encryption. There is nothing controversial about FDE,
> it is already covered in the Wiki, except that I want FDE without LVM.

You can have FDE without LVM today, using the suggestion I just provided
and you ignored.

Unless you mean that it's not really FDE if attackers can read the
partition table layout, in which case LVM is not valid as FDE and you'd
better buy yourself some proprietary hardware-encrypted solution.

>> None of this needs kpartx.
> 
> Thank you for input, indeed all your suggestions would work, but I am
> going for the optimal solution here, and kpartx (or an equivalent
> devmapper program) seems to be a requirement for that.

The optimal solution according to what metric? If you really want
kpartx, nothing stops you from going right here and installing it
yourself: https://aur.archlinux.org/packages/multipath-tools/

Since you observed that losetup could be used on the ISO, I guess you
could install using supported kernel interfaces, then switch to kpartx
on your installed system. For bonus points, you could build the kpartx
binary on the ISO and use it in the installation process, since it is
not critical infrastructure for connecting to the internet. It would be
work, but not a lot of work. The software does not seem to have a lot of
dependencies...

...

But I still do not understand what practical benefits you are seeking
that are not solved by having multiple encrypted partitions on an
unencrypted partition table.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
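
The layout Eli describes above, as an added example that is not part of the thread and not Arch's own install tooling: an unencrypted GPT, a LUKS partition for / unlocked by the mkinitcpio encrypt hook, a second LUKS partition for /home unlocked later through crypttab, and a swap file on the encrypted / so the resume hook only needs resume= and resume_offset=. The device paths, partition sizes, mapper names and UUIDs are assumptions; the SAMPLE_FILEFRAG text is constructed in the format ext4's `filefrag -v` prints. The helper functions are pure and can be exercised on their own; build_layout is destructive and needs root (it can be pointed at a loop device made with `losetup -fP --show disk.img`, the losetup route mentioned in the thread).

```sh
#!/bin/sh
# Added example, not from the thread: FDE without LVM on a GPT disk. The
# partition table stays unencrypted; / is a LUKS partition unlocked by the
# mkinitcpio 'encrypt' hook; a second LUKS partition (/home) is unlocked
# later via crypttab; swap is a file on the encrypted /, so the 'resume'
# hook only needs resume= and resume_offset=.
# Device paths, sizes and UUIDs below are assumptions for illustration.
set -eu

# Partition N of a device: /dev/sda -> /dev/sda2, but /dev/nvme0n1 and
# /dev/loop0 (losetup -P on a disk image) -> /dev/nvme0n1p2, /dev/loop0p2.
part_dev() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n' "$1" "$2" ;;
    esac
}

# Kernel command line for encrypt + resume: the encrypt hook handles a
# single cryptdevice=, and resume= names the mapped root because the swap
# file lives inside it. $1 = LUKS UUID, $2 = mapper name, $3 = resume_offset
luks_cmdline() {
    printf 'cryptdevice=UUID=%s:%s root=/dev/mapper/%s resume=/dev/mapper/%s resume_offset=%s\n' \
        "$1" "$2" "$2" "$2" "$3"
}

# /etc/crypttab entry for an extra LUKS partition unlocked after / is up;
# it needs no change to the encrypt hook. $1 = mapper name, $2 = LUKS UUID
crypttab_line() {
    printf '%s\tUUID=%s\tnone\tluks\n' "$1" "$2"
}

# resume_offset is the physical_offset of extent 0 of the swap file as
# shown by `filefrag -v`, which prints it as "NNNNN.." (dots stripped here).
resume_offset_from_filefrag() {
    awk '$1 == "0:" { sub(/\.\.$/, "", $4); print $4; exit }'
}

# Constructed `filefrag -v /swapfile` output in ext4's format, for testing.
SAMPLE_FILEFRAG='Filesystem type is: ef53
File size of /swapfile is 8589934592 (2097152 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:   expected flags:
   0:        0..   32767:      38912..     71679:  32768:
   1:    32768..   65535:      71680..    104447:  32768:             eof
/swapfile: 2 extents found'

# Destructive: partition, encrypt and format $1 (a disk, or a loop device
# from `losetup -fP --show disk.img`), then create the swap file. Needs
# root plus gdisk, cryptsetup, dosfstools and e2fsprogs.
build_layout() {
    dev="$1"
    sgdisk --zap-all "$dev"
    sgdisk -n 1:0:+512M -t 1:ef00 -c 1:ESP       "$dev"
    sgdisk -n 2:0:+40G  -t 2:8309 -c 2:cryptroot "$dev"   # 8309 = Linux LUKS
    sgdisk -n 3:0:0     -t 3:8309 -c 3:crypthome "$dev"
    mkfs.fat -F32 "$(part_dev "$dev" 1)"
    for n in 2 3; do cryptsetup luksFormat "$(part_dev "$dev" "$n")"; done
    cryptsetup open "$(part_dev "$dev" 2)" cryptroot
    cryptsetup open "$(part_dev "$dev" 3)" crypthome
    mkfs.ext4 /dev/mapper/cryptroot
    mkfs.ext4 /dev/mapper/crypthome
    mount /dev/mapper/cryptroot /mnt
    mkdir -p /mnt/home /mnt/boot
    mount /dev/mapper/crypthome /mnt/home
    mount "$(part_dev "$dev" 1)" /mnt/boot

    # Swap file on the encrypted root: preallocated (no holes), mode 600.
    fallocate -l 8G /mnt/swapfile
    chmod 600 /mnt/swapfile
    mkswap /mnt/swapfile
    offset=$(filefrag -v /mnt/swapfile | resume_offset_from_filefrag)

    # pacstrap and the bootloader are left to the installer; these are the
    # pieces the layout determines. Hook order: resume after encrypt.
    root_uuid=$(blkid -s UUID -o value "$(part_dev "$dev" 2)")
    home_uuid=$(blkid -s UUID -o value "$(part_dev "$dev" 3)")
    echo "HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems resume fsck)"
    echo "crypttab: $(crypttab_line crypthome "$home_uuid")"
    echo "fstab:    /swapfile none swap defaults 0 0"
    echo "cmdline:  $(luks_cmdline "$root_uuid" cryptroot "$offset")"
}

# usage: sh fde-no-lvm.sh setup /dev/loop0
if [ "${1:-}" = "setup" ]; then build_layout "$2"; fi
```

The one thing the encrypt hook cannot do in this layout is unlock a second LUKS device before resume, which is exactly why the swap lives as a file inside the root container rather than in its own encrypted partition; /home is unlocked by systemd from crypttab after the root is mounted, so it does not need to be visible to the initramfs at all. The resume_offset must be recomputed if the swap file is ever recreated, since it is the physical block of the file's first extent.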
