[arch-general] Kpartx should be in the repos and archiso for enabling encrypted GPT install

Bruno Pagani bruno.n.pagani at gmail.com
Sun Jan 13 22:43:18 UTC 2019


On 13/01/2019 at 23:27, Eli Schwartz via arch-general wrote:
>>> The more complex method would be to copy the initramfs encrypt hook and
>>> modify it to support an additional encrypted device with a different
>>> password.
>> I want full disk encryption. There is nothing controversial about FDE,
>> it is already covered in the Wiki, except that I want FDE without LVM.
> You can have FDE without LVM today, using the suggestion I just provided
> and you ignored.
>
> Unless you mean that it's not really FDE if attackers can read the
> partition table layout, in which case LVM is not valid as FDE and you'd
> better buy yourself some proprietary hardware-encrypted solution.

Readable partition table layout is exactly the issue (and you answered
yourself about your LVM mistake).

> But I still do not understand what practical benefits you are seeking
> that are not solved by having multiple encrypted partitions on an
> unencrypted partition table.

Well, unencrypted partition table. What he wants is an encrypted
partition table, and more generally no metadata available (so the disk
just looks like plain garbage, not x nice labelled partitions with LUKS
headers).

There are not a lot of choices for that: you need a plain dm-crypt
container on the whole disk, and then to be able to partition inside
that. Which leaves LVM2 (too big a tool for OP), filesystems with such a
feature (ZFS, Btrfs; but that is then fs-dependent), or tools like kpartx.

So kpartx is the right tool for what he wants.

Regards,
Bruno
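
The metadata difference discussed in this message, as an added example that is not part of the original post or of any Arch tooling: a small scanner that lists what can be identified from raw disk bytes without a key (GPT header, partition labels, LUKS magic). The two disk images are constructed samples, 512-byte sectors are assumed, and random bytes stand in for a whole-disk plain dm-crypt container.

```python
import os
import struct

SECTOR = 512                  # assumed logical sector size
GPT_MAGIC = b"EFI PART"       # GPT header signature at LBA 1
LUKS_MAGIC = b"LUKS\xba\xbe"  # first bytes of a LUKS1/LUKS2 header


def visible_metadata(image: bytes) -> list[str]:
    """List structures identifiable from the raw bytes, without any key."""
    found = []
    if image[:6] == LUKS_MAGIC:
        found.append("LUKS header at start of disk")
    hdr = image[SECTOR:2 * SECTOR]
    if len(hdr) < 92 or hdr[:8] != GPT_MAGIC:
        return found
    found.append("GPT header")
    # Entry array LBA, entry count and entry size live at header offset 72.
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    for i in range(min(count, 128)):
        off = entries_lba * SECTOR + i * size
        entry = image[off:off + size]
        if len(entry) < 128 or entry[:16] == bytes(16):
            continue  # truncated or unused slot
        first_lba = struct.unpack_from("<Q", entry, 32)[0]
        name = entry[56:128].decode("utf-16-le", "replace").rstrip("\x00")
        start = first_lba * SECTOR
        kind = "LUKS" if image[start:start + 6] == LUKS_MAGIC else "unknown"
        found.append(f"partition {i + 1} '{name}' at LBA {first_lba}: {kind}")
    return found


def sample_gpt_luks_disk() -> bytes:
    """Constructed 64 KiB image: GPT, one labelled partition holding LUKS."""
    img = bytearray(os.urandom(64 * 1024))
    img[SECTOR:3 * SECTOR] = bytes(2 * SECTOR)         # blank header + entries
    img[SECTOR:SECTOR + 8] = GPT_MAGIC
    struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)  # entries at LBA 2
    entry = 2 * SECTOR
    img[entry:entry + 16] = bytes(range(1, 17))        # constructed type GUID
    struct.pack_into("<QQ", img, entry + 32, 8, 127)   # first / last LBA
    img[entry + 56:entry + 64] = "root".encode("utf-16-le")
    img[8 * SECTOR:8 * SECTOR + 6] = LUKS_MAGIC
    return bytes(img)


def sample_plain_dmcrypt_disk() -> bytes:
    """Constructed stand-in for a whole-disk plain dm-crypt container."""
    return os.urandom(64 * 1024)
```

On the first sample the scanner reports the GPT header and the labelled LUKS partition; on the second it reports nothing.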

