On 13/01/2019 at 23:27, Eli Schwartz via arch-general wrote:
>>> The more complex method would be to copy the initramfs encrypt hook and
>>> modify it to support an additional encrypted device with a different
>>> password.
>> I want full disk encryption. There is nothing controversial about FDE,
>> it is already covered in the Wiki, except that I want FDE without LVM.
> You can have FDE without LVM today, using the suggestion I just provided
> and you ignored.
>
> Unless you mean that it's not really FDE if attackers can read the
> partition table layout, in which case LVM is not valid as FDE and you'd
> better buy yourself some proprietary hardware-encrypted solution.

Readable partition table layout is exactly the issue (and you answered
yourself about your LVM mistake).

> But I still do not understand what practical benefits you are seeking
> that are not solved by having multiple encrypted partitions on an
> unencrypted partition table.

Well, unencrypted partition table. What he wants is an encrypted partition
table, and more generally no metadata available (so the disk just looks like
plain garbage, not x nice labelled partitions with LUKS headers).

There are not a lot of choices for that: you need a plain dm-crypt container
on the whole disk, and then be able to partition inside that. Which leaves
LVM2 (too big a tool for OP), filesystems with such a feature (ZFS, Btrfs;
but that is then fs-dependent), or tools like kpartx.

So kpartx is the right tool for what he wants.

Regards,
Bruno
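The layout Bruno describes (a headerless plain dm-crypt mapping over the whole disk, a partition table written inside that mapping, and kpartx creating the partition nodes), as an added shell example that is not part of the thread. The device /dev/sdX, the mapping name, the cipher parameters and the partition sizes are assumed placeholders; with DRY_RUN=1 (the default) the functions only print the commands they would run, and running them for real requires root and destroys the target disk.

```shell
#!/bin/sh
# Added example (not from the thread): plain dm-crypt on a whole disk,
# partitioned inside the mapping so no partition table or LUKS header
# is visible on the raw device. DRY_RUN=1 prints commands instead of
# executing them; DRY_RUN=0 executes them (root required).
set -eu
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Open the whole disk as a plain (headerless) mapping. Nothing on disk
# records cipher, key size or hash, so they must be given identically on
# every open; the passphrase is hashed with sha512 into a 512-bit XTS key.
open_plain_disk() {
    disk=$1; name=$2
    run cryptsetup open --type plain \
        --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
        "$disk" "$name"
}

# Write the partition table to the mapping, not to the raw disk, so the
# table itself lives inside the ciphertext (sizes are placeholders).
partition_inside() {
    name=$1
    run sh -c "printf 'size=1G, type=L\ntype=L\n' | sfdisk /dev/mapper/$name"
}

# The kernel does not scan dm devices for partitions; kpartx reads the
# table inside the container and creates /dev/mapper/<name>1, <name>2, ...
map_partitions() {
    name=$1
    run kpartx -a -v "/dev/mapper/$name"
}

# Tear down in reverse order: partition nodes first, then the mapping.
close_all() {
    name=$1
    run kpartx -d "/dev/mapper/$name"
    run cryptsetup close "$name"
}

# Full sequence: open, partition inside, expose the partitions.
plain_disk_setup() {
    open_plain_disk "$1" "$2"
    partition_inside "$2"
    map_partitions "$2"
}
```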