On Fri, Oct 18, 2024 at 01:44:19AM -0400, Adrian Vovk wrote:
> > So just run a target on each partition.
> >
> That has different semantics. If I encrypt each virtual partition there's
> nothing encrypting the metadata around the virtual partitions. Of course,
> this is a rather contrived example but point stands, the semantics are
> different.

Then you set up a dm-crypt device mapper table for the partition table as
well.

> > This is the prime example of why allowing higher layers to skip
> > encryption is a no-go.
> >
>
> In what way does that break the file system's security model? Could you
> elaborate on what's objectionable about the behavior here?

Because you are now bypassing encryption for certain LBA ranges in the
file system based on hints/flags for something sitting way above in the
stack.