[arch-general] Kpartx should be in the repos and archiso for enabling encrypted GPT install

Neven Sajko nsajko at gmail.com
Sun Jan 13 22:49:30 UTC 2019


> >> If you do need hibernation support, the simple method would be to use a
> >> swap file residing on the encrypted /
> >
> > Simple as in "already well supported", but not optimal, as swap
> > depends on a filesystem.
>
> Linux also depends on a filesystem. I'm not sure what you mean to imply.

I just prefer a swap partition to a swap file.

> >> The more complex method would be to copy the initramfs encrypt hook and
> >> modify it to support an additional encrypted device with a different
> >> password.
> >
> > I want full disk encryption. There is nothing controversial about FDE,
> > it is already covered in the Wiki, except that I want FDE without LVM.
>
> You can have FDE without LVM today, using the suggestion I just provided
> and you ignored.
>
> Unless you mean that it's not really FDE if attackers can read the
> partition table layout, in which case LVM is not valid as FDE and you'd
> better buy yourself some proprietary hardware-encrypted solution.

No, it is not Full Disk Encryption if the disk is not fully encrypted.

Also, I think you misunderstood something about that example of FDE
with LVM, as in that case the LVM header is, in fact, encrypted (along
with the rest of the disk), and a hypothetical attacker can not read
it. What do you mean by "proprietary hardware-encrypted solution"?

> >> None of this needs kpartx.
> >
> > Thank you for input, indeed all your suggestions would work, but I am
> > going for the optimal solution here, and kpartx (or an equivalent
> > devmapper program) seems to be a requirement for that.
>
> The optimal solution according to what metric? If you really want
> kpartx, nothing stops you from going right ... ... ...

Yes, but I am sure you can see it would be preferable to have the
kpartx executable on the iso, as less work is better.

Regards,
Neven Sajko
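An added example, not part of the thread or of any Arch tooling: the layout under discussion puts a GPT inside the single LUKS container, so that once `cryptsetup open` has created the plaintext mapping, kpartx (or partx) reads that inner GPT and creates a device-mapper node per partition (root and a separate swap partition), while the partition table itself stays encrypted on disk. The Python below builds a constructed image carrying exactly that inner GPT and parses it the way kpartx must, validating both CRC32 fields and the usable-LBA range before trusting any entry; the partition names, sizes and disk GUID are made up for the demonstration, and the naming rule in mapping_names reflects kpartx's own convention, not anything from the thread.

```python
"""GPT parsing as kpartx has to do it on an opened LUKS container.

Added example, not code from the thread. Assumed layout: one LUKS container
covering the whole disk, whose plaintext mapping (say /dev/mapper/cryptroot)
starts with a GPT, so the partition table is encrypted too; kpartx reads that
GPT and creates one device-mapper node per entry. The image below is constructed.
"""
import struct
import uuid
import zlib

SECTOR = 512
HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header
ENTRY_FMT = "<16s16sQQQ72s"         # 128-byte partition entry
ENTRY_SIZE, ENTRY_COUNT = 128, 128  # 16 KiB array, the spec minimum
ARRAY_SECTORS = ENTRY_COUNT * ENTRY_SIZE // SECTOR  # 32
# Well-known type GUIDs; .bytes_le is the mixed-endian on-disk form.
TYPE_LINUX_FS = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")
TYPE_LINUX_SWAP = uuid.UUID("0657FD6D-A4AB-43C4-84E5-0933C84B4F4F")


def _entry(type_guid, first_lba, last_lba, name):
    """One entry; last_lba is inclusive, name is UTF-16LE in a 72-byte field."""
    return struct.pack(ENTRY_FMT, type_guid.bytes_le, uuid.uuid4().bytes_le, first_lba,
                       last_lba, 0, name.encode("utf-16-le").ljust(72, b"\0"))


def build_image(total_sectors=1024):
    """Constructed plaintext image: protective MBR, primary GPT, root + swap, backup GPT."""
    first_usable = 2 + ARRAY_SECTORS                 # 34
    last_usable = total_sectors - 2 - ARRAY_SECTORS  # 990
    split = (first_usable + last_usable) // 2        # 512
    entries = (_entry(TYPE_LINUX_FS, first_usable, split, "root")
               + _entry(TYPE_LINUX_SWAP, split + 1, last_usable, "swap"))
    entries = entries.ljust(ENTRY_COUNT * ENTRY_SIZE, b"\0")
    disk_guid = uuid.uuid4().bytes_le

    def header(current, backup, array_lba):
        fields = [b"EFI PART", 0x00010000, 92, 0, 0, current, backup, first_usable,
                  last_usable, disk_guid, array_lba, ENTRY_COUNT, ENTRY_SIZE, zlib.crc32(entries)]
        fields[3] = zlib.crc32(struct.pack(HEADER_FMT, *fields))  # CRC with its own field zeroed
        return struct.pack(HEADER_FMT, *fields).ljust(SECTOR, b"\0")

    img = bytearray(total_sectors * SECTOR)
    # Protective MBR: one type-0xEE partition spanning the disk plus the 0x55AA signature.
    img[446:462] = struct.pack("<BBBBBBBBII", 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, total_sectors - 1)
    img[510:512] = b"\x55\xaa"
    img[SECTOR:2 * SECTOR] = header(1, total_sectors - 1, 2)
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    backup_array = total_sectors - 1 - ARRAY_SECTORS  # 991
    img[backup_array * SECTOR:backup_array * SECTOR + len(entries)] = entries
    img[-SECTOR:] = header(total_sectors - 1, 1, backup_array)
    return bytes(img)


def parse_gpt(image):
    """Return [(name, type_uuid, first_lba, last_lba)] from the primary GPT.

    Both CRC32 fields are checked before any entry is trusted, and every entry
    must lie inside the usable range; anything else raises ValueError.
    """
    hdr = image[SECTOR:2 * SECTOR]
    (sig, _rev, hsize, hcrc, _res, _cur, _bak, first_usable, last_usable,
     _dguid, array_lba, count, esize, acrc) = struct.unpack(HEADER_FMT, hdr[:92])
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    if esize != ENTRY_SIZE:
        raise ValueError("unsupported partition entry size %d" % esize)
    array = image[array_lba * SECTOR:array_lba * SECTOR + count * esize]
    if zlib.crc32(array) != acrc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(count):
        type_raw, _uniq, first, last, _attrs, name = struct.unpack(
            ENTRY_FMT, array[i * esize:(i + 1) * esize])
        if type_raw == bytes(16):
            continue  # unused slot
        if not first_usable <= first <= last <= last_usable:
            raise ValueError("entry %d lies outside the usable range" % i)
        parts.append((name.decode("utf-16-le").rstrip("\0"),
                      uuid.UUID(bytes_le=type_raw), first, last))
    return parts


def mapping_names(base, parts):
    """Names kpartx gives the per-partition mappings under /dev/mapper: the 1-based
    index is appended, with a 'p' inserted when the base already ends in a digit
    (loop0 -> loop0p1)."""
    delim = "p" if base[-1].isdigit() else ""
    return ["%s%s%d" % (base, delim, i + 1) for i in range(len(parts))]


if __name__ == "__main__":
    found = parse_gpt(build_image())
    for node, (name, ptype, first, last) in zip(mapping_names("cryptroot", found), found):
        print("/dev/mapper/%s  %-4s  LBA %d-%d  type %s" % (node, name, first, last, ptype))
```

Running it prints the two nodes kpartx would create for a mapping called cryptroot, one for the root filesystem and one for the swap partition, both carved out of the same encrypted container. A corrupted or truncated inner GPT (a flipped byte in either the header or the entry array) is rejected by the CRC checks rather than silently producing a wrong mapping.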

