LUKS is fairly easy to set up on its own. Everything is done through the cryptsetup tool.
format a device with cryptsetup luksFormat /dev/sdX
open with cryptsetup luksOpen /dev/sdX myContainer
new device is available under /dev/mapper/myContainer
Linux will treat the opened container as a new disk so you can give it a file system or create an LVM device out of it. You can even have an LVM volume contain a LUKS container which contains another LVM volume group, etc.
The hard part about LUKS is getting your system to open it on boot. For that refer to the ArchWiki.
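The steps from the comment above, as an added example that is not part of the original thread: the same luksFormat, luksOpen and /dev/mapper sequence run against a throwaway image file instead of a real /dev/sdX, followed by creating a filesystem, mounting it and closing the container. The image path, mount point, function names and the DRY_RUN switch are assumptions made for this sketch; a real run needs root.

```bash
#!/usr/bin/env bash
# Added example: practise luksFormat -> luksOpen -> /dev/mapper on an image file.
# Assumed names (not from the thread): luks_practice, run, DRY_RUN, the paths.
set -u

# run CMD...: print the command, then execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# luks_practice IMAGE SIZE_MIB NAME MOUNTPOINT
luks_practice() {
    img=$1
    size=$2
    name=$3
    mnt=$4
    # luksFormat destroys whatever is on the target, so never reuse a file.
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing $img" >&2
        return 1
    fi
    # A mapping with this name would make luksOpen fail half way through.
    if [ -e "/dev/mapper/$name" ]; then
        echo "mapping $name is already open" >&2
        return 1
    fi
    run truncate -s "${size}M" "$img" || return
    run cryptsetup luksFormat "$img" || return       # asks for a passphrase
    run cryptsetup luksOpen "$img" "$name" || return
    # From here on the opened container is an ordinary block device.
    run mkfs.ext4 -q "/dev/mapper/$name" || return
    run mkdir -p "$mnt" || return
    run mount "/dev/mapper/$name" "$mnt" || return
    # Tear down in reverse order: unmount first, then close the mapping.
    run umount "$mnt" || return
    run cryptsetup luksClose "$name"
}

# Example call: sudo ./luks-practice.sh ./practice.img 64 myContainer /mnt/practice
if [ "$#" -eq 4 ]; then
    luks_practice "$@"
fi
```

Setting DRY_RUN=1 prints the command sequence without touching anything, which is a quick way to review it before running as root.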
Right, that makes sense. I've managed to avoid building an initramfs by only using LVM for /home and leaving / as a regular btrfs partition, but you certainly do enter the "keys are locked inside the car" situation when you're trying to load the modules for encrypted filesystems from an encrypted filesystem.
Changes to the initramfs are easy and well documented. Just edit /etc/mkinitcpio.conf and run sudo mkinitcpio -p linux.
The hard part is telling your bootloader to use the luks module you added to the initramfs. It changes depending on your bootloader.