Edit: 2018-05-09 corrected the dependencies of cryptsetup, lvm2 (more exact libdevmapper) is needed and therefor only mdadm as pkg is optional
I like all my systems cold secure, that means all data are fully encrypted. The one exception are my kodi boxes. I did try to get all the infos away from the kodi box, but at least the Textures13.db is on the box, when i mounted .kodi/temp as tmpfs and redirected Thumbnail to the server.
So i build a community version (my latest) LE 8.2.5 with UHD 630 / Coffee Lake support and luks, lvm2, dm-raid and since the end of last year i also shared it in the forum.
- truecrypt with "cryptsetup open --type tcrypt /dev/sda6 tcrypt-sda6 ; mount /dev/mapper/tcrypt-sda6 <your mountpoint>" created on OE 5.0 with truecrypt
- veracrypt with "cryptsetup open --veracrypt --type tcrypt /dev/sdb6 vcrypt-sdb6 ; mount.exfat /dev/mapper/vcrypt-sdb6 <your mountpoint>" created on Windows 10 with veracypt and formated as exfat
- cryptsetup luks i used to create and mount encrypted userdata
I striped down all my changes to the minimum to have cryptsetup luks usable and for Generic enabled AES-NI to have it hardware accelerated. The lvm2 package is needed by cryptsetup. The kernel config also contains all to use mdadm.
All what is needed is in cryptsetup-lvm2-dm-raid.zip and the RPi2 kernel patch should apply to other architerures without so much trouble. There are only kernel config patches for Generic and RPi2 build for 8.2.5 with a kernel 4.14 (like the LE git master at the moment).
Sadly my script tools to mount userdata encrypted are not yet ready for the public, but i would love to see all what is needed in LE so that only a addon is needed or i patch the init to support it at boot time. For curious persons here are my scripts without any support for it from /storage/.cryptluks scripts-cryptluks.zip and it uses a backend webserver and gets all the parameter from the kernel command line.
For boot time support i have a plan to use nework bound disc encryption (NBDE) with tang and clevis to make it totaly unattended bootup with encryption.
Thanks for reading my proposal.