When I installed Debian Buster (with a stock 4.19 kernel) on my device, I opted for guided partitioning with full disk encryption.
So the current setup is LVM on LUKS, and /boot is unencrypted:
user@HOST:~$ lsblk -f
NAME FSTYPE LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
sda
├sda1 ext2 a81YDwjp-q50N-nbZH-JLwr-Djhhe0aDxI6 94,4M 55% /boot
├sda2
└sda5 crypto_LUKS E5ZYjKug-zrNW-yW4Q-jwFD-MdgSY08zqKo
└sda5_crypt LVM2_member aJTjWXcR-Nxth-LcnV-5tzp-iBzbCU0zy8d
├HOST--vg-root ext4 PHVJaGjc-46vv-u5co-fXxd-NCZJUkzK21Q 129,1G 5% /
└HOST--vg-swap_1 swap 1XZehc8C-2yKA-Y8Qr-eCc1-EI3ezAgVNBo [SWAP]
Now it would be nice to evolve this setup and encrypt the swap volume with a temporary key. But why this? After all swap is encrypted already, as it resides on an encrypted hard drive. BTW, I do not use Hibernation.
What I would like is drawing as much benefit as possible from additional layers of encryption on my system. For example, I encrypt some data locally before backing it up in a remote location. This encryption could also serve as a second line of defense if full hard disk encryption was defeated... but only if swap is not readable in this scenario.
Starting from the default Debian configuration (i.e. without having to loop through re-installation), is there a way to encrypt swap with temporary keys?