So, as the title suggests I'd be looking for a convenient way of protecting my data while achieving plausible deniability. I've read the archwiki on the subject. I'd rather not encrypt the whole root system if I can avoid to do so, BUT I'd need to encrypt /var .
dm-crypt offers two options for plausible deniability: plain mode and detached LUKS header, but both are very unconvenient since they require long and difficult to remember cryptopen command typing. I also don't like the idea of storing a LUKS header in an non-encrypted usb drive, since if that is revealed then the whole purpose is defeated.
VeraCrypt (TrueCrypt's successor) on the other hand is very convenient since it can be used to create a hidden encrypted partition inside an outer encrypted volume (which acts as a decoy). One could write a veracrypt mount script, which once launched only asks for a password, and two different passwords can be used to mount two different partitions (either the decoy or the hidden one).
For Windows, it also exists a veracrypt bootloader that can be used to boot a fully encrypted system. In my case, I don't necessarily want to encrypt the whole system, but I want to encrypt /var, then I still need some way to mount the encrypted /var when it is needed at boot time. To your knowledge, might there be some (convenient / quick) way in Linux to run veracrypt at boot time in order to mount /var before it is needed?
Alternatively, can you think of some other way to achieve the same result with dm-crypt ? Result should be: encrypted /var and /home + plausible deniability + quick&easy mount at boot time .
Thanks for the help