Checkout my dm-crypt ebuild submission for more details http://bugs.gentoo.org/show_bug.cgi?id=43146 but the basic idea is this: dm-crypt has no userspace util at the moment, it uses dmsetup. but setting up an encrypted map with dmsetup is insecure UNLESS your swap space is encrypted, because the dmsetup tool does not lock its pages (prevent from being written out to disk). Because the pages are unlocked, they are free to be written to disk, making it possible for your key for one or more of your encrypted block devices to be exposed in the clear in your swapspace. the solution is either 1) write a userspace dm-crypt utility that locks its pages or 2) make dmsetup lock its pages, and make the path between key entry and dmsetup secure. here is an ebuild tarball that patches dmsetup to lock its pages, thus making it possible to use dm-crypt to encrypt your block devices without encrypting your swapspace.
Created attachment 26499 [details, diff] patches device-mapper/* to -r1 which includes patch for dmsetup this patches device-mapper/* for a 1.00.07-r1.ebuild which includes a patch that makes dmsetup lock its pages.
please put this on hold for now and ignore.
