The DHD has enough horsepower to run on-the-fly encryption.
You can achieve this quite easily:
What you need to do, is basically build static copies of lvm, device-mapper and cryptsetup.
Add vgchange -ay, and cryptsetup luksOpen to initrd just before mount.
An easy way to realise key reading is to save your key on your microsd card (this of course implies that your sdcard is mounted earlier), and make cryptsetup read from it:
cryptsetup luksOpen /dev/your_vol/your_lab some_id < /mnt/sdcard/my_key.txt
it only makes sense to encrypt /data/data, /data/misc and /data/system, of course.
You can always encrypt the whole /data if you want.
The only problem would be to fit the static binaries into your initrd (you can build some of them with busybox and integrate it).
That's it.
QUOTE]
Yup - what he said.