@austinhappel
Created February 8, 2020 22:46
How to create a bootable encrypted root drive for Manjaro ARM

Written Saturday November 4, 2019

Specifically, this guide is for Manjaro ARM on a Raspberry Pi 4. I don't see why this wouldn't work for other ARM Linux operating systems, however.

General steps

  1. Install the dependencies to support encryption
  2. Update /boot and other config files so the system can mount an encrypted root
  3. Backup existing root directory entirely
  4. Delete existing root partition and create a new encrypted one
  5. Restore the backup onto the new encrypted root
  6. Profit

Notes

This guide is based on another guide, with some changes made to support Arch ARM (Manjaro) instead.

Raspberry Pi Encrypt Root Partition Tutorial · NicoHood/NicoHood.github.io Wiki · GitHub


Assumptions: This is a fresh install of Manjaro ARM on your Raspberry Pi.

What this does and does not protect: only the root partition is encrypted. /boot (firmware, kernel, initramfs and cmdline.txt) stays in plaintext, and the passphrase is typed on a keyboard attached to the Pi at boot. That protects the data at rest if the card is lost or stolen, but nothing in this setup verifies the boot partition, so someone with physical access to the card can still modify the kernel or initramfs.

Install dependencies

sudo pamac update
sudo pamac install cryptsetup lvm2 busybox
# You MUST reboot after installation!
sudo shutdown -r now

Update config files to support an encrypted root

# update config.txt -----

# backup config to be safe
sudo cp /boot/config.txt /boot/config.txt.bak

# Open config file
sudo nano /boot/config.txt

# Add this line if it isn't already in the file:
initramfs initramfs-linux.img followkernel

# Update cmdline.txt ------

# backup first
sudo cp /boot/cmdline.txt /boot/cmdline.txt.bak

# open cmdline.txt
sudo nano /boot/cmdline.txt

# replace `root=/dev/mmcblk0p2` with the two parameters below. Keep everything
# on one line: the kernel command line in cmdline.txt must be a single line.
root=/dev/mapper/crypt cryptdevice=/dev/mmcblk0p2:crypt

# Update fstab -----

# backup first
sudo cp /etc/fstab /etc/fstab.bak

# open fstab
sudo nano /etc/fstab

# Add this line under the BOOT line. If fstab already has an entry for /,
# replace it rather than keeping both.
/dev/mapper/crypt  /               ext4    defaults,noatime  0       1

# Update crypttab -----

# backup first
sudo cp /etc/crypttab /etc/crypttab.bak

# open crypttab
sudo nano /etc/crypttab

# Add this line (fields are separated by whitespace; tabs or spaces both work)
crypt   /dev/mmcblk0p2   none   luks
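
The four edits above are easy to get wrong by hand (a second line in cmdline.txt, a duplicated fstab entry, a lost backup). Here is the same set of edits as a shell script. It is added here as an example and is not part of the original gist. It assumes the guide's paths and names (/boot/config.txt, /boot/cmdline.txt, /etc/fstab, /etc/crypttab, the partition /dev/mmcblk0p2 and the mapper name crypt), takes the boot and etc directories as parameters so it can be tried on copies first, and does nothing to the real system unless APPLY_BOOT_EDITS=1 is set.

```bash
#!/usr/bin/env bash
# Added example, not from the original gist: idempotent edits of the Raspberry
# Pi boot files for an encrypted root. Paths are parameters so the functions
# can be exercised on copies; the defaults are the values used in the guide.
set -euo pipefail

ROOT_DEV="${ROOT_DEV:-/dev/mmcblk0p2}"   # partition that will hold the LUKS container (assumed)
MAPPER_NAME="${MAPPER_NAME:-crypt}"      # name under /dev/mapper (assumed)

# backup_once FILE: keep one pristine copy; never overwrite an existing backup.
backup_once() {
    [ -e "$1" ] || return 0
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak"
}

# ensure_line FILE LINE: append LINE unless an identical line is already present.
ensure_line() {
    local file="$1" line="$2"
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# set_cmdline_root FILE: rewrite root= on the Pi's single-line kernel command
# line. Existing root= and cryptdevice= tokens are removed before the new ones
# are added, so running it again never accumulates duplicates.
set_cmdline_root() {
    local file="$1" line
    [ "$(grep -c '' "$file" || true)" -le 1 ] || {
        echo "$file must be a single line" >&2; return 1; }
    line="$(tr -d '\r\n' < "$file")"
    case " $line " in
        *" root="*) ;;
        *) echo "no root= parameter found in $file" >&2; return 1 ;;
    esac
    line="$(printf '%s\n' "$line" |
        sed -E 's/(^| )(root|cryptdevice)=[^ ]*//g; s/^ +//; s/ +$//; s/  +/ /g')"
    printf 'root=/dev/mapper/%s cryptdevice=%s:%s%s\n' \
        "$MAPPER_NAME" "$ROOT_DEV" "$MAPPER_NAME" "${line:+ $line}" > "$file"
}

# configure_boot BOOT_DIR ETC_DIR: apply all four edits from the guide.
configure_boot() {
    local boot="$1" etc="$2" f
    for f in "$boot/config.txt" "$boot/cmdline.txt" "$etc/fstab" "$etc/crypttab"; do
        backup_once "$f"
    done
    ensure_line "$boot/config.txt" "initramfs initramfs-linux.img followkernel"
    set_cmdline_root "$boot/cmdline.txt"
    ensure_line "$etc/fstab" "/dev/mapper/$MAPPER_NAME  /  ext4  defaults,noatime  0  1"
    ensure_line "$etc/crypttab" "$MAPPER_NAME  $ROOT_DEV  none  luks"
}

# Real run on the Pi (needs root):  APPLY_BOOT_EDITS=1 sudo -E bash boot-edits.sh
if [ "${APPLY_BOOT_EDITS:-0}" = 1 ]; then
    configure_boot /boot /etc
fi
```

Run it twice against a copy of the files: the second run must leave them byte-for-byte unchanged. The single-line check exists because the firmware passes the kernel only one line from cmdline.txt, so a stray newline silently drops the `cryptdevice=` parameter and the boot stops at a missing root device.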

# Create a throwaway LUKS device so the crypto modules land in the initramfs.
# mkinitcpio's autodetect hook only includes modules that are currently loaded,
# so a LUKS mapping must be open while the image is built. If you later format
# the real root with a non-default cipher, use the same cipher here.

dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
sudo cryptsetup luksFormat /tmp/fakeroot.img

# When prompted, answer YES and supply an easy password, like `password`
# (this image is thrown away; only the real root partition needs a strong passphrase)

# mount the fake drive and give it an ext4 filesystem
sudo cryptsetup luksOpen /tmp/fakeroot.img crypt
sudo mkfs.ext4 /dev/mapper/crypt

# update mkinitcpio.conf to include encryption

# backup first
sudo cp /etc/mkinitcpio.conf /etc/mkinitcpio.conf.bak

# Add `encrypt` to the HOOKS array, right after `block`. ORDER IS IMPORTANT:
# encrypt must run after block (so the partition exists) and before
# filesystems (so the mapped device can be mounted as root).
# The array will look like this:
# HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
# Add `encrypt` to it like this:
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
# If a USB keyboard does not respond at the passphrase prompt, move `keyboard`
# in front of `encrypt`, as the Arch wiki's dm-crypt examples do.

# Create initramfs. Check for warnings and also make sure cryptsetup is included.

# Dry run creation of the initramfs file:
sudo mkinitcpio

# verify that the `encrypt` hook is listed in the output. It is okay if you see an error saying that dm_integrity is missing.

# backup previous initramfs file
sudo cp /boot/initramfs-linux.img /boot/initramfs-linux.img.bak

# create the new initramfs and replace the old one. Ignore the error about dm_integrity missing.
sudo mkinitcpio -g /boot/initramfs-linux.img

# Double check that cryptsetup is included. If it's in there, you're good to go.
lsinitcpio /boot/initramfs-linux.img | grep cryptsetup

# Shutdown the machine, take the SD card out and put it in another linux machine to continue.
sudo shutdown -h now

Back up the root directory of the system

Take the SD card out of your Raspberry Pi and put it in another Linux machine. The rest of the work is done on that machine.

Mount the 2nd partition of the SD card with your PC and backup the data.

# To find the drive. Check the size and partition layout carefully: every
# destructive command below is typed against this device name.
sudo fdisk -l

# The partition will look something like /dev/sdb2

# Mount the partition
sudo mkdir /mnt/myroot && sudo mount /dev/sdb2 /mnt/myroot

# Backup the entire drive. This will take a while. --numeric-owner stores the
# Pi's uid/gid numbers instead of user names, so the restore on another machine
# does not remap ownership through that machine's /etc/passwd.
sudo tar --numeric-owner --one-file-system -czpf rpibackup.tar.gz -C /mnt/myroot/ .

# You can verify the backup by inspecting the archive or by listing its contents:

sudo tar -tvf rpibackup.tar.gz

Delete the old partition and replace it with a new LUKS-encrypted one

Optional: for extra security, zero out the existing partition first so that recovery tools cannot extract pieces of the old plaintext filesystem from the card. WARNING: THIS DESTROYS THE PARTITION, so only do it after the backup above has been verified.

# zero out old (backed up) root partition. dd stops with "No space left on
# device" when it reaches the end of the partition; that message is expected.
sudo umount /dev/sdb2
sudo dd if=/dev/zero of=/dev/sdb2 bs=4M status=progress

After the backup, unmount the drive (myroot) and delete the partition with a tool such as gparted. If you zeroed it with dd, the filesystem is gone but the partition entry still exists; you can either delete and recreate it as described next, or simply run luksFormat on /dev/sdb2 in place.

Once the partition is deleted, create a new partition that fills the space of the old one (parted or gparted). I gave mine the label crypt.

Find the path to that partition. It will probably be /dev/sdb2 again.

Format the partition for encryption and give the new encrypted drive an ext4 filesystem

sudo cryptsetup luksFormat /dev/sdb2

# Give this drive a strong passphrase and make sure you remember it!
# The Pi 4's Cortex-A72 has no ARMv8 crypto extensions, so AES-XTS is
# CPU-bound; `cryptsetup benchmark` shows what the board can sustain. If you
# pick a non-default --cipher, the throwaway image used to build the initramfs
# must have used the same one, or its modules will be missing at boot.

# mount the encrypted partition
sudo cryptsetup luksOpen /dev/sdb2 crypt

# give it an ext4 filesystem
sudo mkfs.ext4 /dev/mapper/crypt

Restore your backup to the new encrypted partition

# mount the crypt drive
sudo mkdir /mnt/newdrive && sudo mount /dev/mapper/crypt /mnt/newdrive

# restore. --numeric-owner keeps the uid/gid values from the archive instead of
# mapping user names through this machine's /etc/passwd.
sudo tar --numeric-owner -xpf rpibackup.tar.gz -C /mnt/newdrive/

# To be safe, ensure all writes are complete
sync
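
The whole SD-card phase (backup, LUKS format, restore) as a set of shell functions, added here as an example and not part of the original gist. It adds two checks the guide does not have: `tar --diff` compares the restored tree against the archive before the card goes back into the Pi, and `cryptsetup luksHeaderBackup` saves the LUKS header, because a damaged header makes the data unrecoverable no matter how well the passphrase is remembered. It also unmounts and closes the mapping at the end, which the guide leaves implicit. The device name, archive name and mount points are assumptions taken from the guide (/dev/sdb2, rpibackup.tar.gz, /mnt/myroot, /mnt/newdrive); the LUKS steps need root and a real block device and only run when MIGRATE=1 is set, while the backup and restore functions work on any directory.

```bash
#!/usr/bin/env bash
# Added example, not from the original gist: backup, LUKS format, restore and
# verification for moving a root filesystem onto an encrypted partition.
set -euo pipefail

NAME="${NAME:-crypt}"                             # /dev/mapper name, must match cmdline.txt (assumed)
HEADER_BACKUP="${HEADER_BACKUP:-luks-header.img}"  # where the LUKS header copy goes (assumed)

# backup_root SRC_MNT ARCHIVE: archive the mounted old root, one filesystem only.
# --numeric-owner stores uid/gid numbers, so a restore on another machine does
# not remap ownership through that machine's /etc/passwd.
backup_root() {
    local src="$1" archive="$2"
    tar --numeric-owner --one-file-system -czpf "$archive" -C "$src" .
    # sanity check: the archive must at least contain an etc/ tree
    tar -tzf "$archive" | grep '^\./etc/' > /dev/null
}

# restore_root ARCHIVE DST_MNT: extract with permissions and flush to disk.
restore_root() {
    local archive="$1" dst="$2"
    tar --numeric-owner -xpf "$archive" -C "$dst"
    sync
}

# verify_restore ARCHIVE DST_MNT: compare archive against the restored tree.
# Returns non-zero and prints every mismatch (size, mode, mtime, contents).
verify_restore() {
    local archive="$1" dst="$2"
    tar --numeric-owner -dzf "$archive" -C "$dst"
}

# prepare_luks DEV: format, back up the header, open and mkfs the partition.
# Needs root and a real device; not exercised by the self-test.
prepare_luks() {
    local dev="$1"
    cryptsetup benchmark                     # see what this CPU can sustain
    cryptsetup luksFormat "$dev"
    # Keep this file somewhere other than the SD card itself.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$HEADER_BACKUP"
    cryptsetup luksOpen "$dev" "$NAME"
    mkfs.ext4 /dev/mapper/"$NAME"
}

# finish DST_MNT: unmount and close the mapping before removing the card.
finish() {
    umount "$1"
    cryptsetup luksClose "$NAME"
}

# Full run on the second machine (as root), e.g.:
#   MIGRATE=1 DEV=/dev/sdb2 bash migrate-root.sh
if [ "${MIGRATE:-0}" = 1 ]; then
    mkdir -p /mnt/myroot /mnt/newdrive
    mount "${DEV:?set DEV to the old root partition, e.g. /dev/sdb2}" /mnt/myroot
    backup_root /mnt/myroot rpibackup.tar.gz
    umount /mnt/myroot
    prepare_luks "$DEV"
    mount /dev/mapper/"$NAME" /mnt/newdrive
    restore_root rpibackup.tar.gz /mnt/newdrive
    verify_restore rpibackup.tar.gz /mnt/newdrive
    finish /mnt/newdrive
fi
```

If `verify_restore` reports differences, do not put the card back in the Pi; extract again or re-create the archive. The `cryptsetup benchmark` call is there because the Pi 4 has no hardware AES instructions, so cipher choice decides disk throughput; if you pass a different `--cipher` to `luksFormat` than the default, the throwaway image used earlier to build the initramfs must have used the same cipher, otherwise the needed kernel modules will not be in the image.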