Written Saturday November 4, 2019
Specifically, this guide is for Manjaro ARM on a Raspberry Pi 4. I don't see why this wouldn't work for other ARM Linux operating systems, however.
- Install the dependencies to support encryption
- Update /boot and other config files to mount an encrypted drive
- Back up the existing root directory entirely
- Delete the existing root partition and create a new encrypted one
- Restore the backup onto the new encrypted root
- Profit
This guide is based on another guide, with some changes made to support Arch ARM (Manjaro) instead.
Raspberry Pi Encrypt Root Partition Tutorial · NicoHood/NicoHood.github.io Wiki · GitHub
Assumptions: This is a fresh install of Manjaro ARM on your Raspberry Pi.
sudo pamac update
sudo pamac install cryptsetup lvm2 busybox
# You MUST reboot after installation!
sudo shutdown -r now
# update config.txt -----
# backup config to be safe
sudo cp /boot/config.txt /boot/config.txt.bak
# Open config file
sudo nano /boot/config.txt
# Add this line if it isn't already in the file:
initramfs initramfs-linux.img followkernel
# Update cmdline.txt ------
# backup first
sudo cp /boot/cmdline.txt /boot/cmdline.txt.bak
# open cmdline.txt
sudo nano /boot/cmdline.txt
# replace `root=/dev/mmcblk0p2` with:
root=/dev/mapper/crypt cryptdevice=/dev/mmcblk0p2:crypt
# Update fstab -----
# backup first
sudo cp /etc/fstab /etc/fstab.bak
# open fstab
sudo nano /etc/fstab
# Add this line under the BOOT line
/dev/mapper/crypt / ext4 defaults,noatime 0 1
# Update crypttab -----
# backup first
sudo cp /etc/crypttab /etc/crypttab.bak
# open crypttab
sudo nano /etc/crypttab
# Add this line (use tabs, not spaces!)
crypt /dev/mmcblk0p2 none luks
# Create fake luks filesystem to include cryptsetup into initramfs
dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
sudo cryptsetup luksFormat /tmp/fakeroot.img
# When prompted, answer YES and supply an easy password, like `password`
# mount the fake drive and give it an ext4 filesystem
sudo cryptsetup luksOpen /tmp/fakeroot.img crypt
sudo mkfs.ext4 /dev/mapper/crypt
# update mkinitcpio.conf to include encryption
# backup first
sudo cp /etc/mkinitcpio.conf /etc/mkinitcpio.conf.bak
# Add `encrypt` to the HOOKS array, right after `block`. ORDER IS IMPORTANT.
# The array will look like this:
# HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
# Add `encrypt` to it like this (the hook is named `filesystems`, plural):
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
# Create initramfs. Check for warnings and also make sure cryptsetup is included.
# Dry run creation of the initramfs file:
sudo mkinitcpio
# verify that `encrypt` hook is added. It is okay if you see an error saying that dm_integrity is missing.
# backup previous initramfs file
sudo cp /boot/initramfs-linux.img /boot/initramfs-linux.img.bak
# create the new initramfs and replace the old one. Ignore the error about dm_integrity missing.
sudo mkinitcpio -g /boot/initramfs-linux.img
# Double check that cryptsetup is included. If it's in there, you're good to go.
lsinitcpio /boot/initramfs-linux.img | grep cryptsetup
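Before shutting down, it is worth checking all five edited files in one pass, because a typo in cmdline.txt or a mis-ordered HOOKS line is only discovered when the Pi fails to find its root filesystem. The script below is an added example, not part of the original guide or of Manjaro; it only reads the files named above. The path prefix and device arguments are assumptions added so the same checks can be run against a test tree instead of the live system.

```shell
#!/bin/sh
# Pre-flight check for the config edits above (added example, not from the guide).
# Run before regenerating the initramfs: it greps the five edited files and reports
# which of them still disagree with the encrypted-root layout.

# True if file $1 contains a line matching extended regex $2.
has_line() {
    [ -r "$1" ] && grep -Eq "$2" "$1"
}

# True if the last HOOKS= line in $1 lists block, then encrypt, then filesystems,
# in that order (block must provide the device before encrypt can unlock it).
hooks_ok() {
    hooks=$(grep -E '^HOOKS=' "$1" 2>/dev/null | tail -n 1)
    case "$hooks" in
        *block*encrypt*filesystems*) return 0 ;;
    esac
    return 1
}

# Print PASS/FAIL for every edited file. $1 is a path prefix ("" for the live
# system, a scratch directory for testing); $2 is the partition that will hold
# the LUKS container. Returns the number of failed checks, so 0 means consistent.
check_encrypted_boot_config() {
    prefix="${1:-}"
    dev="${2:-/dev/mmcblk0p2}"
    fails=0
    run() {  # $1 = description, remaining args = the check command
        desc=$1; shift
        if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; fails=$((fails + 1)); fi
    }
    run "config.txt loads the initramfs after the kernel" \
        has_line "$prefix/boot/config.txt" '^initramfs initramfs-linux\.img followkernel'
    run "cmdline.txt roots on /dev/mapper/crypt" \
        has_line "$prefix/boot/cmdline.txt" 'root=/dev/mapper/crypt'
    run "cmdline.txt names $dev as the cryptdevice" \
        has_line "$prefix/boot/cmdline.txt" "cryptdevice=$dev:crypt"
    run "fstab mounts /dev/mapper/crypt on /" \
        has_line "$prefix/etc/fstab" '^/dev/mapper/crypt[[:space:]]+/[[:space:]]+ext4'
    run "crypttab maps $dev to crypt" \
        has_line "$prefix/etc/crypttab" "^crypt[[:space:]]+$dev[[:space:]]+none[[:space:]]+luks"
    run "mkinitcpio HOOKS order is block, encrypt, filesystems" \
        hooks_ok "$prefix/etc/mkinitcpio.conf"
    return "$fails"
}

# On the Pi itself:  sh check.sh --check        (or: --check /dev/sdX2 for another device)
case "${1:-}" in
    --check) check_encrypted_boot_config "" "${2:-/dev/mmcblk0p2}" ;;
esac
```

The crypttab and fstab patterns accept tabs or spaces, so they do not enforce the "use tabs" advice above; they only confirm the entries are present and point at the same device name as cmdline.txt.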
# Shutdown the machine, take the SD card out and put it in another linux machine to continue.
sudo shutdown -h now
Take the SD card out of your Raspberry Pi and put it in another Linux machine. The rest of the work in this section is done on that other machine.
Mount the 2nd partition of the SD card on your PC and back up the data.
# To find the drive:
sudo fdisk -l
# The partition will look something like /dev/sdb2
# Mount the partition
sudo mkdir /mnt/myroot && sudo mount /dev/sdb2 /mnt/myroot
# Back up the entire drive. This will take a while.
sudo tar -czpf rpibackup.tar.gz --one-file-system -C /mnt/myroot/ .
# You can verify the backup is successful by inspecting the tar file, or you can list the files using this:
sudo tar -tvf rpibackup.tar.gz
Optional: for extra security, you may also want to zero out the existing partition to prevent any recovery tools from extracting bits of your old filesystem. WARNING: THIS WILL DESTROY THE PARTITION
# zero out old (backed up) root partition
sudo umount /dev/sdb2
sudo dd if=/dev/zero of=/dev/sdb2 bs=4M status=progress
After the backup, unmount the drive (myroot) and delete the partition using something like gparted. If you used dd to overwrite the partition with zeros, this is already done.
Once the partition is deleted, create a new partition that fills the space of the old one (parted or gparted). I gave mine the label crypt.
Find the path to that partition. It will probably be /dev/sdb2 again.
Format the partition for encryption and give the new encrypted drive an ext4 filesystem:
sudo cryptsetup luksFormat /dev/sdb2
# Give this drive a strong password and make sure you remember it!
# mount the encrypted partition
sudo cryptsetup luksOpen /dev/sdb2 crypt
# give it an ext4 filesystem
sudo mkfs.ext4 /dev/mapper/crypt
# mount the crypt drive
sudo mkdir /mnt/newdrive && sudo mount /dev/mapper/crypt /mnt/newdrive
# restore
# --numeric-owner keeps the Pi's UIDs/GIDs instead of mapping names to the PC's accounts
sudo tar -xpf rpibackup.tar.gz --numeric-owner -C /mnt/newdrive/
# To be safe, ensure all writes are complete
sync
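The backup step above suggests inspecting the tar listing, and the restore step gives no check at all; the functions below make both verifiable. This is an added example, not code from the original guide: it wraps the same tar commands and adds two checks, one that the archive member count matches the tree it was taken from (before the old partition is wiped) and one, using tar's own --diff mode, that the restored tree matches the archive entry by entry. The function names and the scratch paths are assumptions; on the PC you would pass /mnt/myroot, rpibackup.tar.gz and /mnt/newdrive as in the guide.

```shell
#!/bin/sh
# Backup/restore round-trip verification (added example, not from the guide).

# Archive the tree rooted at $1 into $2, staying on one filesystem and keeping
# permissions. --numeric-owner records UIDs/GIDs rather than names, so the restore
# is not skewed by accounts that exist on the PC but not on the Pi (or vice versa).
backup_root() {
    tar -czpf "$2" --one-file-system --numeric-owner -C "$1" .
}

# True if the archive $1 has exactly as many members as there are paths under $2.
# tar lists "./", every directory and every file, so the two counts must agree.
archive_matches_tree() {
    in_archive=$(tar -tzf "$1" | wc -l | tr -d ' ')
    on_disk=$(find "$2" | wc -l | tr -d ' ')
    [ "$in_archive" -eq "$on_disk" ]
}

# Unpack archive $1 into $2, preserving permissions and numeric ownership.
restore_root() {
    tar -xzpf "$1" --numeric-owner -C "$2"
}

# True if every member of archive $1 matches what is now on disk under $2
# (mode, owner, size, mtime and contents). tar prints each mismatch it finds
# and exits non-zero, which is exactly the check wanted before relying on the
# new root.
restore_matches_archive() {
    tar -dzf "$1" -C "$2"
}

# Usage on the PC, following the guide's paths:
#   backup_root /mnt/myroot rpibackup.tar.gz
#   archive_matches_tree rpibackup.tar.gz /mnt/myroot && echo "archive complete"
#   restore_root rpibackup.tar.gz /mnt/newdrive
#   restore_matches_archive rpibackup.tar.gz /mnt/newdrive && echo "restore verified"
```

Run the archive check while /mnt/myroot is still mounted; once the partition has been deleted or zeroed, the archive is the only copy, and tar --diff against /mnt/newdrive is the remaining way to confirm the restore.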