Last active April 22, 2022 20:18
Archlinux ARM (Raspberry PI 3) encrypt root (revised)

Original by Simon Perry:

Step 1

Install Arch Linux to your PI3:

Back up /boot/boot.*

cp -p /boot/boot.scr /boot/boot.scr.woEnc

cp -p /boot/boot.txt /boot/boot.txt.woEnc

Step 2

Boot, update everything

pacman -Syu

Install necessary tools:

pacman -S rsync vim uboot-tools

Reboot and make sure everything is cool.

Step 3

Create a new partition of at least 2 GB. I normally just fill the rest of the SD card; it's up to you though. Use:

fdisk /dev/mmcblk0

and create a new primary partition. You may use gparted on a PC. You should have:

  • p1: 100 MB, the vfat boot partition. Do not mess with it.
  • p2: 1.8 GB, our current root.
  • p3: the new partition, sized as you wish, but at least as large as p2.

Step 4

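Overwrite the new partition (p3) before creating the LUKS volume. Writing /dev/zero over it adds a minimal amount of safety by wiping whatever was stored there before:

dd if=/dev/zero of=/dev/mmcblk0p3 bs=1M

or write random data instead, so that unused space cannot later be told apart from ciphertext:

dd if=/dev/urandom of=/dev/mmcblk0p3 bs=1M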

This will take a long time. If you use /dev/urandom it will take even longer. You'll get several kernel IO hung timeout messages while this runs, but it will finish. Be patient!

Create a LUKS volume on /dev/mmcblk0p3:

cryptsetup luksFormat -c aes-xts-plain -y -s 512 /dev/mmcblk0p3

or, with an explicit hash, entropy source and iteration time:

cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 30000 /dev/mmcblk0p3

Do what the command says, choose a passphrase etc.

Step 5

Open the LUKS volume and put a filesystem on it:

cryptsetup luksOpen /dev/mmcblk0p3 root

mkfs.ext4 /dev/mapper/root

Step 6

Mount the new filesystem:

mount /dev/mapper/root /mnt

Step 7

rsync the current system over:

rsync --progress -axv / /mnt/

Don't forget the trailing / on /mnt/! This will take a long time. Run the rsync again, just to make sure you have everything; the second run will be much quicker.

Step 8

Edit /etc/mkinitcpio.conf and make sure the HOOKS line reads:

HOOKS=(base udev autodetect modconf block keyboard encrypt filesystems fsck)

Now generate an initrd:

mkinitcpio -P

Step 9

Edit /boot/config.txt and add to the end:

initramfs initrd 0x00f00000

or

initramfs initrd followkernel

Step 10

Edit the kernel command line in /boot/boot.txt. Leave whatever is there alone, and add or modify:

cryptdevice=/dev/mmcblk0p3:root:allow-discards root=/dev/mapper/root initrd=0x00f00000

For example, replace "root=PARTUUID=${uuid}" with the line above (don't add line breaks). Afterwards call


Now add the following line to /mnt/etc/fstab:

/dev/mapper/root / ext4 defaults,discard,commit=120 0 1

Change options to what you want.

Reboot and hope it works!

Step 11

From the console, you should now be able to enter your passphrase and boot off the encrypted root. Your root filesystem is now the LUKS encrypted mmcblk0p3 and not p2.

Make sure the HOOKS line in /etc/mkinitcpio.conf on p3 matches what you edited before on p2.

Make sure /etc/fstab on this partition is correct (you did it right if it booted and you can do touch foo and write a file).

If you make any changes, reboot and ensure you can boot without any problems (if you are going to reboot, rebuild the initrd before you do - mkinitcpio -P - just to be on the safe side).
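A check worth running before the reboot at the end of Step 10, and again after any later change: the HOOKS line, config.txt, the kernel command line and the new fstab must all agree on the same mapping name. This is an added example, not part of the original gist; the function names are hypothetical, and it assumes a single cryptdevice= entry on the command line (boot.txt, or cmdline.txt on setups that use it).

```sh
#!/bin/sh
# Added example: consistency check to run before rebooting into the encrypted root.
# Each function body is a subshell "( ... )", so its variables stay local.

# HOOKS must contain "encrypt", and it must come before "filesystems".
check_hooks() (  # $1 = mkinitcpio.conf
    hooks=$(grep -E '^HOOKS=' "$1" | tail -n 1 | cut -d= -f2- | tr -d '()"')
    pos=0; enc=0; fs=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in encrypt) enc=$pos ;; filesystems) fs=$pos ;; esac
    done
    [ "$enc" -gt 0 ] && [ "$fs" -gt "$enc" ]
)

# config.txt must load the initramfs, or the encrypt hook never runs.
check_config() (  # $1 = config.txt
    grep -Eq '^initramfs[[:space:]]+[^[:space:]]+[[:space:]]+(followkernel|0x[0-9a-fA-F]+)' "$1"
)

# cryptdevice=<dev>:<name>[:opts] and root=/dev/mapper/<name> must agree.
# Prints <name> on success.
check_cmdline() (  # $1 = boot.txt or cmdline.txt
    name=$(grep -v '^#' "$1" | grep -o 'cryptdevice=[^ ]*' | head -n 1 | cut -s -d: -f2)
    [ -n "$name" ] || exit 1
    grep -v '^#' "$1" | grep -Eq "root=/dev/mapper/$name([[:space:]]|\$)" || exit 1
    printf '%s\n' "$name"
)

# The fstab of the copied system must mount /dev/mapper/<name> on /.
check_fstab() (  # $1 = fstab, $2 = mapping name
    awk -v dev="/dev/mapper/$2" \
        '$1 !~ /^#/ && $2 == "/" { ok = ($1 == dev) } END { exit !ok }' "$1"
)

check_all() (  # $1 mkinitcpio.conf  $2 config.txt  $3 boot.txt  $4 fstab
    check_hooks "$1"  || { echo "HOOKS: encrypt missing or after filesystems"; exit 1; }
    check_config "$2" || { echo "config.txt: no initramfs line"; exit 1; }
    name=$(check_cmdline "$3") || { echo "cmdline: cryptdevice and root= disagree"; exit 1; }
    check_fstab "$4" "$name" || { echo "fstab: / is not /dev/mapper/$name"; exit 1; }
    echo "ok: mapping '$name' is used consistently"
)

# On the Pi, after Step 10 (paths as used in the steps above):
#   sh check.sh /etc/mkinitcpio.conf /boot/config.txt /boot/boot.txt /mnt/etc/fstab
if [ "$#" -eq 4 ]; then check_all "$@"; fi
```
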

----------- new 1 ----------- to integrate


sudo pacman -S --needed mkinitcpio rsync

Shrink the partition with gparted (on another PC) and create a new partition at the end.

sudo cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 30000 /dev/mmcblk0p3

sudo cryptsetup luksOpen /dev/mmcblk0p3 root

sudo mkfs.ext4 /dev/mapper/root

sudo mount /dev/mapper/root /mnt

sudo rsync --progress -axv / /mnt/

In /etc/mkinitcpio.conf (sudo nano /etc/mkinitcpio.conf):

HOOKS="base udev autodetect modconf block keymap encrypt filesystems keyboard fsck"

sudo mkinitcpio -P

In /boot/config.txt (sudo nano /boot/config.txt):

initramfs initrd followkernel

In /boot/cmdline.txt (sudo nano /boot/cmdline.txt):

cryptdevice=/dev/mmcblk0p3:root root=/dev/mapper/root

In /mnt/etc/fstab (sudo nano /mnt/etc/fstab):

/dev/mapper/root / ext4 defaults,noatime 0 1

In /mnt/etc/crypttab (sudo nano /mnt/etc/crypttab):

root /dev/mmcblk0p3 none luks

----------- new 2 ----------- to check

gea0 commented Nov 17, 2018

Thanks for the writeup, it greatly helped me.
Although the advice to overwrite with /dev/zero is pretty moot, it is pointless to do so, and gives a false sense of security. Use /dev/urandom instead!

Also, I made a new, complete, up-to-date tutorial!
It installs the newer 64-bit Arch Linux ARM (armv8 architecture), using the ArchLinuxARM-rpi-3-latest.tar.gz image.
It also includes the option to unlock the encrypted system over SSH!

If you spot any issues, please contact me!

Arch Linux ARM 64 on Raspberry Pi 3 B+ With Full Disk Encryption And SSH Unlock: 2018 Edition