Just some FYI, to get started:
- I'm using a 16 GB Sandisk SD card.
- I have a model B Pi, 512 MB RAM (not really relevant, thought I'd mention it).
- Monitor and keyboard connected to the Pi itself, for now.
- Network working, internet access.
We will run no swap, like the default image, and leave the initial install on the 1.8 GB partition as a potential rescue disk. Trust me, you need to be able to run ARM binaries if you ever need to recover.
Having a rescue partition that you can boot into will be invaluable and would have saved me from my last screw-up.
Download and dd the Arch ARM image, as per normal.
At the time of writing this (4 April, 2013) it is:
sudo dd if=archlinux-hf-2013-02-11.img of=/dev/mmcblk0 bs=1M
You know this bit, now put the card into your Pi.
Boot, update everything (pacman -Syu). Based on the current image, you'll have to fix a few pacnew files.
- Install rsync if it isn't already (a must, but I do think it's installed by default with the alarm image).
- Install vim :)
Reboot and make sure everything is cool.
Your kernel should be (as of updating on 4 April, 2013) from uname -a:
Do any normal tasks now as you would otherwise when setting up a system.
All of this is optional:
- Set your root password.
- Set an IP, hostname etc (all the stuff systemd wants, e.g. vconsole etc).
- Add users, your favourite shell, configure any services, etc.
- Setup whatever else you don't want to setup later or don't mind having in a rescue environment.
We will be rsyncing this setup to the encrypted partition.
Reboot again, make sure everything is good.
Create a new partition of at least 2 GB, I normally just fill the rest of the SD card, it's up to you though.
Use fdisk on /dev/mmcblk0 and create a new primary partition.
I would show you output, but I can't be bothered re-typing stuff I can't copy and paste.
Nevertheless, you should have an mmcblk0p1, p2 and p3.
- p1 being the vfat boot partition - do not mess with it.
- p2 being our current 1.8 GB root.
- p3 being the new partition.
dd /dev/zero over the new partition (p3), just to add a minimal amount of safety:
dd if=/dev/zero of=/dev/mmcblk0p3 bs=1M
This will take a long time. You can use if=/dev/urandom if you like, but it will take even longer.
You'll get several kernel IO hung timeout messages while this runs, but it will finish.
When dd finishes, create a LUKS volume on /dev/mmcblk0p3
cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/mmcblk0p3
Do what the command says, choose a passphrase etc.
Open the LUKS volume and put a filesystem on it:
cryptsetup luksOpen /dev/mmcblk0p3 root
Mount the new filesystem:
mount /dev/mapper/root /mnt
Rsync the current system over:
rsync --progress -axv / /mnt/
Don't forget the trailing / on /mnt/
This will take a long time.
Run the rsync again, just to make sure you have everything, this will be much quicker.
We're not ready to do our "over SSH" unlock just yet, let's make sure we can at least boot the encrypted root.
Edit /etc/mkinitcpio.conf and make sure this line has:
HOOKS="base udev autodetect modconf block keyboard encrypt filesystems fsck"
Now generate an initrd:
mkinitcpio -k $(uname -r) -g /boot/initrd
Edit /boot/config.txt and add to the end:
initramfs initrd 0x00f00000
Edit the kernel command line, leave whatever is there alone, add or modify the following (file is /boot/cmdline.txt):
cryptdevice=/dev/mmcblk0p3:root:allow-discards root=/dev/mapper/root initrd=0x00f00000
Up to you if you want allow-discards or not, your choice.
Be sure to leave the "ro" option there.
Now add the following to fstab, edit /mnt/etc/fstab and ensure:
/dev/mmcblk0p1 /boot vfat defaults 0 0 /dev/mapper/root / ext4 defaults,discard,commit=120 0 1
Change options to what you want.
Reboot and hope it works!
From the console, you should now be able to enter your passphrase and boot off the encrypted root.
Your root filesystem is now the LUKS encrypted mmcblk0p3 and not p2.
Make sure the HOOKS line in /etc/mkinitcpio.conf on p3 matches what you edited before on p2.
Make sure /etc/fstab on this partition is correct (you did it right if it booted and you can do touch foo and write a file).
If you make any changes, reboot and ensure you can boot without any problems (if you are going to reboot, rebuild the initrd before you do -- just to be on the safe side).
Install base-devel (hit enter to select all).
pacman -S base-devel
For thoroughness run:
Install an AUR helper.
pacman -S yaourt
Handy tip, add the following to /etc/yaourtrc to disable architecture checks.
yaourt -S dropbear_initrd_encrypt
Change the /etc/mkinitcpio.conf HOOKS line to say:
HOOKS="base udev autodetect modconf block keyboard dropbear encryptssh filesystems fsck"
Remove anything you feel you don't need, but this is what I use. Also, order is important so make sure dropbear is before encryptssh which is before filesystems.
By default, sshd is enabled and started, so you should have host keys generated without doing anything.
Generate dropbear keys based off your OpenSSH host keys:
[root@pi ~]# cd /etc/dropbear [root@pi ~]# dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key dropbear_rsa_host_key Key is a RSA key Wrote key to '/etc/dropbear/dropbear_rsa_host_key' [root@pi ~]# dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key Key is a DSS key Wrote key to '/etc/dropbear/dropbear_dss_host_key'
THIS IS VERY IMPORTANT
Put your own public ssh key into /etc/dropbear/root_key (i.e. the public key you normally put onto hosts so you can ssh in without a password).
Edit /boot/cmdline.txt and add:
Edit this to suit your setup. Replace the IP address with the address of your Pi, its gateway and its node name (pi in my case).
Now rebuild the initrd.
mkinitcpio -k $(uname -r) -g /boot/initrd
Reboot, and ssh in from another box:
Enter the passphrase and...
Any errors or omissions are due to the fact that I've been drinkin'...
You must rebuild the initrd after every kernel update. Archlinux ARM kernel packages do not run mkinitcpio automatically after kernel update like regular x86_64 Arch does.
When rebuilding the initrd after an update, you must provide the correct string appropriate to the new kernel.
The easiest way to recover, in my opinion, would be to:
Leave the p2 partition in tact.
When something goes wrong, put the SD card into another system and edit cmdline.txt to boot off p2.
Use the system on p2 to unlock the LUKS volume etc, and chroot into it, whatever you need to do to fix the system.