Howto Full disk encryption manjaro and detached header (with keyboard) - Printable Version

+- PINE64 (
+-- Forum: PinePhone Pro (
+--- Forum: PinePhone Pro Software (
+--- Thread: Howto Full disk encryption manjaro and detached header (with keyboard) (/showthread.php?tid=16272)

Howto Full disk encryption manjaro and detached header (with keyboard) - robocone - 03-09-2022

This is a howto, from following the arch wiki, on how to encrypt the root partition with LUKS.

I'm using a Pinephone Pro with a keyboard, but you could probably explorer other methods if a keyboard is not available.

The SD card will contain the boot partition and the LUKS header. If it is removed, then there should be no way to access the phone or see what kind of data is present.

The internal eMMC will contain the encrypted LUKS volume.

Boot the phone from Manjaro SD and then fill the eMMC disk with random encrypted data
cryptsetup open --type plain -d /dev/urandom /dev/mmcblk2 to_be_wiped
dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress

Format the eMMC as an encrypted disk and save our header file
cryptsetup luksFormat /dev/mmcblk2 --header /boot/header.img

I was not able to get LVM to work from the Manjaro SD (2022-03-09). Creating an lvm volume group and volume worked, but after the disk was closed, the LVM volume group would not be detected when it was re-opened. I created a single partition instead.
cryptsetup open /dev/mmcblk2 crypt --header /boot/header.img
mkfs.ext4 /dev/mapper/crypt

Update our initramfs image
Follow the step in to copy and modify the 'encrypt' hook to a custom 'encrypt2' hook to support our detached header and then modify mkinitcpio.conf
HOOKS=(base udev keyboard autodetect keymap modconf block encrypt2 shell filesystems fsck)
Make sure to remove the bootspash-manjaro hook, so that we can see the password prompt.

Copy the system on the sd card to the encrypted partition and resize it to fit the remaining space
dd if=/dev/mmcblk1p2 of=/dev/mapper/crypt bs=4096
resize2fs /dev/mapper/crypt

Update the bootloader to boot our new system.
setenv bootargs loglevel=4 console=tty0 console=${console} earlycon=uart8250,mmio32,0xff1a0000 consoleblank=0 boot=PARTUUID=${uuid_boot} root=/dev/mapper/crypt cryptdevice=/dev/mmcblk2:crypt:header rw rootwait quiet audit=0

Finally build the initramfs and boot.scr
mkinitcpio -P

After reboot, we should have a password prompt and boot into our encrypted system.

The /dev/mmcblk1p2 partition can be wiped and used for something else.