Howto Full disk encryption manjaro and detached header (with keyboard)

Howto Full disk encryption manjaro and detached header (with keyboard) - Printable Version

+- PINE64 (https://forum.pine64.org)
+-- Forum: PinePhone Pro (https://forum.pine64.org/forumdisplay.php?fid=177)
+--- Forum: PinePhone Pro Software (https://forum.pine64.org/forumdisplay.php?fid=179)
+--- Thread: Howto Full disk encryption manjaro and detached header (with keyboard) (/showthread.php?tid=16272)

Howto Full disk encryption manjaro and detached header (with keyboard) - robocone - 03-09-2022

This is a howto, from following the arch wiki, on how to encrypt the root partition with LUKS.

I'm using a Pinephone Pro with a keyboard, but you could probably explorer other methods if a keyboard is not available.

The SD card will contain the boot partition and the LUKS header. If it is removed, then there should be no way to access the phone or see what kind of data is present.

The internal eMMC will contain the encrypted LUKS volume.

Boot the phone from Manjaro SD and then fill the eMMC disk with random encrypted data

Code:
cryptsetup open --type plain -d /dev/urandom /dev/mmcblk2 to_be_wiped

dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress

(https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation#dm-crypt_wipe_on_an_empty_disk_or_partition)

Format the eMMC as an encrypted disk and save our header file

Code:
cryptsetup luksFormat /dev/mmcblk2 --header /boot/header.img

(https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header)

I was not able to get LVM to work from the Manjaro SD (2022-03-09). Creating an lvm volume group and volume worked, but after the disk was closed, the LVM volume group would not be detected when it was re-opened. I created a single partition instead.

Code:
cryptsetup open /dev/mmcblk2 crypt --header /boot/header.img

mkfs.ext4 /dev/mapper/crypt

Update our initramfs image
Follow the step in https://wiki.archlinux.org/title/Dm-crypt/Specialties#Modifying_encrypt_hook to copy and modify the 'encrypt' hook to a custom 'encrypt2' hook to support our detached header and then modify mkinitcpio.conf

Code:
/etc/mkinitcpio.conf

...

FILES=(/boot/header.img)

...

HOOKS=(base udev keyboard autodetect keymap modconf block encrypt2 shell filesystems fsck)

Make sure to remove the bootspash-manjaro hook, so that we can see the password prompt.

Copy the system on the sd card to the encrypted partition and resize it to fit the remaining space

Code:
dd if=/dev/mmcblk1p2 of=/dev/mapper/crypt bs=4096

resize2fs /dev/mapper/crypt

Update the bootloader to boot our new system.

Code:
/boot/boot.txt

...

setenv bootargs loglevel=4 console=tty0 console=${console} earlycon=uart8250,mmio32,0xff1a0000 consoleblank=0 boot=PARTUUID=${uuid_boot} root=/dev/mapper/crypt cryptdevice=/dev/mmcblk2:crypt:header rw rootwait quiet audit=0

Finally build the initramfs and boot.scr

Code:
mkinitcpio -P

ppp-uboot-mkscr

After reboot, we should have a password prompt and boot into our encrypted system.

The /dev/mmcblk1p2 partition can be wiped and used for something else.