PINE64
How to install arch with FDE


How to install arch with FDE - user641 - 09-23-2023

Hello, is there a way to install arch with FDE?


RE: How to install arch with FDE - SchizoPinePhone225 - 01-11-2024

Full Disk Encryption?


RE: How to install arch with FDE - user641 - 01-11-2024

(01-11-2024, 06:05 AM)SchizoPinePhone225 Wrote: Full Disk Encryption?

Yes, do you know how?


RE: How to install arch with FDE - Kevin Kofler - 01-11-2024

I believe it is not officially supported. What is sure is that simply dd'ing the image onto microSD or eMMC storage (which is the recommended installation method) will not encrypt anything.

What should probably work is:
1. Install (dd) the image to a microSD card.
2. Copy a second copy of the image into the file system on the microSD card (an image inside the image, think Russian matryoshka dolls or Chinese boxes). The reason you want a second copy of the image is because it is a bad idea to copy a running system.
3. Boot the microSD card (i.e., the outer image) and use that to partition the eMMC with encrypted partitions. I guess you probably need an unencrypted /boot (because I do not think U-Boot can boot from LUKS partitions), but everything else can (or at least ought to be able to) be encrypted.
4. Mount the inner image on the microSD card:
Code:
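# Open a root shell; the remaining commands run inside it.
sudo -i
# $IMG is the image file name without the .img.xz suffix.
xz -d -k "$IMG.img.xz"
mkdir -p /mnt/image
# Root file system, then /boot, loop-mounted at their byte offsets in the image.
mount -o loop,offset=512000512 "$IMG.img" /mnt/image
mount -o loop,offset=32000000 "$IMG.img" /mnt/image/boot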
5. Mount the encrypted (and unencrypted) partitions on the eMMC.
6. rsync the microSD contents to the eMMC. (The exact rsync command depends on how exactly it is partitioned, but you probably want at least the flags -aHAXr.)
7. Edit the system configuration on the eMMC (fstab, crypttab, etc.) to match how you partitioned it.
8. Remove the microSD, reboot, and hope that it works.

Someone somewhere might have script(s) to help you with that very manual procedure.
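
Added example, not part of Kevin Kofler's post: the byte offsets in step 4 are start sector times sector size, so they can be read from the image's own partition table instead of being hard-coded. The function names, the sample dump and the assumption that partition 1 is /boot and partition 2 is the root file system are illustrative; `sfdisk -d` is the util-linux partition table dump.

```shell
#!/bin/sh
# Added example: derive the loop-mount offsets for step 4 from the image.

# part_offsets: read an `sfdisk -d` dump on stdin and print one line per
# partition in the form "<partition-number> <byte-offset>".
part_offsets() {
    awk '
        /^sector-size:/ { ss = $2 }
        / : start=/ {
            if (ss == "") ss = 512            # older sfdisk omits sector-size
            n = $1; sub(/^.*[^0-9]/, "", n)   # trailing digits = partition no.
            s = $0; sub(/^.*start= */, "", s); sub(/,.*$/, "", s)
            printf "%d %.0f\n", n, s * ss     # start sector * sector size
        }'
}

# sample_dump: constructed `sfdisk -d` output whose start sectors reproduce
# the two offsets used in the post (sizes are made up).
sample_dump() {
    cat <<'EOF'
label: dos
device: example.img
unit: sectors
sector-size: 512

example.img1 : start=       62500, size=      937501, type=83, bootable
example.img2 : start=     1000001, size=     7000000, type=83
EOF
}

# mount_inner IMG MNT: loop-mount the inner image read-write as in step 4.
# Assumption: partition 2 is the root file system, partition 1 is /boot.
mount_inner() {
    img=$1
    mnt=$2
    table=$(sfdisk -d "$img" | part_offsets) || return 1
    root_off=$(printf '%s\n' "$table" | awk '$1 == 2 { print $2 }')
    boot_off=$(printf '%s\n' "$table" | awk '$1 == 1 { print $2 }')
    # Refuse to mount if either partition is missing from the table.
    [ -n "$root_off" ] && [ -n "$boot_off" ] || return 1
    mkdir -p "$mnt"
    mount -o loop,offset="$root_off" "$img" "$mnt" &&
        mount -o loop,offset="$boot_off" "$img" "$mnt/boot"
}
```

Inside the root shell, `mount_inner "$IMG.img" /mnt/image` replaces the two hard-coded mount commands; `sample_dump | part_offsets` shows the computed values without touching any device.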