+- PINE64 (https://forum.pine64.org)
+-- Forum: Pinebook Pro (https://forum.pine64.org/forumdisplay.php?fid=111)
+--- Forum: Pinebook Pro Tutorials (https://forum.pine64.org/forumdisplay.php?fid=117)
+--- Thread: full disk encryption with luks on manjaro xfce (/showthread.php?tid=9052)
RE: full disk encryption with luks on manjaro xfce - e-minguez - 05-15-2020
(05-15-2020, 12:28 PM)Der Geist der Maschine Wrote:I guess I would need to be extra careful with updates... But in any case, you can always boot with an SD card and fix it (or plugging the SD card into another PC and fix it)(05-15-2020, 12:42 AM)e-minguez Wrote: Plug it into your pbp and profit!
I just wonder if you will continue profiting beyond kernel updates? What if a manjaro kernel update comes with a new version of extlinux.conf overwriting your custom one?
Enviado desde mi ONEPLUS A5010 mediante Tapatalk
RE: full disk encryption with luks on manjaro xfce - e-minguez - 05-18-2020
(05-15-2020, 12:47 PM)e-minguez Wrote:(05-15-2020, 12:28 PM)Der Geist der Maschine Wrote:I guess I would need to be extra careful with updates... But in any case, you can always boot with an SD card and fix it (or plugging the SD card into another PC and fix it)(05-15-2020, 12:42 AM)e-minguez Wrote: Plug it into your pbp and profit!
I just wonder if you will continue profiting beyond kernel updates? What if a manjaro kernel update comes with a new version of extlinux.conf overwriting your custom one?
Enviado desde mi ONEPLUS A5010 mediante Tapatalk
TBH it's been a while since I used arch seriously and I'm used to Fedora/CentOS/RHEL, where rpmnew/rpmsave is the way to do the updates so I searched about the same stuff for Arch and I've found this https://wiki.archlinux.org/index.php/Pacman/Pacnew_and_Pacsave which I guess if any updates to mkinitcpio or extlinux are performed, the changes won't be overwritten.
RE: full disk encryption with luks on manjaro xfce - as400 - 05-18-2020
(05-15-2020, 12:28 PM)Der Geist der Maschine Wrote: I just wonder if you will continue profiting beyond kernel updates? What if a manjaro kernel update comes with a new version of extlinux.conf overwriting your custom one?
Don't worry, it will be saved as extlinux.conf.pacnew.
RE: full disk encryption with luks on manjaro xfce - Der Geist der Maschine - 05-18-2020
(05-18-2020, 05:37 AM)as400 Wrote:(05-15-2020, 12:28 PM)Der Geist der Maschine Wrote: I just wonder if you will continue profiting beyond kernel updates? What if a manjaro kernel update comes with a new version of extlinux.conf overwriting your custom one?
Don't worry, it will be saved as extlinux.conf.pacnew.
So, you may miss a potentially important update to extlinux.conf if you don't notice that pacnew file and manually merge it into your custom extlinux.conf file?
RE: full disk encryption with luks on manjaro xfce - as400 - 05-19-2020
(05-18-2020, 10:27 AM)Der Geist der Maschine Wrote: So, you may miss a potentially important update to extlinux.conf if you don't notice that pacnew file and manually merge it into your custom extlinux.conf file?
Like what exactly ?
The same way you also miss potential important update to uboot since its not automatically updated.
RE: full disk encryption with luks on manjaro xfce - FutureBucket - 05-19-2020
(05-15-2020, 12:42 AM)e-minguez Wrote: The howto is very simple, you just need:
* a manjaro x86_64 VM with X (see https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer/-/issues/10 for the reason behind the X requirement) with an extra disk (in my case, I've used a 8gb qcow2 empty file mapped as sata, so it is /dev/sda in the VM)
* ssh into it
* clone the https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer repo
* install the required packages (dialog and manjaro-arm-qemu-static in my case)
* apply the patch (git apply)
* run export CRYPT=y, then the installer. It will ask you user/pass/software selection/keyboard/etc. then the luks password twice (first one to create the device, the second one to mount it)
Then, power off the manjaro VM, plug a microsd into your computer and convert the qcow2 image into a raw one, then flash it to your microsd (or do it at once as qemu-img convert -f qcow2 -O raw manjaro-usb.qcow2 /dev/mmcblkX)
Plug it into your pbp and profit!
In order to resize the luks partition:
* `parted /dev/mmcblkX`, then `resizepart NUMBER END` (in my case, partition = 2, end = 125GB)
* `cryptsetup resize /dev/mapper/ROOT_MNJRO`
* `resize2fs /dev/mapper/ROOT_MNJRO`
HTH!
Edit: I've tested with the console parameter as suggested and it doesn't work, so I'll keep it that way.
Amazing, Thank you!
sidenote - If you put a bad password in, the script will happily continue. (yes, I know, I was going to change it later)
Enter passphrase for /dev/sda2:
Password quality check failed:
The password fails the dictionary check - it is based on a dictionary word
Device /dev/sda2 is not a valid LUKS device.
Device /dev/sda2 is not a valid LUKS device.
mount: /var/tmp/manjaro-arm-installer/root: special device /dev/mapper/ROOT_MNJRO does not exist.
RE: full disk encryption with luks on manjaro xfce - e-minguez - 05-19-2020
(05-19-2020, 02:31 PM)FutureBucket Wrote:Yes, the script is not super robust but I don't wanted to overengineer it without knowing if it is going to be merged or just rejected.(05-15-2020, 12:42 AM)e-minguez Wrote: The howto is very simple, you just need:
* a manjaro x86_64 VM with X (see https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer/-/issues/10 for the reason behind the X requirement) with an extra disk (in my case, I've used a 8gb qcow2 empty file mapped as sata, so it is /dev/sda in the VM)
* ssh into it
* clone the https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer repo
* install the required packages (dialog and manjaro-arm-qemu-static in my case)
* apply the patch (git apply)
* run export CRYPT=y, then the installer. It will ask you user/pass/software selection/keyboard/etc. then the luks password twice (first one to create the device, the second one to mount it)
Then, power off the manjaro VM, plug a microsd into your computer and convert the qcow2 image into a raw one, then flash it to your microsd (or do it at once as qemu-img convert -f qcow2 -O raw manjaro-usb.qcow2 /dev/mmcblkX)
Plug it into your pbp and profit!
In order to resize the luks partition:
* `parted /dev/mmcblkX`, then `resizepart NUMBER END` (in my case, partition = 2, end = 125GB)
* `cryptsetup resize /dev/mapper/ROOT_MNJRO`
* `resize2fs /dev/mapper/ROOT_MNJRO`
HTH!
Edit: I've tested with the console parameter as suggested and it doesn't work, so I'll keep it that way.
Amazing, Thank you!
sidenote - If you put a bad password in, the script will happily continue. (yes, I know, I was going to change it later)
Enter passphrase for /dev/sda2:
Password quality check failed:
The password fails the dictionary check - it is based on a dictionary word
Device /dev/sda2 is not a valid LUKS device.
Device /dev/sda2 is not a valid LUKS device.
mount: /var/tmp/manjaro-arm-installer/root: special device /dev/mapper/ROOT_MNJRO does not exist.
Enviado desde mi ONEPLUS A5010 mediante Tapatalk
full disk encryption with luks on manjaro xfce - e-minguez - 05-21-2020
It's been merged! https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer
Any volunteers to give it a try (besides myself)?
Enviado desde mi ONEPLUS A5010 mediante Tapatalk
RE: full disk encryption with luks on manjaro xfce - FutureBucket - 05-23-2020
(05-21-2020, 12:57 AM)e-minguez Wrote: It's been merged! https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer
Any volunteers to give it a try (besides myself)?
Enviado desde mi ONEPLUS A5010 mediante Tapatalk
k, I'll give it a go. Here's what I did.
I used kvm/virsh to install a fresh manjaro-xfce-20.0.1, Added an SD card as the second disk (directly passed /dev/sdb though).
started ssh and sshed into it.
pacman -S git vim
pacman -S dialog manjaro-arm-qemu-static
git clone https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer.git
vim ./manjaro-arm-installer/manjaro-arm-installer
Line 491 was changed. my disk is /dev/vdb and the script didn't support it.
Code:
if [[ "$SDTYP" = "vd" ]]; then
SDDEV=""
elif [[ "$SDTYP" = "mm" ]]; then
SDDEV="p"
else
clear
exit 1
fiexport CRYPT=y ; ./manjaro-arm-installer/manjaro-arm-installer
pbpro, xfce, etc, etc, etc,. It prompts for luks password twice. Downloads aarch64 stuff. etc.
I kind of watched it. it took about an hour or so and got the following errors (that I noticed)
Quote:==> Starting build: 5.6.0-2-MANJARO-ARM
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [keyboard]
-> Running build hook: [autodetect]
-> Running build hook: [keymap]
-> Running build hook: [modconf]
-> Running build hook: [block]
-> Running build hook: [encrypt]
-> Running build hook: [lvm2]
-> Running build hook: [filesystems]
-> Running build hook: [fsck]
==> ERROR: module not found: `icp'
==> ERROR: module not found: `spl'
==> Generating module dependencies
==> Creating uncompressed initcpio image: /boot/initramfs-linux.img
==> WARNING: errors were encountered during the build. The image may not be complete.
error: command failed to execute correctly
-> Cleaning install for unwanted files...
==> pbpro xfce install complete
==> Writing bootloader and cleaning up after install...
powered off the VM, put the SD card into my PBP and.... it used the SD boot partition to load the eMMC root partition.Cool but not what I wanted.
so I zeroed the first ~1G of my eMMC, rebooted and très bien!! it worked!
You're the best! thanks!
full disk encryption with luks on manjaro xfce - e-minguez - 05-24-2020
Those errors are harmless, it cannot find some modules but that's ok.
Glad to hear it worked!
Enviado desde mi ONEPLUS A5010 mediante Tapatalk