full disk encryption with luks on manjaro xfce
This recipe is for a Manjaro Xfce Pinebook Pro image installed to an SD card. This recipe may work with other Manjaro Pinebook Pro images.
First, I created a separate partition for /boot that remained unencrypted. Second, I encrypted the existing root / installation using LUKS.
I used Debian OS installed to the eMMC of the Pinebook Pro; any OS that supports LUKS should work (the default OS on the Pinebook Pro does not support LUKS). You may want to make sure to have a good backup first in case something goes wrong.


Code:
===================================
separate partitions for boot & root
===================================
boot to debian on emmc
create new partition layout using gparted
(boot will be on 1st partition & root on 2nd partition)
    resize mmcblk1p1 partition to smallest size to create free space
    (don't touch ~31m unallocated space at start of sdcard)
    copy mmcblk1p1 & paste into remaining free space
    format mmcblk1p1 ext4 to delete files
    resize mmcblk1p1 to your desired size, for me ~800mb
    (don't touch ~31m unallocated space at start of sdcard)
    label mmcblk1p1 BOOT
    resize/move mmcblk1p2 to fill all remaining free space
move files to /boot
    sudo mkdir /mnt/boot; sudo mount /dev/mmcblk1p1 /mnt/boot
    sudo mkdir /mnt/root; sudo mount /dev/mmcblk1p2 /mnt/root
    cd /mnt/boot
    sudo mv /mnt/root/boot/* /mnt/boot
set automount for boot partition
    sudo nano /mnt/root/etc/fstab
        /dev/mmcblk1p1 /boot ext4 defaults 0 2
configure bootloader
    get PARTUUID, for me it's 781b2cf9-02
        sudo blkid|grep mmcblk1p2
    add PARTUUID for root and remove /boot/ folder from 3 lines
        cd /mnt/boot/
        sudo nano boot.txt
            #setenv bootargs console=ttyS2,1500000n8 root=PARTUUID=${uuid} rw rootwait bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash append video=eDP-1:1920x1080@60
            setenv bootargs console=ttyS2,1500000n8 root=PARTUUID=781b2cf9-02 rw rootwait bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash append video=eDP-1:1920x1080@60

            #if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} /boot/Image; then
            if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} Image; then
               #if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} /boot/dtbs/${fdtfile}; then
               if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} dtbs/${fdtfile}; then

                  #if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} /boot/initramfs-linux.img; then
                  if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} initramfs-linux.img; then

    sudo apt install u-boot-tools
    sudo ./mkscr
boot to manjaro on sdcard

============
encrypt root
============
boot to manjaro on sdcard
add modules & hooks to initram
(the order the modules and hooks are loaded is important)
    sudo nano /etc/mkinitcpio.conf
        MODULES=(panfrost rockchipdrm drm_kms_helper hantro_vpu analogix_dp rockchip_rga panel_simple arc_uart cw2015_battery i2c-hid iscsi_boot_sysfs jsm pwm_bl uhid)
        BINARIES=()
        FILES=()
        HOOKS=(base udev keyboard autodetect keymap modconf block encrypt filesystems fsck)
        COMPRESSION="cat"        
    sudo mkinitcpio -P
boot to debian on emmc
encrypt existing partition in place with luks
    make sure mmcblk1p2 is not mounted
    sudo e2fsck -f /dev/mmcblk1p2
    sudo resize2fs -M /dev/mmcblk1p2
    sudo cryptsetup-reencrypt /dev/mmcblk1p2 --new --reduce-device-size 16M
    sudo cryptsetup open /dev/mmcblk1p2 cryptroot
    sudo resize2fs /dev/mapper/cryptroot
    sudo mount /dev/mapper/cryptroot /mnt/root
configure bootloader
    get UUID for mmcblk1p2
        sudo blkid|grep mmcblk1p2
        get UUID root, for me it's 6d1c2895-f2c2-477f-8415-b04f7a4641da
    change kernel parameters for encrypted root including display to console & disable splash
        sudo mount /dev/mmcblk1p1 /mnt/boot
        cd /mnt/boot
        sudo nano boot.txt
            # setenv bootargs console=ttyS2,1500000n8 root=PARTUUID=781b2cf9-02 rw rootwait bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash append video=eDP-1:1920x1080@60
            setenv bootargs console=tty1 root=/dev/mapper/cryptroot cryptdevice=UUID=0d739f2d-92af-40ec-bd8b-c8f241e6a2ce:cryptroot:allow-discards rw rootwait quiet append video=eDP-1:1920x1080@60

            #booti ${kernel_addr_r} - ${fdt_addr_r};
            booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};

        sudo ./mkscr
reboot to manjaro on sdcard
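
A pre-reboot check for the recipe above, as an added example that is not part of the original post: it verifies that the `cryptdevice=` UUID in `boot.txt` is the LUKS UUID that `blkid` reports, that `root=` names the same mapper device, and that `HOOKS` keeps the recipe's relative order around `encrypt`. The function names, sample files and placeholder UUID are constructed for illustration.

```shell
# Added example; function names are illustrative, not from the post.
# bootarg prints one kernel parameter from the last active "setenv bootargs"
# line; commented-out lines are ignored.
bootarg() {  # $1 = boot.txt, $2 = parameter name
    grep -E '^[[:space:]]*setenv[[:space:]]+bootargs' "$1" | tail -n 1 |
        tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# cryptdevice=UUID=<uuid>:<name>[:options] must carry the LUKS container's
# UUID, and root= must point at /dev/mapper/<name>.
check_cryptdevice() {  # $1 = boot.txt, $2 = LUKS UUID reported by blkid
    cd_arg=$(bootarg "$1" cryptdevice); root_arg=$(bootarg "$1" root)
    uuid=$(printf '%s\n' "$cd_arg" | sed -n 's/^UUID=\([^:]*\):.*/\1/p')
    name=$(printf '%s\n' "$cd_arg" | cut -d: -f2)
    [ -n "$uuid" ] || { echo "no cryptdevice=UUID=<uuid>:<name>"; return 1; }
    [ "$root_arg" = "/dev/mapper/$name" ] || { echo "root= does not match $name"; return 1; }
    [ "$uuid" = "$2" ] || { echo "cryptdevice UUID is not the LUKS UUID"; return 1; }
    echo ok
}

hook_pos() {  # $1 = hook name, rest = hook list; prints 1-based index or 0
    want=$1; shift; i=0
    for h in "$@"; do
        i=$((i + 1))
        if [ "$h" = "$want" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# Same relative order as the recipe's HOOKS line: udev, keyboard, keymap and
# block ahead of encrypt, filesystems after it.
check_hooks() {  # $1 = mkinitcpio.conf
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1" | tail -n 1)
    e=$(hook_pos encrypt $hooks)
    [ "$e" -gt 0 ] || { echo "encrypt hook missing"; return 1; }
    for b in udev keyboard keymap block; do
        p=$(hook_pos "$b" $hooks)
        if [ "$p" -eq 0 ] || [ "$p" -gt "$e" ]; then echo "$b not before encrypt"; return 1; fi
    done
    [ "$(hook_pos filesystems $hooks)" -gt "$e" ] || { echo "filesystems not after encrypt"; return 1; }
    echo ok
}

# Constructed sample files with a placeholder UUID (not the post's values).
SAMPLE_DIR=$(mktemp -d); LUKS_UUID=11111111-2222-3333-4444-555555555555
printf '%s\n' '# setenv bootargs root=PARTUUID=aaaaaaaa-02 rw rootwait' \
    "setenv bootargs console=tty1 root=/dev/mapper/cryptroot cryptdevice=UUID=$LUKS_UUID:cryptroot:allow-discards rw rootwait" \
    > "$SAMPLE_DIR/boot.txt"
echo 'HOOKS=(base udev keyboard autodetect keymap modconf block encrypt filesystems fsck)' > "$SAMPLE_DIR/mkinitcpio.conf"
check_cryptdevice "$SAMPLE_DIR/boot.txt" "$LUKS_UUID" && check_hooks "$SAMPLE_DIR/mkinitcpio.conf"
```

On the real system, point the checks at `/mnt/boot/boot.txt` and `/mnt/root/etc/mkinitcpio.conf` and pass the UUID that `sudo blkid` prints for the encrypted partition.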


Messages In This Thread
full disk encryption with luks on manjaro xfce - by limxr - 02-06-2020, 10:27 PM
