Full Disk Encryption
So I got FDE mostly working, according to that guide (https://wiki.mobian-project.org/doku.php?id=security). It's rather involved and the guide isn't complete.

edit - apparently I'm super late to the party - this script is a more complete version of what I've been doing.
https://gitlab.com/-/snippets/2027389

A small addendum follows, since the guide is incomplete. It assumes a Debian laptop with the target image mounted at /mnt/target.

If you're running this on your x86(_64) computer, you will need qemu-user-mode emulation, but don't fret. It's super easy. Use your package manager to install 'binfmt-support' and 'qemu-user-static' (or whatever your distro calls it - check pkgs.org). You should have a binary in /usr/bin/ called qemu-aarch64-static or something like that. Copy it to your target, i.e. /mnt/target/.

Copy your /etc/resolv.conf into the target as well. Then bind mounts to get things like update-initramfs working:
  • mount --types proc /proc /mnt/target/proc
  • mount --rbind /dev /mnt/target/dev
  • mount --rbind /sys /mnt/target/sys
Next, you'll need to download a file - the 'osk-sdl' keyboard package - from this releases page. It's a precompiled .deb for arm64. Since you're now root inside your image, you can just wget the latest release and then run apt install ./osk-sdk_arm64.deb -y to install the package. You WILL need to remove the cryptsetup-initramfs package, if the , so 'apt remove' it.

Run update-initramfs -u, and then edit /etc/default/u-boot with an editor (vim/nano). You will need to replace the U_BOOT_PARAMETERS with this line:

U_BOOT_PARAMETERS="osk-sdl-root=/dev/mmcblk0p2 osk-sdl-root-name=pine root=/dev/mapper/pine console=ttyS0,115200 consoleblank=0 loglevel=7 rw plymouth.ignore-serial-consoles vt.global_cursor_default=0"

This will instruct the bootloader, u-boot, to use osk-sdl during the boot process. Next, run u-boot-update for u-boot to regenerate its config file from the one you just edited. The config file lives in /boot/extlinux/extlinux.conf for Mobian.

Make sure you also edit this file and ensure that the 'append' line does not begin with 'root=UUID....'. If so, just delete that section, and make sure osk-sdl's entries are first. Mine looks like this:
append osk-sdl-root=/dev/mmcblk0p2 osk-sdl-root-name=pine root=/dev/mapper/pine console=ttyS0,115200 consoleblank=0 loglevel=7 rw plymouth.ignore-serial-consoles vt.global_cursor_default=0


I've noticed every time u-boot-update runs it will add 'root=UUID=.....' to the append line. I just go into the /boot/extlinux/extlinux.conf and delete it, and it seems to now work fine.

If you're flashing to the emmc, replace /dev/mmcblk0p2 with /dev/mmcblk2p2.


Some quirks compared to PostmarketOS: If you enter your LUKS passphrase wrong, you have to reboot and try again. The keyboard behaves very weirdly after a failure.

Let me know if FDE on Mobian works for you?
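
The append-line cleanup described in the post, as an added example that is not part of the original post or the linked script: it drops the root=UUID=... token that u-boot-update re-adds and checks that the osk-sdl entries come first. The function names, the sample file contents and the all-zero UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# Write a CONSTRUCTED extlinux.conf sample (made-up UUID and paths) to $1,
# shaped like the file after u-boot-update has re-added root=UUID=...
make_sample() {
    cat > "$1" <<'EOF'
label l0
    linux /boot/vmlinuz
    initrd /boot/initrd.img
    append root=UUID=00000000-0000-0000-0000-000000000000 osk-sdl-root=/dev/mmcblk0p2 osk-sdl-root-name=pine root=/dev/mapper/pine console=ttyS0,115200 consoleblank=0 loglevel=7 rw plymouth.ignore-serial-consoles vt.global_cursor_default=0
EOF
}

# Print file $1 with every root=UUID=... token dropped from 'append' lines.
strip_root_uuid() {
    awk '
    $1 == "append" {
        match($0, /^[ \t]*/)                      # keep original indentation
        out = substr($0, 1, RLENGTH) "append"
        for (i = 2; i <= NF; i++)
            if ($i !~ /^root=UUID=/) out = out " " $i
        print out
        next
    }
    { print }' "$1"
}

# Succeed only if an append line exists, each one starts with osk-sdl-root=
# and none carries a root=UUID= token.
check_append() {
    awk '
    $1 == "append" {
        seen = 1
        if ($2 !~ /^osk-sdl-root=/) bad = 1
        for (i = 2; i <= NF; i++) if ($i ~ /^root=UUID=/) bad = 1
    }
    END { exit !(seen && !bad) }' "$1"
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
strip_root_uuid "$sample" > "$sample.fixed"
check_append "$sample.fixed" && echo "append line OK"
rm -f "$sample" "$sample.fixed"
```

On a real image, run check_append against /boot/extlinux/extlinux.conf after each u-boot-update, and keep a backup before writing the stripped output back.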

