Howto Full disk encryption manjaro and detached header (with keyboard)
This is a howto, from following the arch wiki, on how to encrypt the root partition with LUKS.

I'm using a Pinephone Pro with a keyboard, but you could probably explore other methods if a keyboard is not available.

The SD card will contain the boot partition and the detached LUKS header. If it is removed, the eMMC carries no header that could be used to unlock it, so there should be no way to access the phone or even to tell what kind of data is present.

The internal eMMC will contain the encrypted LUKS volume.


Boot the phone from the Manjaro SD and then fill the eMMC disk with random-looking data. Writing zeros through a throwaway plain dm-crypt mapping keyed from /dev/urandom leaves the whole disk looking like random bytes, so the encrypted volume created later cannot be distinguished from unused space.
Code:
# map the whole eMMC with a one-time random key (plain mode, no header)
cryptsetup open --type plain -d /dev/urandom /dev/mmcblk2 to_be_wiped
# zeros written through the mapping land on the disk as random ciphertext
dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress
(https://wiki.archlinux.org/title/Dm-cryp..._partition)


Format the eMMC as an encrypted disk and save our header file to the SD card's boot partition instead of the eMMC itself
Code:
# --header writes the LUKS header to the given file; nothing identifying LUKS is written to /dev/mmcblk2
cryptsetup luksFormat /dev/mmcblk2 --header /boot/header.img
(https://wiki.archlinux.org/title/Dm-cryp...UKS_header)


I was not able to get LVM to work from the Manjaro SD (2022-03-09). Creating an lvm volume group and volume worked, but after the disk was closed, the LVM volume group would not be detected when it was re-opened. I created a single partition instead.
Code:
# open the volume using the detached header and create the root filesystem on the mapped device
cryptsetup open /dev/mmcblk2 crypt --header /boot/header.img
mkfs.ext4 /dev/mapper/crypt


Update our initramfs image
Follow the steps in https://wiki.archlinux.org/title/Dm-cryp...crypt_hook to copy and modify the 'encrypt' hook to a custom 'encrypt2' hook that supports our detached header, and then modify mkinitcpio.conf so that the header file is embedded in the initramfs and the new hook runs in place of 'encrypt'
Code:
/etc/mkinitcpio.conf
...
FILES=(/boot/header.img)
...
HOOKS=(base udev keyboard autodetect keymap modconf block encrypt2 shell filesystems fsck)
Make sure to remove the bootsplash-manjaro hook, so that we can see the password prompt.

Copy the system on the SD card to the encrypted partition and resize it to fit the remaining space
Code:
# raw copy of the SD root partition into the opened LUKS volume
dd if=/dev/mmcblk1p2 of=/dev/mapper/crypt bs=4096
# grow the copied ext4 filesystem to the full size of the mapped device
resize2fs /dev/mapper/crypt


Update the bootloader to boot our new system. The cryptdevice= parameter names the raw eMMC device, the mapper name the hook should create, and the 'header' option that tells our encrypt2 hook to use the header file shipped in the initramfs.
Code:
/boot/boot.txt
...
setenv bootargs loglevel=4 console=tty0 console=${console} earlycon=uart8250,mmio32,0xff1a0000 consoleblank=0 boot=PARTUUID=${uuid_boot} root=/dev/mapper/crypt cryptdevice=/dev/mmcblk2:crypt:header rw rootwait quiet audit=0
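To show how the 'encrypt2' hook from the initramfs step and the cryptdevice= value in boot.txt fit together, here is an added example (not the Arch 'encrypt' hook, nor the author's encrypt2 copy) that re-implements, in simplified form, the parsing an initramfs hook does on that parameter: it splits device:name:options, recognises the 'header' option and turns it into the cryptsetup command line the hook would run. It assumes the header lives at /boot/header.img as in this howto, and that the only options understood are 'header' and 'allow-discards'; the real hook handles more.

```shell
#!/bin/sh
# Added example, not the Arch encrypt hook or this howto's encrypt2 hook.
# Simplified re-implementation of how an initramfs hook turns the
# cryptdevice= kernel parameter into cryptsetup arguments.
# Assumption: the detached header was embedded via FILES=(/boot/header.img).
HEADER_IMG=/boot/header.img

# cryptdevice_from_bootargs BOOTARGS
# Prints the value of the cryptdevice= word in a kernel command line.
cryptdevice_from_bootargs() {
    for word in $1; do
        case $word in
            cryptdevice=*) printf '%s\n' "${word#cryptdevice=}"; return 0 ;;
        esac
    done
    return 1
}

# parse_cryptdevice VALUE
# VALUE has the form device:dmname[:option[:option...]] (encrypt hook syntax).
# Prints the "cryptsetup open" command the hook would run; returns 1 on bad input.
parse_cryptdevice() {
    value=$1
    dev=${value%%:*}                 # everything before the first ':'
    rest=${value#"$dev"}
    rest=${rest#:}
    name=${rest%%:*}                 # mapper name, e.g. "crypt"
    opts=${rest#"$name"}
    opts=${opts#:}                   # remaining ':'-separated options
    if [ -z "$dev" ] || [ -z "$name" ]; then
        echo "cryptdevice: expected device:name[:options]" >&2
        return 1
    fi
    args=""
    old_ifs=$IFS
    IFS=:
    for opt in $opts; do
        case $opt in
            header)         args="$args --header $HEADER_IMG" ;;  # detached header (assumed option name)
            allow-discards) args="$args --allow-discards" ;;
            *) echo "cryptdevice: ignoring unknown option '$opt'" >&2 ;;
        esac
    done
    IFS=$old_ifs
    printf 'cryptsetup open %s %s%s\n' "$dev" "$name" "$args"
}

# Demonstration on the bootargs line from this howto's boot.txt (constructed input).
demo_bootargs='loglevel=4 root=/dev/mapper/crypt cryptdevice=/dev/mmcblk2:crypt:header rw rootwait'
demo_value=$(cryptdevice_from_bootargs "$demo_bootargs")
echo "cryptdevice parameter: $demo_value"
parse_cryptdevice "$demo_value"
```

Running it on the howto's bootargs prints `cryptsetup open /dev/mmcblk2 crypt --header /boot/header.img`, which is exactly the command used by hand in the earlier steps; without the 'header' option the hook would try to read a LUKS header from /dev/mmcblk2 and fail, since the wipe step left nothing there but random data.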


Finally build the initramfs (which now embeds the header file and the encrypt2 hook) and regenerate boot.scr from boot.txt
Code:
mkinitcpio -P
ppp-uboot-mkscr


After reboot, we should have a password prompt and boot into our encrypted system.

The /dev/mmcblk1p2 partition can be wiped and used for something else.