Full disk encryption with LUKS in manjaro-arm-installer

Hi folks,
FDE with LUKS is a must for me, so I've started to stop complaining and trying to collaborate instead :)
I'm using a Manjaro x86_64 VM and I've been able to 'install' it in a virtual disk but there are still things to do, like the mkinitrd, boot and fstab stuff. Is anyone else interested?


I got it working \o/
What would be the best way to submit a PR to the manjaro-arm-installer repo?

Edit: FWIW here is the patch https://gist.github.com/e-minguez/5287bc266df29d418d8b2b21248b8405


While it is being merged (or not), here is a quick howto:

  • a Manjaro x86_64 VM with X (see https://gitlab.manjaro.org/man...jaro-arm-installer/-/issues/10 for the reason behind the X requirement) with an extra disk (in my case, I've used an 8 GB empty qcow2 file mapped as SATA, so it is /dev/sda in the VM)

  • ssh into it

  • clone the https://gitlab.manjaro.org/man...ications/manjaro-arm-installer repo

  • install the required packages (dialog and manjaro-arm-qemu-static in my case)

  • apply the patch (git apply)

  • run export CRYPT=y, then the installer. It will ask you for user/pass/software selection/keyboard/etc., then the LUKS password twice (the first time to create the device, the second time to mount it)

Then, power off the Manjaro VM, plug a microSD into your computer and convert the qcow2 image into a raw one, then flash it to your microSD (or do it at once as qemu-img convert -f qcow2 -O raw manjaro-usb.qcow2 /dev/mmcblkX)

Plug it into your PBP and profit!

In order to resize the LUKS partition:

  • parted /dev/mmcblkX, then resizepart NUMBER END (in my case, partition = 2, end = 125GB)
  • cryptsetup resize /dev/mapper/ROOT_MNJRO
  • resize2fs /dev/mapper/ROOT_MNJRO



It's been merged! https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer

Any volunteers to give it a try (besides myself)? It only works for the Pinebook Pro but can be extended easily for other devices I guess; you only need to find out which kernel modules are required to be added to the initrd to show the screen and support keyboard input.


Hey @eminguez and thank you so much for making this!

I am wondering at which point it should ask me for the drive encryption password. I've now tried several combinations and I have never been asked for a drive encryption password.

I tried Manjaro in a VM and a qcow-disk as you described, once with CRYPT=y and once with CRYPT="y" (well aware that this should not make a difference and it did not) and also once with the repo version of manjaro-arm-installer and once with the cloned git version.

When I tried using the git version I checked to make sure that the crypto-merge-commit was in fact there and it was. I still had no luck getting it to ask me for an encryption key.

Do you have any tips?

In case anyone else runs into this problem: A temporary workaround is replacing all instances of $CRYPT (case-sensitive) with y or any non-zero string in the git-cloned version. This will force the selection of all crypto-relevant procedures.


Try with export CRYPT=y, then run the script with sh -x to see what is happening under the hood.

Hey, I've also been scratching my head regarding the encryption password. I tried the workaround and it works. Thanks for that @athena.

The installation I had before was really simple and I've been waiting to encrypt my eMMC with LUKS for some time now (super happy).

The only differences I can see so far are that tap to click is not working by default and, when I run my macchanger systemd service file, the kernel tells me:

ieee80211 phy0: brcmf_netdev_set_mac_address: Setting cur_etheraddr failed, -52

The service file is working fine when using the regular Pinebook Pro Xfce Manjaro.img. Also, thanks to @eminguez, I've seen your posts regarding the LUKS support for eMMC, good job!


It should work without any workarounds, just:

git clone https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer.git
export CRYPT="y"
bash -x manjaro-arm-installer/manjaro-arm-installer

The wizard will ask you the 'regular Manjaro' stuff, then cryptsetup will ask you for the LUKS password twice.

The export CRYPT="y" part is all mentioned in the README on the gitlab page for the project:

Running the unmodified latest script pulled from git using bash -x yields the following relevant results (sh is not compatible with this script, therefore I used bash).

The if-statements seem to believe that $CRYPT is empty, even though I definitely ran export CRYPT=y before and checked its value by running echo $CRYPT which returned y both before and after running the script.

Relevant Results:

==> Getting /dev/sdb ready for pbpro...
+ umount /dev/sdb1
+ umount /dev/sdb2
+ dd if=/dev/zero of=/dev/sdb bs=1M count=32
+ parted -s /dev/sdb mklabel msdos
+ parted -s /dev/sdb mkpart primary fat32 32M 256M
++ cat /sys/block/sdb/sdb1/start
+ START=62500
++ cat /sys/block/sdb/sdb1/size
+ SIZE=437501
++ expr 62500 + 437501
+ END_SECTOR=500001
+ parted -s /dev/sdb mkpart primary ext4 500001s 100%
+ partprobe /dev/sdb
+ mkfs.vfat /dev/sdb1 -n BOOT_MNJRO
+ '[' -z '' ']'
+ mkfs.ext4 -O '^metadata_csum,^64bit' /dev/sdb2 -L ROOT_MNJRO
+ mkdir -p /var/tmp/manjaro-arm-installer/root
+ mkdir -p /var/tmp/manjaro-arm-installer/boot
+ mount /dev/sdb1 /var/tmp/manjaro-arm-installer/boot
+ '[' -z '' ']'
+ mount /dev/sdb2 /var/tmp/manjaro-arm-installer/root
+ create_install
+ msg 'Creating install for pbpro...'
+ ALL_OFF='\e[1;0m'
+ BOLD='\e[1;1m'
+ GREEN='\e[1;1m\e[1;32m'
+ local 'mesg=Creating install for pbpro...'
+ shift
+ printf '\e[1;1m\e[1;32m==>\e[1;0m\e[1;1m Creating install for pbpro...\e[1;0m\n'

As you can see, the lines with the if-statements are checking an empty string. Just as a sanity check I made sure the script actually checks $CRYPT in these places and it does (as expected, since I freshly pulled it from git into a new folder).

What's going on here? Is it perhaps related to running the script with sudo bash -x ./manjaro-arm-installer and therefore spawning a new instance of bash which does not have the previously exported $CRYPT value? How could I check or circumvent this and then use this information to make the instructions work more consistently?

It’s because of the sudo... AFAIR you have to use the flag -E with sudo to preserve the actual environment variables of your non-root session: https://linux.die.net/man/8/sudo.

sudo -E ./manjaro-arm-installer

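The environment loss diagnosed above, reproduced as an added example that is not part of the original posts or of the installer. Here env -i stands in for sudo's default environment reset so it runs without root; the function names and the require_crypt_choice guard are hypothetical, and passing CRYPT=y on the sudo command line assumes the sudoers policy permits it.

```shell
#!/bin/sh
# Added example, not code from manjaro-arm-installer.
# The same test the trace shows as  + '[' -z '' ']'  run in a child process:
# an empty CRYPT silently selects the unencrypted ext4 path.
CHILD='if [ -z "$CRYPT" ]; then echo plain; else echo luks; fi'

# Child inherits the caller's exported variables (what sudo -E gives you).
decide_preserved() { sh -c "$CHILD"; }

# Child starts from a scrubbed environment (plain sudo with env_reset).
decide_scrubbed() { env -i PATH="$PATH" sh -c "$CHILD"; }

# Variable handed over explicitly (like: sudo CRYPT=y ./manjaro-arm-installer).
decide_explicit() { env -i PATH="$PATH" CRYPT="$CRYPT" sh -c "$CHILD"; }

# Hypothetical guard: stop instead of silently producing an unencrypted
# install when the choice never reached this process.
require_crypt_choice() {
    case "${CRYPT-}" in
        y|n) return 0 ;;
        *)
            echo "CRYPT is '${CRYPT-}'; set it to y or n (with sudo, use -E)" >&2
            return 1
            ;;
    esac
}

export CRYPT=y
echo "env preserved:     $(decide_preserved)"
echo "env scrubbed:      $(decide_scrubbed)"
echo "passed explicitly: $(decide_explicit)"

# To check a real sudo setup (needs root, so left as a comment):
#   sudo sh -c 'echo "CRYPT=${CRYPT-<unset>}"'
#   sudo -E sh -c 'echo "CRYPT=${CRYPT-<unset>}"'
```

With sudo's default policy the first commented command prints CRYPT=<unset> and the second prints CRYPT=y, which matches the empty test in the bash -x trace.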

Maybe we should just incorporate a dialog box that asks if users want to encrypt their install, and if yes set the CRYPT variable.

