Full disk encryption with LUKS in manjaro-arm-installer

Hi folks,
FDE with LUKS is a must for me, so I've started to stop complaining and trying to collaborate instead :)
I'm using a Manjaro x86_64 VM and I've been able to 'install' it in a virtual disk but there are still things to do, like the mkinitrd, boot and fstab stuff. Is anyone else interested?
Thanks!

2 Likes

I got it working \o/
What would be the best way to submit a PR to the manjaro-arm-installer repo?
Thanks.

Edit: FWIW here is the patch https://gist.github.com/e-minguez/5287bc266df29d418d8b2b21248b8405

3 Likes

Meanwhile it is being merged (or not), here is a quick howto:

  • a manjaro x86_64 VM with X (see https://gitlab.manjaro.org/man...jaro-arm-installer/-/issues/10 for the reason behind the X requirement) with an extra disk (in my case, I've used a 8gb qcow2 empty file mapped as sata, so it is /dev/sda in the VM)

  • ssh into it

  • clone the https://gitlab.manjaro.org/man...ications/manjaro-arm-installer repo

  • install the required packages (dialog and manjaro-arm-qemu-static in my case)

  • apply the patch (git apply)

  • run export CRYPT=y, then the installer. It will ask you user/pass/software selection/keyboard/etc. then the luks password twice (first one to create the device, the second one to mount it)

Then, power off the manjaro VM, plug a microsd into your computer and convert the qcow2 image into a raw one, then flash it to your microsd (or do it at once as qemu-img convert -f qcow2 -O raw manjaro-usb.qcow2 /dev/mmcblkX)

Plug it into your pbp and profit!

In order to resize the luks partition:

  • parted /dev/mmcblkX, then resizepart NUMBER END (in my case, partition = 2, end = 125GB)
  • cryptsetup resize /dev/mapper/ROOT_MNJRO
  • resize2fs /dev/mapper/ROOT_MNJRO

HTH!

2 Likes

It's been merged! https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer

Any volunteers to give it a try (besides myself)? It only works for pinebook pro but can be extended easily for other devices I guess, you only need to find out which kernel modules are required to be added to initrd to show the screen and support the keyboard input.

4 Likes

Hey @eminguez and thank you so much for making this!

I am wondering at which point it should ask me for the drive encryption password, I've now tried several combinations and I have never been asked for a drive encryption password.

I tried Manjaro in a VM and a qcow-disk as you described, once with CRYPT=y and once with CRYPT="y" (well aware that this should not make a difference and it did not) and also once with the repo version of manjaro-arm-installer and once with the cloned git version.

When I tried using the git version I checked to make sure that the crypto-merge-commit was in fact there and it was. I still had no luck getting it to ask me for an encryption key.

Do you have any tips?

In case anyone else runs into this problem: A temporary workaround is replacing all instances of $CRYPT (case-sensitive) with y or any non-zero string in the git-cloned version. This will force the selection of all crypto-relevant procedures.

1 Like

Try with export CRYPT=y then running the script with sh -x to see what is happening under the hood

Hey, I've also been scratching my head regarding the encryption password. I tried the workaround and it works. Thanks for that @athena.

My installation I had before was really simple and I've been waiting for encrypting my eMMC with LUKS for some time now (super happy).

The only differences I can see so far are that tap to click is not working by default and when I run my macchanger systemd service file the kernel tells me:

ieee80211 phy0: brcmf_netdev_set_mac_address: Setting cur_etheraddr failed, -52

The service file is working fine when using the regular Pinebook Pro Xfce Manjaro.img. Also thanks to @eminguez I've seen your posts regarding the LUKS support for eMMC, good job!

1 Like

It should work without any workarounds, just:

git clone https://gitlab.manjaro.org/manjaro-arm/applications/manjaro-arm-installer.git
export CRYPT="y"
bash -x manjaro-arm-installer/manjaro-arm-installer

The wizard will ask you the 'regular Manjaro' stuff, then cryptsetup will ask you for the LUKS password twice.

The export CRYPT="y" part is all mentioned in the README on the gitlab page for the project:

Running the unmodified latest script pulled from git using bash -x yields the following relevant results (sh is not compatible with this script, therefore I used bash).

The if-statements seem to believe that $CRYPT is empty, even though I definitely ran export CRYPT=y before and checked its value by running echo $CRYPT which returned y both before and after running the script.

Relevant Results:

==> Getting /dev/sdb ready for pbpro...
+ umount /dev/sdb1
+ umount /dev/sdb2
+ dd if=/dev/zero of=/dev/sdb bs=1M count=32
+ parted -s /dev/sdb mklabel msdos
+ parted -s /dev/sdb mkpart primary fat32 32M 256M
++ cat /sys/block/sdb/sdb1/start
+ START=62500
++ cat /sys/block/sdb/sdb1/size
+ SIZE=437501
++ expr 62500 + 437501
+ END_SECTOR=500001
+ parted -s /dev/sdb mkpart primary ext4 500001s 100%
+ partprobe /dev/sdb
+ mkfs.vfat /dev/sdb1 -n BOOT_MNJRO
+ '[' -z '' ']'
+ mkfs.ext4 -O '^metadata_csum,^64bit' /dev/sdb2 -L ROOT_MNJRO
+ mkdir -p /var/tmp/manjaro-arm-installer/root
+ mkdir -p /var/tmp/manjaro-arm-installer/boot
+ mount /dev/sdb1 /var/tmp/manjaro-arm-installer/boot
+ '[' -z '' ']'
+ mount /dev/sdb2 /var/tmp/manjaro-arm-installer/root
+ create_install
+ msg 'Creating install for pbpro...'
+ ALL_OFF='\e[1;0m'
+ BOLD='\e[1;1m'
+ GREEN='\e[1;1m\e[1;32m'
+ local 'mesg=Creating install for pbpro...'
+ shift
+ printf '\e[1;1m\e[1;32m==>\e[1;0m\e[1;1m Creating install for pbpro...\e[1;0m\n'

As you can see, the lines with the if-statements are checking an empty string. Just as a sanity check I made sure the script actually checks $CRYPT in these places and it does (as expected, since I freshly pulled it from git into a new folder).

What's going on here? Is it perhaps related to running the script with sudo bash -x ./manjaro-arm-installer and therefore spawning a new instance of bash which does not have the previously exported $CRYPT value? How could I check or circumvent this and then use this information to make the instructions work more consistently?

It’s because of the sudo... AFAIR you have to use the flag -E with sudo to preserve the actual environment variables of your non-root session: https://linux.die.net/man/8/sudo.

sudo -E ./manjaro-arm-installer

1 Like
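
The failure mode discussed above, as an added example that is not part of the original posts or of manjaro-arm-installer: `env -i` stands in for sudo's default environment reset, and the `[ -z "$CRYPT" ]` test from the trace then silently selects the unencrypted path. `child_mode`, `require_crypt` and `is_luks` are hypothetical helpers; `is_luks` reads the LUKS header magic so an accidental plain ext4 root is caught before flashing.

```shell
#!/bin/sh
# Added example: child_mode, require_crypt and is_luks are hypothetical helpers,
# not functions from manjaro-arm-installer.

# The test visible in the trace ('[' -z "$CRYPT" ']'), as a snippet a child
# shell can run. An empty CRYPT selects the plain ext4 path.
CHECK='if [ -z "$CRYPT" ]; then echo plain; else echo luks; fi'

# reset:    child starts with an emptied environment (env -i), a stricter
#           stand-in for sudo's default environment reset
# preserve: child inherits the caller's environment, as with sudo -E
child_mode() {
    case "$1" in
        reset)    env -i /bin/sh -c "$CHECK" ;;
        preserve) /bin/sh -c "$CHECK" ;;
        *)        return 2 ;;
    esac
}

# Fail closed: stop instead of silently building an unencrypted image.
require_crypt() {
    [ -n "$CRYPT" ] || { echo "CRYPT is empty, refusing plain install" >&2; return 1; }
}

# Post-install check: a LUKS volume starts with the magic bytes "LUKS" 0xBA 0xBE.
# $1 is a partition or image file (reading a real partition needs root).
is_luks() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Demo with an exported CRYPT, as in the thread.
CRYPT=y; export CRYPT
echo "environment reset:     $(child_mode reset)"      # plain
echo "environment preserved: $(child_mode preserve)"   # luks
```
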

Maybe we should just incorporate a dialog box that asks if users want to encrypt their install, and if yes set the CRYPT variable.

4 Likes

This topic was automatically closed after 90 days. New replies are no longer allowed.
