PineBook Pro LUKS encryption

Hey guys,

I'm just wondering if anyone has had any luck with encrypting the Manjaro ARM install on a PBP. I've found a lot of resources online but I'm not familiar with ARM and have not had much success.

This is where I've started and it seems like it has most of the information I need. However, some things are a little different (like step 9 with /boot/config.txt) and I don't have enough experience to figure it out on my own. I've started over probably 8+ different times now and spent hours trying to rescue the system just to see what's wrong, but no bueno.

Basically, I just want to have your typical LUKS encrypted install: /boot being unencrypted and everything else stuffed under one LUKS encrypted partition.

On my desktop I run CentOS 7 and I have a detached LUKS header and a keyfile on a USB stick to unlock the disk. This means I just plug in my USB, boot my desktop and after a bit of waiting I'm at the login screen. I'd love to get to this point on the PineBook Pro too, but I can't even get it to boot with a LUKS encrypted disk.

You are right. ARM is much different in this way.

Specifically for the Pinebook Pro, we only use 1 partition, so you can't really have an unencrypted /boot, unless you change the partition layout yourself.
Also, the Pinebook Pro does not have a /boot/config.txt. That's a file specific to the Raspberry Pi devices.

I don't have any experience setting up encryption on ARM devices.

Also not sure that the USB device would be detected during the bootloader stage, since that depends on the bootloader's support for USB, which varies a lot.


Hey,

I'm also after encryption on the PBP. For me this is an absolutely crucial thing.
As for now I haven't tried this yet, but I think it should be possible considering the fact that crypt modules are present in /usr/lib/modules.

Take a look at that howto --> https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

Most important thing would be configuring mkinitcpio so it includes all the needed modules. And you would probably have to type a password on boot. The key on USB is not possible on PBP as for now.

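Since Manjaro ARM is Arch-based, "configuring mkinitcpio" for a LUKS root comes down to the HOOKS order in /etc/mkinitcpio.conf. The following is an added example (not from this thread or any poster) that checks a config file for the required order before you rebuild the initramfs; the sample configs it writes are constructed, and the display modules the thread mentions are not covered here.

```shell
#!/bin/sh
# Constructed example, not from the thread: check the HOOKS line of a
# mkinitcpio.conf before rebuilding the initramfs for a LUKS root. The
# encrypt hook needs keyboard before it (to type the passphrase) and
# filesystems after it (so the mapped device exists when root is mounted).

# hook_index FILE HOOK: print 1-based position of HOOK in HOOKS, 0 if absent.
hook_index() {
    hooks=$(sed -n -e 's/^HOOKS=(\(.*\))/\1/p' -e 's/^HOOKS="\(.*\)"/\1/p' "$1")
    i=0
    for h in $hooks; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# check_encrypt_hooks FILE: succeed only when keyboard < encrypt < filesystems.
check_encrypt_hooks() {
    kb=$(hook_index "$1" keyboard)
    enc=$(hook_index "$1" encrypt)
    fs=$(hook_index "$1" filesystems)
    if [ "$enc" -eq 0 ]; then
        echo "FAIL: no encrypt hook, a LUKS root cannot be opened"; return 1
    elif [ "$fs" -eq 0 ] || [ "$enc" -gt "$fs" ]; then
        echo "FAIL: encrypt must come before filesystems"; return 1
    elif [ "$kb" -eq 0 ] || [ "$kb" -gt "$enc" ]; then
        echo "FAIL: keyboard must come before encrypt"; return 1
    fi
    echo "OK: hook order is correct"
}

# sample_conf bad|good: write a constructed config to a temp file, print its path.
sample_conf() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        echo 'HOOKS=(base udev autodetect modconf block keyboard encrypt filesystems fsck)' > "$f"
    else
        echo 'HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)' > "$f"
    fi
    echo "$f"
}

for kind in bad good; do
    f=$(sample_conf "$kind")
    printf '%s config: ' "$kind"
    check_encrypt_hooks "$f"
    rm -f "$f"
done
```

Point check_encrypt_hooks at the real /etc/mkinitcpio.conf before running mkinitcpio -P.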

Thanks @Strit. Not just for the reply but for everything! I plan to use Manjaro ARM on both my phone and laptop. :slight_smile:

...

I have no problems with partitions/setting up the disks, rebuilding the initramfs to have the encryption modules, Creating a LUKS Volume, resizing it, etc, etc... on CentOS. I've even reinstalled my x86_64 laptop with Manjaro without a problem, Encrypting the disk exactly like I want on the PBP.

For whatever reason the PBP is completely different and I can't seem to figure it out, which is why I'm hopeful someone has. Last night I flashed a new SD card, made a second partition on the SD card, then I booted into Manjaro and set it up. I left ~5GB for it to expand into and set up (so I could do updates and get vim on there). This is all fine.

While booted into Manjaro on the SD card I set up p2 (on the same SD). Just a simple ext4 partition. I added the /etc/fstab entry using the UUID and ran mount -a to test it. No problem. So I rebooted and now it doesn't boot... So I'm just doing something completely wrong... I set up the console cable last night before I went to bed and I'll try again from the console after work. Hopefully it's something simple.

If I get it I'll write a quick wiki for everyone else but it doesn't seem like I'm making much progress.

Maybe the problem is that you changed partition numbers?
If it's the case you have to modify /boot/boot.txt and then run /boot/mkscr script to generate new /boot/boot.scr. Uboot searches for that file during boot sequence.

No, It should have stayed the same. Regardless I was using the UUID and that was the same across reboots.

In any case, I later commented out the fstab entry and it still would not work. I got the boot screen (the Manjaro logo) and it just kept loading. I was unable to find the logs or anything to point out a problem and even after I commented the fstab entry it still wouldn't boot. Which means it has to be the partitions?!? but it worked before I added the line to fstab....

I then reflashed the eMMC, set it up, did nothing but format an SD card. Rebooted and had no problem, so I added the UUID to fstab, tested it (with mount -a), it worked, so I rebooted and it still would not boot. Again, I removed the fstab entry (booted from a different SD card) and tried again but no good... I also couldn't find any logs to say what the problem is. I'm sure it's me, I just can't figure it out. I've been a Linux system administrator for 5+ years now and I never expected this to be so hard.

I shouldn't have to generate a new boot.scr when I edit the fstab, should I??

...so, I've given up for now. Hopefully someone will see this and let me know what process they took to get Manjaro ARM LUKS encrypted on the PBP. I've started using the PBP for the purpose I bought it. It's just that everything is under / and not encrypted. Not ideal, but it's no problem.

I played with encryption a bit today. And I got only to the point where I had:

/dev/nvme0n1p1 /boot - ext4 partition
/dev/nvme0n1p2 / - ext4 partition
/dev/nvme0n1p3 /testluks - luks partition

I could mount testluks on boot without problems but mounting rootfs on luks wasn't successful. I think mounting root by the kernel is too early to even display password prompt.

Just in case, the pinebook pro debian unofficial installer does support FDE with LUKS, see https://github.com/daniel-thompson/pinebook-pro-debian-installer
Probably it is just a matter of translating the procedure to Manjaro.
HTH

I have already managed to get encrypted rootfs working on Manjaro.
Bottom line is to use syslinux/extlinux for boot and dracut to create initrd image. With mkinitcpio I couldn't get display working soon enough.
The only caveat is slow booting because of big cores not being brought online with their proper frequency.
I might write some small howto soon.

Cool! WRT the slow booting, see also here https://github.com/daniel-thompson/pinebook-pro-debian-installer#hacks and https://github.com/daniel-thompson/pinebook-pro-debian-installer/blob/master/etc/tmpfiles.d/00-enable-big-cores.conf as it is being done there.

I managed to get encrypted home folder with luks on manjaro but not the whole filesystem. Of course you could also use a stacked filesystem encryption for home with something like ecryptfs or encfs but I prefer block level.

Here are rough steps I performed on the Pinebook Pro with the default Debian MATE on eMMC and a 256GB SD card with a Manjaro XFCE image. I booted once into Manjaro on the SD card to set up the user first.

boot to debian on emmc
use gparted
    for me, resizing root partition with fdisk made sdcard unbootable
shrink root partition & add 2nd partition for home
   for example I did, p1 root  = 48g; p2 home = 191g
boot to manjaro on sdcard 
create crypt on 2nd partition
    sudo cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/mmcblk1p2
    sudo cryptsetup luksOpen /dev/mmcblk1p2 homecrypt
    sudo mkfs.ext4 -m 0 /dev/mapper/homecrypt
copy home files to crypt
    sudo mkdir /mnt/newhome
    sudo mount /dev/mapper/homecrypt /mnt/newhome
    sudo rsync -avzH /home/<username>/ /mnt/newhome
set up auto mount at login
    sudo nano /etc/fstab
        /dev/mmcblk1p1 / ext4 defaults 0 1
        /dev/mapper/homecrypt /home/<username> ext4 rw,noatime,noauto 0 2
    sudo nano /etc/pam.d/system-login
        add below line "auth include system-auth"
             auth  optional  pam_exec.so expose_authtok /etc/pam_cryptsetup.sh
        add below line "session  include system-auth"
             session  optional  pam_exec.so /etc/pam_cryptsetup.sh
        create script, substitute your actual username
        sudo nano /etc/pam_cryptsetup.sh
        #!/bin/sh
        # Called by pam_exec at auth (with the password on stdin via expose_authtok)
        # and again at session; the -e test skips cryptsetup once the mapper exists.
        CRYPT_USER="<username>"
        MAPPER="/dev/mapper/homecrypt"
        # POSIX sh compares strings with a single "=" ("==" fails under dash)
        if [ "$PAM_USER" = "$CRYPT_USER" ] && [ ! -e "$MAPPER" ]
        then
          # the token arrives NUL-terminated; turn it into the newline cryptsetup expects
          tr '\0' '\n' | /usr/bin/cryptsetup open /dev/mmcblk1p2 homecrypt
        fi
    sudo chmod +x /etc/pam_cryptsetup.sh
    reboot

@eminguez I've seen and tried it. The machine boots much faster but after boot refuses to bring the big cores online. Whether from /etc/tmpfiles.d or manually...
I think I can live with slow boot as long as my files are encrypted :wink:

I think it must have something to do with the u-boot I'm using (the one with the NVMe patch). This doesn't happen when I use boot.scr, but that way it's impossible to get the display up soon enough to enter the password. So I switched to syslinux/extlinux and I have a slow boot now.

Just came upon this discussion and thought maybe the following gist could be useful for some:

It's pretty much a quickly cobbled together extract from a few weeks ago from my configs to get LUKS FDE working with u-boot on the PBP. Mostly the issue was that mkinitramfs didn't include some of the modules required for the display and that the default manjaro boot.txt doesn't seem to actually load the initramfs at all.

This is a configuration using unencrypted /boot and one large encrypted partition with lvm management once decrypted (for a swap partition etc.).

Boots quickly :smiley:

Thanks @fff!
Your configuration helped me get LUKS FDE working with the Manjaro XFCE image on the Pinebook Pro. I posted my recipe over on the pine64 forums in the section for Pinebook Pro tutorials.

https://forum.pine64.org/showthread.php?tid=9052
