Raspberry Pi 4 Full Disk Encryption on Manjaro XFCE ARM

I'm trying to do what this Kali Raspberry Pi Encryption Guide does on my Manjaro Raspberry Pi 4 XFCE 19.12.1 ARM installation but I'm not getting very far with it at all.

Has anyone done this that can give me some pointers or point me to a Manjaro-specific guide?

Also I don't want to have to enter a decryption password, it needs to be done automatically on boot.

I am sorry, but that seems to circumvent the entire purpose of having encryption on disk....
If it's automatically decrypted during boot, then why encrypt it at all?

I need to distribute cards in a way that content can't be looked at by simply putting them in a card reader, so they need to be encrypted, but they also need to not require interactive decryption, and I thought this was possible with LUKS by having a key file created within the file system, which I read about on an Ubuntu forum.

OK, the purpose of the encryption is probably obfuscation. If you have the encryption key on the card then anybody motivated enough will be able to find it and decrypt the disk. This defeats the purpose of encryption. Encryption is strong only if nobody knows the encryption key. Just wanted to point out that this might be easy to circumvent.

What if it's done using a hash of the combined Pi 4 serial number + the MicroSD card's serial (CID) number? The goal is to tie the memory card and the physical device together.

Perhaps a script run from the running system can obtain the two serials, create the hash / keyfile, then create a new image that gets written to another USB device.

Then write the image back to the original memory card.

Ethernet / Wi-Fi MAC addresses should be unique too.

The challenge is how to obfuscate the decryption code / script on the SD card so that it is not easy to see how it builds the encryption key. If the user can log in when the OS is running then he can read the unencrypted card.

This is a hard problem and I'm no expert in this. DVD and Blu-ray have been cracked even though they are pretty well encrypted. Maybe just give the user a license file and check for its presence when your software runs? You can tie the license to the hardware with encryption using those unique values found on the hardware of the Pi. Maybe better not tie the license to the SD card, since those break often.


Good points, I think I'll just end up tying the Pi 4 serial/MAC address to a customer ID server side and leave it at that and a license agreement instead.
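The key derivation proposed earlier in the thread (a hash of the Pi 4 serial combined with the MicroSD CID), as an added example that is not part of any post. It assumes the serial comes from the `Serial` line of `/proc/cpuinfo` and the CID from `/sys/block/mmcblk0/device/cid`; the sample values, the field labels and the length-prefixed encoding are constructed for illustration.

```python
import hashlib
import re

# Constructed sample inputs (not real device identifiers).
CPUINFO_SAMPLE = """\
Hardware\t: BCM2711
Revision\t: c03111
Serial\t\t: 10000000deadbeef
Model\t\t: Raspberry Pi 4 Model B Rev 1.1
"""
CID_SAMPLE = "035344534331364780aabbccdd012300\n"

def parse_pi_serial(cpuinfo_text):
    """Extract the 16-hex-digit board serial from /proc/cpuinfo content."""
    m = re.search(r"^Serial\s*:\s*([0-9a-fA-F]{16})\s*$", cpuinfo_text, re.MULTILINE)
    if not m:
        raise ValueError("no Serial line found in cpuinfo")
    return m.group(1).lower()

def parse_cid(cid_text):
    """Validate the 128-bit card identifier as 32 hex digits."""
    cid = cid_text.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}", cid):
        raise ValueError("CID must be 32 hex digits")
    return cid

def derive_keyfile(serial, cid):
    """Hash both identifiers into 32 bytes of keyfile material.

    Each field is labelled and length-prefixed so that no two different
    (serial, cid) pairs produce the same hash input. Both inputs can be
    read by anyone holding the board and the card, so the result binds
    the card to the board; it is not a secret from that person.
    """
    h = hashlib.sha256()
    for label, value in ((b"pi-serial", serial), (b"sd-cid", cid)):
        data = bytes.fromhex(value)
        h.update(label + len(data).to_bytes(2, "big") + data)
    return h.digest()

if __name__ == "__main__":
    key = derive_keyfile(parse_pi_serial(CPUINFO_SAMPLE), parse_cid(CID_SAMPLE))
    print(len(key), "bytes of keyfile material:", key.hex())
```

A replacement SD card has a different CID and therefore a different key, which is the breakage concern raised in the thread about tying anything to the card.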
