{{tag>[hardware raspberry encrypted luks]}}
=====Raspberry Pi 3 - Arch Linux / encrypted root fs=====
This how-to helps you install Arch Linux on a Raspberry Pi 3 with an encrypted (LUKS) root filesystem. You will need to enter the passphrase every time you boot the device. Write speed will be slower; we got around 6-8 MB/sec sequential write throughput.
====Prerequisites====
* Linux host computer (we're using Fedora 25 here).
* Raspberry Pi 3.
* SD card.
====Install Arch Linux onto the SD card====
* The steps in this section were taken from: [[https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3]]
* Partition the SD card (e.g. with ''fdisk''):
<code>
p1 = 200M  # /boot, set bootable flag, type FAT32 (LBA)
p2 = 4G    # /, type Linux
</code>
Example ''fdisk'' output:
<code>
/dev/mmcblk0p1    2048   411647  409600  200M  c W95 FAT32 (LBA)
/dev/mmcblk0p2  411648  8800255 8388608    4G 83 Linux
</code>
* Create the ''/boot'' filesystem:
<code bash>
mkfs.vfat /dev/mmcblk0p1
</code>
* Create an encrypted (LUKS) block device for the ''/'' (root) filesystem:
<code bash>
cryptsetup luksFormat /dev/mmcblk0p2
</code>
<code>
WARNING!
========
This will overwrite data on /dev/mmcblk0p2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
</code>
* Open the encrypted block device. ''sdroot'' is the device-mapper name, so the decrypted device appears as ''/dev/mapper/sdroot''; the same name is used again in ''cmdline.txt'' below:
<code bash>
cryptsetup open /dev/mmcblk0p2 sdroot
</code>
* Create an EXT4 filesystem on the encrypted block device:
<code bash>
mkfs.ext4 /dev/mapper/sdroot
</code>
* Mount the ''/boot'' and ''/'' (root) filesystems:
<code bash>
cd /mnt
mkdir boot root
mount /dev/mmcblk0p1 /mnt/boot
mount /dev/mapper/sdroot /mnt/root
</code>
* Download Arch Linux and copy it to the SD card. The kernel files are extracted into ''root/boot'' and then moved to the FAT partition, which is re-mounted at ''/mnt/root/boot'' so that the chroot sees it as ''/boot'':
<code bash>
wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-2-latest.tar.gz
bsdtar -xpf ArchLinuxARM-rpi-2-latest.tar.gz -C root
sync
mv root/boot/* boot
umount /mnt/boot
mount /dev/mmcblk0p1 /mnt/root/boot
</code>
====Configure Arch Linux, using a QEMU chroot====
The next steps modify the Arch Linux installation on the SD card so that it can boot from the encrypted root filesystem. The image is ARM and the host is x86_64, so the chroot runs through QEMU user-mode emulation.
* Install QEMU (this provides ''/usr/bin/qemu-arm-static''):
<code bash>
dnf install qemu
</code>
* Enter the chroot:
<code bash>
cd /mnt/root
systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root
# leave the chroot when finished with 'poweroff'
</code>
* Log in with ''root:root'' or ''alarm:alarm''.
* You might need to configure ''/etc/resolv.conf'' manually (on the image it is a symlink, which is why it is removed first):
<code bash>
rm /etc/resolv.conf   # symlink
vi /etc/resolv.conf
</code>
* Update Arch Linux, then leave the chroot:
<code bash>
pacman -Suy
poweroff
</code>
* Enter the chroot again:
<code bash>
systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root
</code>
* Install LVM and cryptsetup:
<code bash>
pacman -S lvm2 cryptsetup
</code>
* Add ''lvm2'' and ''encrypt'' to HOOKS in ''/etc/mkinitcpio.conf'' (''encrypt'' must come before ''filesystems''):
<code>
HOOKS="base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck"
</code>
* Generate a new initramfs that contains the ''encrypt'' hook. You can find the current kernel version in ''/usr/lib/modules/'' (this example uses ''4.9.28-2-ARCH''):
<code bash>
mkinitcpio -k 4.9.28-2-ARCH -g /boot/initramfs-linux.img
</code>
* Modify ''/boot/cmdline.txt''. Add the following parameters, where ''crypt_sdcard'' stands for the device-mapper name: use the name you gave to ''cryptsetup open'' (''sdroot'' in this how-to), and make sure that ''root=/dev/mapper/...'' and the name after the colon in ''cryptdevice='' are the same:
<code>
root=/dev/mapper/crypt_sdcard cryptdevice=/dev/mmcblk0p2:crypt_sdcard rootfstype=ext4
</code>
Example (''cmdline.txt'' is always a single line; do not break it across lines):
<code>
root=/dev/mapper/sdroot cryptdevice=/dev/mmcblk0p2:sdroot rootfstype=ext4 rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 kgdboc=ttyAMA0,115200 elevator=noop
</code>
* Power off the chroot, unmount the SD card and close the encrypted device:
<code bash>
poweroff
umount /mnt/root/boot
umount /mnt/root
cryptsetup close sdroot
</code>
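A small POSIX shell check for the ''cmdline.txt'' step above, run on the host before the first reboot. This is an added example, not part of the original how-to: the function name ''check_cmdline'' and the sample files in the comments are ours. It verifies the three things that silently break the encrypted boot: the file being wrapped onto more than one line, a ''root='' device that does not match the mapper name given in ''cryptdevice='', and a missing ''rootfstype=ext4''.

```shell
#!/bin/sh
# Added example (not from the original how-to): sanity-check /boot/cmdline.txt
# before the first encrypted boot. The kernel parameters must be on a single
# line, and the mapper name in cryptdevice=DEVICE:NAME must match the device
# named by root=/dev/mapper/NAME, otherwise the encrypt hook opens the device
# under one name while the kernel waits for another.
#
# Usage: check_cmdline /mnt/root/boot/cmdline.txt   (returns 0 when all checks pass)
check_cmdline() {
    f="$1"
    # 1. the file must be a single line (wc -l counts newlines; 0 or 1 is fine)
    n=$(wc -l < "$f")
    if [ "$n" -gt 1 ]; then
        echo "FAIL: $f has more than one line; cmdline.txt must be a single line" >&2
        return 1
    fi
    line=$(cat "$f")
    # 2. extract the root= and cryptdevice= parameters (one parameter per line)
    root=$(printf '%s\n' "$line" | tr ' ' '\n' | sed -n 's/^root=//p')
    cryptdev=$(printf '%s\n' "$line" | tr ' ' '\n' | sed -n 's/^cryptdevice=//p')
    if [ -z "$root" ] || [ -z "$cryptdev" ]; then
        echo "FAIL: root= or cryptdevice= is missing in $f" >&2
        return 1
    fi
    # 3. the mapper name after the colon must match root=/dev/mapper/<name>
    mapper=${cryptdev#*:}
    if [ "$root" != "/dev/mapper/$mapper" ]; then
        echo "FAIL: root=$root does not match cryptdevice mapper name '$mapper'" >&2
        return 1
    fi
    # 4. rootfstype=ext4 must be present
    case " $line " in
        *" rootfstype=ext4 "*) ;;
        *) echo "FAIL: rootfstype=ext4 is missing in $f" >&2; return 1 ;;
    esac
    echo "OK: $f"
    return 0
}

# When run as a script, check the file given as the first argument.
if [ $# -gt 0 ]; then
    check_cmdline "$1"
fi
```

Run it against the mounted boot partition (''check_cmdline /mnt/root/boot/cmdline.txt'') before unmounting; a mismatch such as ''root=/dev/mapper/crypt_sdcard'' next to ''cryptdevice=/dev/mmcblk0p2:sdroot'' is reported instead of being discovered at the initramfs prompt.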
====Configure Arch Linux====
Insert the SD card in the Raspberry Pi, power on (you will be asked for the passphrase) and configure it!
* Change the default hostname:
<code bash>
hostnamectl set-hostname archpi
</code>
* Configure the time zone:
<code bash>
timedatectl set-timezone Europe/Amsterdam
</code>
* Configure the locale (uncomment the locales you need in ''/etc/locale.gen''):
<code bash>
vi /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8
</code>
* Add or delete users and change passwords, in particular those of the default ''root:root'' and ''alarm:alarm'' accounts.
* Configure WiFi. Note that ''wpa_passphrase'' writes the clear-text passphrase into the file as a ''#psk="..."'' comment next to the derived key; remove that line afterwards:
<code bash>
wpa_passphrase SSID PASSPHRASE > /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
</code>
* Prepend the new file with:
<code>
ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1
country=NL
</code>
* Restrict the file permissions (the file contains the network key) and enable WiFi:
<code bash>
chmod 600 /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
systemctl enable wpa_supplicant@wlan0
systemctl enable dhcpcd@wlan0
</code>
* Configure time synchronisation (on Arch the systemd unit is called ''chronyd''):
<code bash>
pacman -S chrony
vi /etc/chrony.conf
systemctl start chronyd
systemctl enable chronyd
chronyc sources
</code>
* Configure a firewall (deny all incoming traffic by default, allow only SSH):
<code bash>
pacman -S ufw
ufw default deny
ufw allow SSH
ufw enable
systemctl enable ufw
ufw status
</code>
* Now is a good time to test whether everything still works after a reboot. You need to enter the passphrase during the reboot.
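The WiFi steps above leave the clear-text passphrase in ''wpa_supplicant-wlan0.conf'' as the ''#psk='' comment that ''wpa_passphrase'' emits next to the derived key, and the file is world-readable until the ''chmod''. The following POSIX shell functions are an added example, not part of the original how-to (the names ''harden_wpa_conf'' and ''verify_wpa_conf'' and the sample input are ours): they build the config from ''wpa_passphrase'' output read on stdin, prepend the header from the steps above, drop the clear-text line and create the file with mode 600 from the start.

```shell
#!/bin/sh
# Added example (not from the original how-to): build wpa_supplicant-wlan0.conf
# from wpa_passphrase output read on stdin.
# wpa_passphrase prints the clear-text passphrase as a '#psk="..."' comment next
# to the derived psk=; this function drops that comment, prepends the header
# used in the how-to and creates the file with mode 600 so only root can read
# the derived key. The function names are ours.
#
# Usage: wpa_passphrase SSID | harden_wpa_conf /etc/wpa_supplicant/wpa_supplicant-wlan0.conf NL
harden_wpa_conf() {
    out="$1"
    country="${2:-NL}"
    # subshell so the restrictive umask does not leak into the caller's shell
    (
        umask 077
        {
            printf 'ctrl_interface=/run/wpa_supplicant\n'
            printf 'ctrl_interface_group=wheel\n'
            printf 'update_config=1\n'
            printf 'country=%s\n' "$country"
            # pass the network block through, minus the clear-text passphrase line
            grep -v '^[[:space:]]*#psk='
        } > "$out"
    )
    chmod 600 "$out"
}

# Post-check for an existing config: returns 0 if it starts with the header,
# contains no clear-text passphrase and is mode 600; 1 otherwise (reason on stderr).
verify_wpa_conf() {
    f="$1"
    if [ "$(head -n 1 "$f")" != "ctrl_interface=/run/wpa_supplicant" ]; then
        echo "FAIL: $f does not start with the ctrl_interface header" >&2
        return 1
    fi
    if grep -q '^[[:space:]]*#psk=' "$f"; then
        echo "FAIL: $f still contains the clear-text passphrase" >&2
        return 1
    fi
    if [ "$(stat -c %a "$f")" != "600" ]; then
        echo "FAIL: $f is not mode 600" >&2
        return 1
    fi
    echo "OK: $f"
    return 0
}
```

Calling ''wpa_passphrase SSID'' without the passphrase argument makes it read the passphrase from stdin, which also keeps it out of the shell history and the process list; ''verify_wpa_conf'' can be run on the Pi afterwards to confirm the file on the card is in the expected state.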
====Troubleshooting====
* If you want to test from the initramfs shell, add ''break=premount'' to ''/boot/cmdline.txt''. You can resume booting by exiting the shell.
* If the passphrase prompt never appears, check that ''/boot/config.txt'' contains the line ''initramfs initramfs-linux.img followkernel''; without it the firmware boots the kernel without the initramfs that holds the ''encrypt'' hook.