{{tag>[hardware raspberry encrypted luks]}}
=====Raspberry Pi 3 - Arch Linux / encrypted root fs=====
This how-to helps you to install Arch Linux on a Raspberry Pi, using an encrypted root filesystem. You will need to enter the passphrase every time you boot the device. Write speed will be slower, we got around 6-8MB/sec sequential write throughput.

====Prerequisites====
  * Linux host computer, we're using Fedora 25 here.
  * Raspberry Pi 3.
  * SD Card

====Install Arch Linux onto the SD card====
  * The steps in this section were taken from: [[https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3]]
  * Partition the SD card:<code>
p1 = 200M    # /boot, set bootable flag, FAT32 (LBA)
p2 = 4G      # /, Linux

Example fdisk output:
/dev/mmcblk0p1        2048  411647  409600  200M  c W95 FAT32 (LBA)
/dev/mmcblk0p2      411648 8800255 8388608    4G 83 Linux
</code>
  * Create the /boot filesystem.<code>mkfs.vfat /dev/mmcblk0p1</code>
  * Create an encrypted block device for the ''/'' (root) filesystem:<code>cryptsetup luksFormat /dev/mmcblk0p2

WARNING!
========
This will overwrite data on /dev/mmcblk0p2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: </code>
  * Open the encrypted block device:<code>cryptsetup open /dev/mmcblk0p2 sdroot</code>
  * Create an EXT4 filesystem on the encrypted block device:<code>mkfs.ext4 /dev/mapper/sdroot
</code>
  * Mount the ''/boot'' and ''/'' (root) filesystems:<code>cd /mnt
mkdir boot root
mount /dev/mmcblk0p1 /mnt/boot
mount /dev/mapper/sdroot /mnt/root</code>
  * Download Arch Linux, and copy it to the SD card.<code>wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-2-latest.tar.gz
bsdtar -xpf ArchLinuxARM-rpi-2-latest.tar.gz -C root
sync

mv root/boot/* boot

umount /mnt/boot
mount /dev/mmcblk0p1 /mnt/root/boot</code>

====Configure Arch Linux, using a QEMU chroot====
The next steps will modify the Arch Linux install on the SD card. So it can use the encrypted root filesystem.
  * Install QEMU.<code>dnf install qemu</code>
  * Enter the chroot:<code>cd /mnt/root
systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root

# exit when finished with 'poweroff'</code>
  * Log in with ''root:root'' or ''alarm:alarm''.
  * You might need to configure ''/etc/resolv.conf'' manually.<code>rm /etc/resolv.conf #symlink
vi /etc/resolv.conf</code>
  * Update Arch Linux:<code>pacman -Suy
poweroff</code>
  * Enter the chroot again:<code>systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root</code>
  * Install LVM and cryptsetup:<code>pacman -S lvm2 cryptsetup</code>
  * Add lvm2 and encrypt to HOOKS in ''/etc/mkinitcpio.conf'':<code>HOOKS="base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck"</code>
  * Generate a new initramfs, you can find the current kernel version in ''/usr/lib/modules/'':<code>mkinitcpio -k 4.9.28-2-ARCH -g /boot/initramfs-linux.img</code>
  * Modify the /boot/cmdline.txt file:<code>
Add:
root=/dev/mapper/crypt_sdcard cryptdevice=/dev/mmcblk0p2:crypt_sdcard rootfstype=ext4

Example:
root=/dev/mapper/sdroot cryptdevice=/dev/mmcblk0p2:sdroot rootfstype=ext4 rw rootwait console
=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_en
able=0 kgdboc=ttyAMA0,115200 elevator=noop</code>
  * Poweroff the chroot and unmount the SD card:<code>poweroff
umount /mnt/root/boot
umount /mnt/root</code>


====Configure Arch Linux====
Insert the SD card in the Raspberry Pi, power on and configure it!

  * Change the default hostname:<code>hostnamectl set-hostname archpi</code>
  * Configure the time zome:<code>timedatectl set-timezone Europe/Amsterdam</code>
  * Configure the locale:<code>vi /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8</code>
  * Add, delete users and change passwords.
  * Configure WiFi:<code>wpa_passphrase SSID PASSPHRASE  > /etc/wpa_supplicant/wpa_supplicant-wlan0.conf</code>
  * Prepend the new file with:<code>ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1
country=NL</code>
  * Modify rights and enable WiFi:<code>chmod 600 wpa_supplicant-wlan0.conf
systemctl enable wpa_supplicant@wlan0
systemctl enable dhcpcd@wlan0</code>
  * Configure time synchronisation:<code>pacman -S chrony
vi /etc/chrony.conf
systemctl start chrony
systemctl enable chrony
chronyc sources</code>
  * Configure a firewall:<code>pacman -S ufw
ufw default deny
ufw allow SSH

ufw enable
systemctl enable ufw
ufw status</code>
  * Now is a good time to test if everything works after reboot. You need to enter the passphrase during reboot.
====Troubleshooting====
  * If you want to test from the initramfs shell add ''break=premount'' to /boot/cmdline.txt. You can resume booting by exiting the shell.