Ben's notes

Linux, Unix, network, radio...

Raspberry Pi 3 - Arch Linux / encrypted root fs

This how-to helps you install Arch Linux on a Raspberry Pi with an encrypted root filesystem. You will need to enter the passphrase every time the device boots. Write speed will be slower; we measured around 6-8 MB/sec of sequential write throughput.

Prerequisites

  • Linux host computer, we're using Fedora 25 here.
  • Raspberry Pi 3.
  • SD card.

Install Arch Linux onto the SD card

  • The steps in this section were taken from: https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3
  • Partition the SD card:
    p1 = 200M    # /boot, set bootable flag, FAT32 (LBA)
    p2 = 4G      # /, Linux
    
    Example fdisk output:
    /dev/mmcblk0p1        2048  411647  409600  200M  c W95 FAT32 (LBA)
    /dev/mmcblk0p2      411648 8800255 8388608    4G 83 Linux
  • Create the /boot filesystem.
    mkfs.vfat /dev/mmcblk0p1
  • Create an encrypted block device for the / (root) filesystem:
    cryptsetup luksFormat /dev/mmcblk0p2
    
    WARNING!
    ========
    This will overwrite data on /dev/mmcblk0p2 irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter passphrase: 
    Verify passphrase: 
  • Open the encrypted block device:
    cryptsetup open /dev/mmcblk0p2 sdroot
  • Create an EXT4 filesystem on the encrypted block device:
    mkfs.ext4 /dev/mapper/sdroot
  • Mount the /boot and / (root) filesystems:
    cd /mnt
    mkdir boot root
    mount /dev/mmcblk0p1 /mnt/boot
    mount /dev/mapper/sdroot /mnt/root
  • Download Arch Linux, and copy it to the SD card.
    wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-2-latest.tar.gz
    bsdtar -xpf ArchLinuxARM-rpi-2-latest.tar.gz -C root
    sync
    
    mv root/boot/* boot
    
    umount /mnt/boot
    mount /dev/mmcblk0p1 /mnt/root/boot

Configure Arch Linux, using a QEMU chroot

The next steps modify the Arch Linux install on the SD card so that it can boot from the encrypted root filesystem.

  • Install QEMU.
    dnf install qemu
  • Enter the chroot:
    cd /mnt/root
    systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root
    
    # exit when finished with 'poweroff'
  • Log in with root:root or alarm:alarm.
  • You might need to configure /etc/resolv.conf manually.
    rm /etc/resolv.conf #symlink
    vi /etc/resolv.conf
  • Update Arch Linux:
    pacman -Suy
    poweroff
  • Enter the chroot again:
    systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root
  • Install LVM and cryptsetup:
    pacman -S lvm2 cryptsetup
  • Add lvm2 and encrypt to HOOKS in /etc/mkinitcpio.conf:
    HOOKS="base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck"
  • Generate a new initramfs, you can find the current kernel version in /usr/lib/modules/:
    mkinitcpio -k 4.9.28-2-ARCH -g /boot/initramfs-linux.img
  • Modify the /boot/cmdline.txt file:
    Add:
    root=/dev/mapper/crypt_sdcard cryptdevice=/dev/mmcblk0p2:crypt_sdcard rootfstype=ext4
    
    The name after the colon in cryptdevice= is the device-mapper name the encrypt hook will open the partition under at boot; it only has to match the name used in root=, so the example below uses sdroot instead.
    
    Example:
    root=/dev/mapper/sdroot cryptdevice=/dev/mmcblk0p2:sdroot rootfstype=ext4 rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 kgdboc=ttyAMA0,115200 elevator=noop
  • Poweroff the chroot and unmount the SD card:
    poweroff
    umount /mnt/root/boot
    umount /mnt/root
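A small sanity check for the cmdline.txt edit above, run on the host while /mnt/root/boot is still mounted. This is an added example, not part of the original how-to: it parses the kernel command line and confirms that root= names the same /dev/mapper device that cryptdevice= will create, and that rootfstype matches the ext4 filesystem created earlier. The function name check_cmdline and the usage path are our own choices.

```shell
#!/bin/sh
# Added example: verify /boot/cmdline.txt before unmounting the SD card.
# The encrypt hook opens cryptdevice=<dev>:<name>[:options] as /dev/mapper/<name>,
# so root= must point at that exact mapper name or the boot stops at the initramfs.
# Usage (assumed mount point from the how-to):
#   check_cmdline "$(cat /mnt/root/boot/cmdline.txt)"

check_cmdline() {
    cmdline=$1
    root=''; cryptdev=''; fstype=''
    # Walk the space-separated parameters and pick out the three we care about.
    for param in $cmdline; do
        case $param in
            root=*)        root=${param#root=} ;;
            cryptdevice=*) cryptdev=${param#cryptdevice=} ;;
            rootfstype=*)  fstype=${param#rootfstype=} ;;
        esac
    done
    [ -n "$cryptdev" ] || { echo "cmdline: missing cryptdevice=" >&2; return 1; }
    # cryptdevice=/dev/mmcblk0p2:sdroot[:allow-discards] -> device, mapper name
    device=${cryptdev%%:*}
    name=${cryptdev#*:}
    name=${name%%:*}
    if [ "$name" = "$cryptdev" ] || [ -z "$name" ]; then
        echo "cmdline: cryptdevice=$cryptdev has no :<name> part" >&2
        return 1
    fi
    [ -n "$device" ] || { echo "cmdline: cryptdevice= has no device" >&2; return 1; }
    if [ "$root" != "/dev/mapper/$name" ]; then
        echo "cmdline: root=$root does not match /dev/mapper/$name" >&2
        return 1
    fi
    if [ "$fstype" != "ext4" ]; then
        echo "cmdline: rootfstype=$fstype, but the root fs was created with mkfs.ext4" >&2
        return 1
    fi
    echo "cmdline: root=$root on $device ($fstype) looks consistent"
    return 0
}
```

The first sample line in the how-to (crypt_sdcard) and the example line (sdroot) are each internally consistent, but mixing the two, as a copy-and-paste edit easily does, is exactly what this check catches.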

Configure Arch Linux

Insert the SD card in the Raspberry Pi, power on and configure it!

  • Change the default hostname:
    hostnamectl set-hostname archpi
  • Configure the time zone:
    timedatectl set-timezone Europe/Amsterdam
  • Configure the locale:
    vi /etc/locale.gen
    locale-gen
    localectl set-locale LANG=en_US.UTF-8
  • Add, delete users and change passwords.
  • Configure WiFi (wpa_passphrase also writes the plaintext passphrase into the file as a commented #psk= line; delete that line afterwards):
    wpa_passphrase SSID PASSPHRASE > /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
  • Prepend the new file with:
    ctrl_interface=/run/wpa_supplicant
    ctrl_interface_group=wheel
    update_config=1
    country=NL
  • Restrict permissions on the file and enable WiFi:
    chmod 600 /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
    systemctl enable wpa_supplicant@wlan0
    systemctl enable dhcpcd@wlan0
  • Configure time synchronisation (the Arch unit is called chronyd):
    pacman -S chrony
    vi /etc/chrony.conf
    systemctl start chronyd
    systemctl enable chronyd
    chronyc sources
  • Configure a firewall:
    pacman -S ufw
    ufw default deny
    ufw allow SSH
    
    ufw enable
    systemctl enable ufw
    ufw status
  • Now is a good time to reboot and check that everything still works. You will be asked for the passphrase during boot.

Troubleshooting

  • To get a shell inside the initramfs before the root filesystem is mounted, add break=premount to /boot/cmdline.txt. Exit the shell to resume booting.
archlinux-raspberry-encrypted.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1