archlinux-raspberry-encrypted
Raspberry Pi 3 - Arch Linux / encrypted root fs
This how-to helps you install Arch Linux on a Raspberry Pi with an encrypted root filesystem. You will need to enter the passphrase every time you boot the device. Write speed will be slower: we got around 6-8MB/sec sequential write throughput.
Prerequisites
- Linux host computer; we're using Fedora 25 here.
- Raspberry Pi 3.
- SD Card
Install Arch Linux onto the SD card
- The steps in this section were taken from: https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3
- Partition the SD card:
p1 = 200M # /boot, set bootable flag, FAT32 (LBA)
p2 = 4G # /, Linux
Example fdisk output:
/dev/mmcblk0p1 2048 411647 409600 200M c W95 FAT32 (LBA)
/dev/mmcblk0p2 411648 8800255 8388608 4G 83 Linux
- Create the /boot filesystem.
mkfs.vfat /dev/mmcblk0p1
- Create an encrypted block device for the / (root) filesystem:
cryptsetup luksFormat /dev/mmcblk0p2
WARNING!
========
This will overwrite data on /dev/mmcblk0p2 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
- Open the encrypted block device:
cryptsetup open /dev/mmcblk0p2 sdroot
- Create an EXT4 filesystem on the encrypted block device:
mkfs.ext4 /dev/mapper/sdroot
- Mount the /boot and / (root) filesystems:
cd /mnt
mkdir boot root
mount /dev/mmcblk0p1 /mnt/boot
mount /dev/mapper/sdroot /mnt/root
- Download Arch Linux, and copy it to the SD card.
wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-2-latest.tar.gz
bsdtar -xpf ArchLinuxARM-rpi-2-latest.tar.gz -C root
sync
mv root/boot/* boot
umount /mnt/boot
mount /dev/mmcblk0p1 /mnt/root/boot
Configure Arch Linux, using a QEMU chroot
The next steps modify the Arch Linux install on the SD card so that it can use the encrypted root filesystem.
- Install QEMU.
dnf install qemu
- Enter the chroot:
cd /mnt/root
systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root # exit when finished with 'poweroff'
- Log in with root:root or alarm:alarm.
- You might need to configure /etc/resolv.conf manually.
rm /etc/resolv.conf # symlink
vi /etc/resolv.conf
- Update Arch Linux:
pacman -Suy
poweroff
- Enter the chroot again:
systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root
- Install LVM and cryptsetup:
pacman -S lvm2 cryptsetup
- Add lvm2 and encrypt to HOOKS in /etc/mkinitcpio.conf:
HOOKS="base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck"
- Generate a new initramfs. You can find the current kernel version in /usr/lib/modules/:
mkinitcpio -k 4.9.28-2-ARCH -g /boot/initramfs-linux.img
- Modify the /boot/cmdline.txt file:
Add:
root=/dev/mapper/crypt_sdcard cryptdevice=/dev/mmcblk0p2:crypt_sdcard rootfstype=ext4
Example:
root=/dev/mapper/sdroot cryptdevice=/dev/mmcblk0p2:sdroot rootfstype=ext4 rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 kgdboc=ttyAMA0,115200 elevator=noop
- Poweroff the chroot and unmount the SD card:
poweroff
umount /mnt/root/boot
umount /mnt/root
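A check you can run on the host before the unmount step above, to confirm that root= and cryptdevice= in cmdline.txt name the same mapping and that HOOKS lists block, encrypt and filesystems in that order. This is an added example, not part of the original how-to; the function names and the script name check-cryptroot.sh are made up for illustration.

```shell
#!/bin/sh
# Added example: checks the settings that must agree before first boot.

# Value of the last KEY=... token in a kernel command-line file.
cmdline_arg() {
    tr ' \t' '\n\n' < "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# root= must be /dev/mapper/NAME, with NAME taken from cryptdevice=DEVICE:NAME.
# Assumption: DEVICE itself contains no colon, as in /dev/mmcblk0p2.
check_cmdline() {
    root=$(cmdline_arg "$1" root)
    crypt=$(cmdline_arg "$1" cryptdevice)
    if [ -z "$root" ] || [ -z "$crypt" ]; then
        echo "root= or cryptdevice= missing" >&2; return 1
    fi
    name=${crypt#*:}      # strip "DEVICE:"
    name=${name%%:*}      # strip any trailing ":options"
    if [ "$root" != "/dev/mapper/$name" ]; then
        echo "root=$root but cryptdevice maps '$name'" >&2; return 1
    fi
}

# 1-based position of hook $2 in the space-separated list $1, 0 if absent.
hook_pos() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# HOOKS must list block, then encrypt, then filesystems (the order used above).
check_hooks() {
    hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[)"][[:space:]]*$/\1/p' "$1" | tail -n 1)
    b=$(hook_pos "$hooks" block)
    e=$(hook_pos "$hooks" encrypt)
    f=$(hook_pos "$hooks" filesystems)
    if [ "$e" -eq 0 ]; then echo "encrypt hook missing" >&2; return 1; fi
    if [ "$b" -eq 0 ] || [ "$b" -gt "$e" ]; then echo "block must precede encrypt" >&2; return 1; fi
    if [ "$f" -eq 0 ] || [ "$e" -gt "$f" ]; then echo "encrypt must precede filesystems" >&2; return 1; fi
}

# Usage: sh check-cryptroot.sh /mnt/root/boot/cmdline.txt /mnt/root/etc/mkinitcpio.conf
if [ "$#" -eq 2 ]; then
    check_cmdline "$1" && check_hooks "$2" && echo "encrypted-root settings are consistent"
fi
```

A mismatch such as root=/dev/mapper/crypt_sdcard combined with cryptdevice=/dev/mmcblk0p2:sdroot is reported here instead of showing up as a failed mount at boot.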
Configure Arch Linux
Insert the SD card in the Raspberry Pi, power on and configure it!
- Change the default hostname:
hostnamectl set-hostname archpi
- Configure the time zone:
timedatectl set-timezone Europe/Amsterdam
- Configure the locale:
vi /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8
- Add, delete users and change passwords.
- Configure WiFi:
wpa_passphrase SSID PASSPHRASE > /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
- Prepend the new file with:
ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=wheel
update_config=1
country=NL
- Modify rights and enable WiFi:
chmod 600 /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
systemctl enable wpa_supplicant@wlan0
systemctl enable dhcpcd@wlan0
- Configure time synchronisation:
pacman -S chrony
vi /etc/chrony.conf
systemctl start chrony
systemctl enable chrony
chronyc sources
- Configure a firewall:
pacman -S ufw
ufw default deny
ufw allow SSH
ufw enable
systemctl enable ufw
ufw status
- Now is a good time to test if everything works after reboot. You need to enter the passphrase during reboot.
Troubleshooting
- If you want to test from the initramfs shell, add break=premount to /boot/cmdline.txt. You can resume booting by exiting the shell.
archlinux-raspberry-encrypted.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1