archlinux-raspberry-encrypted [Ben's notes]

Ben's notes

Linux, Unix, network, radio...

Raspberry Pi 3 - Arch Linux / encrypted root fs

This how-to helps you install Arch Linux on a Raspberry Pi using an encrypted root filesystem. You will need to enter the passphrase every time you boot the device. Write speed will be slower: we got around 6-8MB/sec sequential write throughput.


  • Linux host computer (we're using Fedora 25 here).
  • Raspberry Pi 3.
  • SD Card

Install Arch Linux onto the SD card

  • The steps in this section were taken from: https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3
  • Partition the SD card:
    p1 = 200M    # /boot, set bootable flag, FAT32 (LBA)
    p2 = 4G      # /, Linux
    Example fdisk output:
    /dev/mmcblk0p1        2048  411647  409600  200M  c W95 FAT32 (LBA)
    /dev/mmcblk0p2      411648 8800255 8388608    4G 83 Linux
  • Create the /boot filesystem.
    mkfs.vfat /dev/mmcblk0p1
  • Create an encrypted block device for the / (root) filesystem:
    cryptsetup luksFormat /dev/mmcblk0p2
    This will overwrite data on /dev/mmcblk0p2 irrevocably.
    Are you sure? (Type uppercase yes): YES
    Enter passphrase: 
    Verify passphrase: 
  • Open the encrypted block device:
    cryptsetup open /dev/mmcblk0p2 sdroot
  • Create an EXT4 filesystem on the encrypted block device:
    mkfs.ext4 /dev/mapper/sdroot
  • Mount the /boot and / (root) filesystems:
    cd /mnt
    mkdir boot root
    mount /dev/mmcblk0p1 /mnt/boot
    mount /dev/mapper/sdroot /mnt/root
  • Download Arch Linux, and copy it to the SD card.
    wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-2-latest.tar.gz
    bsdtar -xpf ArchLinuxARM-rpi-2-latest.tar.gz -C root
    mv root/boot/* boot
    umount /mnt/boot
    mount /dev/mmcblk0p1 /mnt/root/boot

Configure Arch Linux, using a QEMU chroot

The next steps modify the Arch Linux install on the SD card so that it can boot from the encrypted root filesystem.

  • Install QEMU.
    dnf install qemu
  • Enter the chroot:
    cd /mnt/root
    systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root
    # exit when finished with 'poweroff'
  • Log in with root:root or alarm:alarm.
  • You might need to configure /etc/resolv.conf manually.
    rm /etc/resolv.conf #symlink
    vi /etc/resolv.conf
  • Update Arch Linux:
    pacman -Suy
  • Enter the chroot again:
    systemd-nspawn --bind /usr/bin/qemu-arm-static -b -D /mnt/root
  • Install LVM and cryptsetup:
    pacman -S lvm2 cryptsetup
  • Add lvm2 and encrypt to HOOKS in /etc/mkinitcpio.conf:
    HOOKS="base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck"
  • Generate a new initramfs. You can find the current kernel version in /usr/lib/modules/:
    mkinitcpio -k 4.9.28-2-ARCH -g /boot/initramfs-linux.img
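  • Modify the /boot/cmdline.txt file. The parameters for the encrypted root take this form; the mapping name after the colon in cryptdevice= must be the same name used in root=/dev/mapper/...:
    root=/dev/mapper/crypt_sdcard cryptdevice=/dev/mmcblk0p2:crypt_sdcard rootfstype=ext4
    With the sdroot name used in this how-to, the complete file looks like this (it must be a single line):
    root=/dev/mapper/sdroot cryptdevice=/dev/mmcblk0p2:sdroot rootfstype=ext4 rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 kgdboc=ttyAMA0,115200 elevator=noop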
  • Power off the chroot and unmount the SD card:
    umount /mnt/root/boot
    umount /mnt/root
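
A mistake in the HOOKS or /boot/cmdline.txt steps above only shows up when the Pi fails to unlock its root filesystem, so it is worth checking both files on the host before unmounting. The script below is an added example, not part of the original how-to. Its function names are hypothetical, and it assumes the device part of cryptdevice= contains no colon.

```shell
#!/bin/sh
# Added example: pre-unmount checks; function names are hypothetical.
# Print the value of KEY=... from a kernel command line; fail if absent.
cmdline_param() {  # $1 = key, $2 = command line text
    for cp_tok in $2; do
        case "$cp_tok" in
            "$1"=*) printf '%s\n' "${cp_tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# cmdline.txt must be one line, and root= must name the cryptdevice= mapping.
check_cmdline() {  # $1 = path to cmdline.txt
    [ -r "$1" ] || { echo "cmdline: cannot read $1"; return 1; }
    if [ "$(grep -c . "$1")" -ne 1 ]; then
        echo "cmdline: expected exactly one non-empty line"; return 1
    fi
    cc_text=$(cat "$1")
    cc_root=$(cmdline_param root "$cc_text") ||
        { echo "cmdline: root= missing"; return 1; }
    cc_crypt=$(cmdline_param cryptdevice "$cc_text") ||
        { echo "cmdline: cryptdevice= missing"; return 1; }
    # cryptdevice=<device>:<mapping>[:options]; assumes no ':' in <device>.
    cc_name=${cc_crypt#*:}; cc_name=${cc_name%%:*}
    if [ "$cc_root" != "/dev/mapper/$cc_name" ]; then
        echo "cmdline: root=$cc_root does not match mapping '$cc_name'"; return 1
    fi
    echo "cmdline: ok, mapping '$cc_name'"
}

# The encrypt hook must be in HOOKS, or the initramfs cannot unlock root.
check_hooks() {  # $1 = path to mkinitcpio.conf
    ch_hooks=$(sed -n 's/^HOOKS=["(]\(.*\)[")].*/\1/p' "$1" | tail -n 1)
    case " $ch_hooks " in
        *" encrypt "*) echo "HOOKS: ok" ;;
        *) echo "HOOKS: encrypt hook missing"; return 1 ;;
    esac
}

# Run against the mounted card when given both paths, e.g.
#   sh check.sh /mnt/root/boot/cmdline.txt /mnt/root/etc/mkinitcpio.conf
if [ "$#" -eq 2 ]; then
    check_cmdline "$1" && check_hooks "$2"
else  # no paths given: constructed sample, wrapped like the page's listing
    cc_demo=$(mktemp)
    printf '%s\n' 'root=/dev/mapper/sdroot cryptdevice=/dev/mmcblk0p2:sdroot console' '=tty1' > "$cc_demo"
    check_cmdline "$cc_demo" || true; rm -f "$cc_demo"
fi
```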

Configure Arch Linux

Insert the SD card in the Raspberry Pi, power on and configure it!

  • Change the default hostname:
    hostnamectl set-hostname archpi
  • Configure the time zone:
    timedatectl set-timezone Europe/Amsterdam
  • Configure the locale:
    vi /etc/locale.gen
    localectl set-locale LANG=en_US.UTF-8
  • Add, delete users and change passwords.
  • Configure WiFi:
    wpa_passphrase SSID PASSPHRASE  > /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
  • Prepend the new file with:
  • Modify rights and enable WiFi:
    chmod 600 /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
    systemctl enable wpa_supplicant@wlan0
    systemctl enable dhcpcd@wlan0
  • Configure time synchronisation:
    pacman -S chrony
    vi /etc/chrony.conf
    systemctl start chrony
    systemctl enable chrony
    chronyc sources
  • Configure a firewall:
    pacman -S ufw
    ufw default deny
    ufw allow SSH
    ufw enable
    systemctl enable ufw
    ufw status
  • Now is a good time to test if everything works after reboot. You need to enter the passphrase during reboot.


  • If you want to test from the initramfs shell, add break=premount to /boot/cmdline.txt. You can resume booting by exiting the shell.
archlinux-raspberry-encrypted.txt · Last modified: 2021/10/09 15:14 by