Raspberry Pi Encrypted Btrfs Root

Nico edited this page Jun 3, 2017 · 5 revisions

Install ArchLinux for ARM with encrypted btrfs root

1. Setup

Install a normal Arch Linux ARM system on a separate SD card and boot the Pi from it. Building the target from the Pi itself means you can chroot into the new installation directly, without needing qemu user-mode emulation on an x86_64 host.

The target system is written from the running Pi to a second SD card attached through a USB adapter. Instead of a fresh install you can also transfer an existing installation, as long as it is not the one currently running.

Instructions for a standard (unencrypted) installation can be found here: https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3

2. Preparation

Boot the Raspberry Pi from the existing Arch Linux ARM installation; the new Arch Linux ARM system is built from there. Whether you install fresh or transfer an old system, make sure Kodi is not running while you work, as it interferes with mounting the target.

# Update the existing installation and reboot so that the running kernel is the newest
# one (the initramfs is later built against the running kernel version)
sudo pacman -Syu
sudo pacman -S btrfs-progs dosfstools
sudo reboot

# Find the USB-attached SD card (assumed to be /dev/sda below). Check its size and
# make sure it is not the running root disk (/dev/mmcblk0): everything below is destructive.
lsblk

# Start fdisk to partition the SD card:
# Type o. This will clear out any partitions on the drive.
# Type p to list partitions. There should be no partitions left.
# Type n, then p for primary, 1 for the first partition on the drive, press
# ENTER to accept the default first sector, then type +100M for the last sector.
# Type t, then c to set the first partition to type W95 FAT32 (LBA).
# Type n, then p for primary, 2 for the second partition on the drive, and then
# press ENTER twice to accept the default first and last sector.
# Write the partition table and exit by typing w.
sudo fdisk /dev/sda

# Create the LUKS container on the root partition. -i is the PBKDF iteration time in
# milliseconds, benchmarked on the machine running luksFormat (here the Pi itself):
# 30000 means roughly 30 s per unlock attempt, for you and for a brute-force attacker
# alike. Lower it (e.g. -i 3000) if that unlock delay is too long; shorter means faster
# unlock but weaker brute-force resistance.
sudo cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 30000 /dev/sda2
sudo cryptsetup luksOpen /dev/sda2 cryptarch

# Create the btrfs filesystem, mount it and create the subvolumes
sudo mkfs.btrfs /dev/mapper/cryptarch
sudo mount /dev/mapper/cryptarch /mnt
sudo btrfs subvolume create /mnt/@
sudo btrfs subvolume create /mnt/@home
sudo btrfs subvolume create /mnt/@snapshots
sudo btrfs subvolume create /mnt/@data
sudo btrfs subvolume create /mnt/@pkg
sudo btrfs subvolume create /mnt/@abs
sudo btrfs subvolume create /mnt/@tmp
sudo btrfs subvolume create /mnt/@log
sudo btrfs subvolume create /mnt/@srv

# Remount with proper subvolumes
sudo umount /mnt
sudo mount -o subvol=@ /dev/mapper/cryptarch /mnt

# Create mount points for subvolumes
sudo mkdir -p /mnt/home
sudo mkdir -p /mnt/.snapshots
sudo mkdir -p /mnt/data
sudo mkdir -p /mnt/var/cache/pacman/pkg
sudo mkdir -p /mnt/var/abs
sudo mkdir -p /mnt/var/tmp
sudo mkdir -p /mnt/var/log
sudo mkdir -p /mnt/srv

# Mount the remaining subvolumes. Keeping them outside @ means snapper snapshots of the
# root subvolume do not include them, and rolling @ back does not touch them.
sudo mount -o subvol=@home /dev/mapper/cryptarch /mnt/home
sudo mount -o subvol=@snapshots /dev/mapper/cryptarch /mnt/.snapshots
sudo mount -o subvol=@data /dev/mapper/cryptarch /mnt/data
sudo mount -o subvol=@pkg /dev/mapper/cryptarch /mnt/var/cache/pacman/pkg
sudo mount -o subvol=@abs /dev/mapper/cryptarch /mnt/var/abs
sudo mount -o subvol=@tmp /dev/mapper/cryptarch /mnt/var/tmp
sudo mount -o subvol=@log /dev/mapper/cryptarch /mnt/var/log
sudo mount -o subvol=@srv /dev/mapper/cryptarch /mnt/srv

# Create and mount the FAT filesystem
sudo mkfs.vfat /dev/sda1
sudo mkdir -p /mnt/boot
sudo mount /dev/sda1 /mnt/boot
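Before data goes onto the container it is worth confirming that the header really carries the cipher, key size and hash requested above and that only one key slot is enabled. The following is an added example, not code from the original page: a small parser for the text of cryptsetup luksDump. The field names it reads are those of the LUKS1 header that cryptsetup 1.x printed when this page was written; the indented "cipher:", "Key:" and "AF hash:" lines it also accepts for a LUKS2 ("Version: 2") header are an assumption based on current cryptsetup output, and the sample dump embedded below is constructed (hashes, salts and the iteration count are made up).

```shell
#!/bin/sh
# Added example, not part of the original wiki page: verify a LUKS header
# against the parameters passed to luksFormat. Input is the output of
# `cryptsetup luksDump <device>`. LUKS1 field names are the ones cryptsetup 1.x
# prints; the LUKS2 lines are an assumed layout (see lead-in).
set -eu

# luks_check CIPHER MODE HASH BITS < luksdump-output
# Exit status 0 only when all four fields match and exactly one key slot is in use.
luks_check() {
    awk -v want_cipher="$1" -v want_mode="$2" -v want_hash="$3" -v want_bits="$4" '
    function val(s,    i) { i = index(s, ":"); s = substr(s, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^Version:/                  { version = val($0) }
    /^Cipher name:/              { cipher = val($0) }            # LUKS1 fields
    /^Cipher mode:/              { mode = val($0) }
    /^Hash spec:/                { hash = val($0) }
    /^MK bits:/                  { bits = val($0) }
    /^Key Slot [0-9]+: ENABLED/  { slots++ }
    /^[ \t]+Iterations:/         { iters = val($0) }
    /^[ \t]+cipher:/             { s = val($0); i = index(s, "-"); cipher = substr(s, 1, i - 1); mode = substr(s, i + 1) }  # LUKS2 (assumed)
    /^[ \t]+AF hash:/            { hash = val($0) }              # LUKS2 (assumed)
    /^[ \t]+Key:/                { bits = val($0); sub(/ .*/, "", bits) }  # "512 bits" -> 512 (LUKS2, assumed)
    /^  [0-9]+: luks2/           { slots++ }                     # LUKS2 keyslot entry (assumed)
    END {
        rc = 0
        if (cipher != want_cipher) { print "cipher " cipher ", wanted " want_cipher; rc = 1 }
        if (mode   != want_mode)   { print "mode " mode ", wanted " want_mode; rc = 1 }
        if (hash   != want_hash)   { print "hash " hash ", wanted " want_hash; rc = 1 }
        if (bits   != want_bits)   { print "key size " bits ", wanted " want_bits; rc = 1 }
        if (slots  != 1)           { print "enabled key slots: " slots + 0 ", wanted 1"; rc = 1 }
        if (rc == 0) print "LUKS" version " header OK: " cipher "-" mode ", " hash ", " bits "-bit key, " iters " PBKDF iterations"
        exit rc
    }'
}

# Constructed sample in the LUKS1 luksDump layout (digests and salts elided,
# iteration counts made up). Not taken from a real device.
SAMPLE_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
MK digest:      (elided)
MK salt:        (elided)
MK iterations:  93750
UUID:           0a1b2c3d-0000-4000-8000-000000000001

Key Slot 0: ENABLED
        Iterations:             1500000
        Salt:                   (elided)
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Demonstration on the constructed sample; on the real card run
#   sudo cryptsetup luksDump /dev/sda2 | luks_check aes xts-plain64 sha512 512
printf '%s\n' "$SAMPLE_DUMP" | luks_check aes xts-plain64 sha512 512
```

The Raspberry Pi SoCs up to the Pi 3 have no hardware AES instructions, so it is also worth running cryptsetup benchmark on the Pi once to see the aes-xts throughput you will actually get before committing to a 512-bit key on a slow SD card.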

3. Installation

To install the new system you have 3 choices:

  • Use the preconfigured Image
  • Transfer an existing installation
  • Manually install the system via pacstrap (not recommended)

# Download and extract the root filesystem image from archlinuxarm.org.
# The tarball is fetched over plain HTTP here; prefer https and compare it with
# the checksum published next to it before extracting.
cd /tmp
wget http://archlinuxarm.org/os/ArchLinuxARM-rpi-2-latest.tar.gz
sudo bsdtar -xpf ArchLinuxARM-rpi-2-latest.tar.gz -C /mnt
sync

# As an alternative, transfer an existing system mounted at /source.
# rsync -x stays on one filesystem: if /source/boot is a separate mount
# (it is on a stock image), copy it separately to /mnt/boot.
sudo pacman -S rsync
sudo rsync -axAXH --info=progress2 --numeric-ids /source/ /mnt
sync

# Or install the same package set as the preconfigured image with pacstrap.
# Warning: this is not recommended, as image-specific settings are missing
# and Kodi, for example, crashes on such an installation.
# You also need to add a user, enable dhcpcd, set hostname, locale and timezone.
#sudo pacman -S arch-install-scripts
#sudo pacstrap /mnt base crda dialog haveged linux-raspberrypi net-tools \
#openssh raspberrypi-firmware wireless_tools wpa_supplicant
#sync

4. Configuration

The configuration assumes that the SD card's root subvolume @ is mounted at /mnt and its boot partition at /mnt/boot, as described above.

# Save the new fstab entries. genfstab records the mapped device /dev/mapper/cryptarch,
# which the encrypt hook opens from the kernel command line, so no crypttab entry is needed.
sudo pacman -S arch-install-scripts
genfstab -U /mnt | sudo tee /mnt/etc/fstab

# Chroot into the new system. Attention! You are now root!
sudo arch-chroot /mnt /bin/bash
pacman -Syu
pacman -S mkinitcpio btrfs-progs sudo bash-completion

# Add the keymap and encrypt hooks after block (encrypt must run before filesystems)
# and ship the btrfs tool in the image, then build the initramfs.
# The first sed matches the HOOKS="..." syntax used at the time; newer
# mkinitcpio.conf files use HOOKS=(...) and need the pattern adjusted.
sed -i 's/^HOOKS=".*block/\0 keymap encrypt/g' /etc/mkinitcpio.conf
sed -i "s#^BINARIES=\"#\0/usr/bin/btrfs#g" /etc/mkinitcpio.conf
# $(uname -r) is the host's running kernel; it must be the same version as the kernel
# installed in the chroot (see /usr/lib/modules), which is why the host was updated
# and rebooted first.
mkinitcpio -k $(uname -r) -g /boot/initrd -c /etc/mkinitcpio.conf

# Configure the boot parameters so the firmware loads the initramfs and the encrypted root is opened
# U-Boot users write the same parameters to /boot/boot.txt and regenerate boot.scr with ./mkscr
echo "initramfs initrd followkernel" >> /boot/config.txt
sed -i "s#root=[^ ]*#cryptdevice=UUID=$(blkid /dev/sda2 -o value -s UUID):cryptarch root=/dev/mapper/cryptarch rootflags=subvol=/@#g" /boot/cmdline.txt

# Enable sudo for group wheel, put the default user in that group and lock the root
# account. The user must be in wheel (not just users), otherwise locking root leaves
# no account that can administer the system. The stock image's alarm user has the
# well-known password "alarm"; change it (passwd alarm) before the Pi goes on a network.
sed -i '/%wheel.ALL=(ALL) ALL/s/^# //g' /etc/sudoers
usermod -a -G wheel alarm
passwd -l root

# Exit the chroot, unmount and shut down, then boot from the new card.
# With mkinitcpio installed, kernel updates should regenerate the initramfs; after each
# kernel upgrade confirm that /boot/initrd is newer than the kernel and re-run the
# mkinitcpio command above before rebooting if it is not.
exit
sudo umount -R /mnt
sudo shutdown -h now
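The two sed edits above are one-shot: the root= substitution cannot be re-applied once cmdline.txt already points at the mapper device, the HOOKS pattern assumes the quoted syntax, and a typo in the sudoers/usermod step is only discovered when root is already locked. The following is an added example, not code from the original page or from Arch Linux ARM: re-runnable versions of the cmdline.txt and mkinitcpio.conf edits plus a check that the privilege setup left a usable admin account. It assumes the page's names (LUKS mapping "cryptarch", root subvolume "@", user "alarm"), and the cmdline, HOOKS line and UUID in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not code from the original wiki page): idempotent versions of
# the Configuration-section edits plus a sanity check for the sudo/root-lock
# step. Works on strings and on a directory you pass in, so it can be tried on
# copies before touching /mnt. Assumes the page's names: cryptarch, @, alarm.
set -eu

# crypt_cmdline LINE UUID
# Prints LINE with any root=, rootflags=, rootfstype= and cryptdevice=
# parameters removed (a leftover rootfstype=ext4 would break a btrfs root) and
# the encrypted-root parameters prepended. Running it on its own output is a
# no-op, unlike the page's root=... substitution.
crypt_cmdline() {
    local uuid="$2" word kept=''
    set -f                                   # no globbing while splitting on whitespace
    for word in $1; do
        case "$word" in
            root=*|rootflags=*|rootfstype=*|cryptdevice=*) ;;
            *) kept="${kept:+$kept }$word" ;;
        esac
    done
    set +f
    printf 'cryptdevice=UUID=%s:cryptarch root=/dev/mapper/cryptarch rootflags=subvol=/@ %s\n' \
        "$uuid" "$kept"
}

# enable_encrypt_hooks HOOKS_LINE
# Prints HOOKS_LINE with "keymap encrypt" placed directly before "filesystems"
# (still after udev and block, as the page's sed arranges) and accepts both the
# old HOOKS="..." and the newer HOOKS=(...) syntax. Existing keymap/encrypt
# entries are dropped first, so repeated runs never duplicate them. Fails if
# there is no filesystems hook rather than guessing a position.
enable_encrypt_hooks() {
    local line="$1" open close body hook out='' seen=0
    case "$line" in
        'HOOKS="'*'"') open='HOOKS="'; close='"' ;;
        'HOOKS=('*')') open='HOOKS=('; close=')' ;;
        *) echo "unrecognised HOOKS line: $line" >&2; return 1 ;;
    esac
    body=${line#HOOKS=?}; body=${body%?}     # strip the delimiters
    set -f
    for hook in $body; do
        case "$hook" in
            keymap|encrypt) continue ;;
            filesystems) out="${out:+$out }keymap encrypt"; seen=1 ;;
        esac
        out="${out:+$out }$hook"
    done
    set +f
    [ "$seen" -eq 1 ] || { echo "no filesystems hook in: $line" >&2; return 1; }
    printf '%s%s%s\n' "$open" "$out" "$close"
}

# check_privilege_config ETC_DIR
# Verifies the three things that must all hold after the sudoers/usermod/passwd
# steps (otherwise locking root leaves nobody who can administer the box): the
# wheel rule is active, alarm is a member of wheel, and root's password is
# locked ("!" prefix in shadow). Prints each failure; non-zero if any fails.
check_privilege_config() {
    local etc="$1" rc=0
    grep -Eq '^%wheel ALL=\(ALL(:ALL)?\) ALL' "$etc/sudoers" \
        || { echo "sudoers: %wheel rule is still commented out" >&2; rc=1; }
    grep -Eq '^wheel:[^:]*:[^:]*:([^:]*,)?alarm(,[^:]*)?$' "$etc/group" \
        || { echo "group: alarm is not a member of wheel" >&2; rc=1; }
    grep -Eq '^root:!' "$etc/shadow" \
        || { echo "shadow: root password is not locked" >&2; rc=1; }
    return "$rc"
}

# Demonstration on constructed input: a cmdline like the stock Arch Linux ARM
# one, the stock HOOKS line in both syntaxes, and a made-up UUID. On the real
# target run check_privilege_config /mnt/etc from the host after leaving the
# chroot and before unmounting.
crypt_cmdline 'root=/dev/mmcblk0p2 rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0' \
    '0a1b2c3d-0000-4000-8000-000000000001'
enable_encrypt_hooks 'HOOKS="base udev autodetect modconf block filesystems keyboard fsck"'
enable_encrypt_hooks 'HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)'
```

After editing /etc/sudoers with sed, validate it with visudo -c inside the chroot; a syntax error there disables sudo entirely, which combined with a locked root account means reinstalling.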

5. Applications

You might want to configure or install some basic software now. See ArchLinux-Applications for more software tips.
