
How to enable LUKS / Encryption?

Open Deadarius opened this issue 1 year ago • 1 comments

I have copied the contents of the image to an NVMe drive. As there is no installer per se, there was no option to enable LUKS on install. I do now want to enable LUKS (or whichever other way to encrypt the full drive); how can I go about it? Thanks in advance.

Deadarius avatar Nov 21 '24 15:11 Deadarius

It's not possible for an image that has already been baked; LUKS encryption is created before the image is baked and data is written to the partition.

Possible solution.

  1. Recreate the image with the changed kickstart -> example https://github.com/AlmaLinux/raspberry-pi/blob/master/AlmaLinux-9-RaspberryPi-console.aarch64.ks

Original

part / --asprimary --fstype=ext4 --size=2400 --label=rootfs --ondisk=sda

Changed to something like this

part / --asprimary --fstype=ext4 --size=2400 --label=rootfs --ondisk=sda --encrypted --passphrase=My$ecre1Pa$$

TAKE the information below with a grain of salt. I'm not 100% sure 👍🏻.

One of the reasons the LUKS images are not provided is that the encryption key is shared between images after installation. So even though you change your LUKS password with something like:

sudo cryptsetup luksChangeKey /dev/sda1 -S 0

The encryption key (volume key) is accessible only with a different password, but it's the same key!!!

Actually, I checked the specification -> https://gitlab.com/cryptsetup/LUKS2-docs/blob/main/luks2_doc_wip.pdf

And there is section 4.9, Reencryption.

It should be possible to have a common password for images and then inform the user that it is necessary to re-encrypt the device after changing the password.

Something like

sudo cryptsetup luksChangeKey /dev/XXX -S 0
sudo cryptsetup reencrypt /dev/XXX

I'm sorry, but I do not have an ARM64 builder ATM to check it. However, this should give you a rough idea of how you can safely achieve full encryption.

AlexBaranowski avatar Nov 25 '24 11:11 AlexBaranowski
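The volume-key point made above (luksChangeKey only re-wraps the same volume key, so every device flashed from one pre-encrypted image still shares it, and only reencrypt replaces it) is easy to verify with a small model. The following is an added illustration, not code from AlexBaranowski or the AlmaLinux raspberry-pi project, and it does not call cryptsetup at all. It mirrors the LUKS2 header layout (passphrase-derived keyslot keys via PBKDF2-HMAC-SHA256, a PBKDF2 digest of the volume key used to recognise a correct unlock) but with a tiny iteration count, and the data cipher is a hypothetical HMAC-SHA256 counter keystream standing in for the AES-XTS that cryptsetup actually uses. The `LuksImage`, `shared_image_scenario` and helper names are mine.

```python
import copy
import hashlib
import hmac
import os
import secrets

ITERATIONS = 1000  # real LUKS2 uses a much costlier (memory-hard) PBKDF; kept small here


def _kdf(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: derives a keyslot key from a passphrase and, as LUKS2
    does, the volume-key digest that is stored in the header."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, 32)


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Hypothetical stand-in for the real data cipher (AES-XTS in cryptsetup):
    an HMAC-SHA256 counter keystream XORed over the data. Symmetric, so the
    same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class LuksImage:
    """A LUKS-like container: keyslots and a volume-key digest in the header,
    plus the encrypted data area. The volume key itself is never stored."""

    def __init__(self, passphrase: bytes, plaintext: bytes):
        volume_key = secrets.token_bytes(32)  # chosen once, at format (image bake) time
        self.digest_salt = os.urandom(16)
        self.digest = _kdf(volume_key, self.digest_salt)
        self.ciphertext = _xor_stream(volume_key, plaintext)
        self.keyslots = {}
        self._wrap(0, passphrase, volume_key)

    def _wrap(self, slot: int, passphrase: bytes, volume_key: bytes) -> None:
        """Store the volume key in a keyslot, encrypted under the passphrase-derived key."""
        salt = os.urandom(16)
        self.keyslots[slot] = (salt, _xor_stream(_kdf(passphrase, salt), volume_key))

    def unlock(self, passphrase: bytes) -> bytes:
        """Try every keyslot; the header digest identifies the genuine volume key."""
        for salt, wrapped in self.keyslots.values():
            candidate = _xor_stream(_kdf(passphrase, salt), wrapped)
            if hmac.compare_digest(_kdf(candidate, self.digest_salt), self.digest):
                return candidate
        raise ValueError("no keyslot opened with that passphrase")

    def luks_change_key(self, old: bytes, new: bytes, slot: int = 0) -> None:
        """Like `cryptsetup luksChangeKey -S <slot>`: re-wraps the SAME volume key."""
        self._wrap(slot, new, self.unlock(old))

    def reencrypt(self, passphrase: bytes) -> None:
        """Like `cryptsetup reencrypt`: fresh volume key, data re-encrypted,
        digest and keyslots rebuilt. Only this step breaks the link to other copies."""
        plaintext = _xor_stream(self.unlock(passphrase), self.ciphertext)
        new_key = secrets.token_bytes(32)
        self.digest_salt = os.urandom(16)
        self.digest = _kdf(new_key, self.digest_salt)
        self.ciphertext = _xor_stream(new_key, plaintext)
        self.keyslots = {}
        self._wrap(0, passphrase, new_key)

    def decrypt(self, passphrase: bytes) -> bytes:
        return _xor_stream(self.unlock(passphrase), self.ciphertext)


def shared_image_scenario() -> dict:
    """Two devices flashed from one pre-encrypted image (constructed sample data)."""
    image = LuksImage(b"image-default-passphrase", b"constructed sample rootfs data")
    device_a = copy.deepcopy(image)  # every flashed copy carries identical header and keyslots
    device_b = copy.deepcopy(image)

    device_a.luks_change_key(b"image-default-passphrase", b"owner-a-new-passphrase")
    # device_b's unchanged default passphrase still yields exactly device_a's volume key
    same_after_change = (device_a.unlock(b"owner-a-new-passphrase")
                         == device_b.unlock(b"image-default-passphrase"))

    device_a.reencrypt(b"owner-a-new-passphrase")
    same_after_reencrypt = (device_a.unlock(b"owner-a-new-passphrase")
                            == device_b.unlock(b"image-default-passphrase"))

    return {
        "same_volume_key_after_luksChangeKey": same_after_change,
        "same_volume_key_after_reencrypt": same_after_reencrypt,
        "data_intact_after_reencrypt":
            device_a.decrypt(b"owner-a-new-passphrase") == b"constructed sample rootfs data",
    }


if __name__ == "__main__":
    for check, result in shared_image_scenario().items():
        print(f"{check}: {result}")
```

The scenario returns `True` for the first key, showing that after a passphrase change the default-passphrase copy still unwraps the very same volume key, and `False` for the second, showing that only reencrypt gives the device a key no other copy of the image holds. On a real device the equivalent observation is that `cryptsetup luksDump` keeps the same volume-key digest across luksChangeKey and shows a new one after reencrypt.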

I was able to get this working using the kickstart method above. This even includes using Clevis for Network Bound Disk Encryption.

The main gotcha is that, for some reason, the Kernel rpmspec was modified to not regenerate the initramfs, which is a requirement to properly manage FDE with Clevis. I'm not sure who the correct person is to contact about this; regenerating the initramfs should be enabled by some configuration parameter or maybe a meta-package of some description.

BlamKiwi avatar Mar 27 '25 00:03 BlamKiwi