Slackware Aarch64: Disk Encryption

I prefer to encrypt the storage on all of my mobile devices. This post applies only to the Pinebook Pro running Slackware Aarch64.

An official document discussing disk encryption has been added to the Slackware documentation project.

It is an easy step to implement while installing Slackware x86_64, and the Aarch64 port is no exception. At the time of this writing only a few steps deviate from README_CRYPT.TXT, which is available on every SlackwareAarch64-current mirror. I will be encrypting the root partition and the swap partition using LUKS + LVM. The boot partition stays on the SD card unencrypted: the boot loader has to read the kernel and the initrd before anything can be decrypted, so those files must remain clear text. I will only document the parts of this procedure that deviate from the Slackware documentation.

Step 1: Partition your disks

This step is covered thoroughly in many places online. Just be sure you run “cryptsetup” on a storage device that does not contain important files: luksFormat irrevocably erases it.

The partition layout I used on my Pinebook Pro was pretty simple. I took the internal Kingston NVMe drive and added a single partition filling the whole disk. The Slackware installer identified the disk as /dev/nvme0n1 and the partition as “p1”, so /dev/nvme0n1p1. I formatted it with cryptsetup using a 256-bit key (-s 256). Note that with the default aes-xts-plain64 cipher, XTS splits the key in two, so -s 256 gives AES-128; use -s 512 if you want AES-256. Be aware that the device name could be different on your system. Check the output of the “lsblk” command before running anything destructive.

cryptsetup -s 256 -y luksFormat /dev/nvme0n1p1

Step 2: After Formatting

Open the LUKS container and type in the passphrase you entered during the previous step. The decrypted device appears as /dev/mapper/luksnvme0n1p1.

cryptsetup luksOpen /dev/nvme0n1p1 luksnvme0n1p1

Step 3: Initialize and create the logical volumes

These commands are borrowed from the README_CRYPT.TXT directions; read that document if you need an explanation. README_CRYPT.TXT can be found on your installation medium or on a Slackware mirror. Information about Slackware mirrors, including how to find the one geographically closest to you, is listed here.

pvcreate /dev/mapper/luksnvme0n1p1

vgcreate cryptvg /dev/mapper/luksnvme0n1p1

lvcreate -L 4G -n swap cryptvg

lvcreate -l 100%FREE -n root cryptvg

Step 4: Format Swap and Launch Installer

mkswap /dev/cryptvg/swap

setup

This part should be the same as in the README_CRYPT.TXT document. Be certain you select the correct root volume (/dev/cryptvg/root) and swap volume (/dev/cryptvg/swap), and the rest of the installer should proceed as usual.

DO NOT REBOOT YET!

Exit the installer and choose the option to be dropped to a shell.

Step 5: Post Installation

An earlier version of this post outlined extra post-install directions. There is no longer any need to touch the initrd or to create a load_kernel_modules.post: support for full disk encryption has been tested and works with Slackware Aarch64. From the ChangeLog.txt in SlackwareAarch64-current:

Mon Feb 14 08:08:08 UTC 2022
a/kernel_armv8-5.15.23-aarch64-1.txz:  Upgraded.
 /boot/initrd-armv8:
 Added cryptsetup and dependencies required for LUKS.

The next step modifies the boot loader configuration to name the root volume and the LUKS block device. If you make any other changes related to kernel modules or firmware, run os-initrd-mgr so the initrd picks them up.

Step 6: Edit the boot loader

Do not power off or reboot your system yet. Enter a chroot shell (if you haven’t already) so we can update the boot loader configuration.

chroot /mnt

In the chroot shell, edit the boot loader configuration file so the kernel is told where the encrypted root lives. At the time of this writing this step is manual; it’s possible that in the future the Slackware ARM installer will do this for you.

Edit /boot/extlinux/extlinux.conf with vim or nano so that the APPEND line reads:

APPEND rootfs=ext4 root=/dev/cryptvg/root luksdev=/dev/nvme0n1p1

Edit the existing APPEND line so that its “root” and “luksdev” parameters match the line above: point luksdev to the encrypted block device (the LUKS partition) and root to the decrypted logical volume, never to the LUKS partition itself.
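The edit above can be scripted and then checked. The following helper is an added example, not code from the original post or from the Slackware installer. It assumes a single APPEND line, kernel parameters without whitespace, and uses a constructed sample extlinux.conf (not the file Slackware Aarch64 ships) as its input:

```shell
#!/bin/sh
# Added example, not from the original post or the Slackware installer: a
# helper that performs the Step 6 edit to /boot/extlinux/extlinux.conf from
# the chroot and then sanity-checks the result.
# Assumptions: the file has a single APPEND line, kernel parameters contain no
# whitespace, and the sample file written below is a constructed stand-in,
# not the extlinux.conf that Slackware Aarch64 actually ships.

# set_kparam FILE KEY VALUE: on the APPEND line, replace KEY=... if present,
# otherwise append KEY=VALUE. Other parameters and indentation are preserved.
set_kparam() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        $1 == "APPEND" {
            match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
            found = 0
            for (i = 2; i <= NF; i++)
                if (index($i, key "=") == 1) { $i = key "=" value; found = 1 }
            if (!found) $(NF + 1) = key "=" value
            $0 = indent $0        # field assignment rebuilt $0 without indent
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"          # cat rather than mv keeps the file's owner and mode
    rm -f "$tmp"
}

# get_append_line FILE: print the APPEND line as it stands in FILE.
get_append_line() {
    awk '$1 == "APPEND" { print; exit }' "$1"
}

# kparam_value LINE KEY: print the value of KEY= on a kernel command line,
# or nothing if it is absent ("root=" does not match "rootfs=").
kparam_value() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
    }'
}

# configure_luks_boot FILE ROOT LUKSDEV: the Step 6 edit. ROOT is the
# decrypted logical volume, LUKSDEV the raw LUKS partition the initrd opens.
configure_luks_boot() {
    set_kparam "$1" root "$2" && set_kparam "$1" luksdev "$3"
}

# check_luks_boot FILE: succeed only when the APPEND line names both root=
# and luksdev= and they differ. root= pointing at the LUKS partition itself
# is the classic mistake: the initrd would try to mount ciphertext.
check_luks_boot() {
    line=$(get_append_line "$1")
    root=$(kparam_value "$line" root)
    luksdev=$(kparam_value "$line" luksdev)
    [ -n "$root" ] && [ -n "$luksdev" ] && [ "$root" != "$luksdev" ]
}

# Constructed sample (not the file Slackware writes): a fresh install whose
# root is still the unencrypted partition the installer chose.
write_sample_conf() {
    cat > "$1" <<'EOF'
DEFAULT linux
TIMEOUT 50

LABEL linux
  MENU LABEL Slackware Aarch64
  LINUX /vmlinuz-armv8
  INITRD /initrd-armv8
  APPEND rootfs=ext4 root=/dev/mmcblk2p2 console=ttyS2,1500000
EOF
}

# Stand-alone demo: edit a throwaway copy and show the before/after lines.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
echo "before: $(get_append_line "$demo_conf")"
configure_luks_boot "$demo_conf" /dev/cryptvg/root /dev/nvme0n1p1
echo "after:  $(get_append_line "$demo_conf")"
check_luks_boot "$demo_conf" && echo "check: ok" || echo "check: FAILED"
rm -f "$demo_conf"
```

Inside the chroot you would run it against the real file, substituting your own device names: configure_luks_boot /boot/extlinux/extlinux.conf /dev/cryptvg/root /dev/nvme0n1p1, then check_luks_boot /boot/extlinux/extlinux.conf. The check only catches the most common mistake (root= left pointing at the LUKS partition instead of the logical volume); it cannot verify that the devices exist, so still compare the names against lsblk.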

Save and close the extlinux.conf boot loader configuration and proceed to the next step.

Step 7: Shut Down the System

Exit the chroot shell by typing “exit” and shut down the system completely by typing “poweroff”. If nothing happens, add the -f flag: “poweroff -f”. A complete shutdown is required on the Pinebook Pro, since U-Boot sometimes does funny things when the “reboot” command is executed.

Step 8: Profit

Go about your day and be comforted by the fact that your data at rest is now encrypted!

Questions and Comments will be answered on LinuxQuestions.org.

Thanks for Reading!

Author: Brenton Earl
Author of exitstatus.one.

4 thoughts on “Slackware Aarch64: Disk Encryption”

  1. Hi! I’ve got one question and would be glad to move over to LinuxQuestions.

    I’ve been working on getting full disk encryption going with slackware-aarch64 on an NVME drive in my PBP. After three attempts, I figured I’d ask for help.

    In the official slackware-aarch64 installation instructions for the PBP, it says passwords for encrypted partitions can only be entered over serial console and that there’s not yet a workaround.

    However, in the youtube video on os-initrd-mgr, it’s stated that it should be relatively easy to use the layout of the load_kernel_modules.post script to make the necessary adjustments for luks.

    I tried putting /dev/nvme0n1p1 (also tried specifying by UUID) in /boot/local/luksdev and putting modprobe dm_crypt (also tried dm-crypt) in /boot/local/load_kernel_modules prior to running os-initrd-mgr.

    No cigar. Pretty sure I’m doing something wrong.

    My one question: How’d you go about modifying that ramdisk to support LUKS + LVM encrypted volumes?

    Thank you,
    -slacaroni-and-cheese

    1. The trick is to drop to a chroot on /mnt after the Slackware installer finishes the process. The cryptsetup command and all its dependencies were added into the stock ramdisk for the installer. The cryptsetup command can be added to the /boot/local/load_kernel_modules.post file. Then run the os-initrd-mgr command within the chroot. After that you will need to modify your /boot/extlinux/extlinux.conf to point to your encrypted root disk.

      You shouldn’t need to modify the ramdisk manually like I did.

      You can then detach your drives, reboot, and type your password to decrypt your root disk. You will not have anything on the display at this point because the kernel boot text is being displayed in a serial console. This will be fixed in the future. This isn’t all that practical, I know. What you can do instead is wait a minute or two, then type in your password. After you hit enter, wait 10-15 seconds, and you will then see on the display a login prompt to your decrypted system.

  2. Ah, makes perfect sense, thank you very much.

    I’ve conducted three more full installs (probably should be tinkering with the existing one through the installer) and am still being met with a black screen. It doesn’t seem to be taking keyboard input – CAPS light remains off. Tried rebooting and carefully typing passphrase a few times.

    Haven’t yet found any mistakes or missed steps but determined to get to the bottom of it. Boots no problem without encryption. Seems like I’m following these instructions exactly.

    I aim to report victory once obtained.

    Thank you,
    -slacaroni-and-cheese

    1. You didn’t miss any steps. The black screen and the lack of a password prompt were resolved. Stuart and I fixed it all up. A password prompt will be present during boot time on your monitor. If you have multiple hard disks, it should also work with those when pointing to LABEL or the UUID of the installed disks.

      Personally, I use a key file stored on the SD card, which also contains the kernel (/boot). I find it easier to just remove the SD card when I want to deny access to my system. I did add a second LUKS decryption key with a password. This allows the use of a password OR key file for decryption. Just in case I lose my SD card!
