I prefer to encrypt the storage on all of my mobile devices. This post applies only to the Pinebook Pro running Slackware.
It is an easy step to implement while installing Slackware x86_64, and the Aarch64 port is no exception. At the time of this writing, there are only a few steps that deviate from the README_CRYPT.TXT, which is available on every SlackwareAarch64-current mirror. I will be encrypting the root partition and the swap partition using LUKS + LVM. The boot partition will remain on the SD Card unencrypted, where it is necessary that these files remain clear text. I will only document the parts of this procedure that deviate from the Slackware documentation.
Step 1: Partition your disks
This step is covered thoroughly in many places online. Just be sure you are running “cryptsetup” on a storage device that does not contain important files. It will be irrevocably erased.
The partition layout I used on my Pinebook Pro was pretty simple. I took the internal Kingston NVMe drive, and added a partition to fill the whole disk. The disk was identified by the Slackware installer as /dev/nvme0n1, using partition “p1”, so /dev/nvme0n1p1. I formatted it with cryptsetup using a key size of 256. Be aware that /dev/nvme0n1p1 could be different on your system. Make sure you check the output of the “lsblk” command.
cryptsetup -s 256 -y luksFormat /dev/nvme0n1p1
Step 2: After Formatting
Open the disk and type in the password you entered during the previous step.
cryptsetup luksOpen /dev/nvme0n1p1
Step 3: Initialize and create the logical volumes
These commands are borrowed from the README_CRYPT.TXT directions. Read that document if you require an explanation. The README_CRYPT.TXT can be found on your installation medium or on a Slackware mirror as a reference. More information about Slackware mirrors or to find the mirror geographically closest to you is listed here.
vgcreate cryptvg /dev/mapper/luksnvme0n1p1
lvcreate -L 4G -n swap cryptvg
lvcreate -l 100%FREE -n root cryptvg
Step 4: Format Swap and Launch Installer
This part should be the same as the README_CRYPT.TXT document. Be certain you select the correct root disk (/dev/cryptvg/root) and the swap partition (/dev/cryptvg/swap) and you should be golden until the installer is finished.
DO NOT REBOOT YET!
Exit the installer and choose the option to be dropped to a shell.
Step 5: Post Installation
Previously this step outlined some post install directions. There is no need to do anything to the initrd or to create a load_kernel_modules.post at this point. Support for full disk encryption has been tested and will work with Slackware Aarch64 . From the ChangeLog.txt in SlackwareAarch64-current:
Mon Feb 14 08:08:08 UTC 2022
Added cryptsetup and dependencies required for LUKS.
Follow the next step to modify the boot loader configuration to enable the right partition, and LUKS block device. Make sure you run os-initrd-mgr if you happen to make any other changes related to kernel modules or firmware.
Step 6: Edit the boot loader
Do not power off or reboot your system. Enter a chroot shell (if you haven’t already) so we can update the boot loader configuration.
In the chroot shell, edit the boot loader configuration file to point to your encrypted root disk. At the time of this writing this step is manual. It’s possible in the future that the Slackware ARM installer will do this for you.
Edit: /boot/extlinux/extlinux.conf with vim or nano.
APPEND rootfs=ext4 root=/dev/cryptvg/root luksdev=/dev/nvme0n1p1
You need to edit the “root” variable and the “luksdev” variable to the above line. Point luksdev to your encrypted block device. Set root to your decrypted disk volume.
Save and close the extlinux.conf boot loader configuration and proceed to the next step.
Step 7: Shut Down the System
Exit the chroot shell by typing “exit” and shut down the system completely by typing “poweroff”. If nothing happens add the -f flag to the command, “poweroff -f”. It is a requirement to shut down the system completely on the Pinebook Pro. Sometimes U-boot does funny things when the “reboot” command is executed.
Step 8: Profit
Go about your day and be comforted by the fact that your data is secure!
Questions and Comments will be answered on LinuxQuestions.org.
Thanks for Reading!