tl;dr: Are there steps to set up the LUKS encrypted drive (where one doesn’t exist) after flashing?
I just reflashed my phone using the instructions here: https://puri.sm/posts/reflashing-the-librem-5/
After going through the initial setup post-flash, I realised that the LUKS partition is missing.
Digging through the forums, some have mentioned running the official scripts with a switch for the encrypted drive image.
However, others have mentioned that you will end up with a cloned key, making the encrypted drive vulnerable.
I’m guessing the best way to proceed is to encrypt after the flash but I’m unclear on that point.
I’m hoping one of you kind people can advise on the best way to proceed?
I think the step missing is before flashing. You have to download the correct variant i.e. the one that even has the LUKS partition.
Then, yes, you are right. There is the risk (certainty?) that you will end up with a globally available LUKS master key. I believe that Purism will fix this - so it could depend on when they fix it v. when you download it. However …
Assuming that you wish to reencrypt with a new random LUKS master key then somewhere in this forum you will find instructions for doing that i.e. after downloading and before flashing. (Since LUKS is standard across Linux, you can reencrypt on a Linux host computer before even flashing onto your Librem 5.)
You should of course also update the LUKS slot unlock passphrase but that is trivial by comparison with reencrypting the drive.
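An added example, not part of either post and not Purism's code: a way to check whether a device still carries the volume (master) key of a published image, by comparing the volume-key digests stored in the two LUKS headers. It assumes a LUKS2 header (the thread does not state the version); the function names and the sample headers are constructed for illustration.

```python
import base64, hashlib, json, struct

LUKS2_MAGIC = b"LUKS\xba\xbe"
BIN_HDR = 4096  # size of the binary header; the JSON metadata area follows it

def volume_key_fingerprint(header: bytes) -> str:
    """Hash every volume-key digest (salt + digest) found in a primary LUKS2 header."""
    if header[:6] != LUKS2_MAGIC:
        raise ValueError("not a primary LUKS2 header")
    version, hdr_size = struct.unpack(">HQ", header[6:16])  # big-endian fields
    if version != 2 or not BIN_HDR < hdr_size <= len(header):
        raise ValueError("unsupported version or truncated header")
    meta = json.loads(header[BIN_HDR:hdr_size].split(b"\0", 1)[0])
    h = hashlib.sha256()
    for _, d in sorted(meta["digests"].items()):
        h.update(base64.b64decode(d["salt"]) + base64.b64decode(d["digest"]))
    return h.hexdigest()

def shares_volume_key(mine: bytes, published: bytes) -> bool:
    """True when both headers carry identical volume-key digests (a cloned key)."""
    return volume_key_fingerprint(mine) == volume_key_fingerprint(published)

def constructed_header(vk_salt: bytes, vk_digest: bytes, slot_salt: bytes) -> bytes:
    """Build a minimal, constructed LUKS2 header for the demonstration below."""
    b64 = lambda b: base64.b64encode(b).decode()
    meta = {
        "keyslots": {"0": {"type": "luks2", "kdf": {"salt": b64(slot_salt)}}},
        "digests": {"0": {"type": "pbkdf2", "hash": "sha256",
                          "salt": b64(vk_salt), "digest": b64(vk_digest)}},
    }
    area = json.dumps(meta).encode().ljust(12288, b"\0")
    binary = LUKS2_MAGIC + struct.pack(">HQ", 2, BIN_HDR + len(area))
    return binary.ljust(BIN_HDR, b"\0") + area

# Constructed sample data, not taken from any real image.
PUBLISHED = constructed_header(b"A" * 32, b"D" * 32, b"s1" * 16)
PASSPHRASE_CHANGED = constructed_header(b"A" * 32, b"D" * 32, b"s2" * 16)
REENCRYPTED = constructed_header(b"B" * 32, b"E" * 32, b"s3" * 16)

if __name__ == "__main__":
    print(shares_volume_key(PASSPHRASE_CHANGED, PUBLISHED))  # passphrase change only
    print(shares_volume_key(REENCRYPTED, PUBLISHED))         # new volume key
```

Changing only the unlock passphrase re-wraps the same volume key, so the digest still matches the published image; only reencryption produces a new one.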