Tutorial: Full disk encryption on Librem5

This post aims to be a simple and noob-friendly tutorial to test LUKS encryption on the Librem5. This is how I found my way through it and there might be different methods. At the end of the instructions you will have an encrypted root filesystem, encrypted with a passphrase of your choice, using the full size of the phone’s disk. The original Byzantium-luks image from Purism is only 3.7GB, but we will expand it to the whole disk.

This method doesn’t offer the opportunity to regenerate the encryption keys (LUKS type 1 doesn’t allow re-encryption of online partitions). Remember: encryption key ≠ encryption passphrase. This means it is not as secure as it should be; it is meant for testing. Still, the security of using the phone after following these instructions is improved compared with no encryption at all.

We start by flashing the latest Byzantium-Luks image with the script and instructions found in the librem5-devkit-tools:

Flash with this command:

$ ./librem5-flash-image --dist byzantium --variant luks --skip-cleanup

TIP: In case you want to reflash again without downloading the image again, the "--skip-cleanup" argument saves a folder named like "devkit_image_flj6du8z…" with everything you need for an offline flashing with your existing image.

For flashing your device from a previously downloaded image, enter the "devkit_image_flj…" folder (you should see 3 files) and use:

$ uuu flash_librem5r4.lst

Once done, boot the phone and enter the decryption passphrase, default is “123456”.

Connect your librem5 via USB to your computer and access it via picocom:

$ sudo picocom -b 115200 /dev/ttyACM0

Press Enter, it will ask for your login and password. Default username “purism”, default password “123456”.

Now we are going to expand the encrypted partition from 3.7GB to the full size of the disk.
For that I follow these instructions, describing them a bit more:

First we use cfdisk to alter the partitions:

$ sudo cfdisk /dev/mmcblk0

You should see a menu. With the arrows, select the partition /dev/mmcblk0p2 and press “Delete”.
Then press “New” partition, it will appear with the full size, select “primary”, and confirm it.
Press “Write” to save the changes, type yes to confirm, then press “Quit”.

Reboot the system with:
$ sudo reboot

You should be disconnected. Enter the decryption passphrase once again on your phone, then connect via USB with picocom as described before, and enter your username and password again.

Run these two commands to resize and expand the encrypted partition:

$ sudo cryptsetup resize /dev/mapper/crypt_root
$ sudo resize2fs /dev/mapper/crypt_root

The encrypted partition should have expanded to use the full disk; you can verify it with:
$ df -h

Now let’s change the encryption passphrase:
$ sudo cryptsetup luksChangeKey /dev/mmcblk0p2

First enter the default passphrase (123456).
Then enter your new passphrase twice.

With this your encrypted partition should be as big as the phone’s disk is, and with a password of your choice. As this is a fresh system you might want to update the timezone, time and date, then run an update:
$ sudo apt update && sudo apt upgrade
and change your user passphrase with:
$ passwd

Now you should have a fresh and encrypted librem5.

- To solve the issue of regenerating the encryption keys, I’ve tried to create a separate partition, encrypt it with LUKS type 2 and migrate the whole system there via rsync, but I didn’t manage to instruct u-boot to boot from a different partition.
- Another approach could be to use the Jumpdrive to regenerate the encryption keys while the encrypted partition is not mounted, but I haven’t tried it yet.
I would be eager to hear other experiences or methods.

Thanks to the devs and community of Librem5 in Matrix for patiently helping to navigate some questions.

22 Likes

Hi! Cool tutorial. :slight_smile:

In this case, will /boot be encrypted too, or not?

When I try to run the
./librem5-flash-image --dist byzantium --variant luks --skip-cleanup

the script says “INFO Looking for librem5r4 luks byzantium image”
and then “ERROR No matching image found”

I looked, and it does seem like the latest Jenkins image for byzantium-luks has failed to build. Is anyone else seeing the same thing?

I believe “no”. The partition for /boot is not encrypted. The other partition (the main partition, the root partition) is encrypted.

1 Like

Great job Beltrandroid!!:clap::clap::clap:
And thank you so much for sharing it!
Anyway I hope it’ll be done automatically by Purism ASAP :sweat_smile:
And I hope to have a picture password too, so there is no stress hiding the keyboard with one hand or being scared of being spied on by someone behind me or by a camera while unlocking my phone/display.

Exactly, as pointed out by @irvinewade, /boot still remains unencrypted with this method. With the hypothetical second scenario using the Jumpdrive we could also encrypt the rest of the disk.

It was commented before that full disk encryption is close to being shipped by default, and seeing how it works with this method I think it will be coming soon.

@amuser you are right, thanks for flagging this! The script now returns byzantium --plain but not byzantium --luks. I wonder if it was stopped or what; I will ask around. The --skip-cleanup has proven handy because of this: I have the last image I used saved on my disk :slight_smile:

1 Like

Hi @amuser, this seemed a problem with the building of Purism images, it is now solved and working again:

2021-06-05 17:16:43 INFO Found disk image Build 7925 'luks librem5r4 byzantium image' from Sat Jun  5 05:45:17 2021

Great tutorial, :+1: I had something to learn from here, thanks!

1 Like

I just managed to make the necessary reencryption.

The quick way is that you have to go to the path of the downloaded image and do the following:
# attach the image with partitions exposed (/dev/loopN, /dev/loopNp1, /dev/loopNp2)
reencrypted_loop_device=$(losetup -P -f --show librem5r4.img)
# re-encrypt the root partition in place with a fresh master key (asks for the passphrase)
cryptsetup-reencrypt "${reencrypted_loop_device}p2"
losetup -d "${reencrypted_loop_device}"

I think something like this should be integrated into librem5-flash-image.
Alternatively, I created a script which creates a new image and creates a new LUKS container.

For this you have to install:
apt install partman

This is the code of the script, which needs the folder which was downloaded by librem5-flash-image as input:
#!/bin/bash
# Run as root on the laptop: losetup, cryptsetup and partclone need it.
source_path=$1
reencrypted_path="${source_path}_reencrypted"

# Refuse to run without the image folder; otherwise rm -rf and cp operate on "" and "_reencrypted".
if [[ -z "${source_path}" || ! -f "${source_path}/librem5r4.img" ]]; then
    echo "Usage: $0 <folder downloaded by librem5-flash-image>" >&2
    exit 1
fi

if [[ -d "${reencrypted_path}" ]]; then
    echo "Cleaning up path for reencrypted version: '${reencrypted_path}'"
    rm -rf "${reencrypted_path}"
    echo ""
fi
echo "Copying Source Path to '${reencrypted_path}'"
cp -a "${source_path}" "${reencrypted_path}"

echo ""
echo "Opening Source LUKS Container..."
source_loop_device=$(losetup -P -f --show "${source_path}/librem5r4.img")
cryptsetup luksOpen "${source_loop_device}p2" Librem5_Orig
cryptsetup status /dev/mapper/Librem5_Orig
# Reuse the original UUID so anything that refers to the container by UUID still matches.
UUID=$(cryptsetup luksDump "${source_loop_device}p2" | grep UUID | sed -e 's/^UUID:\s*\(\S*\)$/\1/')

echo ""
echo "Reencrypting new LUKS Container..."
reencrypted_loop_device=$(losetup -P -f --show "${reencrypted_path}/librem5r4.img")
# New container with a fresh master key; -q skips the confirmation prompt, the passphrase is still asked.
cryptsetup luksFormat --type luks1 --key-size 256 --uuid "${UUID}" -q "${reencrypted_loop_device}p2"

echo ""
echo "Opening Reencrypted LUKS Container..."
cryptsetup luksOpen "${reencrypted_loop_device}p2" Librem5_Reencrypted
cryptsetup status /dev/mapper/Librem5_Reencrypted

echo ""
echo "Transferring all data to the reencrypted LUKS Container..."
partclone.ext4 --dev-to-dev -s /dev/mapper/Librem5_Orig -o /dev/mapper/Librem5_Reencrypted

echo ""
echo "Unloading the crypt containers..."
cryptsetup luksClose /dev/mapper/Librem5_Reencrypted
cryptsetup luksClose /dev/mapper/Librem5_Orig
losetup -d "${reencrypted_loop_device}"
losetup -d "${source_loop_device}"

echo ""
echo "New Image created successfully"
echo "Please put your Librem5 into flash mode"
echo "cd '${reencrypted_path}'"
echo "uuu flash_librem5r4.lst"

2 Likes
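An added check that is not part of either post: a small POSIX shell parser for `cryptsetup luksDump` output in the LUKS1 layout, reporting header version, UUID and enabled key slots. It serves the tutorial's luksChangeKey step (confirm that only one slot remains, i.e. the default 123456 slot is gone) and the script above's UUID extraction; the function names and the sample dump are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses a LUKS1 `cryptsetup luksDump`
# report read from stdin and reports header version, UUID and enabled key slots.
# Real use on the phone:  sudo cryptsetup luksDump /dev/mmcblk0p2 | luks_summary

luks_summary() {
    version=""; uuid=""; enabled=""
    while IFS= read -r line; do
        case "$line" in
            Version:*) version=$(printf '%s' "${line#Version:}" | tr -d '[:space:]') ;;
            UUID:*)    uuid=$(printf '%s' "${line#UUID:}" | tr -d '[:space:]') ;;
            "Key Slot "*": ENABLED")           # e.g. "Key Slot 0: ENABLED"
                slot=${line#"Key Slot "}
                enabled="${enabled:+$enabled,}${slot%%:*}" ;;
        esac
    done
    printf 'version=%s uuid=%s enabled_slots=%s\n' "$version" "$uuid" "${enabled:-none}"
}

# Just the UUID, usable as: cryptsetup luksFormat --uuid "$(cryptsetup luksDump DEV | luks_uuid)" ...
luks_uuid() {
    luks_summary | sed 's/.*uuid=\([^ ]*\).*/\1/'
}

# Succeeds only for a LUKS1 header with exactly one enabled slot, i.e. after
# luksChangeKey replaced the default "123456" slot and nothing else was added.
luks_single_slot_ok() {
    s=$(luks_summary)
    case "$s" in
        "version=1 "*) ;;
        *) return 1 ;;
    esac
    slots=${s##*enabled_slots=}
    [ "$slots" != none ] && [ "${slots#*,}" = "$slots" ]
}

# Constructed sample (made-up UUID, abbreviated slot details) in the layout
# cryptsetup prints for LUKS1: slot 0 enabled, slots 1-7 disabled.
sample_dump() {
    printf 'LUKS header information for /dev/mmcblk0p2\n\n'
    printf 'Version:       \t1\nCipher name:   \taes\nCipher mode:   \txts-plain64\n'
    printf 'Hash spec:     \tsha256\nMK bits:       \t256\n'
    printf 'UUID:          \t1b3c4d5e-0000-4000-8000-000000000000\n\n'
    printf 'Key Slot 0: ENABLED\n\tIterations:         \t1234567\n'
    n=1; while [ "$n" -le 7 ]; do printf 'Key Slot %d: DISABLED\n' "$n"; n=$((n+1)); done
}

if [ -n "${1:-}" ]; then sudo cryptsetup luksDump "$1" | luks_summary; fi
```

A second enabled slot in the report means the old passphrase still opens the container, which is exactly what the check is meant to catch.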

Just a small note for expanding the encrypted partition from 3.7GB to the full size of the disk.

The commands can also be entered directly on the Librem5. So maybe they could just be integrated into the LUKS image by Purism.

1 Like

Hi @Cc281080, I’m finally having a moment to try this out. I have written the script into a file I named crypto.sh, but I get stuck at the stage of:

For this you have to Install:
apt install partman

I can’t seem to find the package you are pointing at here. When I run it as it is on my system it gives several errors.
I assume this is meant to run on my laptop to reencrypt the image and after that flash it to the phone, correct?
Thanks!

Yes, it should be run on your desktop/laptop, which will be flashing your phone.

I used Debian Bullseye for this, which is the current testing version. But there have been announcements that it will be released (as stable) soon.

First try to flash the Librem5 without the modification with my script.

Could you let me know about the:

For this you have to Install:
apt install partman

If I run it now I get all of this:

$ ./crypto.sh
“Coping Source Path to ‘_reencrypted’”
cp: cannot stat ‘“”’: No such file or directory
“”
“Opening Source LUKS Container…”
./crypto.sh: line 14: -P: command not found
Device “p2” doesn’t exist or access denied.
/dev/mapper/Librem5_Orig is inactive.
./crypto.sh: line 17: luksDump: command not found
“”
“Reencryptipng new LUKS Container…”
./crypto.sh: line 21: -P: command not found
Device “p2” doesn’t exist or access denied.
“”
“Opening Reencrypted LUKS Container…”
Device “p2” doesn’t exist or access denied.
/dev/mapper/Librem5_Reencrypted is inactive.
“”
“Transfering all data to the reencrypted LUKS Container…”
./crypto.sh: line 31: partclone.ext4: command not found

You need to install partclone. Under Debian Bullseye this is done by entering in a terminal as root:
apt install partclone
(Not partman)

When it is installed you should be prepared to use the script on a downloaded Librem5 image.

To get a Librem5 image you should follow the regular Librem5 flash process and use the command you already posted in the first post:
./librem5-flash-image --dist byzantium --variant luks --skip-cleanup

After downloading you could use the script to reencrypt the Image:
./crypto.sh {folder of the downloaded Librem5 Image}

The reencrypted Image will be stored in a new folder and can be flashed with:
uuu flash_librem5r4.lst
(Like described in your first post)

It should actually be:
apt install partclone

This package:
https://packages.debian.org/de/bullseye/partclone

I will fix it in my other posts (if possible)

Managed to get partclone installed; that part is now clear!

But I still get the same errors when running the script. The only change is that the last line of the output from the script before was:

“Transfering all data to the reencrypted LUKS Container…”
./crypto.sh: line 31: partclone.ext4: command not found

and now it is:

“Transfering all data to the reencrypted LUKS Container…”
open logfile /var/log/partclone.log error

All the previous ones remain the same. :confused:

You have to call it with the folder of the Image (which was downloaded from librem5-flash-image) as parameter:
./crypto.sh {folder to Librem5 Image}

thanks for the replies!

I tried running it with the script in the same folder as the image, or giving the folder name as the parameter to the script, but the same errors are happening.

Don’t put the script in the same folder. Give the folder name as parameter.

The script copies the folder and reencrypts the image in the new folder.

That’s what I did (as mentioned in my previous reply): I added the absolute path to the folder, but the errors remain.