Tutorial: Full disk encryption on Librem5

This post aims to be a simple and noob-friendly tutorial to -test- LUKS encryption on the Librem5. This is how I found my way through it and there might be different methods. At the end of the instructions you will have an encrypted root filesystem, encrypted with a passphrase of your choice, using the full size of the phone’s disk. The original image of Byzantium-luks from Purism is only 3.7GB, but we will expand it to the whole disk.

This method doesn’t offer the opportunity to regenerate the encryption keys (LUKS type 1 doesn’t allow for reencryption of online partitions). Remember --> encryption key ≠ encryption passphrase. Meaning it is -not as secure as it should be-, it’s meant for testing. Still, the security of using the phone after following these instructions is improved compared with no encryption at all.

We start by flashing the latest Byzantium-Luks image with the script and instructions found in the librem5-devkit-tools:

Flash with this command:

$ ./librem5-flash-image --dist byzantium --variant luks --skip-cleanup

TIP: In case you want to reflash again without downloading the image again, the “--skip-cleanup” argument saves a folder named like “devkit_image_flj6du8z…” with everything you need for an offline flashing with your existing image.

For flashing your device from a previously downloaded image, enter the “devkit_image_flj…” folder (you should see 3 files) and use:

$ uuu flash_librem5r4.lst

Once done, boot the phone and enter the decryption passphrase, default is “123456”.

Connect your librem5 via USB to your computer and access it via picocom:

$ sudo picocom -b 115200 /dev/ttyACM0

Press Enter, it will ask for your login and password. Default username “purism”, default password “123456”.

Now we are going to expand the encrypted partition from 3.7GB to the full size of the disk.
For that I follow these instructions, describing them a bit more:

First we use cfdisk to alter the partitions:

$ sudo cfdisk /dev/mmcblk0

You should see a menu. With the arrows, select the partition /dev/mmcblk0p2 and press “Delete”.
Then press “New” partition, it will appear with the full size, select “primary”, and confirm it.
Press “Write” to save the changes, type yes to confirm, then press “Quit”.

Reboot the system with:
$ sudo reboot

You should be disconnected. Enter the decryption passphrase once again in your phone, then connect via USB with picocom as described before, and insert again your username and password.

Run these two commands to resize and expand the encrypted partition:

$ sudo cryptsetup resize /dev/mapper/crypt_root
$ sudo resize2fs /dev/mapper/crypt_root

The encrypted partition should have expanded to use the full disk; you can verify it with:
$ df -h

Now let’s change the encryption passphrase:
$ sudo cryptsetup luksChangeKey /dev/mmcblk0p2

First insert the default passphrase (123456).
Then insert your new passphrase twice.

With this your encrypted partition should be as big as the phone’s disk is, and with a password of your choice. As this is a fresh system you might want to update the timezone, time and date, then run an update:
$ sudo apt update && sudo apt upgrade
and change your user passphrase with:
$ passwd

Now you should have a fresh and encrypted librem5.

-To solve the issue of regenerating the encryption keys, I’ve tried to create a separate partition, encrypt it with LUKS type 2 and migrate the whole system there via rsync, but I didn’t manage to instruct u-boot to boot from a different partition.
-Another approach could be to use the Jumpdrive to regenerate the encryption keys while the encrypted partition is not mounted, but I haven’t tried it yet.
I would be eager to hear other experiences or methods.

Thanks to the devs and community of Librem5 in Matrix for patiently helping to navigate some questions.

22 Likes

Hi! Cool tutorial. :slight_smile:

In this case, the /boot will be encrypted too, or not?

When I try to run the
/librem5-flash-image --dist byzantium --variant luks --skip-cleanup

the script says “INFO Looking for librem5r4 luks byzantium image”
and then “ERROR No matching image found”

I looked, and it does seem like the latest Jenkins image for byzantium-luks has failed to build. Is anyone else seeing the same thing?

I believe “no”. The partition for /boot is not encrypted. The other partition (the main partition, the root partition) is encrypted.

1 Like

Great job Beltrandroid!!:clap::clap::clap:
And thank you so much for sharing it!
Anyway I hope it’ll be done automatically by Purism ASAP :sweat_smile:
And hope to have picture password too so no stress to hide keyboard with one hand or scared to be spied by someone back to me or cam during my unlocking phone/display.

Exactly, as pointed out by @irvinewade, /boot still remains unencrypted with this method. With the hypothetical second scenario using the Jumpdrive we could also encrypt the rest of the disk.

It was commented before that full disk encryption is coming close to being shipped by default, and seeing how it works with this method I think it will be coming soon.

@amuser you are right, thanks for flagging this! The script now returns byzantium --plain but not byzantium --luks. I wonder if it was stopped or what, will ask around. The --skip-cleanup has proven handy because of this, I have the last image I used saved on my disk :slight_smile:

1 Like

Hi @amuser, this seemed a problem with the building of Purism images, it is now solved and working again:

2021-06-05 17:16:43 INFO Found disk image Build 7925 'luks librem5r4 byzantium image' from Sat Jun  5 05:45:17 2021

Great tutorial, :+1: I had something to learn from here, thanks!

1 Like

I just managed to make the necessary reencryption.

The quick way is to go to the path of the downloaded image and do the following:
# attach the image with its partitions exposed, reencrypt p2 in place, then detach it
reencrypted_loop_device=$(losetup -P -f --show librem5r4.img)
cryptsetup-reencrypt "${reencrypted_loop_device}p2"
losetup -d "${reencrypted_loop_device}"

I think something like this should be integrated into the librem5-flash-image.
Alternatively I created a script which creates a new image and creates a new LUKS container.

For this you have to install the package that provides partclone.ext4:
apt install partclone

This is the code of the script, which needs the folder downloaded by librem5-flash-image as input:
#!/bin/bash
# Usage: sudo ./reencrypt-image.sh <folder downloaded by librem5-flash-image>
# Needs root (losetup, cryptsetup, device-mapper) and partclone.ext4.
set -euo pipefail

source_path=$1
reencrypted_path="${source_path}_reencrypted"

if [[ -d "${reencrypted_path}" ]]; then
    echo "Cleaning up path for reencrypted version: '${reencrypted_path}'"
    rm -rf "${reencrypted_path}"
    echo ""
fi
echo "Copying source path to '${reencrypted_path}'"
cp -a "${source_path}" "${reencrypted_path}"

echo ""
echo "Opening source LUKS container..."
source_loop_device=$(losetup -P -f --show "${source_path}/librem5r4.img")
cryptsetup luksOpen "${source_loop_device}p2" Librem5_Orig
cryptsetup status /dev/mapper/Librem5_Orig
# Keep the original UUID so the image's boot configuration still finds the root device.
UUID=$(cryptsetup luksDump "${source_loop_device}p2" | grep UUID | sed -e 's/^UUID:\s*\(\S*\)$/\1/')

echo ""
echo "Reencrypting new LUKS container..."
reencrypted_loop_device=$(losetup -P -f --show "${reencrypted_path}/librem5r4.img")
# luksFormat generates a fresh master key and prompts for the new passphrase.
cryptsetup luksFormat --type luks1 --key-size 256 --uuid "${UUID}" -q "${reencrypted_loop_device}p2"

echo ""
echo "Opening reencrypted LUKS container..."
cryptsetup luksOpen "${reencrypted_loop_device}p2" Librem5_Reencrypted
cryptsetup status /dev/mapper/Librem5_Reencrypted

echo ""
echo "Transferring all data to the reencrypted LUKS container..."
partclone.ext4 --dev-to-dev -s /dev/mapper/Librem5_Orig -o /dev/mapper/Librem5_Reencrypted

echo ""
echo "Unloading the crypt containers..."
cryptsetup luksClose /dev/mapper/Librem5_Reencrypted
cryptsetup luksClose /dev/mapper/Librem5_Orig
losetup -d "${reencrypted_loop_device}"
losetup -d "${source_loop_device}"

echo ""
echo "New image created successfully"
echo "Please put your Librem5 into flash mode, then run:"
echo "cd '${reencrypted_path}'"
echo "uuu flash_librem5r4.lst"

2 Likes
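The caveat in the opening post (encryption key ≠ encryption passphrase: luksChangeKey rewraps the master key that every copy of the shipped image shares) and the reencryption posted above can both be verified from the LUKS1 header itself, since its master-key digest is a fingerprint of the master key. Below is an added example, not code from this thread: a Python parser for the fixed part of a LUKS1 header (magic, cipher, master-key digest and salt, UUID, key-slot states), run over header bytes constructed here rather than dumped from a phone, showing that a passphrase change leaves the fingerprint unchanged while reencryption yields a new one.

```python
import struct

# LUKS1 on-disk header layout (cryptsetup's LUKS1 specification), all integers big-endian.
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes, magic through UUID
SLOT = struct.Struct(">II32sII")                   # 48 bytes per key slot, 8 slots follow

def cstr(b: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(hdr: bytes) -> dict:
    """Decode the fixed part of a LUKS1 header and its eight key slots."""
    if len(hdr) < PHDR.size + 8 * SLOT.size:
        raise ValueError("LUKS1 header must be at least 592 bytes")
    (magic, ver, cipher, mode, hsh, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uid) = PHDR.unpack_from(hdr, 0)
    if magic != LUKS_MAGIC or ver != 1:
        raise ValueError("not a LUKS1 header")
    slots = []
    for i in range(8):
        active, iters, _salt, km_off, stripes = SLOT.unpack_from(hdr, PHDR.size + i * SLOT.size)
        slots.append({"slot": i, "enabled": active == SLOT_ENABLED, "iterations": iters,
                      "key_material_offset": km_off, "stripes": stripes})
    return {"cipher": f"{cstr(cipher)}-{cstr(mode)}", "hash": cstr(hsh),
            "payload_offset": payload_off, "key_bytes": key_bytes,
            "mk_digest": mk_digest.hex(), "mk_salt": mk_salt.hex(),
            "mk_iterations": mk_iter, "uuid": cstr(uid), "slots": slots}

def same_master_key(a: dict, b: dict) -> bool:
    """MK digest = PBKDF2(master key, salt): equal digest and salt means the same master key."""
    return a["mk_digest"] == b["mk_digest"] and a["mk_salt"] == b["mk_salt"]

def build_header(mk_digest: bytes, enabled_slots: int, uid: str, slot_salt: bytes) -> bytes:
    """Constructed sample header (not read from a device) carrying the given MK digest."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 32,
                     mk_digest, b"\x11" * 32, 1000, uid.encode())
    slots = b""
    for i in range(8):
        state = SLOT_ENABLED if i < enabled_slots else SLOT_DISABLED
        slots += SLOT.pack(state, 100000 if state == SLOT_ENABLED else 0, slot_salt, 8 + i * 504, 4000)
    return phdr + slots

# Constructed scenarios: shipped image, same image after luksChangeKey, and a reencrypted image.
SHIPPED = parse_luks1_header(build_header(b"\xaa" * 20, 1, "0000-shipped", b"\x01" * 32))
CHANGED = parse_luks1_header(build_header(b"\xaa" * 20, 1, "0000-shipped", b"\x02" * 32))
REENCRYPTED = parse_luks1_header(build_header(b"\xbb" * 20, 1, "0000-shipped", b"\x03" * 32))
```

On a real device the same parser can be fed the first 592 bytes of the LUKS partition to confirm that a reencrypted image no longer carries the shipped image's master-key digest.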

Just a small note for expanding the encrypted partition from 3.7GB to the full size of the disk.

The commands can also be entered directly on the Librem5. So maybe they could just be integrated into the LUKS image by Purism.

1 Like