Tutorial: Full disk encryption on Librem5

This post aims to be a simple and noob-friendly tutorial to -test- Luks encryption on the Librem5. This is how I found my way through it and there might be different methods. At the end of the instructions you will have an encrypted root filesystem, encrypted with a passphrase of your choice, using the full size of the phone’s disk. The original image of Byzantium-luks from Purism is only 3.7GB, but we will expand it to the whole disk.

This method doesn’t offer the opportunity to regenerate the encryption keys (luks type1 doesn’t allow for reencryption of online partitions). Remember --> encryption key encryption passphrase. Meaning is -not secure as it should-, it’s meant for testing. Still, the security of using the phone after following these instructions is improved if compared with no encryption at all.

We start by flashing the latest Byzantium-Luks image with the script and instructions found in the librem5-devkit-tools:

Flash with this command:

$ ./librem5-flash-image --dist byzantium --variant luks --skip-cleanup

TIP: In case you want to reflash again without downloading again the image, the “--skip-cleanup” argument saves a folder named like “devkit_image_flj6du8z…” with everything you need for an offline flashing with your existing image.

For flashing your device from a previously downloaded image, enter the “devkit_image_flj…” folder (you should see 3 files) and use:

$ uuu flash_librem5r4.lst

Once done, boot the phone and enter the decryption passphrase, default is “123456”.

Connect your librem5 via USB to your computer and access it via picocom:

$ sudo picocom -b 115200 /dev/ttyACM0

Press Enter, it will ask for your login and password. Default username “purism”, default password “123456”.

Now we are going to expand the encrypted partition from 3.7GB to the full size of the disk.
For that I follow these instructions, describing them a bit more:

First we use cfdisk to alter the partitions:

$ sudo cfdisk /dev/mmcblk0

You should see a menu. With the arrows, select the partition /dev/mmcblk0p2 and press “Delete”.
Then press “New” partition, it will appear with the full size, select “primary”, and confirm it.
Press “Write” to save the changes, type yes to confirm, then press “Quit”.

Reboot the system with:
$ sudo reboot

You should be disconnected. Enter the decryption passphrase once again in your phone, then connect via USB with picocom as described before, and insert again your username and password.

Run these two commands to resize and expand the encrypted partition:

$ sudo cryptsetup resize /dev/mapper/crypt_root
$ sudo resize2fs /dev/mapper/crypt_root

The encrypted partition should have expanded to use the full disk; you can verify it with:
$ df -h

Now let’s change the encryption passphrase:
$ sudo cryptsetup luksChangeKey /dev/mmcblk0p2

First insert the default passphrase (123456)
Then insert twice your new passphrase.

With this your encrypted partition should be as big as the phone’s disk is, and with a password of your choice. As this is a fresh system you might want to update the timezone, time and date, then run an update:
$ sudo apt update && sudo apt upgrade
and change your user passphrase with:
$ passwd

Now you should have a fresh and encrypted librem5.

-As to solve the issue of regenerating the encryption keys, I’ve tried to create a separate partition, encrypt it with Luks type 2, migrate the whole system there via rsync, but I didn’t manage to instruct u-boot to boot from a different partition.
-Another approach could be to use the Jumpdrive to regenerate the encryption keys while the encrypted partition is not mounted, but haven’t tried it yet.
Would be eager to hear other experiences or methods.

Thanks to the devs and community of Librem5 in Matrix for patiently helping to navigate some questions.

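The post’s caveat is that the image ships a LUKS1 container, which cannot be re-encrypted while open, whereas LUKS2 can. The following is an added example, not code from the post or from Purism, that reads the on-disk LUKS header (the static layout published with cryptsetup) and reports the version and, for LUKS1, the cipher, key size and payload offset, so you can confirm what you are dealing with before planning a key rotation. The sample headers, UUIDs and the label “crypt_root” are constructed for the demonstration; `inspect_device` reads a real device path such as /dev/mmcblk0p2 and needs root.

```python
import struct
from typing import Any, Dict

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_LEN = 592        # static fields plus 8 key slots of 48 bytes
LUKS2_BIN_HEADER_LEN = 4096   # binary part that precedes the JSON metadata area


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(hdr: bytes) -> Dict[str, Any]:
    """Decode magic, version and the static LUKS1/LUKS2 fields from raw header bytes."""
    if len(hdr) < 8 or hdr[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header: magic mismatch")
    version = struct.unpack_from(">H", hdr, 6)[0]
    info: Dict[str, Any] = {"version": version, "online_reencrypt": version >= 2}
    if version == 1 and len(hdr) >= LUKS1_HEADER_LEN:
        # cipher-name, cipher-mode, hash-spec, payload-offset (512-byte sectors), key-bytes
        cipher, mode, hash_spec, payload_off, key_bytes = struct.unpack_from(">32s32s32sII", hdr, 8)
        info.update(cipher=_cstr(cipher), cipher_mode=_cstr(mode), hash_spec=_cstr(hash_spec),
                    payload_offset_sectors=payload_off, key_bytes=key_bytes, uuid=_cstr(hdr[168:208]))
    elif version == 2 and len(hdr) >= LUKS2_BIN_HEADER_LEN:
        info.update(header_size=struct.unpack_from(">Q", hdr, 8)[0],
                    label=_cstr(hdr[24:72]), uuid=_cstr(hdr[168:208]))
    else:
        raise ValueError(f"unsupported or truncated LUKS v{version} header")
    return info


def _field(text: str, size: int) -> bytes:
    return text.encode().ljust(size, b"\0")


def build_sample_luks1_header() -> bytes:
    """Constructed LUKS1 header (not captured from a device): aes-xts-plain64, sha256, 64-byte key."""
    hdr = LUKS_MAGIC + struct.pack(">H", 1)
    hdr += _field("aes", 32) + _field("xts-plain64", 32) + _field("sha256", 32)
    hdr += struct.pack(">II", 4096, 64)          # payload offset in sectors, key bytes
    hdr += b"\0" * 52 + struct.pack(">I", 1000)   # mk-digest, mk-digest-salt, iteration count
    hdr += _field("00000000-0000-4000-8000-000000000000", 40)  # placeholder UUID
    return hdr.ljust(LUKS1_HEADER_LEN, b"\0")


def build_sample_luks2_header() -> bytes:
    """Constructed LUKS2 binary header (not from a device); the JSON area is omitted."""
    hdr = LUKS_MAGIC + struct.pack(">HQQ", 2, 16384, 1) + _field("crypt_root", 48)  # hdr_size, seqid, label
    hdr = hdr.ljust(168, b"\0") + _field("00000000-0000-4000-8000-000000000001", 40)  # placeholder UUID
    return hdr.ljust(LUKS2_BIN_HEADER_LEN, b"\0")


def inspect_device(path: str) -> Dict[str, Any]:
    """Read the header straight from a block device, e.g. /dev/mmcblk0p2 (needs root)."""
    with open(path, "rb") as dev:
        return parse_luks_header(dev.read(LUKS2_BIN_HEADER_LEN))
```

Running `inspect_device("/dev/mmcblk0p2")` on the flashed phone should report version 1, matching the post’s note that online re-encryption is unavailable; `sudo cryptsetup luksDump /dev/mmcblk0p2` shows the same fields for cross-checking.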

Hi! Cool tutorial. :slight_smile:

In this case, the /boot will be encrypted too, or not?