There are a couple of ways to reencrypt a device in place. The device to reencrypt can be a loop device of a freshly downloaded image, as in the OP, or it can be a jumpdrive straight to the eMMC, for a chance to continue using the device without losing data. ( Always have a backup; the usual DISCLAIMER. )
Here, I did it on a freshly downloaded image:
librem5-flash-image --variant luks --skip-cleanup --skip-flash --dir devkit_image
sudo losetup -P -f --show devkit_image/librem5r4.img
Note the output, which was /dev/loop0
in my case.
Alternative #1 – convert to LUKS2
This is the one I tried successfully. The downloaded image comes with LUKS1 encryption, but the boot partition is unencrypted, so no need to worry about GRUB with LUKS2.
sudo cryptsetup convert /dev/loop0p2 --type luks2
sudo cryptsetup reencrypt /dev/loop0p2
The second command requires the old password ( 123456
).
Alternative #2 – stay with LUKS1
I haven’t tried this, but it seems pretty straightforward:
sudo cryptsetup-reencrypt /dev/loop0p2
Now give it a strong mount passphrase :
sudo cryptsetup luksChangeKey /dev/loop0p2
From here, continue as usual to boot the device. In the case of a downloaded image, remove the loop device and flash the image:
sudo losetup -d /dev/loop0
cd devkit_image/
uuu flash_librem5r4.lst
Once inside the freshly booted Librem 5, open the terminal application and expand the partition:
sudo parted /dev/mmcblk0 resizepart 2 100%
sudo cryptsetup resize crypt_root
sudo resize2fs /dev/mapper/crypt_root