Tutorial: Full disk encryption on Librem5

I believe “no”. The partition for /boot is not encrypted. The other partition (the main partition, the root partition) is encrypted.

1 Like

Great job Beltrandroid!!:clap::clap::clap:
And thank you so much for sharing it!
Anyway I hope it’ll be done automatically by Purism ASAP :sweat_smile:
And hope to have picture password too so no stress to hide keyboard with one hand or scared to be spied by someone back to me or cam during my unlocking phone/display.

Exactly, as pointed by @irvinewade /boot still remains unencrypted with this method. With the hypothetical second scenario using the jumpdrive we could also encrypt the rest of the disk.

It was commented before that full disk encryption is coming close to be shipped by default, and seeing how it works with this method I think it will be coming soon.

@amuser you are right, thanks for flagging this! the script now returns byzantium --plain but not byzantium --luks. I wonder if it was stopped or what, will ask around. the --skip-cleanup has proven handy cause of this, i have the last image I used saved on my disk :slight_smile:

1 Like

Hi @amuser, this seemed a problem with the building of Purism images, it is now solved and working again:

2021-06-05 17:16:43 INFO Found disk image Build 7925 'luks librem5r4 byzantium image' from Sat Jun  5 05:45:17 2021

Great tutorial, :+1: I had something to learn from here, thanks!

1 Like

I just managed to make the necessary reencryption.

The quick way, is that you have to go to the path of the downloaded image and do the following:
reencrypted_loop_device=losetup -P -f --show librem5r4.img
cryptsetup-reencrypt “${reencrypted_loop_device}p2”
losetup -d “${reencrypted_loop_device}”

I think something like this should be integrated into the librem5-flash-image.
Alternativly I created a script which creates a new image and creates a new LUKS container.

For this you have to Install:
apt install partman

This is the code of the script which needs the folder which was downloaded by librem5-flash-image as input:

if [[ -d “${reencrypted_path}” ]]; then
echo “Cleaning up path for reencrypted version: ‘${reencrypted_path}’”
rm -rf “${reencrypted_path}”
echo “”
echo “Coping Source Path to ‘${reencrypted_path}’”
cp -a “${source_path}” “${reencrypted_path}”

echo “”
echo “Opening Source LUKS Container…”
source_loop_device=losetup -P -f --show "${source_path}/librem5r4.img"
cryptsetup luksOpen “${source_loop_device}p2” Librem5_Orig
cryptsetup status /dev/mapper/Librem5_Orig
UUID=cryptsetup luksDump "${source_loop_device}p2" | grep UUID | sed -e 's/^UUID:\s*\(\S*\)$/\1/'

echo “”
echo “Reencryptipng new LUKS Container…”
reencrypted_loop_device=losetup -P -f --show "${reencrypted_path}/librem5r4.img"
cryptsetup luksFormat --type luks1 --key-size 256 --uuid “${UUID}” -q “${reencrypted_loop_device}p2”

echo “”
echo “Opening Reencrypted LUKS Container…”
cryptsetup luksOpen “${reencrypted_loop_device}p2” Librem5_Reencrypted
cryptsetup status /dev/mapper/Librem5_Reencrypted

echo “”
echo “Transfering all data to the reencrypted LUKS Container…”
partclone.ext4 --dev-to-dev -s /dev/mapper/Librem5_Orig -o /dev/mapper/Librem5_Reencrypted

echo “”
echo “Unloading the crypt containers…”
cryptsetup luksClose /dev/mapper/Librem5_Reencrypted
cryptsetup luksClose /dev/mapper/Librem5_Orig
losetup -d “${reencrypted_loop_device}”
losetup -d “${source_loop_device}”

echo “”
echo “New Image created succesfully”
echo “Please put your Librem5 to flash mode”
echo “cd ‘${reencrypted_path}’”
echo “uuu flash_librem5r4.lst”


Just a small note for expanding the encrypted partition from 3.7GB to the full size of the disk.

The commands can also directly entered on the Librem5. So may be just integrated into the LUKS image by Purism.

1 Like

hi @Cc281080, im finally having the moment to try this out, I have wrote the script into a file I name crypto.sh, but i get stucked at the stage of:

For this you have to Install:
apt install partman

Can’t seem to find the package you are pointing at here. When I run it as it is in my system it gives several errors.
I assume this is meant to run on my laptop to reencrypt the image and after that flashing to the phone, correct?

Yes, it should be run on your desktop/laptop. Which will be flashing your phone.

I used Debian Bullseye for this, which is the current testing version. But there have been anouncments that it will be released (as stable) soon.

First try to flash the Librem5 without the modification with my script.

could you let me know about the:

For this you have to Install:
apt install partman

if running it now i get all of this:

$ ./crypto.sh
“Coping Source Path to ‘_reencrypted’”
cp: cannot stat ‘“”’: No such file or directory
“Opening Source LUKS Container…”
./crypto.sh: line 14: -P: command not found
Device “p2” doesn’t exist or access denied.
/dev/mapper/Librem5_Orig is inactive.
./crypto.sh: line 17: luksDump: command not found
“Reencryptipng new LUKS Container…”
./crypto.sh: line 21: -P: command not found
Device “p2” doesn’t exist or access denied.
“Opening Reencrypted LUKS Container…”
Device “p2” doesn’t exist or access denied.
/dev/mapper/Librem5_Reencrypted is inactive.
“Transfering all data to the reencrypted LUKS Container…”
./crypto.sh: line 31: partclone.ext4: command not found

You need to Install partclone. Under Debian Bullseye this is done by entering in a Terminal as root:
apt install partclone
(Not partman)

When it is installed you should be prepared for using the script on an downloaded Librem5 Image.

To get an Librem5 Image you should follow the regular Librem5 flash process and use the command you already posted in the first post:
./librem5-flash-image --dist byzantium --variant luks --skip-cleanup

After downloading you could use the script to reencrypt the Image:
./crypto.sh {folder of the downloaded Librem5 Image}

The reencrypted Image will be stored in a new folder and can be flashed with:
uuu flash_librem5r4.lst
(Like descriped in your first Post)

1 Like

It should actually be:
Apt Install partclone

This package:

I will fix it in my other posts (if possible)

managed to get partclone installed, that part is now clear!

But i still get the same errors when running the script, the only change is that the last line of the output from the script before was:

“Transfering all data to the reencrypted LUKS Container…”
./crypto.sh: line 31: partclone.ext4: command not found

and now is:

“Transfering all data to the reencrypted LUKS Container…”
open logfile /var/log/partclone.log error

All the previous ones remain the same. :confused:

You have to call it with the folder of the Image (which was downloaded from librem5-flash-image) as parameter:
./crypto.sh {folder to Librem5 Image}

thanks for the replies!

I tried running it with the script in the same folder as the image or to give the folder name as the parameter to the script, but same errors are happening.

Don’t put the script it in the same folder. Give the folder name as parameter.

The script copies the folder and reencrypt the image in the new folder.

Thats what I did (as mentioned in previous reply), added the absolute path to the folder but errors remain.

If the output is still:
$ ./crypto.sh
“Coping Source Path to ‘_reencrypted’”
cp: cannot stat ‘“”’: No such file or directory

Then it sounds like the path was not correct handed over to the script.
Else it should at least say something like:
“Coping Source Path to ‘xxx_reencrypted’”

If the path parameter was “xxx”.

You have to replace the utf-8 quotes “,” by the simple ascii " for the script to work. So if you copy the script from your browser you should run

sed ‘s/[“”]/"/g’ old.sh > new.sh

And all expressions with grey background have to be enclosed by backquotes: `

1 Like

Good hint! Seems that I am not good in using the forum. (I also had problems with some other characters).

May be I will find a way to upload the script to the forum as file in the next days.