@coffeejunk
Last active April 3, 2024 19:17
Asahi Full Disk Encryption

Using lsblk -f /dev/nvme0n1, identify the partition used for the root filesystem. This should present as a btrfs file system with the label fedora. In the example below, /dev/nvme0n1p6 is the Fedora root filesystem that will be encrypted in place:

[root@fedora ~]# lsblk -f /dev/nvme0n1
NAME        FSTYPE FSVER LABEL        UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1
├─nvme0n1p1 apfs                      4ccf344c-1842-4ed2-98f7-d34a509f5a88
├─nvme0n1p2 apfs                      dbb4789e-c51d-46bf-8332-90a43b4e4fa7
├─nvme0n1p3 apfs                      b98ec259-629b-4aee-9f26-02c5098abcee
├─nvme0n1p4 vfat   FAT32 EFI-FEDORA   B01E-2641                             419.8M    16% /run/.system-efi
├─nvme0n1p5 ext4   1.0   BOOT         5b094e58-d15f-4be2-85ff-147859c7b118
├─nvme0n1p6 btrfs        fedora       dd08a2bf-ae63-44e1-881d-fbb8928af4fb
└─nvme0n1p7 apfs                      b465c845-eaef-4bcb-aac9-865c42260844

Shrink the btrfs filesystem to make room for the LUKS header. The recommended minimum is 32 MiB, twice the size of a default LUKS 2 header:

mount /dev/nvme0n1p6 /mnt
btrfs filesystem resize -32M /mnt
umount /dev/nvme0n1p6
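Before the destructive reencrypt step a pre-flight check is worth having. The helper below is added here as an example and is not part of the gist: it parses the raw listing format `lsblk -rno NAME,FSTYPE,LABEL /dev/nvme0n1` (an assumption; a constructed copy of the layout above is embedded so it runs offline), insists on exactly one btrfs partition labelled fedora, and checks that the partition has at least 32 MiB beyond the shrunken filesystem so the LUKS2 header actually fits.

```shell
#!/bin/bash
# Added pre-flight helper, not part of the gist. It expects the raw listing
# format `lsblk -rno NAME,FSTYPE,LABEL /dev/nvme0n1` (one "NAME FSTYPE LABEL"
# line per device, no tree glyphs), which is simpler to parse than the tree view.
set -u

HEADER_RESERVE=$((32 * 1024 * 1024))   # 32 MiB, matches --reduce-device-size 32M

# Constructed sample: the layout from the walkthrough, in raw lsblk form.
SAMPLE_LAYOUT='nvme0n1
nvme0n1p1 apfs
nvme0n1p2 apfs
nvme0n1p3 apfs
nvme0n1p4 vfat EFI-FEDORA
nvme0n1p5 ext4 BOOT
nvme0n1p6 btrfs fedora
nvme0n1p7 apfs'

# Print the one btrfs partition labelled "fedora"; fail unless exactly one exists,
# so an unexpected layout stops the procedure before anything is rewritten.
pick_root() {
    local listing=$1 roots count
    roots=$(printf '%s\n' "$listing" | awk '$2 == "btrfs" && $3 == "fedora" {print $1}')
    count=$(printf '%s\n' "$roots" | grep -c .) || true
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one btrfs partition labelled fedora, found $count" >&2
        return 1
    fi
    printf '%s\n' "$roots"
}

# Print the first partition of the given FSTYPE (ext4 -> /boot, vfat -> EFI).
pick_fs() {
    local listing=$1 fstype=$2
    printf '%s\n' "$listing" | awk -v t="$fstype" '$2 == t {print $1; exit}'
}

# Succeed only if the partition (bytes) leaves >= 32 MiB beyond the filesystem
# (bytes), i.e. the btrfs shrink really made room for the LUKS2 header.
check_headroom() {
    local part_bytes=$1 fs_bytes=$2
    [ $((part_bytes - fs_bytes)) -ge "$HEADER_RESERVE" ]
}
```

On a live system feed it the real `lsblk -rno NAME,FSTYPE,LABEL` output and the sizes from `blockdev --getsize64` and `btrfs filesystem usage`, and abort if either function fails.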

LUKS encrypt the root filesystem partition in place. This will destroy everything on the partition; please be careful!

cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p6

You must confirm with YES and then enter your disk passphrase twice. The output should look like this:

[root@fedora ~]# cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p6
WARNING!
========
This will overwrite data on LUKS2-temp-fb593537-72d7-4337-a1ae-64c064d7d8e7.new irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for LUKS2-temp-fb593537-72d7-4337-a1ae-64c064d7d8e7.new:
Verify passphrase:
Finished, time 14m10s,  925 GiB written, speed   1.1 GiB/s

Open the LUKS encrypted partition:

cryptsetup open /dev/nvme0n1p6 fedora
cryptsetup status fedora

Mount root and home filesystems from the btrfs filesystem on the LUKS mapping device:

mount -o subvol=root /dev/mapper/fedora /mnt
mount -o subvol=home /dev/mapper/fedora /mnt/home

Mount boot and efi filesystems (these should be the two partitions immediately preceding the one encrypted with LUKS):

mount /dev/nvme0n1p5 /mnt/boot
mount /dev/nvme0n1p4 /mnt/boot/efi

Store the LUKS UUID in a variable for later use.

export LUKS_UUID=$(cryptsetup luksUUID /dev/nvme0n1p6 | tee /dev/stderr)

Enter the chroot to update GRUB, the initramfs, etc.:

arch-chroot /mnt /bin/bash

Update crypttab

touch /etc/crypttab
chmod 0600 /etc/crypttab
echo "fedora UUID=${LUKS_UUID} none" >> /etc/crypttab
cat /etc/crypttab

Update /etc/default/grub, appending rd.luks.uuid=${LUKS_UUID} to the value of GRUB_CMDLINE_LINUX_DEFAULT:

perl -i -pe 's/(GRUB_CMDLINE_LINUX_DEFAULT)="(.*)"/$1="$2 rd.luks.uuid='"${LUKS_UUID}"'"/' /etc/default/grub
cat /etc/default/grub
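The perl one-liner appends rd.luks.uuid again on every run and does nothing at all if GRUB_CMDLINE_LINUX_DEFAULT is missing from the file, which would leave the system unbootable after the reboot. As an added example, not from the gist, here are idempotent versions of both chroot edits; they take the file to edit as an argument, so they can be exercised on constructed copies of /etc/default/grub and /etc/crypttab before touching /etc:

```shell
#!/bin/bash
# Added helper, not part of the gist: idempotent versions of the two edits
# made inside the chroot. Both take the file to edit as an argument, so they
# can be exercised on copies before touching /etc.
set -u

# Append "rd.luks.uuid=<uuid>" to GRUB_CMDLINE_LINUX_DEFAULT in $1, once.
# Fails if that key is absent, instead of silently leaving GRUB unaware of LUKS.
add_luks_kernel_arg() {
    local grub_file=$1 uuid=$2 tmp
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT="' "$grub_file"; then
        echo "GRUB_CMDLINE_LINUX_DEFAULT not found in $grub_file" >&2
        return 1
    fi
    grep -qF "rd.luks.uuid=$uuid" "$grub_file" && return 0   # already configured
    tmp=$(mktemp)
    awk -v arg="rd.luks.uuid=$uuid" '
        /^GRUB_CMDLINE_LINUX_DEFAULT="/ {
            if ($0 ~ /=""$/) sub(/""$/, "\"" arg "\"")   # empty value: no leading space
            else             sub(/"$/, " " arg "\"")     # insert before the closing quote
        }
        { print }' "$grub_file" > "$tmp"
    cat "$tmp" > "$grub_file"   # keep the original inode and permissions
    rm -f "$tmp"
}

# Add "<name> UUID=<uuid> none" to the crypttab at $1 (created 0600 if missing)
# unless an entry for <name> is already present.
add_crypttab_entry() {
    local crypttab=$1 name=$2 uuid=$3
    [ -e "$crypttab" ] || ( umask 077 && : > "$crypttab" )
    chmod 0600 "$crypttab"
    grep -q "^$name " "$crypttab" && return 0
    printf '%s UUID=%s none\n' "$name" "$uuid" >> "$crypttab"
}
```

Inside the chroot the calls would be `add_luks_kernel_arg /etc/default/grub "$LUKS_UUID"` and `add_crypttab_entry /etc/crypttab fedora "$LUKS_UUID"`, followed by the grub2-mkconfig and dracut steps.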

Regenerate the GRUB configuration and rebuild the initramfs:

grub2-mkconfig -o /boot/grub2/grub.cfg
kver=$(ls /lib/modules | grep 'arch' | sort -V | tail -n 1)
dracut -f --kver "$kver"

Exit the chroot jail, then reboot.

Misc

Setting up WiFi

To connect to a wireless network, use the following syntax: nmcli dev wifi connect network-ssid

An actual example: nmcli dev wifi connect your-ssid-here password supersecretpassword

Credits

#!/bin/bash
set -e
sudo dnf install -y arch-install-scripts bubblewrap gdisk mkosi pandoc rsync systemd-container
usb_drive=$(find /dev/disk/by-id/ -type l | grep -i usb | head -n 1)
if [[ -z "$usb_drive" ]]; then
echo "No thumb drive detected. Please insert a thumb drive and try again."
exit 1
fi
real_usb_drive=$(realpath "$usb_drive")
echo "Using thumb drive at $real_usb_drive"
tmp_dir=$(mktemp -d)
pushd "$tmp_dir" || exit
git clone https://github.com/leifliddy/asahi-fedora-usb.git
cd asahi-fedora-usb
git checkout e8d0cf5a440f199d3f49e104edb9fa98f376240a
sed -i '15,21d' build.sh
sudo su -c "./build.sh -wd $real_usb_drive"
popd || exit
sudo mount "${real_usb_drive}3" /mnt
sudo cp luks-encrypt-disk.sh /mnt
sudo cp README.md /mnt
printf "user: root\npassword: fedora\n\nTo start the disk encryption migration, run \`/luks-encrypt-disk.sh\`\n\nIn case of failure, refer to \`/README.md\`\n\n" | sudo tee /mnt/etc/issue
sudo cp setup-encrypted-boot.sh /opt
sudo umount /mnt

#!/bin/bash
set -e
efi=$(lsblk -f /dev/nvme0n1 | sed 's/├─\|└─//g' | awk '/vfat/ {print $1}')
boot=$(lsblk -f /dev/nvme0n1 | sed 's/├─\|└─//g' | awk '/ext4/ {print $1}')
root=$(lsblk -f /dev/nvme0n1 | sed 's/├─\|└─//g' | awk '/btrfs/ {print $1}')
# Abort unless all three partitions (EFI, /boot and the btrfs root) were identified.
if [[ -z "$efi" ]] || [[ -z "$boot" ]] || [[ -z "$root" ]]; then
echo "Nonstandard disk layout. RIP."
echo "You will have to run the steps manually. Proceed with caution."
exit 1
fi
# Shrink the btrfs filesystem to make room for the LUKS header. Recommended minimum is 32 MiB, twice the size of a default LUKS 2 header:
mount "/dev/${root}" /mnt
btrfs filesystem resize -32M /mnt
umount "/dev/${root}"
# LUKS encrypt the root filesystem partition in-place. This will destroy everything on the partition
cryptsetup reencrypt --encrypt --reduce-device-size 32M "/dev/${root}"
cryptsetup open "/dev/${root}" fedora
cryptsetup status fedora
mount -o subvol=root /dev/mapper/fedora /mnt
mount -o subvol=home /dev/mapper/fedora /mnt/home
mount "/dev/${boot}" /mnt/boot
mount "/dev/${efi}" /mnt/boot/efi
export LUKS_UUID=$(cryptsetup luksUUID "/dev/${root}" | tee /dev/stderr)
arch-chroot /mnt /opt/setup-encrypted-boot.sh
rm -f /mnt/opt/setup-encrypted-boot.sh
reboot

#!/bin/bash
set -e
if [[ -z "$LUKS_UUID" ]]; then
echo "\$LUKS_UUID is not defined."
exit 1
fi
touch /etc/crypttab
chmod 0600 /etc/crypttab
echo "fedora UUID=${LUKS_UUID} none" >> /etc/crypttab
cat /etc/crypttab
perl -i -pe 's/(GRUB_CMDLINE_LINUX_DEFAULT)="(.*)"/$1="$2 rd.luks.uuid='"${LUKS_UUID}"'"/' /etc/default/grub
cat /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
kver=$(ls /lib/modules | grep 'arch' | sort -V | tail -n 1)
dracut -f --kver "$kver"