Filesystem Encryption

Is it possible to encrypt the entire filesystem to prevent people from copying files off the board?

It is possible but it is a bit fiddly. A basic approach looks something
like the following:

  1. Make sure kernel has crypto support

  2. Boot from SD card

     a) Use tar or resize2fs/dd to back up current eMMC rootfs (this is
        optional, you could also convert the current image from
        releases.linaro.org)

     b) Use cryptsetup to put a LUKS header on the underlying partition
        and map it

     c) Restore your backup onto the newly mapped device (it will be in
        /dev/mapper)

  3. Mount the root filesystem (whilst still running from an SD card).
     chroot into the rootfs and set up crypttab.

  4. Regenerate and install a new initramfs

You might prefer a simpler approach (either as an alternative solution
or as a learning exercise to build confidence) of placing /home onto
an encrypted SD card. This is rather simpler because you can become
familiar with the crypto tooling without having to understand
backup/restore and initramfs at the same time.

Just a thought…

As usual, if there are kernel options missing, I am very happy to take patches against kernel/configs/distro.config, to get more features / use cases supported with our default builds…
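
An added example, not code from this thread or from the posters: the kernel option check from step 1 and steps 2b to 4 of the procedure, written as shell functions. The option list, the mapping name `cryptroot`, the mount point `/mnt/newroot`, the tar backup and the Debian-style `update-initramfs` are assumptions.

```shell
#!/bin/sh
# Added example. Names and paths below are assumed placeholders.

# Step 1: print every option from the list that is not =y or =m in a kernel
# config file. The list is an assumption: what a default aes-xts LUKS volume
# and cryptsetup's keyslot handling rely on.
missing_crypto_opts() {   # $1 = path to kernel config
    for opt in CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES \
               CONFIG_CRYPTO_XTS CONFIG_CRYPTO_USER_API_SKCIPHER; do
        grep -Eq "^${opt}=[ym]\$" "$1" || printf '%s\n' "$opt"
    done
}

# Step 3: build the crypttab entry. "none" means the passphrase is asked
# for at boot rather than read from a key file.
crypttab_line() {         # $1 = mapping name, $2 = LUKS UUID
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Steps 2b to 4. Run as root while booted from the SD card.
# This DESTROYS whatever is on the partition given as $1.
encrypt_rootfs() {        # $1 = eMMC rootfs partition, $2 = backup tarball
    dev=$1; backup=$2; name=cryptroot; mnt=/mnt/newroot
    cryptsetup luksFormat "$dev" || return 1        # 2b: write the LUKS header
    cryptsetup open "$dev" "$name" || return 1      #     map /dev/mapper/$name
    mkfs.ext4 "/dev/mapper/$name" || return 1
    mkdir -p "$mnt" && mount "/dev/mapper/$name" "$mnt" || return 1
    tar -xpf "$backup" -C "$mnt" --numeric-owner || return 1   # 2c: restore
    crypttab_line "$name" "$(cryptsetup luksUUID "$dev")" > "$mnt/etc/crypttab"
    for d in dev proc sys; do mount --bind "/$d" "$mnt/$d"; done
    # 4: rebuild the initramfs inside the restored rootfs (needs the
    # cryptsetup initramfs hooks installed there)
    chroot "$mnt" update-initramfs -u -k all
}
```

The restored `/etc/fstab` and the kernel command line's `root=` still have to point at `/dev/mapper/cryptroot`; the functions above do not change either.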