Filesystem Encryption


#1

Is it possible to encrypt the entire filesystem to prevent people from copying files off the board?


#2

Is it possible to encrypt the entire filesystem to prevent people from copying files off the board?

It is possible but it is a bit fiddly. A basic approach looks something
like the follows:

  1. Make sure kernel has crypto support

  2. Boot from SD card

a) Use tar or resize2fs/dd to backup current eMMC rootfs (this is
optional, you could also convert the current image from
releases.linaro.org)

b) Use cryptsetup to put a LUKS header on the underlying partition
and map it

c) Restore your backup onto the newly mapped device (it will be in
/dev/mapper)

  1. Mount the root filesystem (whilst still running from an SD card).
    chroot into the rootfs and setup crypttab.

  2. Regenerate and install a new initramfs

You might prefer a simpler approach (either as an alternative solution
or as a learning exercise to build confidence) of placing /home onto
an encrypted SD card. This is rather simpler because you can become
familiar with the crypto tooling without having to understand
backup/restore and initramfs at the same time.

Just a thought…


#3

as usual, if there are kernel options missing, i am very happy to take patches against kernel/configs/distro.config, to get more features / use cases supported with our default builds…