Encrypted root partition on Pinebook Pro with EOS Calamares?

Does the EOS Calamares installer allow for setting up an encrypted root partition on the PBP (or other ARM) devices?

Short story:
Setting up an encrypted root partition on a ARM device is not available at the present time.

Long story:
There are two types of images available for each supported ARM device.

  1. dd compatible bit by bit image which is burned directly to a storage device.
  2. A compressed tar file that is burned to a storage device with a script.

Further details here.


dd Compatible image

With a x86_64 device you are running on a live ISO and building and configuring a completed OS on a storage device that is ready to run.

With ARM devices, you are burning a complete OS from an image created for a particular device (such as RPi 4 or Odroid N2) to a memory storage device (uSD, eMMC, USB SSD). When this storage device is booted it runs Calamares to finish configuring the OS with your personal information. The OS it boots into on the first boot up is a completed OS image, including existing partitions, formatted with the appropriate file systems, etc. So no chance to create encrypted partitions. All dd compatible images are created with ext4 file system and no encryption, including partition sizes appropriate for the used storage device.

ROOTFS tar images

With the tar image, a script is run that will determine the size of the storage device, partition the storage device appropriately, then format the partitions. The rootfs tar image is downloaded and uses bsdtar to untar the file and copy it to the prepared storage device.

Since the script prepares the target storage device, this allows the script to be more flexible with how the partitions are created. So far, the only choice with a rootfs install is the file system for the root partition. The choices are ext4 or btrfs. The boot partition needs to be Fat 32 only.

Can an encryption option be offered. I don’t know, I haven’t looked into it. Maybe for the root partition ? Less likely for the boot partition I’m guessing.

ARM devices do not have a grub or systemd-boot, instead they use a bootloader. I know very little about encryption, but I believe that it’s during grub or systemd-boot that the encryption passphrase is entered. Correct me if I am wrong on this.

If it is possible, it would require some code to be written to allow for a choice of encrypted or not encrypted.


1 Like

I’m afraid I can’t be much help on this.

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.