Guide to encrypt Arch / Endeavour OS ARM on Pinebook Pro

This might be of no use to anybody but me, but one never knows, so I wrote it as clearly as possible in a way that when I need it I can understand it and be quick about it.


Recurrent terms

pbp = pinebook pro
SD = mini SD card
ALARM = Arch Linux Arm

What you’ll need for this

  • 2 mini SD cards or 1 mini SD card and an eMMc
  • 1 adapter for the second SD card is installing on the SD
  • archiso image from Nadia Holmquist’s github


You can use these instructions to encrypt and install Arch into a mini SD or the eMMC, I’ve tried with both.
If installing on a mini SD: You can do this first part in the pbp itself, an x86 computer os another ARM device with an SD inserted.
If installing on the eMMc: You need to do this in the pbp while booted from the SD.

Using the pbp, the SD is probably in /dev/mmcblk0 or /dev/mmcblk1. The eMMc is probably /dev/mmcblk2. I wrote mmcblk0 in the instructions, which (I think) corresponds to the SD inserted in a USB, USB-c and SDcard adapter in the pbp or an x86 machine.

You can replace all occurrences if you are not isntalling to mmcblk0, for instance in Vim:

changing mmcblk0 to mmcblk1 in Vim:


changing mmcblk0 to sda in vim:


If you don’t replace beforehand, be especially careful with commands such as “cryptsetup open /dev/mmcblk0p2”, where the 0 needs to be replaced to 1 or 2, depending where you’re installing to.


  1. Create a directory to work on, e.g. ~/alarm and “cd” into it.

  2. Make sure the SD card / eMMc module is unmounted.

  3. Zero the beginning of the SD / eMMC:

dd if=/dev/zero of=/dev/mmcblk0 bs=1M count=32

  1. Use fdisk to partition:

fdisk /dev/mmcblk0

a. Type “o”. This will clear out any partitions on the drive.
b. Type “p” to list partitions. There should be no partitions left.
c. Type “n”, then “p” for primary, “1” for the first partition on the drive, “32768” for the first sector, and then type “442367” for the last sector.
d. Type “t”, then “c” to set the first partition to type W95 FAT32 (LBA).
e. Type “n”, then “p” for primary, “2” for the second partition on the drive, “442368” for the first sector, and then press ENTER to accept the default last sector.
f. Write the partition table and exit by typing “w”.

  1. Create and mount the FAT filesystem:

mkfs.vfat -n BOOT_ALARM /dev/mmcblk0p1
mkdir boot
mount /dev/mmcblk0p1 boot

  1. Encrypt the second partition:

cryptsetup -y -v luksFormat /dev/mmcblk0p2

[you’ll also have to type “YES”, then choose a password and retype it.]

  1. Open the encrypted partition:
    [“SEGREDO” is what I chose to call it here:]

cryptsetup open /dev/mmcblk0p2 SEGREDO

  1. Write the EXT4 file system to the partition we’ve just opened, label it ROOT_ALARM and mount it to new folder “root”:

sudo mkfs.ext4 -L ROOT_ALARM /dev/mapper/SEGREDO
mkdir root
mount /dev/mapper/SEGREDO root

  1. Download and extract the root filesystem (as root, not via sudo) to folder root:


bsdtar -xpf ArchLinuxARM-pbp-latest.tar.gz -C root

  1. Move boot files from the second to the first partition:

mv root/boot/* boot

  1. Install the Tow-Boot bootloader [to mmcblkX or sdX – NOT to a partition, such as mmcblkXp1 or sda1]:

[Comment: If you’re installing in the eMMc and your computer only boots Arch in the eMMc with uboot-pinebookpro-bsp, here you need to use the bsp uboot instead of Tow-Boot.
Originally my pbp came with Debian, but I don’t know if that is why it needs the bsp uboot.]


dd if=boot/idbloader.img of=/dev/mmcblk0 seek=64 conv=notrunc,fsync
dd if=boot/tow-boot.itb of=/dev/mmcblk0 seek=16384 conv=notrunc,fsync

BSP uboot, available here:
dd if=/boot/idbloader.img of=/dev/mmcblkX seek=64 conv=notrunc,fsync
dd if=/boot/uboot.img of=/dev/mmcblkX seek=16384 conv=notrunc,fsync
dd if=/boot/trust.img of=/dev/mmcblkX seek=24576 conv=notrunc,fsync

[Also, if installing Arch in my pbp’s eMMc, I need to replace the dtb file in /boot/dtbs… or it won’t boot. I usually replace it with the dtb of Manjaro, which I have stored in my files but can be easily got in a pbp Manjaro installation]

  1. Unmount the two partitions and close the encrypted partition:

umount boot root
cryptsetup close SEGREDO

poweroff your pbp if that’s where you have been working on, or remove the mini SD card from a different machine and insert it into your pbp with an SD adapter.

boot with Nadia’s image from a different mini SD inserted in the PBP mini SD slot. I downloaded the prebuilt image (the link is on top of this guide) and then dd-it to that second SD card (dd if=archlinux-2021.06.04-pbp.img of=/dev/mmcblkX status=progress). This allows us to go into arch-chroot. Possibly there’s another way (of generating iniramfs with all the necessary hooks, for instance), but I don’t know much about other methods of chrooting and haven’t found out another solution.

insert the SD where you’re installing encrypted ALARM in a separate adapter (USB-C adapter, probably USB 2 adapter also works)

  1. Open your encrypted partition, which now probably is /dev/sda2 if installing on an SD or the same mmcblk2 if on eMMc . Check with “lsblk”.

cryptsetup open /dev/sda2 SEGREDO

[type your password]

  1. Mount the encrypted partition

mount /dev/mapper/SEGREDO /mnt

  1. Mount the boot partition

mount /dev/sda1 /mnt/boot

  1. Ping if you have Internet cable connection or connect to wi-fi with:


  1. And:

arch-chroot /mnt

  1. Synchronize the system and RTC clocks:

timedatectl set-ntp on
hwclock -w

  1. Initialize the pacman keyring and populate the Arch Linux ARM and Pinebook Pro package signing keys:

pacman-key --init
pacman-key --populate archlinuxarm
pacman-key --populate archlinuxarm-pbp

  1. Create your locale(s) with nano or vi:

nano /etc/locale.gen

  1. Open /etc/mkinitcpio.conf

nano /etc/mkinitcpio.conf

  1. Edit the file, adding the following hooks (I don’t know if they are all necessary, but with less than these I have failed before, so…)

HOOKS=(base udev autodetect modconf block filesystems keyboard fsck keymap encrypt lvm2)

  1. Copy the UUID of /dev/sda2 (SD) or /dev/mmcblk2p2 into your “/boot/extlinux/extlinux.conf” file, replacing “YOUR-UUID” with the actual number, so that the file’s contents look like this:

LABEL Arch Linux ARM
FDT /dtbs/rockchip/rk3399-pinebook-pro.dtb
APPEND initrd=/initramfs-linux.img console=tty1 cryptdevice=UUID=YOUR-UUID:root root=/dev/mapper/root rootwait rw

Last line is, for instance:

APPEND initrd=/initramfs-linux.img console=tty1 cryptdevice=UUID=bc3c2b7e-81d7-2351-9d95-c424231990a3a:root root=/dev/mapper/root rootwait rw)

  1. Update system and install lvm2

[Before updating, you might want to add “ParallelDownloads = 8”, or some lower number, depending on the experience with your Internet provider, and to edit /etc/pacman.d/mirrorlists to comment out the general server (deactivating it) and uncomment (activating) servers that are nearer to you. Thanks for these tips, Pudge, they really make this part of the process fly in comparison.]

pacman -Syu
pacman -S lvm2

  1. Get out of there:

umount /mnt/boot /mnt
crypsetyp close SEGREDO

  1. Change your SD card to the pbp mini SD card entrance and boot, or just boot from the eMMc.
    [Enter with root/root into your encrypted alarm. Done!]

lsblk // to see the encrypted partition
pacman -S neofetch // to show yourself something pretty and rejoice!

I hope it worked.
If you know of another method, let me know, I’d like to try.

Now you can customize your Arch install or go with EndeavourOS Arm with an excellent guide that you can read here: