The title says it all. The current version of Pop!_OS for the Pi 4 does not offer the option to encrypt the root partition.

Andreas

1 Answer

What follows is basically this answer adapted to the current Pop!_OS release, with additional tweaks. This took me almost a day of tinkering and testing until everything worked flawlessly with the fewest possible changes to the original image.

  1. Download Pop!_OS for the Raspberry Pi 4. You should now have a file pop-os_22.04_arm64_raspi_3.img.xz or similar.

  2. Take a fast USB stick or an SSD and connect it to a USB port of your Linux desktop PC (I'm going to assume a Gnome desktop). If partitions mounted automatically, unmount them (easiest via the Disks application) but make sure the drive still appears in Disks. Going forward the instructions will assume this is /dev/sda.

  3. Create a text file named install somewhere and open it in an editor.

  4. Add the following script:

    #!/bin/bash
    # Adapt the following variables to suit
    image=~/Downloads/pop-os_22.04_arm64_raspi_3.img.xz
    drive=/dev/sda
    device=/dev/sda2
    partitionNumber=2

    sudo xzcat "$image" | sudo dd of="$drive" status=progress
    sudo e2fsck -f "$device"

    # Resize the filesystem to minimal size to make room for LUKS header
    sudo resize2fs -p -M "$device"

    # Encrypt in place
    sudo cryptsetup-reencrypt --new --reduce-device-size 64M --type=luks2 --cipher xchacha12,aes-adiantum-plain64 --key-size 256 --hash sha512 --use-urandom "$device"

    # Resize partition to maximum. NOTE: growpart probably needs to be installed
    sudo growpart "$drive" "$partitionNumber"
    sudo cryptsetup luksOpen "$device" writable
    sudo e2fsck -f /dev/mapper/writable

    # Resize filesystem to fill the partition
    sudo resize2fs -p /dev/mapper/writable

  5. Adapt the variables at the top to suit your situation. The image variable will almost certainly be different. The other variables are often correct for USB sticks and SSDs connected over USB.

  6. Save and close the editor.

  7. Open a Terminal in the folder where you created the install file.

  8. sudo chmod a+x install

  9. ./install

    This will take a few minutes (even with a fast SSD). Along the way you will be prompted for your password and the encryption passphrase a few times.

  10. When the script is finished, mount both the system-boot and writable partitions manually. On a system with a GUI, this is most conveniently done by powering down the device (e.g. in Disks), then removing and replugging it. You will need to enter the encryption passphrase.

  11. Back in the terminal enter sudo gedit (or use your favorite editor instead). The sudo ensures that we can edit files in the writable partition.

  12. In the writable partition open /etc/crypttab and replace the example line with the following line:

    writable   /dev/sda2   none    luks
    

    NOTE: Apparently, the elements must be separated by TABS and there must be a LF at the end.

  13. In the writable partition open /etc/fstab and change the first line as follows (noatime only, the rest should be similar):

    LABEL=writable    /     ext4    defaults,noatime    0 0
    
  14. In the system-boot partition open cmdline.txt and change it as follows (usb-storage.quirks and cryptdevice need to be added; if present, splash must be removed):

    usb-storage.quirks=aaaa:bbbb:u dwc_otg.lpm_enable=0 console=tty1 root=LABEL=writable rootfstype=ext4 elevator=deadline rootwait fixrtc cryptdevice=/dev/sda2:writable
    

    NOTE: The usb-storage.quirks entry is only necessary for some USB adapter-->SSD combinations. Without it, you will get abysmal read/write performance. If so, you should find the id of your SSD with lsusb and replace aaaa:bbbb with the id of your SSD.

  15. Save all files and close the editor.

  16. Unmount all partitions, power down the device (if necessary) and connect it to your Raspberry Pi 4. Initial boot will take a long time (>5 minutes). At times the boot process will appear to be stuck only to resume after a minute or two. It is expected to finally fail and display an (initramfs) prompt.

  17. At the (initramfs) prompt, enter cryptsetup luksOpen /dev/sda2 writable.

  18. At the (initramfs) prompt, enter exit. The boot process will now resume and boot into Pop!_OS.

  19. After going through initial setup, open a Terminal and enter sudo update-initramfs -u.

  20. sudo reboot. After a few seconds, the system should ask you for the encryption passphrase and then quickly boot to the login screen.

Andreas
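
A pre-boot consistency check for the three files edited in steps 12 to 14, as an added example that is not part of the original answer. The function names `check_luks_boot_config` and `make_sample` and the sample file contents are constructed here, and the TAB and line-feed checks follow the answer's own note about /etc/crypttab.

```shell
#!/bin/sh
# Added example: verify the edits from steps 12-14 before moving the drive.
# Usage: check_luks_boot_config ROOT_MNT BOOT_MNT DEVICE [MAPPER_NAME]
# Prints one line per problem; succeeds only if none were found.
check_luks_boot_config() (
    root_mnt=$1 boot_mnt=$2 device=$3 name=${4:-writable}
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Step 12: crypttab entry "<name> <device> none luks", TAB-separated.
    awk -F'\t+' -v n="$name" -v d="$device" \
        '$1 == n && $2 == d && $3 == "none" && $4 == "luks" { ok = 1 }
         END { exit !ok }' "$root_mnt/etc/crypttab" ||
        fail "crypttab: no TAB-separated '$name $device none luks' entry"
    # Command substitution strips a trailing LF, so non-empty means no LF.
    [ -z "$(tail -c 1 "$root_mnt/etc/crypttab")" ] ||
        fail "crypttab: file does not end with a line feed"

    # Step 13: the root filesystem is referenced by label.
    awk -v n="LABEL=$name" '$1 == n && $2 == "/" { ok = 1 } END { exit !ok }' \
        "$root_mnt/etc/fstab" || fail "fstab: no 'LABEL=$name /' line"

    # Step 14: split cmdline.txt into one kernel parameter per line.
    params=$(tr -s ' \t' '\n\n' < "$boot_mnt/cmdline.txt")
    for want in "cryptdevice=$device:$name" "root=LABEL=$name"; do
        echo "$params" | grep -qxF "$want" || fail "cmdline.txt: missing $want"
    done
    if echo "$params" | grep -qxF splash; then
        fail "cmdline.txt: 'splash' is still present"
    fi

    [ "$problems" -eq 0 ]
)

# Constructed sample files mirroring steps 12-14 (not from a real system).
make_sample() {
    mkdir -p "$1/root/etc" "$1/boot"
    printf 'writable\t/dev/sda2\tnone\tluks\n' > "$1/root/etc/crypttab"
    printf 'LABEL=writable\t/\text4\tdefaults,noatime\t0 0\n' > "$1/root/etc/fstab"
    echo 'console=tty1 root=LABEL=writable rootwait fixrtc cryptdevice=/dev/sda2:writable' \
        > "$1/boot/cmdline.txt"
}

# When run as a script with arguments, check the mounted partitions.
if [ "$#" -ge 3 ]; then check_luks_boot_config "$@"; fi
```

Pass the mount points of the writable and system-boot partitions and the device name used in the edits (for example `/dev/sda2`) after step 15, before unmounting.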