Install with disk encryption?

ambirdsall · August 18, 2023, 10:23pm

As far as I know, the Asahi Remix installer script doesn’t offer the option to set up an encrypted root partition at installation, as the anaconda installer does, just a selection of curated package sets for different desktop environments/use cases. It is possible to manually set up encryption post-installation, though it is a significant increase in bother. Are there any plans to add this to the installer?

jasoneckert · August 18, 2023, 10:30pm

Here’s a guide from David Alger that details how you can deploy Fedora Asahi Remix with LUKS:

However, there are a few things that have changed since the guide was first written (copied here from Leif Liddy’s Matrix chat earlier this month):

The cryptsetup cracklib cracklib-dicts rpms are now included in the main image (and the USB image).
You now need to run the following commands in U-Boot to boot a USB drive:

env set boot_efi_bootmgr
run usb_boot (or bootcmd_usb0)

The USB install has a chroot.asahi command built into it that will mount the internal drives under /mnt and then chroots into it (link).

Moreover, when you use arch-chroot (vs just chroot) you don’t have to bind mount the /dev, /proc, /sys…etc directories - it’ll do that for you.

You’ll also notice that the guide uses Leif’s installation script, which is nearly identical to the official one but with a few improvements.

ambirdsall · August 19, 2023, 10:51pm

Glad to see the first reply marked as a solution, because it is a very nice rundown on how to get that set up right now (especially with the follow-up conte{n,x}t, I appreciate the diligent and thoughtful reply @jasoneckert).

That said, I’m slightly worried that having an official “answered”/“solved” status will bury the actual question: are there any plans to add options with disk encryption to the asahi installation script? It seems that the point at which it would be simplest to encrypt a partition is when they’re being created. (In theory, at least: I’m quite willing to believe that the installation script being run in macOS userland complicates that tidy little mental image).

To be clear, I ask out of curiosity and perhaps to register interest; I’m grateful to the folks working on the huge pile of other tasks needed to get the asahi remix ready to release and do not feel particularly entitled to complicate that roadmap

jasoneckert · August 19, 2023, 11:51pm

No problem

Whether the installer will support LUKS in the future was asked on the Matrix chat earlier this month, and as you suspected, Hector Martin noted that it is “planned for the future but not right now. it needs quite a bit of integration/investigation to figure out how to offer that option reasonably and safely.”

From February onwards, that chat also has great commentary and information regarding LUKS implementation options/considerations specifically for Fedora Asahi Remix.

Topic		Replies	Views
Asahi with Disk Encryption - Issue to boot encrypted Disk Ask Asahi disk , encryption , asahi	1	457	December 20, 2024
Return LUKS1 option in Anaconda through Fedora's Live ISO Ask Fedora encryption , luks2 , f40 , luks1	13	476	June 20, 2024
LUKS2 encrypted boot on Fedora - how to set up correctly? Ask Fedora installation , security , selinux , luks2 , grub , cryptsetup , encrypted-boot	11	2067	July 26, 2024
How do I install fedora with an encrypted /boot? Ask Fedora installation	1	1390	November 8, 2023
LUKS support during installation Ask Asahi	1	524	February 7, 2024

Install with disk encryption?

Related topics