Luks for Raspberry Pi

Hello, I was just installing Fedora 37 on my Raspberry Pi 4, and could not figure out how to enable Luks. Usually (at least on x86 systems) there is a checkbox to encrypt the filesystem when you choose the filesystem layout. However (and I tried this fresh multiple times), on initial setup, I was presented with neither option. I configured my sd card using arm-image-installer, as described in the docs, and didn’t see any obvious flag to pass to tell it to enable encryption.

I am hoping there is something simple I am missing. Otherwise, I thought perhaps I need to edit the base raw image of Fedora to include in the kickstart:

autopart --noswap --encrypted

I would rather not have to go to that extent though if anyone has any idea of something simpler that would work.

AFAIK there is no way other than manually editing the raw image to enable luks for the Pi.
The arm-image-installer only takes the raw image and expands it while writing to the sd card. It is not actually doing the normal install process.

There is a live iso image for the aarch64 that as I understand it can be used on one usb device to install to another usb device. I don’t know if that would support encryption or not since I only use the sd card for my OS on the Pi. The RPi4B will only boot from USB when no sd card is installed, so that also presents an issue when using an sd card.

@computersavvy thanks for the reply, I was afraid that might be the case. I have not really messed with raw images, do you happen to have any good guide you could point me at? I’ll search myself, just hoping you knew a good starting point, since you seem familiar with this.

Just another quick update.
I downloaded the iso and tried booting the Pi from it but was unable to succeed. It wasn’t able to successfully boot from the iso image on my flash drive for some reason.

I followed the directions here:

In order to do this, you need the raw.xz file from the getfedora download page. I also looked at the fedora wiki on this, and they seem to have the same install flow, using arm-image-installer with a raw image, rather than the iso. There is mention of installing new firmware and then doing an iso install, but I have not tried that.

That is the same way I installed it.
Have not tried luks and do not intend to for my use case. Home only, running a 3d printer as the main task.

For anyone else trying to do this, I have successfully gotten it working, using this blog post as a starting point. The author has useful articles linked from the fwmotion blog, and tom’s hardware. My goal was simply to set up a Fedora system on a standard SD Card, with luks filesystem encryption enabled. Following the standard install directions from the fedora docs resulted in a fully working fedora, but no way to set up luks (unless I wanted to set it up after installation, which sounded to me very likely to go horribly wrong). This resulted in a process that mostly follows the directions in the linked fwmotion article, but using a USB stick for the iso, and the SD card for the UEFI partition. Note that the directions from that article using fdisk didn’t work for me, so you can use whatever method you prefer for that.
That said, here are the general steps I took:

  • Use the Raspberry Pi Imager to configure the Pi to be able to boot from a USB drive (directions in the linked tom’s hardware article).
  • Format the sd card with FAT32, and put the upstream UEFI with Pi4 support on it
  • Use Fedora Media Writer to write the Fedora 37 (arm) live iso to the USB stick
  • Put in both the sd card and USB stick, select ‘run fedora’ from the boot menu
  • Use the Live distro to install Fedora to the SD Card as usual - at this step, you can enable Luks
  • Leave the partition with UEFI on the SD Card, and then use system as usual.
1 Like