OK, so I successfully encrypted my eMMC, where my root sits. This will be a journal of my experience. (flashed nv-uboot REQUIRED)
Warning: This process is very dangerous and could lead to an unbootable device if you're not sure what you're doing. You are the only one responsible for any damage which may occur.

First I had to create an initrd.
To do this I had to install mkinitcpio and uboot-mkimage, and edit the /etc/mkinitcpio.conf line HOOKS:
```
HOOKS="base udev autodetect modconf block encrypt filesystems keyboard keymap consolefont shutdown fsck"
```
Then you have to make the initrd image and wrap it up as a uboot image:
```
# mkinitcpio -g ~/uInitrd.img
# mkimage -A arm -T ramdisk -C none -n initramfs -d ~/uInitrd.img /boot/uInitrd.uimg
```
Now comes a tricky part which depends on your configuration. I used the Arch-wiki guide
https://wiki.archlinux.org/index.php/Samsung_Chromebook_(ARM) and have ALARM on my eMMC and have flashed nv-uboot, so to boot with initrd I followed the steps I posted on the PREVIOUS POST. If you followed the ALARM guide
http://archlinuxarm.org/platforms/armv7/samsung/samsung-chromebook I have no idea how you can continue with this step :/
You should now have a working initramfs with an encrypt hook.
The linux-chromebook kernel does not support all the available ciphers, so you'll have to compile your own kernel with cipher support.
It's a fairly easy task to accomplish.
First configure makepkg to compile packages on your eMMC, SD card or USB stick, because compilation of the kernel package won't fit in RAM.
Edit the /etc/makepkg.conf line BUILDDIR.
```
BUILDDIR=~/makepkg
```
Then download the ALARM PKGBUILDs.
```
$ cd /tmp
# https:// is used here because GitHub no longer serves the unauthenticated git:// protocol
$ git clone https://github.com/archlinuxarm/PKGBUILDs.git
$ cd PKGBUILDs/core/linux-chromebook/
```
Download and extract the source of the package.
```
$ makepkg --nobuild
$ cd ~/makepkg/linux-chromebook/src/chromeos-3.4/
```
Configure the new kernel to support all available ciphers.
```
$ make menuconfig
```
Now an ncurses window appears. Go down to the 'Cryptographic API' tab and hit Enter. Now include all options in the new kernel (press 'y' for each option), besides one that autoconfigures itself as a module (Testing module).
Press right arrow and select 'Exit'. Now go down and save the configuration with the default name provided, and exit.
Go back to the PKGBUILD directory and compile the kernel. (If you have another computer I would strongly recommend setting up distributed cross compiling, as the time to compile the kernel only on the chromebook is about 45 mins, and the device will get HOT.)
```
$ cd /tmp/PKGBUILDs/core/linux-chromebook/
$ makepkg --skipchecksums --noextract
```
I would recommend making a backup of your current kernel image.
```
$ cd /boot
# cp vmlinux.uimg vmlinuxORIGINAL.uimg
```
Install the kernel and header packages.
```
# pacman -U linux-chromebook-[version]-armv7h.pkg.tar.xz linux-headers-chromebook-[version]-armv7h.pkg.tar.xz
```
Now reboot your system and test if everything went fine.
```
# cryptsetup benchmark
```
If all is OK you should see something like this:
```
PBKDF2-sha1 209715 iterations per second
PBKDF2-sha256 154202 iterations per second
PBKDF2-sha512 37236 iterations per second
PBKDF2-ripemd160 184608 iterations per second
PBKDF2-whirlpool 26319 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 57.1 MiB/s 59.7 MiB/s
serpent-cbc 128b 35.2 MiB/s 34.6 MiB/s
twofish-cbc 128b 47.9 MiB/s 50.7 MiB/s
aes-cbc 256b 44.5 MiB/s 45.7 MiB/s
serpent-cbc 256b 35.4 MiB/s 34.6 MiB/s
twofish-cbc 256b 48.1 MiB/s 50.5 MiB/s
aes-xts 256b 60.6 MiB/s 60.2 MiB/s
serpent-xts 256b 35.9 MiB/s 34.5 MiB/s
twofish-xts 256b 50.1 MiB/s 46.3 MiB/s
aes-xts 512b 46.3 MiB/s 45.9 MiB/s
serpent-xts 512b 36.4 MiB/s 34.7 MiB/s
twofish-xts 512b 50.5 MiB/s 50.6 MiB/s
```
Now follow the ArchWiki guides on how to encrypt your drive.
https://wiki.archlinux.org/index.php/Encryption

I also have pacman ignore the chromebook-kernel package so I won't override my kernel with an official ALARM kernel but still get notified by pacman if a newer version is available so I can update.
Edit the /etc/pacman.conf line IgnorePkg.
```
IgnorePkg = linux-chromebook linux-headers-chromebook
```
For me all works fine so far with no problems but one. If I try to close a LUKS device I get an error message 'Device busy' even if it's unmounted and completely idle; the only way to come around this is a reboot. This has no side effects on something crucial but it's the only problem I came across.
I hope this has been a helpful guide. Don't hesitate to ask any question I might be able to help you with.
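
An added example, not part of the original post: a POSIX shell check that reads `cryptsetup benchmark` output like the one shown above and confirms that the cipher you plan to encrypt with is actually available in the rebuilt kernel before you format anything. The function names are hypothetical, the sample is constructed from the post's figures, and it assumes cryptsetup marks ciphers the kernel lacks with `N/A`.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Constructed sample: rows copied from the post's benchmark, with both
# serpent-xts rows changed to N/A to model a kernel built without Serpent.
# Assumption: cryptsetup marks ciphers the kernel lacks with N/A.
SAMPLE='# Algorithm | Key | Encryption | Decryption
aes-cbc 256b 44.5 MiB/s 45.7 MiB/s
aes-xts 256b 60.6 MiB/s 60.2 MiB/s
serpent-xts 256b N/A N/A
twofish-xts 256b 50.1 MiB/s 46.3 MiB/s
aes-xts 512b 46.3 MiB/s 45.9 MiB/s
serpent-xts 512b N/A N/A
twofish-xts 512b 50.5 MiB/s 50.6 MiB/s'

# cipher_rate ALGO KEYBITS
# Reads benchmark text on stdin and prints "ENC DEC" in MiB/s.
# Returns 1 when the row is missing or marked N/A.
cipher_rate() {
    awk -v a="$1" -v k="${2}b" '
        $1 == a && $2 == k {
            if ($3 == "N/A") exit 1
            print $3, $5
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# fastest_cipher KEYBITS
# Prints the available algorithm whose slower direction (enc or dec) is fastest.
fastest_cipher() {
    awk -v k="${1}b" '
        $2 == k && $3 != "N/A" {
            slow = ($3 < $5) ? $3 : $5
            if (slow + 0 > best) { best = slow + 0; name = $1 }
        }
        END { if (name == "") exit 1; print name }'
}

# On the device, pipe the real output: cryptsetup benchmark | cipher_rate aes-xts 512
for c in aes-xts serpent-xts; do
    if rate=$(printf '%s\n' "$SAMPLE" | cipher_rate "$c" 512); then
        echo "$c 512b usable (enc/dec MiB/s: $rate)"
    else
        echo "$c 512b unavailable: do not pass it to luksFormat"
    fi
done
echo "fastest 512b cipher: $(printf '%s\n' "$SAMPLE" | fastest_cipher 512)"
```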