Fedora Asahi Remix with LUKS Encryption

This process will install Fedora Asahi Remix on an Apple Silicon (M1/M2) system, create a bootable USB recovery disk, and then set up LUKS encryption in-place on the root filesystem.

What the process looks like at a high level:

  1. Install prebuilt Fedora Asahi Remix image.
  2. Create a USB drive that will boot Fedora on an Apple Silicon system.
  3. Boot from the Fedora USB recovery drive.
  4. LUKS encrypt the root filesystem in-place.
  5. Configure grub and rebuild initramfs to open LUKS device during startup.

If this is your first time installing Asahi Linux or Fedora Asahi Remix, it is strongly recommended to review the Asahi Linux FAQ as well as the Asahi Fedora USB README before you begin.

Although Apple Silicon machines cannot be bricked, data loss may occur and they can be rendered unbootable if you break your System Recovery. Consider yourself warned!

See the partitioning cheatsheet for information on recovery processes and what to do in the event something goes wrong.

This process has been tested with Fedora 38 running kernel version 6.5.6-403.asahi.fc38.aarch64+16k.

Installing a Prebuilt Fedora Image

  • Install Fedora using the Fedora Asahi Remix installer:

    curl https://fedora-asahi-remix.org/install | sh
    
  • Reboot into Fedora following the prompts and instructions provided by the installer.

  • Connect to a wireless network (if necessary):

    nmcli dev wifi connect NETWORK_SSID password NETWORK_PASSWORD
    
  • At this point, you should have a working Fedora installation.

Creating a Fedora USB Recovery Drive

  • Install dependencies for leifliddy/asahi-fedora-usb and clone the repo:

    dnf install arch-install-scripts bubblewrap gdisk pandoc rsync systemd-container git
    

    Until version 15.x is released for Fedora, install mkosi from git:

    dnf install python3-pip
    python3 -m pip install --user git+https://github.com/systemd/mkosi.git@v15.1
    
    git clone https://github.com/leifliddy/asahi-fedora-usb.git
    
  • Build and install a minimal Asahi Fedora image to a USB drive. For details on this process, please see the Asahi Fedora USB README.

    cd asahi-fedora-usb/
    ./build.sh -d /dev/sda
    

Note: Substitute /dev/sda with the device id of your USB drive.

LUKS Setup (non-encrypted boot, encrypted root)

Warning: It is critical that you correctly identify device ids here. If a wrong device id is used at any point during this process, data loss may occur or you may render your machine unbootable.

  • Reboot from the USB drive. To do this, enter the following U-Boot commands during startup:

    env set boot_efi_bootmgr
    run usb_boot
    
  • Log in as user root with password fedora at the prompt.

  • Using lsblk -f /dev/nvme0n1, identify the partition used for the root filesystem. This should present as a btrfs filesystem with the label fedora_asahi. In the example below, /dev/nvme0n1p6 is the Fedora root filesystem that will be encrypted in-place:

    [root@fedora ~]# lsblk -f /dev/nvme0n1
    NAME        FSTYPE FSVER LABEL        UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
    nvme0n1
    ├─nvme0n1p1 apfs                      4ccf344c-1842-4ed2-98f7-d34a509f5a88
    ├─nvme0n1p2 apfs                      dbb4789e-c51d-46bf-8332-90a43b4e4fa7
    ├─nvme0n1p3 apfs                      b98ec259-629b-4aee-9f26-02c5098abcee
    ├─nvme0n1p4 vfat   FAT32 EFI-FEDORA   B01E-2641                             419.8M    16% /run/.system-efi
    ├─nvme0n1p5 ext4   1.0   fedora_boot  5b094e58-d15f-4be2-85ff-147859c7b118
    ├─nvme0n1p6 btrfs        fedora_asahi dd08a2bf-ae63-44e1-881d-fbb8928af4fb
    └─nvme0n1p7 apfs                      b465c845-eaef-4bcb-aac9-865c42260844
    
  • Shrink the btrfs filesystem to make room for the LUKS header. The recommended minimum is 32 MiB, twice the size of a default LUKS2 header:

    mount /dev/nvme0n1p6 /mnt
    btrfs filesystem resize -32M /mnt
    umount /dev/nvme0n1p6
    
  • LUKS encrypt the root filesystem partition in-place. This will destroy everything on the partition; please be careful!

    cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p6
    

    Note: On a MacBook Pro (2021, M1 Max) for example, encrypting a partition a little under 1 TiB in size takes roughly 15 minutes:

    [root@fedora ~]# time cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/nvme0n1p6
    
    WARNING!
    ========
    This will overwrite data on LUKS2-temp-fb593537-72d7-4337-a1ae-64c064d7d8e7.new irrevocably.
    
    Are you sure? (Type 'yes' in capital letters): YES
    Enter passphrase for LUKS2-temp-fb593537-72d7-4337-a1ae-64c064d7d8e7.new:
    Verify passphrase:
    Finished, time 14m10s,  925 GiB written, speed   1.1 GiB/s
    
    real    14m57.106s
    user    9m46.741s
    sys 0m38.739s
    
  • Open the LUKS encrypted partition:

    cryptsetup open /dev/nvme0n1p6 fedora-root
    cryptsetup status fedora-root
    
  • Mount root and home filesystems from the btrfs filesystem on the LUKS mapping device:

    mount -o subvol=root /dev/mapper/fedora-root /mnt
    mount -o subvol=home /dev/mapper/fedora-root /mnt/home
    
  • Mount boot and efi filesystems (these should be the two partitions immediately preceding the one encrypted with LUKS):

    mount /dev/nvme0n1p5 /mnt/boot
    mount /dev/nvme0n1p4 /mnt/boot/efi
    
  • Store the LUKS UUID in a variable for later use (exported so that it is still available inside the chroot):

    export LUKS_UUID=$(cryptsetup luksUUID /dev/nvme0n1p6 | tee /dev/stderr)
    
  • Enter the chroot to update grub, the initramfs, etc.:

    arch-chroot /mnt /bin/bash
    
  • Update crypttab

    touch /etc/crypttab
    chmod 0600 /etc/crypttab
    
    echo "fedora-root UUID=${LUKS_UUID} none" >> /etc/crypttab
    
    cat /etc/crypttab
    
  • Update /etc/default/grub, appending rd.luks.uuid=${LUKS_UUID} to the value of GRUB_CMDLINE_LINUX_DEFAULT:

    perl -i -pe 's/(GRUB_CMDLINE_LINUX_DEFAULT)="(.*)"/$1="$2 rd.luks.uuid='"${LUKS_UUID}"'"/' /etc/default/grub
    cat /etc/default/grub
    
  • Regenerate the grub configuration and rebuild the initramfs:

    grub2-mkconfig -o /boot/grub2/grub.cfg
    dracut -f
    
  • Exit the chroot jail, then reboot.

  • Note: the first decrypt prompt may be lost in the syslog output, making it appear that the boot process has hung. Either start typing the decrypt passphrase (you should see *** in place of typed characters) or press Enter to re-print the LUKS decrypt prompt.

  • Once decrypted, the boot process should complete and you should land on the familiar Linux console prompt.
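The steps above are typed by hand, and the warning at the top of this section is about exactly the mistakes a hand-typed sequence invites: picking the wrong device id, or writing an empty or duplicated rd.luks.uuid= argument (the perl one-liner appends the argument again each time it is run, and writes rd.luks.uuid= with no value if LUKS_UUID is unset inside the chroot). The script below is an added example, not part of this guide or of the asahi-fedora-usb project: it selects the root partition from lsblk output by filesystem type and label and refuses to proceed unless exactly one candidate exists, validates the UUID before it is written anywhere, and performs the crypttab and /etc/default/grub edits so that running them a second time is a no-op. It assumes util-linux lsblk (for its -P key="value" output), a GNU userland in the chroot, and an existing GRUB_CMDLINE_LINUX_DEFAULT="..." line; the lsblk sample and the UUID are constructed values shaped like the listing earlier in this section.

```shell
# Added example (not from the original guide): the checks a script around the
# "LUKS Setup" steps should make before it touches a device or a boot file.
# Assumptions: util-linux lsblk (for its -P key="value" output), GNU userland
# in the chroot, and an existing GRUB_CMDLINE_LINUX_DEFAULT="..." line.

# find_root_partition [LABEL]: read `lsblk -P -o NAME,FSTYPE,LABEL` lines on
# stdin and print /dev/<name> of the single btrfs partition carrying LABEL
# (default fedora_asahi). Fails when zero or several partitions match, so a
# script aborts instead of reencrypting the wrong device.
find_root_partition() {
    want=${1:-fedora_asahi}
    matches=$(awk -v want="$want" '
        {
            line = " " $0     # leading space anchors each key as a whole word
            name = ""; fstype = ""; label = ""
            if (match(line, / NAME="[^"]*"/))   name   = substr(line, RSTART + 7, RLENGTH - 8)
            if (match(line, / FSTYPE="[^"]*"/)) fstype = substr(line, RSTART + 9, RLENGTH - 10)
            if (match(line, / LABEL="[^"]*"/))  label  = substr(line, RSTART + 8, RLENGTH - 9)
            if (fstype == "btrfs" && label == want) print "/dev/" name
        }')
    count=$(printf '%s\n' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one btrfs partition labelled $want, found $count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# is_luks_uuid UUID: succeed only if UUID looks like `cryptsetup luksUUID`
# output. An empty value (e.g. the exported variable not reaching the chroot)
# would otherwise be written as "rd.luks.uuid=" and leave root undiscoverable.
is_luks_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
}

# add_crypttab_entry FILE MAPPER UUID: create FILE with mode 0600 and append
# "MAPPER UUID=... none" unless that UUID is already listed.
add_crypttab_entry() {
    file=$1; mapper=$2; uuid=$3
    is_luks_uuid "$uuid" || { echo "invalid LUKS UUID '$uuid'" >&2; return 1; }
    touch "$file" && chmod 0600 "$file"
    grep -q "UUID=$uuid" "$file" || printf '%s UUID=%s none\n' "$mapper" "$uuid" >> "$file"
}

# add_luks_kernel_arg FILE UUID: append rd.luks.uuid=UUID to the
# GRUB_CMDLINE_LINUX_DEFAULT value exactly once; fails if the key is absent.
add_luks_kernel_arg() {
    file=$1; uuid=$2
    is_luks_uuid "$uuid" || { echo "invalid LUKS UUID '$uuid'" >&2; return 1; }
    grep -q "rd.luks.uuid=$uuid" "$file" && return 0
    sed "s/^\(GRUB_CMDLINE_LINUX_DEFAULT=\"[^\"]*\)\"/\1 rd.luks.uuid=$uuid\"/" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
    grep -q "rd.luks.uuid=$uuid" "$file"
}

# count_luks_args FILE: number of rd.luks.uuid= arguments in FILE (expect 1).
count_luks_args() {
    grep -o 'rd.luks.uuid=[^ "]*' "$1" | awk 'END { print NR }'
}

# Constructed sample shaped like the lsblk listing in the guide, plus a
# variant with a second disk carrying the same label (the function must
# refuse rather than guess).
SAMPLE_LSBLK='NAME="nvme0n1" FSTYPE="" LABEL=""
NAME="nvme0n1p4" FSTYPE="vfat" LABEL="EFI-FEDORA"
NAME="nvme0n1p5" FSTYPE="ext4" LABEL="fedora_boot"
NAME="nvme0n1p6" FSTYPE="btrfs" LABEL="fedora_asahi"
NAME="nvme0n1p7" FSTYPE="apfs" LABEL=""'
SAMPLE_AMBIGUOUS="$SAMPLE_LSBLK
NAME=\"sda3\" FSTYPE=\"btrfs\" LABEL=\"fedora_asahi\""

# demo: run the whole sequence against the samples and constructed copies of
# crypttab and /etc/default/grub in a temporary directory; prints the results.
demo() {
    dir=$(mktemp -d)
    uuid=dd08a2bf-ae63-44e1-881d-fbb8928af4fb            # constructed sample UUID
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="rhgb quiet"\n' > "$dir/grub"
    printf '%s\n' "$SAMPLE_LSBLK" | find_root_partition
    for pass in 1 2; do                                   # second pass must be a no-op
        add_crypttab_entry "$dir/crypttab" fedora-root "$uuid"
        add_luks_kernel_arg "$dir/grub" "$uuid"
    done
    cat "$dir/crypttab" "$dir/grub"
    rm -rf "$dir"
}
```

On a live system the same functions would be driven as `lsblk -P -o NAME,FSTYPE,LABEL /dev/nvme0n1 | find_root_partition` from the recovery drive, and `add_crypttab_entry /etc/crypttab fedora-root "$LUKS_UUID"` followed by `add_luks_kernel_arg /etc/default/grub "$LUKS_UUID"` inside the chroot, before grub2-mkconfig and dracut are run. The design choice worth noting is that every function fails closed: an ambiguous device list, a malformed UUID or a grub file without the expected key produces a non-zero exit rather than a plausible-looking but unbootable result.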
