
How to enable LUKS / Encryption? #65

Open
Deadarius opened this issue Nov 21, 2024 · 1 comment
Comments

@Deadarius

I have copied the contents of the image to nvme drive. As there is no installer per se, there was no option to enable LUKS on install. I do now want to enable LUKS (or whichever other way to encrypt full drive), how can I go about it? Thanks in advance.

@AlexBaranowski
Contributor

It's not possible for an image that has already been baked; LUKS encryption is created before the image is baked and data is written to the partition.

Possible solution.

  1. Recreate the image with the changed kickstart -> example https://github.com/AlmaLinux/raspberry-pi/blob/master/AlmaLinux-9-RaspberryPi-console.aarch64.ks

Original

part / --asprimary --fstype=ext4 --size=2400 --label=rootfs --ondisk=sda

Changed to something like this

part / --asprimary --fstype=ext4 --size=2400 --label=rootfs --ondisk=sda --encrypted --passphrase=My$ecre1Pa$$

TAKE the information below with a grain of salt. I'm not 100% sure 👍🏻.

One of the reasons the LUKS images are not provided is that the encryption key is shared between images after installation. So even though you change your LUKS password with something like:

sudo cryptsetup luksChangeKey /dev/sda1 -S 0

The encryption key (volume key) is accessible only with a different password, but it's the same key!!!

Actually, I checked the specification -> https://gitlab.com/cryptsetup/LUKS2-docs/blob/main/luks2_doc_wip.pdf

And there is section 4.9, reencryption.

It should be possible to have a common password for images and then inform the user that it is necessary to re-encrypt the device after changing the password.

Something like

sudo cryptsetup luksChangeKey /dev/XXX -S 0
sudo cryptsetup reencrypt /dev/XXX

I'm sorry, but I do not have an ARM64 builder ATM to check it. However, this should give you a rough idea of how you can safely achieve full encryption.
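A check for the shared-volume-key situation the comment describes, added here as an example; it is not part of this thread or of the AlmaLinux image tooling. It parses `cryptsetup luksDump` output: the `Digests:` section of a LUKS2 header holds a PBKDF2 digest of the volume key together with its salt, and both are copied along with the header when an image is cloned. `luksChangeKey` rewrites a keyslot but leaves the volume key (and so the digest) untouched, while `cryptsetup reencrypt` generates a new volume key and a new digest object. The dump excerpts below are constructed samples, not output from real devices, and `luks_device_fingerprint` assumes a host with root and cryptsetup.

```shell
#!/bin/sh
# Added example: detect whether two LUKS2 headers share a volume key by
# comparing the digest object that cryptsetup keeps in the header.

# Print "<salt-hex>/<digest-hex>" for the first entry under "Digests:" of a
# `cryptsetup luksDump` text read on stdin. luksDump wraps hex bytes over
# indented continuation lines; they are joined here.
luks_digest_fingerprint() {
    awk '
        /^Digests:/ { in_digests = 1; next }
        in_digests && /^[A-Za-z]/ { in_digests = 0 }     # next top-level section
        in_digests && /^[ \t]*Salt:/ {
            field = "salt"; sub(/^[ \t]*Salt:[ \t]*/, ""); salt = salt $0; next }
        in_digests && /^[ \t]*Digest:/ {
            field = "digest"; sub(/^[ \t]*Digest:[ \t]*/, ""); dig = dig $0; next }
        in_digests && field != "" && /^[ \t]*([0-9a-f][0-9a-f][ \t]*)+$/ {
            if (field == "salt") salt = salt $0; else dig = dig $0; next }
        in_digests { field = "" }
        END { gsub(/[ \t]/, "", salt); gsub(/[ \t]/, "", dig); print salt "/" dig }
    '
}

# Classify two fingerprints. Same salt and digest: the same volume key.
# Same salt, different digest: the key changed under the same digest salt.
# Different salt: the digest objects are unrelated (reencrypt creates a
# fresh one), so the digest alone proves nothing about the keys.
compare_fingerprints() {
    salt_a=${1%%/*}; dig_a=${1#*/}
    salt_b=${2%%/*}; dig_b=${2#*/}
    if [ "$salt_a" = "$salt_b" ] && [ "$dig_a" = "$dig_b" ]; then
        echo shared
    elif [ "$salt_a" = "$salt_b" ]; then
        echo rotated
    else
        echo inconclusive
    fi
}

# For real devices (needs root and cryptsetup; not exercised below).
luks_device_fingerprint() {
    cryptsetup luksDump "$1" | luks_digest_fingerprint
}

# Constructed luksDump excerpts (not from real devices). DUMP_CLONE is what a
# dd-copied image looks like after luksChangeKey: the keyslot differs, the
# digest does not. DUMP_REENC is the same image after cryptsetup reencrypt.
DUMP_BASE=$(cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-4000-8000-000000000001
Keyslots:
  0: luks2
        Key:        512 bits
        Digest ID:  0
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 137541
        Salt:       1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
                    10 21 32 43 54 65 76 87 98 a9 ba cb dc ed fe 0f
        Digest:     aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
                    99 88 77 66 55 44 33 22 11 00 ff ee dd cc bb aa
EOF
)
DUMP_CLONE=$(cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-4000-8000-000000000001
Keyslots:
  1: luks2
        Key:        512 bits
        Digest ID:  0
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 137541
        Salt:       1a 2b 3c 4d 5e 6f 70 81 92 a3 b4 c5 d6 e7 f8 09
                    10 21 32 43 54 65 76 87 98 a9 ba cb dc ed fe 0f
        Digest:     aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99
                    99 88 77 66 55 44 33 22 11 00 ff ee dd cc bb aa
EOF
)
DUMP_REENC=$(cat <<'EOF'
LUKS header information
Version:        2
UUID:           00000000-0000-4000-8000-000000000001
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 141002
        Salt:       0f 1e 2d 3c 4b 5a 69 78 87 96 a5 b4 c3 d2 e1 f0
                    f0 e1 d2 c3 b4 a5 96 87 78 69 5a 4b 3c 2d 1e 0f
        Digest:     01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
                    10 32 54 76 98 ba dc fe ef cd ab 89 67 45 23 01
EOF
)

fp_base=$(printf '%s\n' "$DUMP_BASE" | luks_digest_fingerprint)
fp_clone=$(printf '%s\n' "$DUMP_CLONE" | luks_digest_fingerprint)
fp_reenc=$(printf '%s\n' "$DUMP_REENC" | luks_digest_fingerprint)
echo "clone after luksChangeKey vs base: $(compare_fingerprints "$fp_base" "$fp_clone")"  # shared
echo "clone after reencrypt vs base:     $(compare_fingerprints "$fp_base" "$fp_reenc")"  # inconclusive
```

On real hardware the same comparison is `compare_fingerprints "$(luks_device_fingerprint /dev/sda1)" "$(luks_device_fingerprint /dev/sdb1)"` as root. Because the digest salt is cloned together with the header, an identical salt plus identical digest means the two devices decrypt with the same volume key, regardless of how many times `luksChangeKey` has been run on either; only `cryptsetup reencrypt` changes that, after which the digest object (and the result here) no longer matches. The header UUID is cloned as well and is a cheaper first signal of a copied image, but it can be regenerated without touching the volume key, so it should not be relied on for this check.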
