Just a quick tutorial for setting up an encrypted /home partition on your Pinebook Pro with OpenSUSE Tumbleweed.
This assumes you are doing a fresh install. If not, be sure to backup your data.
Initial Installation
Follow OpenSUSE’s tutorial for creating an bootable SD card, booting from it, and putting the same image on the eMMC here:
https://en.opensuse.org/HCL:Pinebook-Pro-RK3399
(I’ll be using the KDE Image and Tow-Boot)
Once you have imaged OpenSUSE to the eMMC, restart and boot from the SD card again.
Resizing Root
Open Konsole (or another terminal) and install the KDE partition manager to the SD card.
zypper install partitionmanager
Open KDE Partition Manager from the Application Launcher
Choose the eMMC device on the left and resize the root partition. I shrink it so roughly 32GB is free for my /home partition at the end of the drive.
Shutdown and remove the SD card.
Boot from the eMMC.
Log in as root.
Once again, install KDE Partition Manager (this time on the eMMC) by opening Konsole and running:
zypper install partitionmanager
Open KDE Partition Manager from the Application Launcher
Create a new partition in the new blank space.
Choose BTRFS with LUKS encryption.
Set a password (you’ll need to enter this password every time you boot, so make sure it’s one you’re remember).
Open Konsole
Ensure that the new partition is unlocked, entering the password if prompted:
cryptsetup luksOpen /dev/mmcblk0p4 luks-`cryptsetup luksUUID /dev/mmcblk0p4`
Added the encrypted partition to crypttab so I can be automatically mounted at boot:
echo luks-`cryptsetup luksUUID /dev/mmcblk0p4` UUID=`cryptsetup luksUUID /dev/mmcblk0p4` none luks >> /etc/crypttab
Add the encrypted partition to fstab so it’s automatically mounted at boot:
echo /dev/mapper/luks-`cryptsetup luksUUID /dev/mmcblk0p4` /home btrfs defaults 0 0 >> /etc/fstab
Reboot. You should be asked for encryption password during the boot process.
Log in as root and open Konsole again.
lsblk
You should see something like this:
You should see something like this: NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS mmcblk0 179:0 0 58.2G 0 disk ├─mmcblk0p1 179:1 0 16M 0 part /boot/efi ├─mmcblk0p2 179:2 0 500M 0 part [SWAP] ├─mmcblk0p3 179:3 0 32.7G 0 part / └─mmcblk0p4 179:4 0 25G 0 part └─luks-26a9eb0a-fc68-47f5-917c-89281603cfa8 254:0 0 25G 0 crypt /home
The last partition should be type “crypt” mounted as “/home”. If so, you’re all set!
Finally, create a real user. Their home directory will default to the encrypted /home mount.