LUKS on Intel or ARM Mac (using an ARM64 ArchLinux image under UTM)

For quite a while I’ve wanted to mount LUKS-encrypted partitions on my macOS machines (here is how to do it in Windows). This post describes a way to do it using a UTM virtual machine.

VM Method

Create VM

  1. ArchLinux Config
    • Download ArchLinux ARM from https://mac.getutm.app/gallery/archlinux-arm.
    • Unzip archlinux-arm64-utm4.zip which will create ArchLinux.utm
    • In UTM create a new VM and open the UTM file. Then resize the disk to 16 GB and the memory to 8 GB.
    • Run ArchLinux from the GUI and it should boot the emulated Linux.
  2. LUKS
    • Identify the drive using lsblk (mine was /dev/sda1)
    • cryptsetup luksOpen /dev/sda1 onetouch
  3. Samba
    • From the ArchLinux menu, pass through your USB drive.
    • Install samba: pacman -Syu samba (when asked to choose a provider, choose 1, dbus-broker-units).
    • curl 'https://git.samba.org/samba.git/?p=samba.git;a=blob_plain;f=examples/smb.conf.default;hb=HEAD' > /etc/samba/smb.conf
    • Configure samba according to https://linuxways.net/arch/install-configure-samba-arch-linux/ (summarised below)
    • Edit /etc/samba/smb.conf and put the following at the end of the file
        [archshare]
            path = /samba
            writeable = yes
            browsable = yes
            read only = no
            guest ok = no
      
    • useradd phwl; mkdir /home/phwl; chown phwl:phwl /home/phwl; passwd phwl;
    • passwd root
    • groupadd -r smbusers; usermod -aG smbusers phwl
    • smbpasswd -a phwl
    • mkdir /samba; chown -R :smbusers /samba; mount /dev/mapper/onetouch /samba
    • systemctl enable --now smb nmb
    • ifconfig
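The Samba steps above, collected into one re-runnable script. This is an added example, not code from the original post: it assumes the Arch Linux ARM guest with cryptsetup and samba already installed, root privileges, and a Linux filesystem (such as ext4) inside the LUKS container; LUKS_DEV, MAPPER_NAME, SHARE_USER, SHARE_GROUP, SHARE_PATH and SHARE_NAME are placeholders taken from the post. Two things differ from the manual steps: group ownership is fixed after mounting (a chown on the empty mountpoint is hidden once the volume is mounted over it), and the share carries a "valid users = @smbusers" line so only members of the group that owns the directory can reach it.

```shell
#!/bin/sh
# Added example (not from the original post): provision the LUKS-backed Samba
# share as one idempotent script. Assumes Arch Linux ARM, cryptsetup and samba
# installed, run as root. The values below are placeholders from the post.
set -eu

LUKS_DEV="/dev/sda1"
MAPPER_NAME="onetouch"
SHARE_USER="phwl"
SHARE_GROUP="smbusers"
SHARE_PATH="/samba"
SHARE_NAME="archshare"
SMB_CONF="/etc/samba/smb.conf"

# Print the share stanza. "writeable = yes" and "read only = no" are the same
# setting, so only one is kept; "valid users" limits the share to the group
# that owns the mountpoint rather than any account with a Samba password.
share_stanza() {  # share_stanza NAME PATH GROUP
    printf '\n[%s]\n' "$1"
    printf '    path = %s\n' "$2"
    printf '    read only = no\n'
    printf '    browsable = yes\n'
    printf '    guest ok = no\n'
    printf '    valid users = @%s\n' "$3"
    printf '    force group = %s\n' "$3"
    printf '    create mask = 0660\n'
    printf '    directory mask = 0770\n'
}

# Append the stanza only if the file does not already define the share, so
# running the script twice does not duplicate it.
ensure_share() {  # ensure_share CONF NAME PATH GROUP
    if ! grep -qFx "[$2]" "$1" 2>/dev/null; then
        share_stanza "$2" "$3" "$4" >> "$1"
    fi
}

# Number of times a share section appears in the config (0 when absent).
count_share() {  # count_share CONF NAME
    grep -cFx "[$2]" "$1" 2>/dev/null || true
}

provision() {
    # 1. Unlock the LUKS volume (prompts for the passphrase) unless already open.
    [ -e "/dev/mapper/$MAPPER_NAME" ] || cryptsetup luksOpen "$LUKS_DEV" "$MAPPER_NAME"

    # 2. Accounts: a system group for share access and a user that belongs to it.
    getent group "$SHARE_GROUP" >/dev/null || groupadd -r "$SHARE_GROUP"
    id "$SHARE_USER" >/dev/null 2>&1 || useradd -m "$SHARE_USER"
    usermod -aG "$SHARE_GROUP" "$SHARE_USER"
    echo "Set the Samba password for $SHARE_USER:"
    smbpasswd -a "$SHARE_USER"

    # 3. Mount first, then fix group ownership of the mounted root: ownership
    #    set on the empty directory is hidden once the filesystem is mounted.
    mkdir -p "$SHARE_PATH"
    mountpoint -q "$SHARE_PATH" || mount "/dev/mapper/$MAPPER_NAME" "$SHARE_PATH"
    chgrp "$SHARE_GROUP" "$SHARE_PATH"
    chmod 2770 "$SHARE_PATH"

    # 4. Share definition, config check, services, and the address to use.
    ensure_share "$SMB_CONF" "$SHARE_NAME" "$SHARE_PATH" "$SHARE_GROUP"
    testparm -s >/dev/null          # refuse to start smbd with a broken smb.conf
    systemctl enable --now smb nmb
    ip -4 addr show | awk '/inet / { print $2 }'
}

# Run the provisioning only when asked, so the helpers can be sourced on their own.
if [ "${PROVISION:-0}" = "1" ]; then
    provision
fi
```

Run it on the guest as root with PROVISION=1 sh provision-share.sh; without PROVISION=1 it only defines the helper functions.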

Host

  1. In Finder, choose Go > Connect to Server and enter smb://192.168.64.2 (the VM address reported by ifconfig).
  2. You can also start the VM and attach the USB drive automatically from macOS using the following script (the UUID identifies the VM, and 0BC2:AB84 is the USB vendor:product ID of the drive):
    $ utmctl start 2F2C4095-EC5B-49CD-A654-FE17D7EC7CAA
    $ utmctl usb connect "ArchLinux" "0BC2:AB84"
    

Openwrt Method

THIS APPEARS TO BE A BAD IDEA FOR THE MOMENT DUE TO AN UNRESOLVED LUKS BUG IN OPENWRT.

This is using a GL.iNet GL-MT3000 router. It should be similar for any OpenWrt device.

  1. First install OpenWrt and turn on wifi access.
  2. USB: ssh to the OpenWrt machine and do the following to get USB working:
    # opkg update
    # opkg install kmod-usb-storage cryptsetup
    # opkg install kmod-usb-uhci
    # insmod uhci_hcd
    # opkg install kmod-usb2
    # insmod ehci-hcd
    # opkg install kmod-usb3
    # insmod xhci-hcd
    # opkg install kmod-usb-storage-uas
    # dmesg
    # cryptsetup luksOpen /dev/sda1 onetouch
    

    You should see a message like [sda] Attached SCSI disk, which means the USB drive is working.

  3. The next problem is that you may get Warning: keyslot operation could fail as it requires more than available memory. LUKS2 keyslots use Argon2id by default, a memory-hard KDF whose memory cost is tuned on the machine that formatted the drive and is usually far more than the router has. This problem is addressed here: on a computer with sufficient memory, add a second keyslot that uses PBKDF2 (which is not memory-hard) and open the drive with that slot. PBKDF2 is cheaper to brute-force than Argon2id, so the passphrase on that slot should be a strong one.
     $ cryptsetup luksAddKey -S 1 --pbkdf pbkdf2 /dev/sda1
     $ cryptsetup luksOpen -S 1 /dev/sda1 onetouch
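A way to check, before calling luksOpen on the router, which keyslots can actually be unlocked within the memory available. This is an added example, not from the original post or from cryptsetup: it assumes the text layout of cryptsetup 2.x luksDump (Argon2 "Memory" is reported in KiB, PBKDF2 slots have no Memory line), and the device path and memory limit are placeholders. The sample dump is constructed, with the UUID and salts left out.

```shell
#!/bin/sh
# Added example (not from the original post): report which LUKS2 keyslots fit
# in a given amount of memory, then open with the first one that fits.
# Assumes the cryptsetup 2.x luksDump text format; device and limit are placeholders.
set -eu

# Constructed sample of `cryptsetup luksDump` output: slot 0 is the Argon2id
# default, slot 1 is the PBKDF2 slot added with `luksAddKey -S 1 --pbkdf pbkdf2`.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          4
UUID:           (omitted)

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        Salt:       (omitted)
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
        Salt:       (omitted)
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
        Salt:       (omitted)'

# keyslot_report DUMP_TEXT LIMIT_KIB
# One line per keyslot: "<slot> <pbkdf> <memory_kib> <ok|too-big>".
# Slots without a Memory line (PBKDF2) are reported with 0 and always fit.
keyslot_report() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        function flush() {
            if (slot == "") return
            status = (mem + 0 > limit + 0) ? "too-big" : "ok"
            print slot, pbkdf, mem, status
        }
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/ && in_slots { flush(); slot = ""; in_slots = 0 }   # Tokens:/Digests: end the section
        in_slots && /^ *[0-9]+: luks2/ { flush(); slot = $1; sub(":", "", slot); pbkdf = ""; mem = 0 }
        in_slots && /^[[:space:]]+PBKDF:/  { pbkdf = $2 }
        in_slots && /^[[:space:]]+Memory:/ { mem = $2 }
        END { flush() }
    '
}

# usable_slots DUMP_TEXT LIMIT_KIB -> space-separated slot numbers that fit.
usable_slots() {
    keyslot_report "$1" "$2" | awk '$4 == "ok" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Memory the kernel currently reports as available, in KiB (Linux only).
mem_available_kib() {
    awk '/^MemAvailable:/ { print $2 }' /proc/meminfo
}

# luks_open_low_mem DEVICE NAME LIMIT_KIB
# On the router (needs root and a real device; not run by the test): open with
# the first slot that fits, instead of letting Argon2 fail on memory.
luks_open_low_mem() {
    dump=$(cryptsetup luksDump "$1")
    slot=$(usable_slots "$dump" "$3" | cut -d' ' -f1)
    if [ -z "$slot" ]; then
        echo "no keyslot on $1 fits in $3 KiB; add a PBKDF2 slot on a larger machine first" >&2
        return 1
    fi
    cryptsetup luksOpen -S "$slot" "$1" "$2"
}
```

On the router, luks_open_low_mem /dev/sda1 onetouch "$(mem_available_kib)" picks slot 1 when only the PBKDF2 slot fits; on a machine with a few GiB free it picks slot 0 and the normal Argon2id slot is used.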