[-] chevy9294@monero.town 7 points 2 months ago

That was really hard to do. I created a note for myself and I will also publish it on my website. You can also decrypt the SD using a FIDO2 hardware key (I have a Nitrokey). If you don't need that, just skip the steps that are for FIDO2.

The note:

Download the image.

Format SD card to new DOS table:

  • Boot: 512M 0c W95 FAT32 (LBA)
  • Root: 83 Linux

As root:

xz -d 2023-12-11-raspios-bookworm-arm64-lite.img.xz
losetup -fP 2023-12-11-raspios-bookworm-arm64-lite.img
dd if=/dev/loop0p1 of=/dev/mmcblk0p1 bs=1M
cryptsetup luksFormat --type=luks2 --cipher=xchacha20,aes-adiantum-plain64 /dev/mmcblk0p2
systemd-cryptenroll --fido2-device=auto /dev/mmcblk0p2
cryptsetup open /dev/mmcblk0p2 root
dd if=/dev/loop0p2 of=/dev/mapper/root bs=1M
e2fsck -f /dev/mapper/root
resize2fs -f /dev/mapper/root
mount /dev/mapper/root /mnt
mount /dev/mmcblk0p1 /mnt/boot/firmware
arch-chroot /mnt

In chroot:

apt update && apt full-upgrade -y && apt autoremove -y && apt install cryptsetup-initramfs fido2-tools jq debhelper git vim -y
git clone https://github.com/bertogg/fido2luks && cd fido2luks
fakeroot debian/rules binary && sudo apt install ../fido2luks*.deb
cd .. && rm -rf fido2luks*

Edit /etc/crypttab:

root            /dev/mmcblk0p2          none            luks,keyscript=/lib/fido2luks/keyscript.sh

Edit /etc/fstab:

/dev/mmcblk0p1    /boot/firmware  vfat    defaults          0       2
/dev/mapper/root  /               ext4    defaults,noatime  0       1

Change root to /dev/mapper/root and add cryptdevice=/dev/mmcblk0p2:root to /boot/firmware/cmdline.txt.

PATH="$PATH:/sbin"
update-initramfs -u

Exit chroot and finish!

umount -R /mnt
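
A pre-reboot sanity check for the setup in the note above, as an added example that is not part of the original comment: it verifies that cmdline.txt, crypttab and fstab in the mounted target agree on the encrypted root before `umount -R /mnt`. The function names and the constructed sample tree are assumptions; the device, mapper name and keyscript path are the ones the note uses.

```bash
# Added example, not from the original note. Checks that cmdline.txt, crypttab
# and fstab under a mounted target root agree on the encrypted root device.
# Defaults (mapper "root", /dev/mmcblk0p2) are taken from the note above.
check_luks_boot_config() {
    root=${1:-/mnt}; mapper=${2:-root}; luksdev=${3:-/dev/mmcblk0p2}
    rc=0
    cmdline="$root/boot/firmware/cmdline.txt"
    crypttab="$root/etc/crypttab"
    fstab="$root/etc/fstab"

    # cmdline.txt is a single line of space-separated kernel parameters.
    for want in "root=/dev/mapper/$mapper" "cryptdevice=$luksdev:$mapper"; do
        if ! tr ' ' '\n' < "$cmdline" | grep -qxF "$want"; then
            echo "cmdline.txt: missing $want" >&2; rc=1
        fi
    done

    # crypttab fields: name, device, key file, options (must include "luks").
    if ! awk -v n="$mapper" -v d="$luksdev" \
        '$1 == n && $2 == d && $4 ~ /(^|,)luks(,|$)/ { ok = 1 } END { exit !ok }' \
        "$crypttab"; then
        echo "crypttab: no luks entry mapping $luksdev to $mapper" >&2; rc=1
    fi

    # fstab: / must be mounted from the mapper device, not the raw partition.
    if ! awk -v d="/dev/mapper/$mapper" \
        '$1 == d && $2 == "/" { ok = 1 } END { exit !ok }' "$fstab"; then
        echo "fstab: / is not mounted from /dev/mapper/$mapper" >&2; rc=1
    fi

    # A keyscript= named in crypttab must exist and be executable in the target.
    ks=$(awk -v n="$mapper" '$1 == n { print $4 }' "$crypttab" |
         tr ',' '\n' | sed -n 's/^keyscript=//p')
    if [ -n "$ks" ] && [ ! -x "$root$ks" ]; then
        echo "crypttab: keyscript $ks not found in target root" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample tree mirroring the files in the note, for an offline run.
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/boot/firmware" "$d/etc" "$d/lib/fido2luks"
    echo "console=tty1 root=/dev/mapper/root cryptdevice=/dev/mmcblk0p2:root rootwait" \
        > "$d/boot/firmware/cmdline.txt"
    echo "root /dev/mmcblk0p2 none luks,keyscript=/lib/fido2luks/keyscript.sh" > "$d/etc/crypttab"
    printf '%s\n' "/dev/mmcblk0p1 /boot/firmware vfat defaults 0 2" \
        "/dev/mapper/root / ext4 defaults,noatime 0 1" > "$d/etc/fstab"
    : > "$d/lib/fido2luks/keyscript.sh"; chmod +x "$d/lib/fido2luks/keyscript.sh"
    echo "$d"
}
```

Source the file and run `check_luks_boot_config /mnt` after leaving the chroot; a non-zero return means one of the three files still points at the unencrypted layout.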

[-] chevy9294@monero.town 1 points 2 months ago

I'm already building the website ;)

[-] chevy9294@monero.town 4 points 2 months ago

On my main profile on GrapheneOS there are 7 closed source apps and 1 self-built, technically closed source (for now) app, all out of a total of 71 apps.

[-] chevy9294@monero.town 9 points 2 months ago

7 out of 705 installed packages are non-free packages on my RPi server.

[-] chevy9294@monero.town 11 points 2 months ago* (last edited 2 months ago)

On my Raspberry Pi 4 4GB with encrypted SD there is:

  • pihole
  • wireguard server
  • vaultwarden
  • cloudflare ddns
  • nginx proxy manager
  • my website
  • ntfy server
  • mollysocket
  • findmydevice server
  • watchtower

Pi is overkill for this kind of job. Load average is only 0.7% and RAM usage is only 400M.

[-] chevy9294@monero.town 3 points 2 months ago

It's private if you give an email alias and pay with crypto or prepaid cards.

[-] chevy9294@monero.town 3 points 2 months ago

Yep, it's how it is. I converted my family from Viber to Signal, but my whole class... That's maybe too much.

[-] chevy9294@monero.town 4 points 2 months ago

I did, and every other search engine is slower than Google, which is very important to me. But when I tried Kagi it was so quick, even faster than Google.

[-] chevy9294@monero.town 2 points 2 months ago

Thanks for the advice! If I upgrade to Proton Unlimited for the next 2 years I get 500GB of cloud storage and (imo) a little worse but still great VPN for 3,5$ less per month.

Do I have unlimited aliases on Proton Pass or also on SimpleLogin? You can log in to SimpleLogin using a Proton account.

I have 15 days left on MullvadVPN and maybe 2 months on SimpleLogin. I'll upgrade next month.

[-] chevy9294@monero.town 2 points 2 months ago

Yes I did but it was too complex for me at the time. Maybe I'll give it a second go.
