This repository contains multiple tools to encrypt the home folder of the reMarkable 2 epaper tablet using gocryptfs. Detailed background information can be found in the accompanying blog post.

This project is considered experimental and it cannot be guaranteed that the device will not be bricked as a result of this setup. The project and the toolchain in this repository were tested on the reMarkable 2 firmware version 3.2.3.1595. If a different firmware version is used, the commit hash (FRAMEBUFFER_COMMIT) in the Makefile has to be updated to a remarkable2-framebuffer commit that supports the chosen firmware version. Otherwise, the toolchain likely produces a crashing passphrase prompt application. In this case, the device can be unlocked by providing the passphrase via USB network connection:

# the actual IP addres may differ
echo 'yourpassphrase' | nc 10.11.99.1 1234

In some cases, the GUI (xochitl) will start rendering on a dark background causing graphics glitches right after entering the crytpo passphrase. This can be fixed by provoking a full screen refresh for example by opening a document.

This project is meant to be build using the toltec v2.x toolchain. However, as this project contains Qt and Go builds, no single toltec Docker image can compile the whole project. Instead, this project contains a Dockerfile which is based on the toltec Qt Dockerfile and adds Go 1.20, git and wget.

docker build -t remarkable-crypto-toolchain .
docker run --rm -it -u $(id -u):$(id -g) -v $(pwd):/project remarkable-crypto-toolchain make

Alternatively, the components of this project can be built separately with the official toltec Docker images and the corresponding Makefile targets (dist_go with the golang image, dist_qt with the qt image and dist_rest in any environment with wget, ar, tar and sha256sum installed).

After building the project, the directory structure has to be created on the reMarkable 2:

# on reMarkable 2
mkdir -p /home/crypto/bin /home/crypto/fs /home/crypto/lib

The contents of the dist folder are replicated on the reMarkable:

# on build system
scp dist/home/crypto/bin/* remarkable:/home/crypto/bin/
scp dist/home/crypto/lib/* remarkable:/home/crypto/lib/
scp dist/etc/systemd/system/cryptodaemon.service remarkable:/etc/systemd/system/
scp dist/etc/systemd/system/framebufferserver.service remarkable:/etc/systemd/system/

The setup can then be completed on the reMarkable:

# on reMarkable 2
chmod u+x /home/crypto/bin/*
PATH=/home/crypto/bin gocryptfs -init /home/crypto/fs
systemctl daemon-reload

# WARNING: after the next step, xochitl (on plaintext home directory)
# won't start by default anymore
systemctl mask xochitl --now

# after this step the screen will become blank
systemctl enable framebufferserver --now

# WARNING: After entering the password, xochitl will start with the
# encrypted filesystem which is still empty. This means that the
# device setup starts again and A NEW SSH PASSPHRASE IS SET.
systemctl enable cryptodaemon --now

We are happy to receive contributions in the form of issues or pull requests. However, the scope of this project remains limited to our usecase. This means that only new features that suit this usecase are added. For different needs or if your threat model differs, feel free to fork this project.