Hi all,
I've been experimenting with the Raspberry Pi Zero v1.3 for a while and I've decided to implement full disk encryption for a project I'm working on. The thing is, the only way this Zero is going to be able to connect (or be connected to) is through the g_ether USB Ethernet module.
Now, the thing is, when I apply full disk encryption (LUKS) and boot the Pi, it doesn't seem to ever load the g_ether module any more. The module exists in /boot, however I think it requires dependencies in /root (which is at that time encrypted).
Can anybody point me in the right direction?
Thanks y'all!
- RaTTuS
- Posts: 10743
- Joined: Tue Nov 29, 2011 11:12 am
- Location: North West UK
- Contact: Twitter YouTube
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
FYI
there is no reason whatever to have full disk encryption ...
anyone with access to the device can circumnavigate the encryption.
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV
1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
RaTTuS wrote:
> FYI
> there is no reason whatever to have full disk encryption ...
> anyone with access to the device can circumnavigate the encryption.

Care to elaborate? Wouldn't they need the XTS AES 256-bit key for that?
- RaTTuS
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
how do you plan on getting it to boot without having it on the card
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
RaTTuS wrote:
> how do you plan on getting it to boot without having it on the card

Encrypting the root partition, but have a separate unencrypted /boot partition works out fine. The data is safe, but the device can boot. After entering a key, the root partition will be decrypted and the boot continues.
I don't want to prevent booting, I want to protect all the data on the card.
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
xoru wrote:
> I don't want to prevent booting, I want to protect all the data on the card.

How will the Pi boot if the main partition is encrypted? How do you enter the key to 'unlock' it?
Electronic and Computer Engineer
Pi Interests: Home Automation, IOT, Python and Tkinter
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
scotty101 wrote:
> xoru wrote:
> > I don't want to prevent booting, I want to protect all the data on the card.
>
> How will the Pi boot if the main partition is encrypted? How do you enter the key to 'unlock' it?

Like I just said, the boot partition isn't encrypted. The boot partition will use busybox and dropbear to allow SSH connections into the terminal, you enter the password, you continue the boot. InitramFS

Still though, we're getting off topic
- RaTTuS
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
TBH - I'd encrypt a data partition not the root fs ...
but I'll step away from this now
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
RaTTuS wrote:
> TBH - I'd encrypt a data partition not the root fs ...
> but I'll step away from this now

I thought of that as well, however I need the home directory and var directory to be encrypted. I considered making home and var separate partitions, but why not encrypt root completely right? I can then encrypt the etc directory as well in one go.
Thanks for your replies.
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
Not going to work....
Let's say you do the following
1. Leave boot directory alone, unencrypted
2. Encrypt root file system
3. Put some software somewhere to unencrypt the root
4. Have a key to unencrypt the root fs.
How do you plan to solve the following
1. Where do you place the software to un-encrypt the file system?
2. Does the software need to be running inside the Linux OS? What if the OS is on the encrypted fs?
3. Where do you keep the decryption key?
3.a On the boot partition where anyone can read it?
3.b Do you type it in each time? How? What program is running to read your keyboard input?
This topic has been discussed MANY times on this forum and I'm yet to see a secure solution that couldn't easily be broken into.
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
scotty101 wrote:
> Not going to work....
> Let's say you do the following
> 1. Leave boot directory alone, unencrypted
> 2. Encrypt root file system
> 3. Put some software somewhere to unencrypt the root
> 4. Have a key to unencrypt the root fs.
> How do you plan to solve the following
> 1. Where do you place the software to un-encrypt the file system?
> 2. Does the software need to be running inside the Linux OS? What if the OS is on the encrypted fs?
> 3. Where do you keep the decryption key?
> 3.a On the boot partition where anyone can read it?
> 3.b Do you type it in each time? How? What program is running to read your keyboard input?
> This topic has been discussed MANY times on this forum and I'm yet to see a secure solution that couldn't easily be broken into.

https://github.com/fpunktk/raspi-fde
That solution runs a limited environment and encrypts the whole root directory. Decryption software is run by the means of initramfs, busybox and dropbear and the key entering is done via SSH. This is a solution for the Pi models with an ethernet adapter instead of the zero, with a usb ether module.
I've come to the point that everything goes well, instead of the part where the g_ether module has to be loaded right before decryption can be done.
Re: Pi Zero 1.3, Full Disk Encryption and g_ether?
Is it possible that you need to add the g_ether modules into the initramfs and load the modules on kernel cmdline
maybe something like
in the initramfs config file
MODULES="dwc2 g_ether usb_f_ecm"
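
An added example, not written by any poster in this thread: after rebuilding the initramfs with a MODULES line like the one suggested above, one way to confirm that the gadget modules actually landed in the image is to check its file listing. The function reads a listing on stdin, one path per line, such as `lsinitcpio` or `lsinitramfs` would print (which tool applies depends on the distribution, an assumption here); the function name and both sample listings are constructed for illustration.

```sh
#!/bin/sh
# Report which required kernel modules are absent from an initramfs
# file listing read on stdin (one path per line).
# Handles compressed module files (.ko.gz/.ko.xz/.ko.zst) and treats
# '-' and '_' in module names as equivalent, as the kernel does.
missing_modules() {
    # Reduce the listing to bare module names: strip the directory part,
    # keep only *.ko[.gz|.xz|.zst] entries, drop the suffix.
    names=$(sed -n -E 's#^.*/##; s/\.ko(\.gz|\.xz|\.zst)?$//p' | tr '-' '_')
    missing=""
    for mod in "$@"; do
        want=$(printf '%s' "$mod" | tr '-' '_')
        # -x: whole-line match, -F: fixed string, -q: quiet
        printf '%s\n' "$names" | grep -qxF "$want" || missing="$missing $mod"
    done
    # Empty output means every requested module is in the image.
    printf '%s\n' "${missing# }"
}

# Constructed listing: an image that has dropbear and the USB controller
# driver but lacks g_ether, so the SSH unlock would never get a network link.
SAMPLE_BROKEN='usr/bin/busybox
usr/bin/dropbear
usr/lib/modules/0.0.0-example/kernel/crypto/xts.ko.gz
usr/lib/modules/0.0.0-example/kernel/drivers/usb/dwc2/dwc2.ko.gz
usr/lib/modules/0.0.0-example/kernel/drivers/usb/gadget/function/usb_f_ecm.ko.gz'

# Constructed listing: the same image after g_ether has been added.
SAMPLE_FIXED="$SAMPLE_BROKEN
usr/lib/modules/0.0.0-example/kernel/drivers/usb/gadget/legacy/g_ether.ko.gz"

printf 'missing before: %s\n' \
    "$(printf '%s\n' "$SAMPLE_BROKEN" | missing_modules dwc2 g_ether usb_f_ecm)"
printf 'missing after:  %s\n' \
    "$(printf '%s\n' "$SAMPLE_FIXED" | missing_modules dwc2 g_ether usb_f_ecm)"
```

On a real system the listing would be piped in from the image itself rather than from the sample variables.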