xoru
Posts: 6
Joined: Tue Mar 14, 2017 7:50 am

Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 7:55 am

Hi all,

I've been experimenting with the Raspberry Pi Zero v1.3 for a while and I've decided to implement full disk encryption for a project I'm working on. The thing is, the only way this zero is going to be able to connect (or be connected to) is through the g_ether usb ethernet module.

Now, the thing is, when I apply full disk encryption (luks) and boot the pi, it doesn't seem to ever load the g_ether module any more. The module exists in /boot, however I think it requires dependencies in /root (which is at that time encrypted)

Can anybody point me in the right direction?

Thanks y'all!

RaTTuS
Posts: 10743
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 9:16 am

FYI
there is no reason whatever to have full disk encryption ...
anyone with access to the device can circumnavigate the encryption.
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

xoru
Posts: 6
Joined: Tue Mar 14, 2017 7:50 am

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 11:36 am

RaTTuS wrote:FYI
there is no reason whatever to have full disk encryption ...
anyone with access to the device can circumnavigate the encryption.
Care to elaborate? Wouldn't they need the XTS AES 256-bit key for that?

RaTTuS
Posts: 10743
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 11:37 am

how do you plan on getting it to boot without having it on the card

xoru
Posts: 6
Joined: Tue Mar 14, 2017 7:50 am

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 11:40 am

RaTTuS wrote:how do you plan on getting it to boot without having it on the card
Encrypting the root partition, but have a separate unencrypted /boot partition works out fine. The data is safe, but the device can boot. After entering a key, the root partition will be decrypted and the boot continues.

I don't want to prevent booting, I want to protect all the data on the card.

scotty101
Posts: 4202
Joined: Fri Jun 08, 2012 6:03 pm

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 11:54 am

xoru wrote:
RaTTuS wrote:I don't want to prevent booting, I want to protect all the data on the card.
How will the Pi boot if the main partition is encrypted? How do you enter the key to 'unlock' it?
Electronic and Computer Engineer
Pi Interests: Home Automation, IOT, Python and Tkinter

xoru
Posts: 6
Joined: Tue Mar 14, 2017 7:50 am

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 12:27 pm

scotty101 wrote:
xoru wrote:
RaTTuS wrote:I don't want to prevent booting, I want to protect all the data on the card.
How will the Pi boot if the main partition is encrypted? How do you enter the key to 'unlock' it?
Like I just said, the boot partition isn't encrypted. The boot partition will use busybox and dropbear to allow SSH connections into the terminal, you enter the password, you continue the boot. InitramFS :)

Still though, we're getting off topic

RaTTuS
Posts: 10743
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 12:30 pm

TBH - I'd encrypt a data partition not the root fs ...
but I'll step away from this now

xoru
Posts: 6
Joined: Tue Mar 14, 2017 7:50 am

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 12:39 pm

RaTTuS wrote:TBH - I'd encrypt a data partition not the root fs ...
but I'll step away from this now
I thought of that as well, however I need the home directory and var directory to be encrypted. I considered making home and var separate partitions, but why not encrypt root completely right? I can then encrypt the etc directory as well in one go.

Thanks for your replies.

scotty101
Posts: 4202
Joined: Fri Jun 08, 2012 6:03 pm

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 1:45 pm

Not going to work....

Let's say you do the following
1. Leave boot directory alone, unencrypted
2. Encrypt root file system
3. Put some software somewhere to unencrypt the root
4. Have a key to unencrypt the root fs.

How do you plan to solve the following
1. Where do you place the software to un-encrypt the file system?
2. Does the software need to be running inside the linux os? What if the OS is on the encrypted fs?
3. Where do you keep the decryption key?
3.a On the boot partition where anyone can read it?
3.b Do you type it in each time? How? What program is running to read your keyboard input?

This topic has been discussed MANY times on this forum and I'm yet to see a secure solution that couldn't easily be broken into.

xoru
Posts: 6
Joined: Tue Mar 14, 2017 7:50 am

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Tue Mar 14, 2017 2:06 pm

scotty101 wrote:Not going to work....

Let's say you do the following
1. Leave boot directory alone, unencrypted
2. Encrypt root file system
3. Put some software somewhere to unencrypt the root
4. Have a key to unencrypt the root fs.

How do you plan to solve the following
1. Where do you place the software to un-encrypt the file system?
2. Does the software need to be running inside the linux os? What if the OS is on the encrypted fs?
3. Where do you keep the decryption key?
3.a On the boot partition where anyone can read it?
3.b Do you type it in each time? How? What program is running to read your keyboard input?

This topic has been discussed MANY times on this forum and I'm yet to see a secure solution that couldn't easily be broken into.
https://github.com/fpunktk/raspi-fde

That solution runs a limited environment and encrypts the whole root directory. Decryption software is run by the means of initramfs, busybox and dropbear and the key entering is done via SSH. This is a solution for the Pi models with an ethernet adapter instead of the zero, with a usb ether module.

I've come to the point that everything goes well, except for the part where the g_ether module has to be loaded right before decryption can be done.

RaTTuS
Posts: 10743
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Fri Jul 07, 2017 1:43 pm


AndyPi
Posts: 83
Joined: Wed Feb 22, 2012 10:24 pm
Location: Gloucestershire,UK

Re: Pi Zero 1.3, Full Disk Encryption and g_ether?

Fri Jul 07, 2017 3:34 pm

Is it possible that you need to add the g_ether modules into the initramfs and load the modules on kernel cmdline
maybe something like

MODULES="dwc2 g_ether usb_f_ecm"
in the initramfs config file
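
Added example (not part of the thread or of raspi-fde): on a headless Pi Zero whose only link is g_ether, a rebuilt initramfs that lacks the gadget modules means no way to reach the unlock prompt, so it is worth checking the image contents before rebooting. The sketch below checks a path listing, such as `lsinitramfs` prints on Debian-based systems (an assumption, the thread does not name the distribution), for the three modules from the post above; the listing and kernel version are constructed.

```shell
#!/bin/sh
# Modules named in the post above.
REQUIRED_MODULES="dwc2 g_ether usb_f_ecm"

# Constructed sample listing of initramfs contents (not real output).
# usb_f_ecm is deliberately absent so the check has something to report.
sample_listing() {
cat <<'EOF'
bin/busybox
sbin/dropbear
sbin/cryptsetup
lib/modules/4.9.0-example/kernel/drivers/usb/dwc2/dwc2.ko
lib/modules/4.9.0-example/kernel/drivers/usb/gadget/legacy/g_ether.ko.xz
lib/modules/4.9.0-example/kernel/drivers/usb/gadget/libcomposite.ko
EOF
}

# missing_modules "<space-separated modules>"
# Reads a path listing on stdin and prints the modules that have no
# matching .ko file (plain or compressed). '-' and '_' are treated as
# the same character, as the kernel does for module names.
missing_modules() {
    wanted=$1
    # Reduce the listing to bare, normalised module names, one per line.
    present=$(sed -n 's#^.*/\([^/]*\)\.ko\(\.[a-z0-9]*\)\{0,1\}$#\1#p' | sed 'y/-/_/')
    missing=""
    for m in $wanted; do
        norm=$(printf '%s' "$m" | sed 'y/-/_/')
        if ! printf '%s\n' "$present" | grep -qxF -- "$norm"; then
            missing="${missing:+$missing }$m"
        fi
    done
    printf '%s' "$missing"
}

# Demo on the constructed listing.
echo "missing: $(sample_listing | missing_modules "$REQUIRED_MODULES")"
```

On a real system, pipe the actual listing of the initramfs image into `missing_modules` instead of `sample_listing`; an empty result means all three modules are in the image.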
