RDPUser
Posts: 148
Joined: Tue Jan 30, 2018 12:18 pm

[Tutorial] Encrypt Raspberry-PI on Debian Buster with remote unlock

Wed Aug 07, 2019 1:06 am

Warning: Make a backup before you try this with your system. I suggest beginning with a fresh installation of Raspbian Buster.

These commands suppose you have cryptsetup v2. This comes with Buster only, so update to Buster before you try to encrypt an old system.

You need an external USB storage medium in the setup process to temporarily store the system files; this is NOT the backup mentioned above. Free space should be about 1.5 times bigger than your current rootfs.

In this tutorial we will implement the RAM content deletion as described here https://www.raspberrypi.org/forums/view ... 9&t=247870

I've decided not to make any scripts, because you should understand what you're doing here.

In /etc/default/raspberrypi-kernel uncomment #INITRD=Yes

Install some prerequisites

Code:

sudo apt install initramfs-tools dropbear secure-delete

Create the file /etc/initramfs-tools/hooks/myHook

Code:

#!/bin/sh
# initramfs hook: copy the tools the early-boot scripts need into the initramfs
# (sdmem for wiping RAM, plus the ext4 tools used in the shrink/copy steps)

set -e

PREREQ=""

prereqs () {
        echo "${PREREQ}"
}

case "${1}" in
        prereqs)
                prereqs
                exit 0
                ;;
esac

. /usr/share/initramfs-tools/hook-functions

copy_exec /usr/bin/sdmem /usr/bin
copy_exec /sbin/fdisk /sbin
copy_exec /sbin/dumpe2fs /sbin
copy_exec /sbin/resize2fs /sbin
copy_exec /bin/lsblk /sbin
copy_exec /sbin/e2fsck /sbin

exit 0

Important: chmod +x myHook

Place the following in /etc/initramfs-tools/scripts/init-top/sdmem

Code:

#!/bin/sh
PREREQ=""
prereqs()
{
   echo "$PREREQ"
}

case $1 in
prereqs)
   prereqs
   exit 0
   ;;
esac

# wipe RAM early in the boot; the hook above copies sdmem to /usr/bin of the initramfs
/usr/bin/sdmem -llv

Here too, ensure that it is executable (chmod +x).

In /boot/cmdline.txt add

Code:

net.ifnames=0

so that your network adapters remain named eth0 and wlan0.

Initramfs creation ensures that needed libraries are automatically copied.

The system scripts are in /usr/share/initramfs-tools/hooks/ and are executed first upon initramfs generation.

Now we use two scripts from https://raspberrypi.stackexchange.com/q ... spberry-pi

First, to ensure that everything keeps working across kernel updates, we rebuild the initramfs automatically on update. For the initramfs to work, the correct version must be in /boot/config.txt; the following two scripts take care of this.

There is a built-in update hook for the initramfs, but we move it to a safe place

Code:

sudo mv /etc/kernel/postinst.d/initramfs-tools ~

Then we create /etc/kernel/postinst.d/rpi-initramfs-tools

Code:

#!/bin/bash -e
# Environment variables are set by the calling script

version="$1"
bootopt=""

command -v update-initramfs >/dev/null 2>&1 || exit 0

# passing the kernel version is required
if [ -z "${version}" ]; then
        echo >&2 "W: initramfs-tools: ${DPKG_MAINTSCRIPT_PACKAGE:-kernel package} did not pass a version number"
        exit 2
fi

# exit if kernel does not need an initramfs
if [ "$INITRD" = 'No' ]; then
        # delete initramfs entries in /boot/config.txt
        /bin/sed -i '/^initramfs /d' /boot/config.txt
        exit 0
fi

# there are only two kernel types: with and without postfix "-v7+" or "-v8+"
currentversion="$(uname -r)"

# get $currenttype from $currentversion
# (the greps are wrapped in if/then: under "bash -e" a bare non-matching
# "echo | grep" pipeline would abort the script before the type is set)
currenttype="<no currenttype>"
if echo "$currentversion" | grep -Pq '^\d+\.\d+\.\d+\+$'; then
        currenttype="+"
fi
if echo "$currentversion" | grep -Pq '^\d+\.\d+\.\d+-v[78]\+$'; then
        currenttype="${currentversion#*-}"
fi

# get $newtype from $version
newtype="<no newtype>"
if echo "$version" | grep -Pq '^\d+\.\d+\.\d+\+$'; then
        newtype="+"
fi
if echo "$version" | grep -Pq '^\d+\.\d+\.\d+-v[78]\+$'; then
        newtype="${version#*-}"
fi

# we do nothing if the new kernel is not for the same kernel type as the current one
if [ "$newtype" != "$currenttype" ]; then
        exit 0
fi

# absolute file name of kernel image may be passed as a second argument;
# create the initrd in the same directory
if [ -n "$2" ]; then
        bootdir=$(dirname "$2")
        bootopt="-b ${bootdir}"
fi

# avoid running multiple times
if [ -n "$DEB_MAINT_PARAMS" ]; then
        eval set -- "$DEB_MAINT_PARAMS"
        if [ -z "$1" ] || [ "$1" != "configure" ]; then
                exit 0
        fi
fi

# we're good - create initramfs.  update runs do_bootloader
INITRAMFS_TOOLS_KERNEL_HOOK=1 update-initramfs -c -t -k "${version}" ${bootopt} >&2

# delete initramfs entries in /boot/config.txt
/bin/sed -i '/^initramfs /d' /boot/config.txt

# insert initramfs entry in /boot/config.txt
INITRD_ENTRY="initramfs initrd.img-${version}"
echo >&2 $(basename "$0"): insert \'"$INITRD_ENTRY"\' into /boot/config.txt
/bin/sed -i "1i $INITRD_ENTRY" /boot/config.txt

Also make sure that it is executable

Code:

sudo chmod 755 /etc/kernel/postinst.d/rpi-initramfs-tools
Now we create the script we'll use for updating the initramfs, /usr/local/sbin/update-rpi-initramfs

Code:

#!/bin/bash
# This script calls the default update-initramfs
# and then inserts an 'initramfs' entry into /boot/config.txt if necessary

# should return e.g. "update-initramfs: Generating /boot/initrd.img-4.14.79-v7+"
# or                 "update-initramfs: Deleting /boot/initrd.img-4.14.71-v7+"
MSG=$(/usr/sbin/update-initramfs "$@")
RETCODE=$?
echo "$MSG"

if [[ $RETCODE -ne 0 ]]; then
        echo >&2 ATTENTION! Check \'initramfs\' entry in /boot/config.txt
        exit "$RETCODE"
fi

CMP="update-initramfs: Deleting *"
if [[ $MSG == $CMP ]]; then
        # delete initramfs entries in /boot/config.txt
        /bin/sed -i '/^initramfs /d' /boot/config.txt
        echo $(basename "$0"): deleted all \'initramfs\' entries from /boot/config.txt
        exit 0
fi

CMP="update-initramfs: Generating *"
if [[ $MSG == $CMP ]]; then
        # delete initramfs entries in /boot/config.txt
        /bin/sed -i '/^initramfs /d' /boot/config.txt

        # exit if kernel does not need an initramfs
        source /etc/default/raspberrypi-kernel
        if [ "${INITRD,,}" != 'yes' ]; then
                echo $(basename "$0"): no entry in /boot/config.txt \(see INITRD in /etc/default/raspberrypi-kernel\)
                exit 0
        fi

        # insert initramfs entry in /boot/config.txt
        # ($MSG ends with the image path, so basename gives e.g. initrd.img-4.14.79-v7+)
        VERSION=$(basename "$MSG")
        INITRD_ENTRY="initramfs $VERSION"
        echo $(basename "$0"): insert \'"$INITRD_ENTRY"\' into /boot/config.txt
        /bin/sed -i "1i $INITRD_ENTRY" /boot/config.txt

        exit 0
fi

echo >&2 ATTENTION! Check 'initramfs' entry in /boot/config.txt
exit 1

Here too, make it executable

Code:

sudo chmod 755 /usr/local/sbin/update-rpi-initramfs

You can now run this script via sudo update-rpi-initramfs -u

Remember: These scripts build the initramfs only for the current kernel and RPi type, so before moving your SD card from an RPi 3 to an RPi 4 you have to generate the initramfs manually via sudo update-initramfs -c -k <kernel-version>

To avoid a warning, execute

Code:

sudo ln -s /sbin/e2fsck /sbin/fsck.luks
# avoids the warning: W: /sbin/fsck.luks doesn't exist, can't install to initramfs

Now we come to the main encryption part. Create /etc/initramfs-tools/conf.d/my containing

Code:

COMPRESS=lzma
BUSYBOX=y
DROPBEAR=y

It will complain about an unknown compression method LZMA. But it works and is LZMA (verified with 7zip), which is about 30 % smaller than GZIP.

In /etc/cryptsetup-initramfs/conf-hook uncomment the line so that it reads

Code:

CRYPTSETUP=y

The Dropbear SSH server enables remote unlock. It seems that it supports only public-key auth in initramfs mode, so if you don't have a key pair for remote login, just create one

Code:

ssh-keygen -f key -b 4096
# copy the public key to dropbear
sudo cp key.pub /etc/dropbear-initramfs/authorized_keys

You can enter a password for the key. Please do that; otherwise an adversary who gets the key could get your password if they eavesdropped on the wire (I don't know whether this SSH setup uses forward secrecy).
Copy the key to your PC so that you can log in!

Execute the following in a root shell (e.g. sudo -i)

Code:

sed -i '$s/$/ cryptdevice=\/dev\/mmcblk0p2:sdcard/' /boot/cmdline.txt

Not 100% sure why we need this. Seems to add a label.

Code:

ROOT_CMD="$(sed -n 's|^.*root=\(\S\+\)\s.*|\1|p' /boot/cmdline.txt)"
sed -i -e "s|$ROOT_CMD|/dev/mapper/sdcard|g" /boot/cmdline.txt

We change the root= entry. Rebooting after that causes the kernel to stop in the initramfs, since the root filesystem can't be found anymore.

Code:

FSTAB_CMD="$(blkid | sed -n '/dev\/mmcblk0p2/s/.*\ PARTUUID=\"\([^\"]*\)\".*/\1/p')"
sed -i -e "s|PARTUUID=$FSTAB_CMD|/dev/mapper/sdcard|g" /etc/fstab

We add the dm-crypt mount point to fstab. Hint: The root= parameter in cmdline.txt is for the kernel at boot time. At a later stage (I think right before systemd starts) root "/" gets remounted to the value in fstab.

Code:

echo 'sdcard /dev/mmcblk0p2 none luks' | tee --append /etc/crypttab > /dev/null

We append it to crypttab. If somebody knows why this is necessary, please tell.

Now we create the initramfs

Code:

# create mode needs the kernel version, hence -k
sudo update-rpi-initramfs -c -k "$(uname -r)"

Make sure you have done this, otherwise your installation is broken. It can be repaired, but I won't give support for that.

Now reboot. It stops in the initramfs. You can connect via SSH as user "root" with the private key. Maybe your IP has changed; the simplest way is to connect a monitor and look for the IP address, or watch in your router/DHCP server.
First execute

Code:

PATH=/sbin:/usr/sbin:/bin:/usr/bin

I don't know why in the dropbear SSH shell the standard PATH environment doesn't include the sbin directories. In the initramfs shell it is included in the PATH. If somebody knows how to fix this permanently, please write.

Now we reduce the filesystem

Code:

e2fsck -f /dev/mmcblk0p2
resize2fs -fM /dev/mmcblk0p2

resize2fs will tell you the block count it reduced the filesystem to. Please note that down.
If you have an ext4 filesystem on your USB storage medium you can mount it (you could also include ntfs-3g or other filesystems in the initramfs, but that is not part of this tutorial); otherwise we write directly to the medium.

Each ext4 block is 4KB, so multiplying the number of blocks by 4 gives you the filesystem size in KB. To speed things up we block-copy the whole filesystem (copying each file is quite slow).

Code:

# of= is either a file below the mounted USB filesystem or /dev/sda for a direct
# copy; ATTENTION: in the direct case all existing data on the USB device is lost
dd if=/dev/mmcblk0p2 of=<mountdir/file or /dev/sda> bs=16M count=<count>

Get the count by dividing your block count from resize2fs by 4 (short for *4 /16) and rounding that number up. So e.g. if you get 323,524.25, use 323525 as count. dd in the initramfs doesn't support status=progress, so you won't see any progress. Make sure there are no errors during the copy!

Hint: There is also a LUKS in-place encryption (cryptsetup-reencrypt). You could add that to your initramfs as well, but for data security reasons I feel more comfortable with this method.

Now we encrypt

Code:

cryptsetup -v --type luks2 --cipher aes-xts-plain64 --pbkdf argon2id --key-size 512 --hash sha256 --iter-time 4000 --verify-passphrase --use-random luksFormat /dev/mmcblk0p2

We use 256-bit AES (because of XTS we need a 512-bit key; one half is for XTS). For password protection against brute force we use the latest hash function argon2id, which secures against brute force by dedicated hardware and side-channel attacks (these are not so important here). This is the safest setup I currently know. Please use a strong password / passphrase!
Type YES in uppercase letters to confirm overwriting your existing files.

Now we open

Code:

cryptsetup luksOpen /dev/mmcblk0p2 sdcard
# or, to enable TRIM support (my recommended way): this sets a persistent flag that
# allows discards; check it with /usr/sbin/cryptsetup luksDump /dev/mmcblk0p2
cryptsetup --allow-discards --persistent open /dev/mmcblk0p2 sdcard

Enter your passphrase.

Now copy your data back

Code:

dd if=<path of the of= target from above> of=/dev/mapper/sdcard bs=16M count=<your count from above>

If you've copied to a file you can omit the block count. Also ensure that there are no errors.
If you want to ensure that nobody knows how much data is actually stored on the device, execute

Code:

mkdir /mount
mount /dev/mapper/sdcard /mount
dd if=/dev/zero of=/mount/largefile bs=1M
# when it returns, execute this to get the last bits overwritten (the file must
# also live on the mounted filesystem, not in the initramfs' RAM disk)
cat /dev/zero > /mount/zero.file
sync
# free the space again before the resize below
rm /mount/largefile /mount/zero.file
umount /mount

Since we write to the mounted encrypted filesystem it will look like random data. I don't recommend this step, because I recommend enabling TRIM support and running fstrim once a day via

Code:

crontab -e
# and add the line:
@daily sudo ionice /sbin/fstrim /

Now we have to resize the filesystem to the maximum size again. Since nothing has been written we can omit the file system check. Just execute now

Code:

resize2fs -f /dev/mapper/sdcard

Now we need a keyboard (I don't know how to drop out of the dropbear busybox shell) and just type exit (you can type blindly). It now boots, the dropbear SSH connection is lost and the full system can be reached again via SSH.

Now run

Code:

sudo update-rpi-initramfs -u

Now with the next reboot you see a password prompt on the monitor. To unlock via SSH/dropbear just execute

Code:

cryptroot-unlock

and enter your password. The Dropbear SSH connection is lost and the RPi boots fully.

Enjoy!
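As an added example (not RDPUser's code), a small POSIX sh helper for two steps of the tutorial where this thread shows people getting stuck: it derives the dd count directly from the resize2fs message and the dd block size instead of by hand, and it keeps exactly one correct initramfs line in config.txt and checks it before a reboot. The file name initramfs-check.sh in the usage comment is assumed.

```shell
#!/bin/sh
# Added helper (not from the tutorial) for two steps above: the dd count for
# the shrunk filesystem, and the single 'initramfs' line in /boot/config.txt.
# Assumption: paths, kernel version and dd block size are passed in, so the
# functions can be tried on a scratch copy before touching the real /boot.

# dd_count BLOCKS FS_BLOCKSIZE_BYTES DD_BS_BYTES
# dd blocks of DD_BS_BYTES needed to cover BLOCKS filesystem blocks, rounded
# up so the last partial block is not cut off.
dd_count() {
    echo $(( ($1 * $2 + $3 - 1) / $3 ))
}

# dd_count_from_resize2fs "resize2fs output" DD_BS_BYTES
# resize2fs -M ends with a line like
#   "The filesystem on /dev/mmcblk0p2 is now 1294097 (4k) blocks long."
# and this reads the block count and block size out of it.
dd_count_from_resize2fs() {
    bs=$2
    fields=$(printf '%s\n' "$1" |
        sed -n 's/.* is now \([0-9][0-9]*\) (\([0-9][0-9]*\)k) blocks long.*/\1 \2/p')
    [ -n "$fields" ] || return 1
    set -- $fields
    dd_count "$1" $(( $2 * 1024 )) "$bs"
}

# set_initramfs_entry CONFIG_FILE KERNEL_VERSION
# Remove every existing 'initramfs ...' line and put one correct line at the
# top (what the hook scripts above do with sed); running it twice changes
# nothing. 'followkernel' tells the firmware to load it right after the kernel.
set_initramfs_entry() {
    cfg=$1
    entry="initramfs initrd.img-$2 followkernel"
    { printf '%s\n' "$entry"; grep -v '^initramfs ' "$cfg" || true; } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# initramfs_entry_ok CONFIG_FILE KERNEL_VERSION
# Succeeds only if there is exactly one 'initramfs' line and it names the
# image for KERNEL_VERSION; worth running before every reboot.
initramfs_entry_ok() {
    n=$(grep -c '^initramfs ' "$1" || true)
    [ "$n" -eq 1 ] || return 1
    img=$(sed -n 's/^initramfs  *\([^ ]*\).*/\1/p' "$1")
    [ "$img" = "initrd.img-$2" ]
}

# Command-line use on the Pi (file name assumed), e.g.:
#   sh initramfs-check.sh count "$(resize2fs -fM /dev/mmcblk0p2 2>&1)"
#   sudo sh initramfs-check.sh set /boot/config.txt "$(uname -r)"
#   sh initramfs-check.sh check /boot/config.txt "$(uname -r)" && echo ok
case "${1:-}" in
    count) dd_count_from_resize2fs "$2" "${3:-16777216}" ;;
    set)   set_initramfs_entry "$2" "$3" ;;
    check) initramfs_entry_ok "$2" "$3" ;;
esac
```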

asimiklit
Posts: 2
Joined: Mon Aug 12, 2019 1:17 pm

Re: [Tutorial] Encrypt Raspberry-PI on Debian Buster with remote unlock

Mon Aug 12, 2019 2:53 pm

Thanks for the article)
The problem with dropbear password auth in initramfs mode, "Permission denied (publickey)", is because password auth mode is disallowed.

It is disallowed in the file:

Code:

/usr/share/initramfs-tools/scripts/init-premount/dropbear

There should be:

Code:

local flags="Fs"

Flag description: "-s Disable password logins", so we need to remove this flag:

Code:

local flags="F"

Now password auth mode is enabled, but we should take care of /etc/passwd in our initramfs because at least in my case there was no password. It can be done in the file:

Code:

/usr/share/initramfs-tools/hooks/dropbear

There should be the following line:

Code:

echo "root:*:0:0::${home#$DESTDIR}:/bin/sh" >"$DESTDIR/etc/passwd"

We can generate a password using the command:

Code:

openssl passwd -1

and then put the generated hash into the mentioned line:

Code:

mypassword='$1$kESY/Oow$OiIpAmSw0XFuqB8WG5q/c.'
echo "root:$mypassword:0:0::${home#$DESTDIR}:/bin/sh" >"$DESTDIR/etc/passwd"

One more point: I added the following line

Code:

DROPBEAR_OPTIONS="-R"

to the file:

Code:

/etc/dropbear-initramfs/config

But I am not sure whether this line is needed, because I didn't test password auth mode without it.

Yes, don't forget to update your initramfs after that)

asimiklit
Posts: 2
Joined: Mon Aug 12, 2019 1:17 pm

Re: [Tutorial] Encrypt Raspberry-PI on Debian Buster with remote unlock

Fri Aug 16, 2019 6:45 am

One more point with LUKS2. I received an error while I was trying to mount it:

Code:

Command failed with code -3 (out of memory)

It is because argon2id requires 1 GB of memory by default:

Code:

Memory required: 1048576kB
and then I found these issues:
https://gitlab.com/cryptsetup/cryptsetup/issues/372
https://github.com/sylabs/singularity/issues/4162

So I had to re-create the encrypted rootfs to fix this error, and this additional parameter for cryptsetup luksFormat actually helped:

Code:

--pbkdf-memory 16384

RDPUser
Posts: 148
Joined: Tue Jan 30, 2018 12:18 pm

Re: [Tutorial] Encrypt Raspberry-PI on Debian Buster with remote unlock

Sun Aug 25, 2019 9:03 pm

@asimiklit
Thank you very much for explaining how to use password authentication with dropbear.
One more point with luks 2. I received an error while I was trying to mount it:
Did you create it on another machine with more memory? The linked article says that this happens when the other machine has too much memory.

Code:

sudo cryptsetup luksDump /dev/mmcblk0p2

gives

Code:

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     135760
        Threads:    4
        Salt:      xxx
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
So about 135 MB memory usage for opening the container.
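As an added check (not from RDPUser or the cryptsetup project), a POSIX sh script that parses luksDump output like the one above, takes the largest argon2id Memory value across keyslots and compares it with MemTotal, so a header formatted on a bigger machine is caught before it fails with the out-of-memory error from the previous reply. The sample dump is constructed from this thread's values; check_live is an assumed wrapper name that reads the real device.

```shell
#!/bin/sh
# Added check (not from the thread): compare the argon2id memory cost stored in
# the LUKS2 keyslots with the RAM of the machine that has to unlock them. A slot
# formatted on a bigger machine can need more memory than the Pi has, which
# shows up at unlock time as 'Command failed with code -3 (out of memory)'.
# Assumption: dump text and MemTotal are passed in so the logic runs offline;
# only check_live reads the real device and /proc/meminfo.

# keyslot_memory_kb "luksDump output"
# Prints one line per keyslot: "<slot> <argon2 memory in kB>".
keyslot_memory_kb() {
    printf '%s\n' "$1" | awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }     # any other top-level section ends it
        in_slots && $1 ~ /^[0-9]+:$/ && $2 == "luks2" { slot = $1; sub(":", "", slot) }
        in_slots && $1 == "Memory:"  { print slot, $2 }'
}

# max_keyslot_memory_kb "luksDump output": the costliest slot in kB (0 if none).
max_keyslot_memory_kb() {
    keyslot_memory_kb "$1" | awk 'BEGIN { m = 0 } $2 > m { m = $2 } END { print m }'
}

# argon2_fits "luksDump output" MEMTOTAL_KB [HEADROOM_KB]
# True when the costliest slot still leaves HEADROOM_KB (default 64 MiB) for
# the kernel, the initramfs held in RAM and cryptsetup itself.
argon2_fits() {
    need=$(max_keyslot_memory_kb "$1")
    [ $(( need + ${3:-65536} )) -le "$2" ]
}

# Constructed sample in luksDump layout: slot 0 as posted above (135760 kB),
# slot 1 with the 1 GiB default that caused the out-of-memory error.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     135760
        Threads:    4
  1: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000'

# check_live DEVICE (assumed name): run against the real header, needs root.
check_live() {
    dump=$(cryptsetup luksDump "$1") || return 1
    mem=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    if argon2_fits "$dump" "$mem"; then
        echo "ok: costliest keyslot needs $(max_keyslot_memory_kb "$dump") kB, MemTotal is $mem kB"
    else
        echo "WARNING: a keyslot needs more RAM than this machine has; re-create it with a smaller --pbkdf-memory" >&2
        return 1
    fi
}
```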

mh150456
Posts: 1
Joined: Sun Nov 03, 2019 5:21 pm

Re: [Tutorial] Encrypt Raspberry-PI on Debian Buster with remote unlock

Sun Nov 03, 2019 6:55 pm

Thanks a bunch, works like a charm. Two little additions:

If you are stuck on the first reboot, make sure you haven't missed

>sudo update-rpi-initramfs -u

Also, you have to add your Kernelversion for

>sudo update-rpi-initramfs -c

with

>sudo update-rpi-initramfs -c -k $(uname -r)

HimbeerKuchenBretter
Posts: 5
Joined: Sat Nov 23, 2019 1:43 am

cryptsetup-reencrypt Re: [Tutorial] Encrypt Raspberry-PI on Debian Buster with remote unlock

Thu Dec 19, 2019 3:43 pm

Tried for SSD boot with on-the-fly offline encryption. No partition copy needed with cryptsetup-reencrypt :) but do a BACKUP first

Code:

aptitude install initramfs-tools dropbear secure-delete -y

Code:

nano /etc/initramfs-tools/hooks/myHook

To build it statically and include it in the initramfs, add before exit:

Code:

copy_exec /sbin/cryptsetup-reencrypt /sbin

Code:

chmod +x /etc/initramfs-tools/hooks/myHook

Code:

nano /etc/initramfs-tools/scripts/init-top/sdmem

Code:

chmod +x /etc/initramfs-tools/scripts/init-top/sdmem

Code:

# cmdline.txt must stay a single line, so append to that line instead of adding a new one
sed -i '$s/$/ net.ifnames=0/' /boot/cmdline.txt

Code:

sudo mv /etc/kernel/postinst.d/initramfs-tools ~

Code:

nano /etc/kernel/postinst.d/rpi-initramfs-tools

Code:

sudo chmod 755 /etc/kernel/postinst.d/rpi-initramfs-tools

Code:

nano /usr/local/sbin/update-rpi-initramfs

Code:

sudo chmod 755 /usr/local/sbin/update-rpi-initramfs

You can now run this script via sudo update-rpi-initramfs -u

Failed for me because of the script update-rpi-initramfs.
Needed to add it manually to /boot/config.txt, or the script fails with the error ATTENTION! Check initramfs entry in /boot/config.txt

Code:

echo "initramfs initrd.img-$(uname -r)" >> /boot/config.txt

generates, for example, the line:

Code:

initramfs  initrd.img-4.19.75-v8+

Code:

sudo ln -s /sbin/e2fsck /sbin/fsck.luks

Code:

ssh-keygen -f key -b 4096
# copy the public key to dropbear
sudo cp key.pub /etc/dropbear-initramfs/authorized_keys

Check that the passphrase works, to avoid a self-lockout

Code:

ssh-keygen -y -f key

Code:

nano /etc/initramfs-tools/conf.d/my

Code:

nano /etc/cryptsetup-initramfs/conf-hook

Code:

sed -i '$s/$/ cryptdevice=\/dev\/sda2:rootfs/' /boot/cmdline.txt

Code:

ROOT_CMD="$(sed -n 's|^.*root=\(\S\+\)\s.*|\1|p' /boot/cmdline.txt)"
sed -i -e "s|$ROOT_CMD|/dev/mapper/rootfs|g" /boot/cmdline.txt

Code:

FSTAB_CMD="$(blkid | sed -n '/dev\/sda2/s/.*\ PARTUUID=\"\([^\"]*\)\".*/\1/p')"
sed -i -e "s|PARTUUID=$FSTAB_CMD|/dev/mapper/rootfs|g" /etc/fstab

Code:

echo 'rootfs /dev/sda2 none luks' | tee --append /etc/crypttab > /dev/null

RDPUser wrote:
Wed Aug 07, 2019 1:06 am

Now we create the initramfs

Code:

sudo update-rpi-initramfs -c

Make sure you have done this, otherwise your installation is broken. It can be repaired, but I won't give support for that.

broken? oh no :mrgreen:
sudo update-rpi-initramfs -c

Code:

Create mode requires a version argument
ATTENTION! Check 'initramfs' entry in /boot/config.txt

Stuck in a bad step of the howto. Reboots to nirvana.

initrd.img missing in /boot/.

Please do:

Code:

sudo update-rpi-initramfs -c -k $(uname -r)

Ignore these things:
cryptsetup: ERROR: Couldn't resolve device /dev/root
cryptsetup: WARNING: Couldn't determine root device
W: Couldn't identify type of root file system for fsck hook

Reboot and be good to go. Thanks @RDPUser

Code:

PATH=/sbin:/usr/sbin:/bin:/usr/bin
e2fsck -f /dev/sda2
dd if=/dev/sda2 of=/dev/mmcblk0p2  bs=16M count=
cryptsetup-reencrypt --reduce-device-size 262144 --new --use-directio -v --type luks2 --cipher aes-xts-plain64 --pbkdf argon2id --key-size 512 --iter-time 10000 --use-random /dev/sda2

The option --hash sha256 does nothing here. There is --hash sha512 as well, but since pbkdf argon2id is set, this is the hashing used. The SHA hash is only in effect when using the pbkdf2 hashing algo.

Code:

/usr/sbin/cryptsetup luksDump /dev/sda2
cryptsetup --allow-discards --persistent open /dev/sda2 rootfs
resize2fs -f /dev/mapper/rootfs

RDPUser wrote:
Wed Aug 07, 2019 1:06 am
Now run

Code:

sudo update-rpi-initramfs -u

This effectively removed the initramfs entry from my /boot/config.txt

Code:

sudo update-rpi-initramfs -u
ln: Die harte Verknüpfung '/boot/initrd.img-4.19.75-v8+.dpkg-bak' => '/boot/initrd.img-4.19.75-v8+' konnte nicht angelegt werden: Die Operation ist nicht erlaubt
update-initramfs: Generating /boot/initrd.img-4.19.75-v8+
update-rpi-initramfs: no entry in /boot/config.txt (see INITRD in /etc/default/raspberrypi-kernel)

The solution again was:

Code:

echo "initramfs initrd.img-$(uname -r)" >> /boot/config.txt

But I fear the next kernel update coming and leaving me with no boot if the hooked scripts remove the entry again :?

RDPUser wrote:
Wed Aug 07, 2019 1:06 am

Since we write to the mounted encrypted filesystem it will look like random data. I don't recommend this step, because I recommend enabling TRIM support and running fstrim once a day via

Code:

crontab -e and add @daily sudo ionice /sbin/fstrim /

My LUKS mounted successfully with Flags: allow-discards, but the trim failed :?:

Code:

fstrim: /: the discard operation is not supported

Kinux
Posts: 1
Joined: Sun Jan 12, 2020 11:28 pm

Re: [Tutorial] Encrypt Raspberry-PI on Debian Buster with remote unlock

Sat Jan 18, 2020 9:59 pm

Is it possible to fully automate encryption/decryption using MicroSD card CID + Pi4 serial number to automatically lock and unlock?

I'm trying to make decryption automatic as long as the same card and same Pi are used together.

RDPUser
Posts: 148
Joined: Tue Jan 30, 2018 12:18 pm

Re: [Tutorial] Encrypt Raspberry-PI on Debian Buster with remote unlock

Sun Jan 26, 2020 5:06 pm

Could be possible, but what you plan to do gives fake security.
The key space of the serial is too limited to provide security. You could see the unlock code retrieving the serial number. Sorry, I can't support you in implementing insecure encryption.

legogris
Posts: 3
Joined: Tue Jan 28, 2020 7:16 am

Re: [Tutorial] Encrypt Raspberry-PI on Debian Buster with remote unlock

Tue Jan 28, 2020 11:44 am

I can add that in order to get dropbear-initramfs working with cryptroot at boot, I had to:

Add the ethernet driver module to initramfs:

Code:

# echo lan78xx >> /etc/initramfs-tools/modules

Wait for the physical network interface to be visible before configuring networking, by adding

Code:

sleep 3

right before

Code:

[ "$BOOT" != nfs ] || configure_networking

in the file

Code:

/usr/share/initramfs-tools/scripts/init-premount/dropbear

HimbeerKuchenBretter
Posts: 5
Joined: Sat Nov 23, 2019 1:43 am

fail to unlock rootfs after Re: cryptsetup-reencrypt Re: [Tutorial] Encrypt Raspberry-PI on Debian Buster with remote un

Fri Mar 27, 2020 12:19 am

HimbeerKuchenBretter wrote:
Thu Dec 19, 2019 3:43 pm

This effectively removed the initramfs entry from my /boot/config.txt

But I fear the next kernel update coming and leaving me with no boot if the hooked scripts remove the entry again :?

After running

Code:

apt upgrade

my Pi failed to boot. I found that config.txt was missing the initramfs entry. Added it manually back again, booted successfully into dropbear. But unlocking my rootfs does fail now. :cry:

Code: Select all

BusyBox v1.30.1 (Raspbian 1:1.30.1-4) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # cryptroot-unlock 
Please unlock disk rootfs: 
cryptsetup: cryptsetup failed, bad password or options?

DougieLawson
Posts: 37703
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: [Tutorial] Encrypt Raspberry-PI on Debian Buster with remote unlock

Fri Mar 27, 2020 7:42 am

Have you defined the initramfs in /boot/config.txt ?

Code:

initramfs initrd.file.name.here followkernel
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.
