elfduck
Posts: 5
Joined: Tue Aug 18, 2020 9:40 pm

Encrypt external SSD

Tue Aug 18, 2020 9:51 pm

Hello fellow raspberry tinkers!

If I wanted to encrypt my external SSD where I would also like to install my Raspbian 10, how can I achieve this?

I saw a video on YouTube where a user bypassed the SD card booting completely:
https://youtu.be/r27WcPRtpWM

What I would like to do is kind of the same, but encrypt my external SSD HDD too and make the bootup prompt for a password while booting.

Is this possible?

Kendek
Posts: 265
Joined: Thu Jul 25, 2019 4:39 pm
Location: Kaposvár, Hungary

Re: Encrypt external SSD

Wed Aug 19, 2020 4:42 pm

It's possible, with LUKS (Adiantum is preferred for performance reasons) and initramfs. But the RPi4 bootloader (in the EEPROM) doesn't support LUKS (like GRUB), so the /boot FAT32 partition will be vulnerable.
If you only want to encrypt a few directories, fscrypt is also a viable option.

elfduck
Posts: 5
Joined: Tue Aug 18, 2020 9:40 pm

Re: Encrypt external SSD

Thu Aug 20, 2020 11:03 am

Thank you for answering, Kendek. Is there any benefit to keeping my SD card for booting and then just running Raspbian from the SSD? Will the /boot partition be vulnerable if I choose to use my NOOBS SD card for booting and encrypt the whole SSD drive using LUKS?

Kendek
Posts: 265
Joined: Thu Jul 25, 2019 4:39 pm
Location: Kaposvár, Hungary

Re: Encrypt external SSD

Thu Aug 20, 2020 12:00 pm

elfduck wrote:
Thu Aug 20, 2020 11:03 am
Is there any benefit to keeping my SD card for booting and then just running Raspbian from the SSD?
I don't think so.
elfduck wrote:
Thu Aug 20, 2020 11:03 am
Will the /boot partition be vulnerable if I choose to use my NOOBS SD card for booting and encrypt the whole SSD drive using LUKS?
Yes, it doesn't matter if the /boot unencrypted filesystem is on the SD card or SSD. And if the OS is vulnerable, it makes no sense to encrypt all the non-sensitive system files.
I only encrypt my data files using fscrypt. It's effective if the HDD/SSD is stolen or after a police raid and seizure (which isn't a common thing in Hungary, and I pay the private copying fee, so I copy freely).

elfduck
Posts: 5
Joined: Tue Aug 18, 2020 9:40 pm

Re: Encrypt external SSD

Thu Aug 20, 2020 12:48 pm

Can I encrypt my home folder using fscrypt or LUKS?

Kendek
Posts: 265
Joined: Thu Jul 25, 2019 4:39 pm
Location: Kaposvár, Hungary

Re: Encrypt external SSD

Thu Aug 20, 2020 2:13 pm

elfduck wrote:
Thu Aug 20, 2020 12:48 pm
Can I encrypt my home folder using fscrypt or LUKS?
Yes, of course, fscrypt is the best option here. See the ArchWiki, including the preparations (install libpam-fscrypt). Just make sure that the fscrypt.conf is configured to use policy_version 2, and recompile the kernel with Adiantum support.

elfduck
Posts: 5
Joined: Tue Aug 18, 2020 9:40 pm

Re: Encrypt external SSD

Thu Aug 20, 2020 2:35 pm

Thank you very much! I think I can manage using these instructions =)

elfduck
Posts: 5
Joined: Tue Aug 18, 2020 9:40 pm

Re: Encrypt external SSD

Mon Aug 31, 2020 8:57 am

Hello again!

I had to continue this thread since I'm a bit confused about some things ;)
Kendek wrote:
Thu Aug 20, 2020 2:13 pm
Yes, of course, fscrypt is the best option here. See the ArchWiki, including the preparations (install libpam-fscrypt). Just make sure that the fscrypt.conf is configured to use policy_version 2, and recompile the kernel with Adiantum support.

I installed Raspberry Pi OS to my new external SSD. I made a new, fresh installation because I had a NOOBS SD-card and it has a recovery partition so I could not clone that to my SSD. Source: https://www.tomshardware.com/how-to/boo ... y-pi-4-usb

After I had made some initial changes to the installation, I followed an online guide that is located here:
https://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html

I compared the block size to my page size and they are both 4096. Then I enabled the encryption using:

Code:

# enable the ext4 "encrypt" feature flag on the root filesystem
tune2fs -O encrypt /dev/sda2

According to fdisk -l, /dev/sda1 is FAT32 /boot and /dev/sda2 is where my EXT4-filesystem resides. Then I installed fscrypt along with libpam-fscrypt.

I followed the aforementioned fscrypt-tutorial and ran into issues. First of all, should I create a new user and encrypt that user's home-directory? I know I can enable password-login from Raspberry Pi OS settings, but I think it would still be easier that way.

I was able to configure the "policy_version": "2" setting, after I carefully read this section:
https://github.com/google/fscrypt#configuration-file

When I tried to enable the PAM-module, I ran into trouble since the recommended way is to use a strong login passphrase and "You should also increase the number of rounds that your system's passphrase hashing uses":
https://github.com/google/fscrypt#secur ... passphrase
https://wiki.archlinux.org/index.php/Fscrypt#PAM_module
https://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html

I don't have a file in "/etc/pam.d/system-login" so I cannot increase the rounds. How is this file generated normally?

The third and final question is, do I really have to compile the kernel for Adiantum-support? According to uname -a, my kernel is 5.4.51-v7l+ and I read here that the Adiantum-support has been included since kernel version 5:
https://www.howtogeek.com/406737/linux- ... ncryption/

Kendek
Posts: 265
Joined: Thu Jul 25, 2019 4:39 pm
Location: Kaposvár, Hungary

Re: Encrypt external SSD

Mon Aug 31, 2020 11:43 am

The Debian repository contains an outdated version of fscrypt, so you need to compile and install/replace the files first:

Code:

sudo -i
# install the packaged (outdated) fscrypt and its PAM module first, so the package
# sets up the PAM configuration and file layout
apt install fscrypt libpam-fscrypt
cd /
# fetch the fscrypt 0.2.9 source and a Go toolchain to build it with
wget https://github.com/google/fscrypt/archive/v0.2.9.tar.gz
tar xzf v0.2.9.tar.gz
wget https://golang.org/dl/go1.15.linux-armv6l.tar.gz
tar xzf go1.15.linux-armv6l.tar.gz
cd fscrypt-0.2.9
PATH+=:/go/bin
make
# replace the packaged files with the freshly built ones; the PAM module goes into the
# multiarch directory of your userland (aarch64-linux-gnu on 64-bit, arm-linux-gnueabihf
# on 32-bit Raspberry Pi OS)
mv bin/fscrypt /usr/local/bin
mv bin/pam_fscrypt.so /lib/aarch64-linux-gnu/security
Then encrypt the home directory:

Code:

fscrypt setup /
# an existing, non-empty directory cannot be encrypted in place: create an empty one,
# encrypt it, copy the data in, then swap it for the old home (with <username> logged out)
mkdir /home/<username>_
fscrypt encrypt /home/<username>_ --user=<username>
# at the protector-source prompt answer 1 (your login passphrase, pam_passphrase)
rsync -a /home/<username>/ /home/<username>_
rm -rf /home/<username> && mv /home/<username>_ /home/<username>
You don't have to worry about the PAM configuration; libpam-fscrypt configures everything. You just need to update the pam_fscrypt.so file.
The official RPi kernel lacks Adiantum support, so you need to add the following lines:

Code:

# Adiantum itself, plus the NEON-accelerated ChaCha and NHPoly1305 it is built from
CONFIG_CRYPTO_ADIANTUM=m
CONFIG_CRYPTO_CHACHA20_NEON=m
CONFIG_CRYPTO_NHPOLY1305_NEON=m
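A pre-flight script for the procedure in this thread, as an added example that is not code from the posts or from the fscrypt project: it checks the conditions the posts above rely on (block size equal to the page size, the ext4 encrypt feature, policy_version 2, Adiantum available in the running kernel, and the PAM module directory matching the userland). Each check takes the text it inspects as an argument, so it runs on constructed samples as well as the live system; /dev/sda2 is the root device named in the thread, and the PAM directories assume a Debian-based Raspberry Pi OS.

```shell
#!/bin/sh
# Pre-flight checks before `fscrypt encrypt` on Raspberry Pi OS (added example, not
# code from the thread). Each check_* takes the text it inspects as an argument, so
# it runs on constructed samples too; run_live feeds it the real system.

# 1. ext4 block size must equal the kernel page size (both 4096 in the thread).
check_block_size() {   # $1 = `tune2fs -l` output, $2 = page size in bytes
    bs=$(printf '%s\n' "$1" | sed -n 's/^Block size:[[:space:]]*//p')
    [ -n "$bs" ] && [ "$bs" -eq "$2" ]
}

# 2. The ext4 "encrypt" feature flag must be set (done with `tune2fs -O encrypt`).
check_encrypt_feature() {   # $1 = `tune2fs -l` output
    printf '%s\n' "$1" | grep '^Filesystem features:' | grep -qw encrypt
}

# 3. /etc/fscrypt.conf must select policy_version 2, as the thread requires.
check_policy_version() {   # $1 = contents of /etc/fscrypt.conf (JSON)
    printf '%s\n' "$1" | grep -q '"policy_version"[[:space:]]*:[[:space:]]*"2"'
}

# 4. The running kernel must provide Adiantum. A CONFIG_CRYPTO_ADIANTUM=m build shows
#    it in /proc/crypto only once the module is loaded, so `modprobe adiantum` first.
check_adiantum() {   # $1 = contents of /proc/crypto
    printf '%s\n' "$1" | grep -q '^name[[:space:]]*:[[:space:]]*adiantum('
}

# 5. pam_fscrypt.so belongs in the PAM directory of the *userland* architecture;
#    `uname -m` reports aarch64 on a 64-bit kernel with 32-bit userland, so ask dpkg.
pam_security_dir() {   # $1 = output of `dpkg --print-architecture`
    case "$1" in
        armhf) echo /lib/arm-linux-gnueabihf/security ;;
        arm64) echo /lib/aarch64-linux-gnu/security ;;
        *) echo "unsupported dpkg architecture: $1" >&2; return 1 ;;
    esac
}
report() {   # $1 = label, rest = check command; prints PASS/FAIL without aborting
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}
run_live() {   # tune2fs needs root; /dev/sda2 is the root filesystem from the thread
    dev=${1:-/dev/sda2}
    t2=$(tune2fs -l "$dev" 2>/dev/null) || { echo "cannot read $dev (run as root?)"; return 1; }
    report "block size equals page size"  check_block_size "$t2" "$(getconf PAGESIZE)"
    report "ext4 encrypt feature enabled" check_encrypt_feature "$t2"
    report "fscrypt.conf policy_version 2" check_policy_version "$(cat /etc/fscrypt.conf 2>/dev/null)"
    report "kernel provides adiantum"     check_adiantum "$(cat /proc/crypto)"
    report "pam_fscrypt.so installed"     test -e "$(pam_security_dir "$(dpkg --print-architecture)")/pam_fscrypt.so"
}
if [ "${1:-}" = "--live" ]; then run_live "$2"; fi
```

Run it as root with `--live` (optionally followed by the device) to see a PASS/FAIL line per condition before touching the home directory.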
