Chuck
Posts: 6
Joined: Sun Jul 07, 2013 11:10 am

cryptsetup:not included in initramfs while hooks get called

Sun Dec 27, 2015 8:17 pm

Hi all,

I tried today to build a jessie initramdisk including cryptsetup (plus dropbear and busybox) to be able to use an encrypted root partition/full disk encryption. It was a bit of a rough path with some debugging. I just would like to document how it got running in the end in case somebody stumbles over the same problem (or has a proper fix ;) )

In the end my problem was that, while the initramfs hooks for cryptsetup (cryptroot) got called when building a new initramdisk, the binaries for cryptsetup etc. apparently did not get copied into the initramfs.

I.e., after installing busybox, dropbear and cryptsetup

Code:

> mkinitramfs -v -o /boot/initramfs.gz > /tmp/initramfs.out

Code:

> lsinitramfs /boot/initramfs.gz | grep cryptsetup
--> nada

I tried to work a bit through the hooks (/usr/share/initramfs-tools/hooks/cryptroot) but gave up and went for a ham-fisted hack to get the binaries into the initramfs just adding to the hook:

Code:

copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
copy_exec /lib/cryptsetup/askpass
for mod in aes chainiv cryptomgr krng sha256 sha224 sha512 sha1 xts cbc ecb ctr dm-crypt dm-mod; do
    add_crypto_modules $mod
done

While this got the binaries into the initramfs, the modules did not get loaded and the initrd's /proc/crypto stayed quite empty - thus, I added the modules to /usr/share/initramfs-tools/modules / /etc/initramfs-tools/modules as well. Afterwards the initramfs was able to give me a password prompt and got into the LUKS encrypted partition :)

Hope it can be of help, or maybe somebody has a better idea?

Cheers,
Thomas

ervee
Posts: 2
Joined: Thu Jan 21, 2016 7:56 pm

Re: cryptsetup:not included in initramfs while hooks get cal

Thu Jan 21, 2016 8:11 pm

Hi,

I had a similar problem after installing Raspbian Jessie. After modifying and encrypting the btrfs root partition and placing it back into the Pi, there was no cryptsetup to unlock the root.

Debugging the hooks/cryptroot I found the hook is looking for an encrypted root filesystem. But the root filesystem is not encrypted yet during that stage.

What I did was just fake an encrypted root and edit the cmdline.txt, fstab and crypttab before removing the SD card and actually encrypting it.

Edit /boot/cmdline.txt and change "root=/dev/mmcblk0p2" to "root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p2:sdcard"
Edit /etc/fstab and change "/dev/mmcblk0p2" to "/dev/mapper/sdcard"
Create /etc/crypttab and add:
sdcard /dev/mmcblk0p2 none luks
Then:
dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
cryptsetup luksFormat /tmp/fakeroot.img
cryptsetup luksOpen /tmp/fakeroot.img sdcard
mkfs.btrfs /dev/mapper/sdcard # or create the filesystem you use as rootfs!
update-initramfs -u -v
lsinitramfs /boot/initrd.img-3.18.0-trunk-rpi | grep cryptsetup
--> Tadaah!

Balgerda
Posts: 1
Joined: Sat Jan 30, 2016 5:07 am

Re: cryptsetup:not included in initramfs while hooks get cal

Sat Jan 30, 2016 5:18 am

ervee's method works. Thank you.

simpleuser
Posts: 1
Joined: Thu Feb 18, 2016 6:41 pm

Re: cryptsetup:not included in initramfs while hooks get cal

Thu Feb 18, 2016 6:50 pm

I don't understand. :cry:
Please explain in more detail.

merze
Posts: 4
Joined: Mon Aug 05, 2013 9:43 am

Re: cryptsetup:not included in initramfs while hooks get cal

Fri Jun 24, 2016 7:07 pm

Hello

Are you aware of this tutorial?

http://paxswill.com/blog/2013/11/04/enc ... pberry-pi/

I am currently trying to encrypt a pi 3, but I fail at unlocking after reboot.
It can't find cryptsetup.
Does someone have a hint for me maybe?

Cheers

Edit: Got it working thanks to ervee's tip. Also had to set the network delay according to https://www.offensive-security.com/kali ... ncryption/ to make it work in the end.

piotr.lewicki
Posts: 3
Joined: Wed Jul 06, 2016 7:29 am

Re: cryptsetup:not included in initramfs while hooks get cal

Wed Jul 06, 2016 7:37 am

Hi,
I'm trying to encrypt the rootfs using the tutorial that @merze linked (http://paxswill.com/blog/2013/11/04/enc ... pberry-pi/) but at the step "First boot" I have the same problem: cryptsetup is not included in the initramfs.

I'm not sure how to apply @ervee's hint. Can you help / explain a little bit more on how to fix this issue?


Thanks

merze
Posts: 4
Joined: Mon Aug 05, 2013 9:43 am

Re: cryptsetup:not included in initramfs while hooks get cal

Wed Jul 06, 2016 8:14 am

hi piotr

after editing fstab and crypttab you need to do:

Code:

dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
cryptsetup luksFormat /tmp/fakeroot.img
cryptsetup luksOpen /tmp/fakeroot.img sdcard
mkfs.ext4 /dev/mapper/sdcard

assuming you are using ext4 for your root partition
cryptsetup will not be included in the initramfs if no crypted partition is present.

after that do

Code:

sudo mkinitramfs -o /boot/initramfs.gz

and check for cryptsetup within your initramfs:

Code:

lsinitramfs /boot/initramfs.gz | grep cryptsetup

now proceed with the steps left of the tutorial.
do not forget to add the network config delay mentioned here:
https://www.offensive-security.com/kali ... ncryption/
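
Added example, not part of merze's post or of the linked tutorials: a shell check that goes beyond `grep cryptsetup` and looks for every piece this thread mentions (the binaries Chuck copied, the `cryptroot` script, and the `dm-crypt` module). The function names, the sample listings and the assumption that `dm-crypt` is built as a module are assumptions of this example.

```shell
#!/bin/sh
# Reads an lsinitramfs listing on stdin, prints one "missing: ..." line per
# absent component and returns non-zero if anything is missing.
# Assumption: dm-crypt is a loadable module; drop that entry if it is built in.
missing_crypt_parts() {
    listing=$(cat)
    status=0
    for name in sbin/cryptsetup sbin/dmsetup lib/cryptsetup/askpass \
                scripts/local-top/cryptroot dm-crypt.ko; do
        # Match the path at the end of a line (with or without a usr/ prefix),
        # allowing a compression suffix on kernel modules.
        if ! printf '%s\n' "$listing" |
                grep -Eq -- "(^|/)${name}(\.(gz|xz|zst))?\$"; then
            printf 'missing: %s\n' "$name"
            status=1
        fi
    done
    return $status
}

# Constructed sample: initramfs built while no encrypted device was present.
sample_without_crypt() {
    cat <<'EOF'
bin/busybox
sbin/dropbear
scripts/local-top
lib/modules/3.18.0-trunk-rpi/kernel/drivers/md/dm-mod.ko
EOF
}

# Constructed sample: initramfs built after the fake LUKS root was opened.
sample_with_crypt() {
    sample_without_crypt
    cat <<'EOF'
sbin/cryptsetup
sbin/dmsetup
lib/cryptsetup/askpass
scripts/local-top/cryptroot
lib/modules/3.18.0-trunk-rpi/kernel/drivers/md/dm-crypt.ko
EOF
}

# Real use: sh check.sh /boot/initramfs.gz
if [ $# -gt 0 ]; then
    lsinitramfs "$1" | missing_crypt_parts
fi
```

Run it against the freshly built image before rebooting; a non-zero exit status means the image cannot unlock the root filesystem yet.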

piotr.lewicki
Posts: 3
Joined: Wed Jul 06, 2016 7:29 am

Re: cryptsetup:not included in initramfs while hooks get cal

Wed Jul 06, 2016 12:31 pm

Thank you. It worked.

I wonder if there is no other way to put the cryptsetup into initramfs..


merze
Posts: 4
Joined: Mon Aug 05, 2013 9:43 am

Re: cryptsetup:not included in initramfs while hooks get cal

Mon Oct 03, 2016 7:25 pm

I am currently trying to redo a pi with encrypted root filesystem.
The Pi boots and accepts my cryptpassword via USB keyboard.
However I cannot get it to work with remote unlock.

My /etc/initramfs-tools/root/.ssh/authorized_keys file looks like this:

cat /etc/initramfs-tools/root/.ssh/authorized_keys

Code:

command="/scripts/local-top/cryptroot && kill -9 `ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3`"ssh-rsa AApubkey

ls -al /etc/initramfs-tools/root/.ssh/authorized_keys

Code:

-rw------- 1 root root 821 Oct  3 21:16 /etc/initramfs-tools/root/.ssh/authorized_keys

If I put the public key in its own line it will accept my connection but drop to busybox.
If I put everything in one line it will ask for a (user-)pass on login and not for the cryptpass.
The pi is running latest raspbian with latest kernel via rpi-update.
Did someone experience the same maybe and is able to help out?

(Source: http://paxswill.com/blog/2013/11/04/enc ... pberry-pi/ and https://www.offensive-security.com/kali ... ncryption/)
