cryptsetup: not included in initramfs while hooks get called

10 posts
by Chuck » Sun Dec 27, 2015 8:17 pm
Hi all,

I tried today to build a jessie initramdisk including cryptsetup (plus dropbear and busybox) to be able to use an encrypted root partition/full disk encryption. It was a bit of a rough path with some debugging. I just would like to document how it got running in the end in case somebody stumbles over the same problem (or has a proper fix ;) )

In the end my problem was that, while the initramfs hooks for cryptsetup (cryptroot) got called when building a new initramdisk, the binaries for cryptsetup etc. apparently did not get copied into the initramfs.

I.e., after installing busybox, dropbear and cryptsetup
Code: Select all
mkinitramfs -v -o /boot/initramfs.gz > /tmp/initramfs.out

Code: Select all
lsinitramfs /boot/initramfs.gz | grep cryptsetup
--> nada

I tried to work a bit through the hooks (/usr/share/initramfs-tools/hooks/cryptroot) but gave up and went for a ham-fisted hack to get the binaries into the initramfs just adding to the hook:
Code: Select all
copy_exec /sbin/cryptsetup
copy_exec /sbin/dmsetup
copy_exec /lib/cryptsetup/askpass
for mod in aes chainiv cryptomgr krng sha256 sha224 sha512 sha1 xts cbc ecb ctr dm-crypt dm-mod; do
    add_crypto_modules $mod
done

While this got the binaries into the initramfs, the modules did not get loaded and the initrd's /proc/crypto stayed quite empty - thus, I added the modules to /usr/share/initramfs-tools/modules / /etc/initramfs-tools/modules as well. Afterwards the initramfs was able to give me a password prompt and got into the LUKS encrypted partition :)

Hope, it can be of help or maybe somebody has a better idea?

Posts: 6
Joined: Sun Jul 07, 2013 11:10 am
by ervee » Thu Jan 21, 2016 8:11 pm

I had a similar problem after installing Raspbian Jessie. After modifying and encrypting the btrfs root partition and placing it back into the Pi, no cryptsetup to unlock the root.

Debugging the hooks/cryptroot I found the hook is looking for an encrypted root filesystem. But the root filesystem is not encrypted yet during that stage.

What I did was just fake an encrypted root and edit the cmdline.txt, fstab and crypttab before removing the SD card and actually encrypting it.

Edit /boot/cmdline.txt and change "root=/dev/mmcblk0p2" to "root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p2:sdcard"
Edit /etc/fstab and change "/dev/mmcblk0p2" to "/dev/mapper/sdcard"
Create /etc/crypttab and add:
sdcard /dev/mmcblk0p2 none luks

dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
cryptsetup luksFormat /tmp/fakeroot.img
cryptsetup luksOpen /tmp/fakeroot.img sdcard
mkfs.btrfs /dev/mapper/sdcard # or create the filesystem you use as rootfs!
update-initramfs -u -v
lsinitramfs /boot/initrd.img-3.18.0-trunk-rpi | grep cryptsetup
--> Tadaah!

Posts: 2
Joined: Thu Jan 21, 2016 7:56 pm
by Balgerda » Sat Jan 30, 2016 5:18 am
ervee's method works. Thank you.
Posts: 1
Joined: Sat Jan 30, 2016 5:07 am
by simpleuser » Thu Feb 18, 2016 6:50 pm
I don't understand. :cry:
Please explain in more detail.
Posts: 1
Joined: Thu Feb 18, 2016 6:41 pm
by merze » Fri Jun 24, 2016 7:07 pm

Are you aware of this tutorial?

I am currently trying to encrypt a pi 3, but I fail at unlocking after reboot.
It can't find cryptsetup.
Does someone have a hint for me maybe?


Edit: Got it working thanks to ervee's tip. Also had to set the network delay according to to make it work in the end.
Posts: 4
Joined: Mon Aug 05, 2013 9:43 am
by piotr.lewicki » Wed Jul 06, 2016 7:37 am
I'm trying to encrypt the rootfs using the tutorial that @merze linked, but at the step "First boot" I have the same problem: cryptsetup is not included in the initramfs.

I'm not sure how to apply @ervee's hint. Can you help / explain a little bit more on how to fix this issue?

Posts: 3
Joined: Wed Jul 06, 2016 7:29 am
by merze » Wed Jul 06, 2016 8:14 am
hi piotr

after editing fstab and crypttab you need to do:

Code: Select all
dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
cryptsetup luksFormat /tmp/fakeroot.img
cryptsetup luksOpen /tmp/fakeroot.img sdcard
mkfs.ext4 /dev/mapper/sdcard

assuming you are using ext4 for your root partition
cryptsetup will not be included in the initramfs if no crypted partition is present.

after that do
Code: Select all
sudo mkinitramfs -o /boot/initramfs.gz

and check for cryptsetup within your initramfs:
Code: Select all
lsinitramfs /boot/initramfs.gz | grep cryptsetup

now proceed with the steps left of the tutorial.
do not forget to add the network config delay mentioned here:
Posts: 4
Joined: Mon Aug 05, 2013 9:43 am
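
The `lsinitramfs ... | grep cryptsetup` check used in the posts above only looks for one name. The following is an added example, not code from any poster or from initramfs-tools, that checks a listing for every component this thread names before rebooting into an encrypted root. It assumes the input is plain `lsinitramfs` output (one path per line) and that dm-crypt is built as a module; the function name and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an initramfs listing for the pieces needed to unlock a
# LUKS root. Feed it `lsinitramfs <image>` output on stdin, for instance:
#   lsinitramfs /boot/initramfs.gz | check_initramfs_listing

# Prints one "MISSING: ..." line per absent component.
# Returns 0 only when every component is present.
check_initramfs_listing() {
    listing=$(cat)
    missing=0
    # Each spec is "label|extended regex"; paths are the ones named in the thread.
    for spec in \
        'cryptsetup binary|(^|/)sbin/cryptsetup$' \
        'dmsetup binary|(^|/)sbin/dmsetup$' \
        'askpass helper|(^|/)lib/cryptsetup/askpass$' \
        'cryptroot boot script|(^|/)scripts/local-top/cryptroot$' \
        'dm-crypt module|/dm-crypt\.ko(\.[a-z0-9]+)?$'
    do
        name=${spec%%|*}      # text before the first '|'
        pattern=${spec#*|}    # everything after the first '|'
        if ! printf '%s\n' "$listing" | grep -Eq "$pattern"; then
            echo "MISSING: $name"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample listings (not captured from a real image).
# First: hooks ran but no encrypted root was detected, so no crypto binaries.
SAMPLE_WITHOUT='bin/busybox
sbin/dropbear
scripts/local-top/cryptroot
lib/modules/3.18.0-trunk-rpi/kernel/drivers/md/dm-mod.ko'
# Second: the same image after rebuilding with an open LUKS mapping present.
SAMPLE_WITH="$SAMPLE_WITHOUT
sbin/cryptsetup
sbin/dmsetup
lib/cryptsetup/askpass
lib/modules/3.18.0-trunk-rpi/kernel/drivers/md/dm-crypt.ko"

printf '%s\n' "$SAMPLE_WITHOUT" | check_initramfs_listing \
    || echo "initramfs cannot unlock the root yet; do not reboot"
printf '%s\n' "$SAMPLE_WITH" | check_initramfs_listing \
    && echo "all components present"
```
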
by piotr.lewicki » Wed Jul 06, 2016 12:31 pm
Thank you. It worked.

I wonder if there is no other way to put the cryptsetup into initramfs..
Posts: 3
Joined: Wed Jul 06, 2016 7:29 am
by greggde » Sun Aug 14, 2016 7:13 am
Posts: 1
Joined: Sun Aug 14, 2016 7:11 am
by merze » Mon Oct 03, 2016 7:25 pm
I am currently trying to redo a pi with encrypted root filesystem.
The Pi boots and accepts my cryptpassword via USB keyboard.
However I can not make it to work with remote unlock.

My /etc/initramfs-tools/root/.ssh/authorized_keys file looks like this:

cat /etc/initramfs-tools/root/.ssh/authorized_keys
Code: Select all
command="/scripts/local-top/cryptroot && kill -9 `ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3`"ssh-rsa AApubkey

ls -al /etc/initramfs-tools/root/.ssh/authorized_keys
Code: Select all
-rw------- 1 root root 821 Oct  3 21:16 /etc/initramfs-tools/root/.ssh/authorized_keys

If I put the public key in its own line it will accept my connection but drop to busybox.
If I put everything in one line it will ask for a (user-)pass on login and not for the cryptpass.
The pi is running latest raspbian with latest kernel via rpi-update.
Did someone experience the same maybe and is able to help out?

Posts: 4
Joined: Mon Aug 05, 2013 9:43 am