Styper
Posts: 1
Joined: Mon Aug 06, 2018 9:42 pm

Raspbian Stretch Luks Encrypt

Mon Aug 06, 2018 10:14 pm

Hello,

I was searching for a way to LUKS-encrypt my root folder, but all the tutorials I found were for Jessie and weren't very noob-friendly, so I decided to bundle them into a few automated scripts to make the job easier.

The tutorials I got most of the info from are here:
https://robpol86.com/raspberry_pi_luks.html
https://github.com/johnshearing/MyEther ... encryption

I've uploaded the scripts here:
https://github.com/styper/Luks-Encrypt-Raspbian-Stretch

What you need:
A Raspberry Pi 3
An SD card with Raspbian Stretch installed (I used the Lite edition in my tests)
A flash drive connected to the RPi (needed to copy the data from the root partition during encryption so you don't lose it)

This tutorial should be usable with an already running Raspbian Stretch; just skip the part about burning the iso/img.

Burn the Raspbian Stretch image to the SD card using Etcher or a similar tool.

Download the scripts from the repo and place them inside /boot/install/

Run script: sudo /boot/install/1.update.sh
What this does is update the system. In my first try there was a bug with a kernel version that was sending the system into a kernel panic during the process; that didn't happen when I updated to 4.14, though.

sudo reboot
This is needed so the system loads the new kernel version.

Run script: /boot/install/2.disk_encrypt.sh
This prepares the environment, adding new applications to the initramfs to make the job easier, and prepares the needed files for LUKS.

sudo reboot
Now we're going to be dropped to the initramfs shell; this is normal.

In the initramfs shell run the following commands:
mkdir /tmp/boot
mount /dev/mmcblk0p1 /tmp/boot/
/tmp/boot/install/3.disk_encrypt_initramfs.sh

The script copies all your data to the flash drive because LUKS deletes everything when it's encrypting the partition.
When LUKS encrypts the root partition it will ask you to type YES (in uppercase) and then the decryption password twice (watch out if you used CAPS LOCK to type the YES), so add a new strong password to your liking.
Then LUKS will ask for the decryption password again so we can copy the data back from the flash drive to the root partition.

reboot -f
We're dropped again to the initramfs; this is still normal.

mkdir /tmp/boot
mount /dev/mmcblk0p1 /tmp/boot/
/tmp/boot/install/4.luks_open.sh

Type in your decryption password again, then the system should resume booting as normal. At this point all the data is encrypted already; we just need to rebuild the initramfs.

Run script: /boot/install/5.rebuild_initram.sh

There it is, once you reboot it will ask for the decrypt password again every time now.

Some notes:
There is probably an easier way to do this using chroot so you don't need to reboot so much, but I don't know how to do it yet.
I added expect to the initramfs hook because I'll probably add another script to auto-generate a strong password; it can be removed, though.
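As an added example (not part of styper's scripts or the linked tutorials), a small POSIX sh audit of the layout the steps above leave behind; it also flags the key-file case raised later in the thread. It assumes the root partition is /dev/mmcblk0p2, the boot files are /boot/cmdline.txt, /boot/config.txt and /boot/initramfs.gz, and the mapping is declared in /etc/crypttab, none of which the post states.

```shell
#!/bin/sh
# Added example, not part of styper's repo: sanity checks for the LUKS-on-root
# layout the post ends up with. Assumed, since the post does not say: root is
# /dev/mmcblk0p2, boot files are /boot/cmdline.txt, /boot/config.txt and
# /boot/initramfs.gz, the mapping is in /etc/crypttab. Checks take the file as $1.

# The kernel must be told to open the LUKS device (cryptdevice=) and to mount
# the mapping, not the raw partition, or boot falls back into the initramfs.
check_cmdline() {
    grep -q 'cryptdevice=' "$1" && grep -q 'root=/dev/mapper/' "$1"
}

# config.txt has to load the initramfs at all, otherwise cryptsetup never runs.
check_config() {
    grep -Eq '^initramfs[[:space:]]+initramfs.*followkernel' "$1"
}

# crypttab lines are "<name> <device> <key> <options>". Returns 0 when the key
# field is "none" (passphrase prompt at boot), 2 when a key file is named, 1 if
# there is no entry. A key file on the unencrypted /boot or inside the
# initramfs lets anyone holding the SD card boot the system (the thread's point).
check_crypttab() {
    entry=$(grep -v '^[[:space:]]*#' "$1" | grep -E '^[^[:space:]]+[[:space:]]' | head -n 1)
    [ -n "$entry" ] || return 1
    key=$(printf '%s\n' "$entry" | awk '{print $3}')
    [ "$key" = "none" ] && return 0
    return 2
}

# The rebuilt initramfs must contain cryptsetup; lsinitramfs ships with initramfs-tools.
check_initramfs() {
    lsinitramfs "$1" | grep -q 'sbin/cryptsetup'
}

# A LUKS header starts with the magic "LUKS"; `cryptsetup isLuks` is the proper tool.
is_luks() {
    [ "$(head -c 4 "$1" 2>/dev/null)" = "LUKS" ]
}

# Run everything against the live system (skipped when not on the Pi).
audit_pi() {
    check_cmdline /boot/cmdline.txt    || echo "cmdline.txt: no cryptdevice=/root=/dev/mapper"
    check_config /boot/config.txt      || echo "config.txt: initramfs is not loaded"
    check_initramfs /boot/initramfs.gz || echo "initramfs.gz: cryptsetup missing"
    is_luks /dev/mmcblk0p2             || echo "mmcblk0p2: no LUKS header"
    rc=0; check_crypttab /etc/crypttab || rc=$?
    if [ "$rc" -eq 2 ]; then echo "crypttab: unlocked by key file, not a passphrase"; fi
}
if [ -f /boot/cmdline.txt ]; then audit_pi; fi
```

Run it as root on the Pi after step 5, or point the individual checks at copies of the files taken from the initramfs shell.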

johnshearing
Posts: 17
Joined: Sun Jun 11, 2017 6:12 am

Re: Raspbian Stretch Luks Encrypt

Fri Apr 12, 2019 5:52 am

Thank you so much @styper for sharing this.
Now www.privatekeyvault.com can move to Stretch.
I forked your repository and changed the README.md a bit to address issues specific to the Vault.
Thank you again, John

manjuk123
Posts: 1
Joined: Thu Jun 20, 2019 3:19 pm

Re: Raspbian Stretch Luks Encrypt

Thu Jun 20, 2019 3:28 pm

First, thanks for the tut.
I wanted to know how to unlock using a key file instead of entering the passphrase every time when booting.

jlut
Posts: 1
Joined: Fri Jul 19, 2019 3:07 pm

Re: Raspbian Stretch Luks Encrypt

Fri Jul 19, 2019 3:09 pm

I was wondering if it was possible to run a script on startup using rc.local on a LUKS-encrypted Pi without having to enter the password first?

glassman3333
Posts: 2
Joined: Fri Aug 09, 2019 9:18 pm

Re: Raspbian Stretch Luks Encrypt

Wed Aug 21, 2019 12:28 am

Styper wrote: There it is, once you reboot it will ask for the decrypt password again every time now.
Thank you so much for this write-up. I was wondering if you (or someone) knew of a way to instead add the key to a TPM 2 module using tpm2-tools? I would like the secret to be stored on the TPM module so that it is secure and the password need not be entered to decrypt the drive on boot.

Mikeynl
Posts: 27
Joined: Sat Nov 11, 2017 1:36 pm

Re: Raspbian Stretch Luks Encrypt

Thu Aug 29, 2019 9:11 am

jlut wrote:
Fri Jul 19, 2019 3:09 pm
I was wondering if it was possible to run a script on startup using rc.local on a LUKS-encrypted Pi without having to enter the password first?
You can add hooks to the initramfs that will do this for you. But as long as your /boot is not encrypted, it means I can still boot your RPi if your password is in the initramfs.
glassman3333 wrote:
Wed Aug 21, 2019 12:28 am
Styper wrote: There it is, once you reboot it will ask for the decrypt password again every time now.
Thank you so much for this write-up. I was wondering if you (or someone) knew of a way to instead add the key to a TPM 2 module using tpm2-tools? I would like the secret to be stored on the TPM module so that it is secure and the password need not be entered to decrypt the drive on boot.
You can regenerate the initramfs with TPM support and add that hook yourself.
