Styper
Posts: 1
Joined: Mon Aug 06, 2018 9:42 pm

Raspbian Stretch Luks Encrypt [solved]

Mon Aug 06, 2018 10:14 pm

Hello,

I was searching for a way to LUKS-encrypt my root folder, but all the tutorials I found were for Jessie and weren't very noob-friendly, so I decided to bundle them into a few automated scripts to make the job easier.

The tutorials I got most of the info from are here:
https://robpol86.com/raspberry_pi_luks.html
https://github.com/johnshearing/MyEther ... encryption

I've uploaded the scripts here:
https://github.com/styper/Luks-Encrypt-Raspbian-Stretch

What you need:
A Raspberry PI 3
An sdcard with Raspbian Stretch installed (I used the lite edition in my tests)
A flash drive connected to the RPi (needed to copy the data from the root partition during encryption so you don't lose it)

This tutorial should be usable with an already running Raspbian Stretch, just skip the burning iso/img part

Burn the Raspbian Stretch image to the SD card using Etcher or a similar tool

Download the scripts from the repo and place them inside /boot/install/

Run script: sudo /boot/install/1.update.sh
What this does is update the system. In my first try there was a bug with a kernel version that was sending the system into a kernel panic during the process; that didn't happen when I updated to 4.14, though.

sudo reboot
This is needed so the system loads the new kernel version

Run script: /boot/install/2.disk_encrypt.sh
This prepares the environment, adding new applications to the initramfs to make the job easier, and prepares the needed files for LUKS

sudo reboot
Now we're going to be dropped to the initramfs shell, this is normal

In the initramfs shell run the following commands:
mkdir /tmp/boot
mount /dev/mmcblk0p1 /tmp/boot/
/tmp/boot/install/3.disk_encrypt_initramfs.sh

The script copies all your data to the flash drive because LUKS deletes everything when it's encrypting the partition
When LUKS encrypts the root partition it will ask you to type YES (in uppercase), then the decryption password twice (watch out if you used CAPS LOCK to type the YES), so add a new strong password to your liking
Then LUKS will ask for the decryption password again so we can copy the data back from the flash drive to the root partition

reboot -f
We're dropped again to the initramfs, this is still normal

mkdir /tmp/boot
mount /dev/mmcblk0p1 /tmp/boot/
/tmp/boot/install/4.luks_open.sh

Type in your decryption password again, then the system should resume booting as normal. At this point all the data is encrypted already; we just need to rebuild the initramfs

Run script: /boot/install/5.rebuild_initram.sh

There it is: once you reboot, it will ask for the decryption password every time now.

Some notes:
There is probably an easier way to do this using chroot so you don't need to reboot so much, but I don't know how to do it yet
I added expect to the initramfs hook because I'll probably add another script to auto-generate a strong password; it can be removed, though

johnshearing
Posts: 17
Joined: Sun Jun 11, 2017 6:12 am

Re: Raspbian Stretch Luks Encrypt

Fri Apr 12, 2019 5:52 am

Thank you so much @styper for sharing this.
Now the www.privatekeyvault.com can move to stretch.
I forked your repository and changed the README.md a bit to address issues specific to the Vault.
Thank you again, John

manjuk123
Posts: 1
Joined: Thu Jun 20, 2019 3:19 pm

Re: Raspbian Stretch Luks Encrypt

Thu Jun 20, 2019 3:28 pm

First, Thanks for the tut.
I wanted to know how to unlock using a key file instead of entering the passphrase every time when booting.

jlut
Posts: 1
Joined: Fri Jul 19, 2019 3:07 pm

Re: Raspbian Stretch Luks Encrypt

Fri Jul 19, 2019 3:09 pm

I was wondering if it was possible to run a script on startup using rc.local on a LUKS-encrypted Pi without having to enter the password first?

glassman3333
Posts: 4
Joined: Fri Aug 09, 2019 9:18 pm

Re: Raspbian Stretch Luks Encrypt

Wed Aug 21, 2019 12:28 am

Styper wrote: There it is, once you reboot it will ask for the decrypt password again every time now.
Thank you so much for this write-up. I was wondering if you (or someone) knew of a way to instead add the key to a TPM 2 module using tpm2-tools? I would like the secret to be stored on the TPM module so that it is secure and the password need not be entered to decrypt the drive on boot.

Mikeynl
Posts: 45
Joined: Sat Nov 11, 2017 1:36 pm

Re: Raspbian Stretch Luks Encrypt

Thu Aug 29, 2019 9:11 am

jlut wrote:
Fri Jul 19, 2019 3:09 pm
I was wondering if it was possible to run a script on startup using rc.local on a LUKS encrypted PI without having to enter the password first?
You can add hooks to the initramfs that will do this for you. But as long as your /boot is not encrypted, it means I can still boot your RPi if your password is in the initramfs.
glassman3333 wrote:
Wed Aug 21, 2019 12:28 am
Styper wrote: There it is, once you reboot it will ask for the decrypt password again every time now.
Thank you so much for this write-up. I was wondering if you (or someone) knew of a way to instead add the key to a TPM 2 module using tpm2-tools? I would like the secret to be stored on the TPM module so that it is secure and the password need not be entered to decrypt the drive on boot.
You can regenerate the initramfs with TPM support and add that hook yourself.

glassman3333
Posts: 4
Joined: Fri Aug 09, 2019 9:18 pm

Re: Raspbian Stretch Luks Encrypt

Mon Oct 21, 2019 5:25 am

I had a question about Script 3. There is a command in it that states:

SHA1SUM_NEWROOT="$(dd bs=4k count=1516179 if=/dev/mapper/sdcard | sha1sum)"
However, it looks as though this command is never used. There is another "if" statement below it that looks as if it was meant to use SHA1SUM_NEWROOT, but instead SHA1SUM_ROOT was used, which poses another problem.

If SHA1SUM_NEWROOT were used for that "if" statement, since it has a specific block count, the sha1sum would never match the SHA1SUM_EXT it was intended for. Was the statement supposed to be taken out, or modified for use in another way that was forgotten about?

Would it be better if lines 21-23 were instead this?

	NEWBLOCK_COUNT="$(dumpe2fs /dev/mapper/sdcard | sed "s/ //g" | sed -n "/Blockcount:/p" | cut -d ":" -f 2)"
	SHA1SUM_NEWROOT="$(dd bs=4k count=$NEWBLOCK_COUNT if=/dev/mapper/sdcard | sha1sum)"
	if [ "$SHA1SUM_NEWROOT" == "$SHA1SUM_EXT" ]; then
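
The copy-back step in the original post (step 3) and the block-count question above both come down to one check: does the filesystem written back to the decrypted device match what was saved on the flash drive? The script below is an added example, not styper's code and not a drop-in for lines 21-23 of script 3; it takes the block count and block size from `dumpe2fs -h` output instead of hard-coding the dd count, and hashes only the bytes the filesystem occupies, so a destination partition that is larger than the source still compares equal. The function names, the `--demo` switch and the temporary files are this example's own. On the Pi you would pass the real device nodes and the saved `dumpe2fs -h /dev/mapper/sdcard` output; here the inputs are files so it can be run anywhere.

```sh
#!/bin/sh
# Added example, not part of styper's scripts: verify that the data copied back
# from the flash drive matches the source by hashing exactly the bytes the ext4
# filesystem occupies (Block count x Block size from dumpe2fs), instead of a
# hard-coded dd count. All inputs are file paths so the logic can be exercised
# with constructed files; on the Pi they would be the device nodes and a saved
# copy of `dumpe2fs -h /dev/mapper/sdcard`.

# fs_geometry FILE: print "<block_count> <block_size>" parsed from dumpe2fs -h
# output stored in FILE. Fails (status 1) if either line is missing.
fs_geometry() {
    count=$(sed -n 's/^Block count:[[:space:]]*//p' "$1" | head -n 1)
    size=$(sed -n 's/^Block size:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$count" ] && [ -n "$size" ] || return 1
    printf '%s %s\n' "$count" "$size"
}

# fs_sha1 DEV COUNT BS: SHA-1 of the first COUNT blocks of BS bytes of DEV.
# Bytes past the filesystem's end (unused partition tail) are deliberately
# not hashed, so a destination larger than the source still compares equal.
fs_sha1() {
    dd if="$1" bs="$3" count="$2" 2>/dev/null | sha1sum | cut -d' ' -f1
}

# verify_restore SRC DST GEOM_FILE: hash SRC and DST over the filesystem
# geometry read from GEOM_FILE (dumpe2fs output of the source filesystem).
# Prints the verdict; returns 0 on match, 1 on mismatch, 2 on unreadable geometry.
verify_restore() {
    src=$1; dst=$2
    geom=$(fs_geometry "$3") || { echo "cannot read filesystem geometry from $3" >&2; return 2; }
    set -- $geom
    count=$1; bs=$2
    src_sum=$(fs_sha1 "$src" "$count" "$bs")
    dst_sum=$(fs_sha1 "$dst" "$count" "$bs")
    if [ "$src_sum" = "$dst_sum" ]; then
        echo "match: $count x $bs bytes, sha1 $src_sum"
        return 0
    fi
    echo "MISMATCH: src $src_sum dst $dst_sum" >&2
    return 1
}

# Stand-alone demo on constructed files (run as: sh verify_restore.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    # constructed dumpe2fs output: a 10-block, 4 KiB-block filesystem
    printf 'Block count:              10\nBlock size:               4096\n' > "$tmp/geom"
    dd if=/dev/urandom of="$tmp/src.img" bs=4096 count=10 2>/dev/null
    cp "$tmp/src.img" "$tmp/dst.img"
    verify_restore "$tmp/src.img" "$tmp/dst.img" "$tmp/geom"
    # damage one block of the copy: must be reported
    printf 'corrupted' | dd of="$tmp/dst.img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    verify_restore "$tmp/src.img" "$tmp/dst.img" "$tmp/geom" || echo "detected corruption (status $?)"
    rm -rf "$tmp"
fi
```

Run it on the Pi only after the restore has finished and the destination has been synced and unmounted, otherwise dd may read stale page-cache data on one side and a valid copy will look like a mismatch.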

Adambean
Posts: 5
Joined: Wed Nov 13, 2019 3:14 pm

Re: Raspbian Stretch Luks Encrypt

Wed Nov 13, 2019 3:21 pm

I'm trying this out on a Pi 4 using Buster. It mostly seems to work fine until step 4:
Styper wrote:
Mon Aug 06, 2018 10:14 pm
mkdir /tmp/boot
mount /dev/mmcblk0p1 /tmp/boot/
/tmp/boot/install/4.luks_open.sh

Type in your decryption password again, then the system should resume booting as normal, at this point all the data is encrypted already, we just need to rebuild the initramfs
After entering the password the booting doesn't resume; it's just back at the initramfs terminal.

The LUKS mount works fine though. Using `mount /dev/mapper/sdcard /tmp/root` I can see the contents of my root file system fine, but what next? :)

I can reboot again but obviously the ramdisk image hasn't been updated to run the decryption at boot time. What I guess I'm looking for is a way to re-run the boot process after manually opening the LUKS volume.

--

Edit: Figured it out: you just need to submit `exit` to close down BusyBox, then the Pi 4 boot process re...runs.

After that I ran the script for step 5, rebooted, and got prompted for my passphrase as intended. -- Unlocked, booted normally.

Thank you very much for this guide!

binbows
Posts: 2
Joined: Thu Apr 16, 2020 9:37 pm

Re: Raspbian Stretch Luks Encrypt

Thu Apr 23, 2020 12:31 am

Mikeynl wrote:
Thu Aug 29, 2019 9:11 am

You can add hooks to the initramfs that will do this for you. But as long as your /boot is not encrypted, it means I can still boot your RPi if your password is in the initramfs.
Do you know how I would go about writing a hook that unlocks depending on a certain variable, i.e. cpuinfo?
Or some rather effective way of "binding" the SD card to a certain Raspberry?

Abraham76i
Posts: 3
Joined: Thu Apr 27, 2017 4:02 pm
Location: Guadajara, Jal., México

Re: Raspbian Stretch Luks Encrypt

Thu May 28, 2020 9:14 am

binbows wrote:
Thu Apr 23, 2020 12:31 am
Mikeynl wrote:
Thu Aug 29, 2019 9:11 am

You can add hooks to the initramfs that will do this for you. But as long as your /boot is not encrypted, it means I can still boot your RPi if your password is in the initramfs.
Do you know how I would go about writing a hook that unlocks depending on a certain variable, i.e. cpuinfo?
Or some rather effective way of "binding" the SD card to a certain Raspberry?
Did you manage to boot the Pi with encryption using a variable like in cpuinfo example?

binbows
Posts: 2
Joined: Thu Apr 16, 2020 9:37 pm

Re: Raspbian Stretch Luks Encrypt

Thu May 28, 2020 1:38 pm

Abraham76i wrote:
Thu May 28, 2020 9:14 am
binbows wrote:
Thu Apr 23, 2020 12:31 am
Mikeynl wrote:
Thu Aug 29, 2019 9:11 am

You can add hooks to the initramfs that will do this for you. But as long as your /boot is not encrypted, it means I can still boot your RPi if your password is in the initramfs.
Do you know how I would go about writing a hook that unlocks depending on a certain variable, i.e. cpuinfo?
Or some rather effective way of "binding" the SD card to a certain Raspberry?
Did you manage to boot the Pi with encryption using a variable like in cpuinfo example?

I didn't; I wasn't able to auto-unlock my Pi in any way, so I didn't get to use cpuinfo for it
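
For the "bind the SD card to one board" idea discussed in the three posts above, here is an added example of what such a hook looks like; it is not code from the thread or from styper's repository. It is a cryptsetup keyscript that derives a key from the `Serial` line of /proc/cpuinfo and a salt file, in the Debian style where /etc/crypttab names the script with `keyscript=` and the initramfs integration runs it with `CRYPTTAB_NAME` set and reads the key from its stdout (the script path, salt path and enrolment steps in the comments are assumptions, not from the thread). The security caveat is exactly Mikeynl's point: the salt sits on the unencrypted /boot partition and the serial is readable by any process on the board, so this stops a cloned card from unlocking on another machine but gives no protection against someone who has both the card and the board, or who learns the serial. Keep the passphrase key slot as the recovery path and treat the derived slot as a convenience, not as a secret.

```sh
#!/bin/sh
# Added example, not from the thread's scripts: a cryptsetup keyscript that
# derives the LUKS key from the board serial in /proc/cpuinfo plus a salt file
# kept on the (unencrypted) /boot partition. Assumed wiring, Debian-style:
#   /etc/crypttab:  sdcard /dev/mmcblk0p2 none luks,keyscript=/usr/local/sbin/cpuinfo-keyscript
#   enrol once:     ./cpuinfo-keyscript --print > /dev/shm/k &&
#                   cryptsetup luksAddKey /dev/mmcblk0p2 /dev/shm/k && shred -u /dev/shm/k
# then rebuild the initramfs so the hook ships the script. The original
# passphrase slot stays as the recovery path.
#
# Not a secret: serial and salt are both readable from the card plus board, so
# this only binds the card to the board, it does not protect against someone
# holding both.

# derive_key CPUINFO_FILE SALT_FILE: print a 64-hex-char key, SHA-256 over
# "<serial>:<salt>". Inputs are files so it can be tested off-board; on the Pi
# CPUINFO_FILE is /proc/cpuinfo. Fails (status 1) without a Serial line or salt.
derive_key() {
    serial=$(sed -n 's/^Serial[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$serial" ] || { echo "no Serial line in $1" >&2; return 1; }
    [ -r "$2" ] || { echo "salt file $2 not readable" >&2; return 1; }
    printf '%s:%s' "$serial" "$(cat "$2")" | sha256sum | cut -d' ' -f1
}

# Keyscript entry point. Debian's cryptsetup integration (assumed here) runs the
# script with CRYPTTAB_NAME set and reads the key from stdout; --print is for
# enrolment from the running system. The key is written without a trailing
# newline so enrolment and unlock feed cryptsetup identical bytes.
if [ -n "${CRYPTTAB_NAME:-}" ] || [ "${1:-}" = "--print" ]; then
    key=$(derive_key /proc/cpuinfo /boot/luks.salt) || exit 1
    printf '%s' "$key"
fi
```

Generate the salt once with something like `head -c 32 /dev/urandom | base64 > /boot/luks.salt`; changing the salt or moving the card to a board with a different serial makes the derived slot useless, which is the intended behaviour, and is why the passphrase slot must stay enrolled.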

pavithran
Posts: 2
Joined: Tue Dec 15, 2020 1:52 am

Re: Raspbian Stretch Luks Encrypt

Tue Dec 15, 2020 1:54 am

Styper wrote:
Mon Aug 06, 2018 10:14 pm

Thank you. It worked perfectly on Raspberry pi 4 Model B.
Use "exit" after step 4 if you cannot boot as normal.

otoneakey
Posts: 2
Joined: Wed Mar 31, 2021 11:50 pm

Re: Raspbian Stretch Luks Encrypt

Thu Apr 01, 2021 2:01 am

Styper, thank you for sharing this :) I've used it on my Pi 4 running Buster; it worked great! (During the process I noticed a couple of errors/warnings, probably nothing important; in the end it worked out as expected.) Also Adambean, pavithran, thanks for pointing out that "exit" part, I definitely wouldn't have known what to do.
It would be perfect to be able to enter the password remotely. Can anyone please explain how to do that, or maybe link a good working tutorial? (I searched a little and I've seen a few older guides where they use dropbear to achieve this, but I'm still not sure how to do it.) Thanks.

otoneakey
Posts: 2
Joined: Wed Mar 31, 2021 11:50 pm

Re: Raspbian Stretch Luks Encrypt

Thu Apr 01, 2021 11:36 pm

Solved :D I got the remote unlock working! For the most part I followed this guide: https://www.cyberciti.biz/security/how- ... -in-linux/ ;)
