Preliminaries - On your Raspberry
This tutorial was tested on Raspbian Pixel Lite (2017).
Remove shitty things
sudo apt-get -y purge plymouth
Create your initramfs
The throw-away image below is there only so that an open LUKS mapping exists while mkinitramfs builds the image; the check that follows confirms cryptsetup was actually included.
sudo apt-get install busybox cryptsetup ntp dropbear
dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
cryptsetup luksFormat /tmp/fakeroot.img
sudo cryptsetup luksOpen /tmp/fakeroot.img sdcard
sudo mkfs.ext4 /dev/mapper/sdcard
sudo mkinitramfs -o /boot/initramfs.gz
Check if cryptsetup is available
lsinitramfs /boot/initramfs.gz | grep cryptsetup
Export SSH key
sudo scp /etc/initramfs-tools/root/.ssh/id_rsa username@othercomputer:~/.ssh/id_rsa_rpi_dropbear
Configure Dropbear
Edit /etc/initramfs-tools/root/.ssh/authorized_keys
and add the following at the beginning of the file, as a prefix on the same line as the key (an authorized_keys option must precede the key it applies to, on that key's line):
command="/scripts/local-top/cryptroot && kill -9 `ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3`"
Edit /usr/share/initramfs-tools/scripts/init-premount/dropbear
and replace the line
configure_networking &
with:
echo "Waiting 5 seconds for USB to wake"
sleep 5
configure_networking &
Rebuild the initramfs
sudo mkinitramfs -o /boot/initramfs.gz
Configure boot
Edit /boot/config.txt
and add these lines at the end:
initramfs initramfs.gz followkernel
Edit /boot/cmdline.txt
and replace the first line with something like this:
dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p2:sdcard rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait
Configure mounting points
Edit /etc/fstab
and change /dev/mmcblk0p2 to /dev/mapper/sdcard.
Edit /etc/crypttab
and add the following line (fields separated by a tab character):
sdcard /dev/mmcblk0p2 none luks
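The root mapping now has to agree in four places: /etc/fstab, /etc/crypttab, /boot/cmdline.txt and the initramfs line in /boot/config.txt. A mismatch in any of them leaves the Pi stuck in the initramfs, where the only way to see the problem is a serial console. The script below is an added example, not part of the original tutorial: it cross-checks the four files (paths passed as arguments, so it can run against copies of the files before the reboot) and exercises itself on constructed sample files; the mapper name sdcard and partition /dev/mmcblk0p2 come from the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that the mapper name
# and block device agree across /etc/fstab, /etc/crypttab, /boot/cmdline.txt and
# /boot/config.txt before rebooting. File paths are passed as arguments.
# Usage: check_crypt_config FSTAB CRYPTTAB CMDLINE CONFIG

# Print the value of KEY=... from a kernel command line file (first match).
cmdline_value() {
    tr ' ' '\n' < "$2" | sed -n "s/^$1=//p" | head -n 1
}

check_crypt_config() {
    fstab="$1"; crypttab="$2"; cmdline="$3"; config="$4"
    status=0

    # root= must point at the mapper device, not the raw partition.
    root=$(cmdline_value root "$cmdline")
    case "$root" in
        /dev/mapper/?*) name=${root#/dev/mapper/} ;;
        *) echo "cmdline.txt: root=$root, expected root=/dev/mapper/<name>"; return 1 ;;
    esac

    # cryptdevice=<partition>:<name> must map to the same name.
    cryptdev=$(cmdline_value cryptdevice "$cmdline")
    partition=${cryptdev%%:*}
    cname=${cryptdev#*:}
    if [ -z "$cryptdev" ] || [ "$cname" = "$cryptdev" ]; then
        echo "cmdline.txt: cryptdevice=<partition>:<name> is missing or malformed"; status=1
    elif [ "$cname" != "$name" ]; then
        echo "cmdline.txt: cryptdevice maps '$cname' but root= uses '$name'"; status=1
    fi

    # crypttab: <name> <partition> none luks (tab or space separated).
    ctab_dev=$(awk -v n="$name" '$1 !~ /^#/ && $1 == n { print $2; exit }' "$crypttab")
    if [ -z "$ctab_dev" ]; then
        echo "crypttab: no entry named '$name'"; status=1
    elif [ "$ctab_dev" != "$partition" ]; then
        echo "crypttab: '$name' is on $ctab_dev, cmdline.txt says $partition"; status=1
    fi

    # fstab: / must be on the mapper device and the raw partition must be gone.
    fstab_root=$(awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$fstab")
    if [ "$fstab_root" != "$root" ]; then
        echo "fstab: / is on '$fstab_root', expected $root"; status=1
    fi
    if awk -v p="$partition" '$1 !~ /^#/ && $1 == p { found = 1 } END { exit !found }' "$fstab"; then
        echo "fstab: raw partition $partition is still referenced"; status=1
    fi

    # config.txt must load the initramfs that carries dropbear and cryptsetup.
    if ! grep -q '^initramfs initramfs.gz followkernel' "$config"; then
        echo "config.txt: missing 'initramfs initramfs.gz followkernel'"; status=1
    fi

    return $status
}

# Self-check on constructed sample files (not a real Pi's config): a consistent
# set must pass, and a fstab that still mounts the raw partition on / must fail.
run_demo() {
    dir=$(mktemp -d) || return 1
    printf 'console=tty1 root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p2:sdcard rootfstype=ext4 rootwait\n' > "$dir/cmdline.txt"
    printf 'sdcard\t/dev/mmcblk0p2\tnone\tluks\n' > "$dir/crypttab"
    printf 'initramfs initramfs.gz followkernel\n' > "$dir/config.txt"
    printf 'proc /proc proc defaults 0 0\n/dev/mmcblk0p1 /boot vfat defaults 0 2\n/dev/mapper/sdcard / ext4 defaults,noatime 0 1\n' > "$dir/fstab.good"
    printf 'proc /proc proc defaults 0 0\n/dev/mmcblk0p1 /boot vfat defaults 0 2\n/dev/mmcblk0p2 / ext4 defaults,noatime 0 1\n' > "$dir/fstab.bad"
    check_crypt_config "$dir/fstab.good" "$dir/crypttab" "$dir/cmdline.txt" "$dir/config.txt" > /dev/null || return 1
    if check_crypt_config "$dir/fstab.bad" "$dir/crypttab" "$dir/cmdline.txt" "$dir/config.txt" > /dev/null; then return 1; fi
    rm -rf "$dir"
}

if [ "$#" -eq 4 ]; then
    check_crypt_config "$@" && echo "config is consistent"
fi
```

Run it as `sh check.sh /etc/fstab /etc/crypttab /boot/cmdline.txt /boot/config.txt` on the Pi once the edits above are done; every line it prints is something that would have prevented the next boot from reaching the unlock prompt.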
Encrypt the partition - On a separate computer
Power off your Raspberry Pi and plug the SD card into a Linux-based computer. In my case the SD card is /dev/sdc.
Backup your original FS
sudo apt-get install cryptsetup
sudo dd if=/dev/sdc2 of=/tmp/raspbian-plain.img bs=4M
sudo e2fsck -f /tmp/raspbian-plain.img
sudo resize2fs -M /tmp/raspbian-plain.img
Encrypt the partition
sudo cryptsetup -v -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sdc2
sudo cryptsetup -v luksOpen /dev/sdc2 sdcard
aes-cbc-essiv:sha256 is the cipher this tutorial was written with; current cryptsetup releases default to aes-xts-plain64 for LUKS, and on a fresh setup there is no reason to ask for the older CBC mode explicitly.
Restore your FS
sudo dd if=/tmp/raspbian-plain.img of=/dev/mapper/sdcard bs=4M
sudo e2fsck /dev/mapper/sdcard
sudo resize2fs /dev/mapper/sdcard
Unmount all
sudo umount /tmp/pi_boot /tmp/pi_root
sudo cryptsetup luksClose sdcard
Boot your raspberry
After a few seconds, try to unlock your Raspberry Pi with this command and type your passphrase when prompted:
ssh -t -o UserKnownHostsFile=luks_known_hosts "root@192.168.x.x" -i ~/.ssh/id_rsa_rpi_dropbear "/lib/cryptsetup/askpass Pass: > /lib/cryptsetup/passfifo"
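The separate known_hosts file in that command matters: the initramfs dropbear and the normal sshd of the booted system answer on the same address with different host keys, so a shared ~/.ssh/known_hosts would flag a key mismatch on every boot, and the habit of clicking through that warning is exactly what lets a spoofed unlock prompt collect the passphrase. The wrapper below is an added example, not part of the original tutorial: it waits for dropbear to listen, refuses to send anything unless the dropbear key is pinned in its own file, and then runs the same ssh command as above with strict host key checking. PI_HOST, PI_KEY and PI_KNOWN_HOSTS are assumed environment variables with placeholder defaults, the pinned file is assumed to hold plain (unhashed) host entries, and nc is assumed to be installed for the port probe.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: wrapper around the final
# unlock step. PI_HOST, PI_KEY and PI_KNOWN_HOSTS are assumptions with
# placeholder defaults; nc is assumed to be installed for the port probe.

PI_HOST="${PI_HOST:-192.168.x.x}"                        # placeholder address
PI_KEY="${PI_KEY:-$HOME/.ssh/id_rsa_rpi_dropbear}"
PI_KNOWN_HOSTS="${PI_KNOWN_HOSTS:-$HOME/.ssh/luks_known_hosts}"

# The initramfs dropbear and the booted system's sshd answer on the same
# address with different host keys, so the dropbear key lives in its own file.
# Returns 0 when FILE holds exactly one unhashed entry for HOST (an entry whose
# comma-separated host list contains HOST counts), 1 otherwise.
known_host_pinned() {
    file="$1"; host="$2"
    [ -r "$file" ] || return 1
    n=$(awk -v h="$host" '
        $1 !~ /^#/ { k = split($1, a, ","); for (i = 1; i <= k; i++) if (a[i] == h) c++ }
        END { print c + 0 }' "$file")
    [ "$n" -eq 1 ]
}

# Poll TCP port 22 every 2 s until dropbear answers or TRIES runs out.
wait_for_dropbear() {
    tries="${1:-30}"
    while [ "$tries" -gt 0 ]; do
        nc -z -w 2 "$PI_HOST" 22 2>/dev/null && return 0
        tries=$((tries - 1))
        sleep 2
    done
    return 1
}

unlock_pi() {
    if ! known_host_pinned "$PI_KNOWN_HOSTS" "$PI_HOST"; then
        echo "no single pinned host key for $PI_HOST in $PI_KNOWN_HOSTS;" \
             "on the first boot connect once by hand, compare the fingerprint" \
             "with the one shown on the Pi's console, and let ssh store it there" >&2
        return 1
    fi
    # Same command as the tutorial, with strict host key checking against the
    # pinned key so a changed initramfs key is refused instead of accepted.
    ssh -t -o "UserKnownHostsFile=$PI_KNOWN_HOSTS" -o StrictHostKeyChecking=yes \
        -i "$PI_KEY" "root@$PI_HOST" \
        "/lib/cryptsetup/askpass Pass: > /lib/cryptsetup/passfifo"
}

if [ "${1:-}" = "--run" ]; then
    wait_for_dropbear 30 || { echo "dropbear on $PI_HOST did not answer" >&2; exit 1; }
    unlock_pi
fi
```

Use it as `PI_HOST=192.168.1.10 sh unlock.sh --run` right after powering the Pi on; the first boot is done by hand so the fingerprint is checked once and stored, and from then on a different key at that address is a reason to stop, not to retype the passphrase.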