Encrypting RaspberryPI root partition
This describes how to encrypt the root partition of an already installed Arch Linux running on a Raspberry Pi. I assume that Arch Linux is already installed on the SD card and that the Pi boots correctly.
Tested on:
- Kernel 4.1.6 (it may not work with a much older kernel)
- Raspberry model B revision 2
Creating initrd
It is best to start with the actions that need to be done on the Raspberry itself. We need to install mkinitcpio and create the initramfs file.
pacman -S mkinitcpio
cp /etc/mkinitcpio.conf ~/mkinitcpio.ripi.conf
vi ~/mkinitcpio.ripi.conf
Make sure that in the configuration file the MODULES and HOOKS variables are set as below:
MODULES="dm_mod hid usbhid usbcore"
HOOKS="base udev autodetect modconf block filesystems keyboard encrypt fsck"
In MODULES the most important entry is dm_mod, and in HOOKS it is encrypt. The order in HOOKS also matters (keyboard must precede encrypt so that the passphrase prompt can read the keyboard). Once done, generate the new initramfs:
mkinitcpio -k `uname -r` -c ~/mkinitcpio.ripi.conf -g /boot/initrd-crypt
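Before generating the initramfs it is worth checking the config mechanically, because a missing dm_mod or a misordered hook only shows up as a failed boot on the Pi. The script below is an added example, not part of the original post: it parses a mkinitcpio.conf-style file (the post's ~/mkinitcpio.ripi.conf, or any other) and verifies that dm_mod is in MODULES, that encrypt is in HOOKS, and that keyboard precedes encrypt. The two configs it writes to a temp dir are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check a mkinitcpio config
# such as ~/mkinitcpio.ripi.conf before generating the initramfs. It verifies
# that MODULES contains dm_mod, that HOOKS contains encrypt, and that keyboard
# precedes encrypt in HOOKS (otherwise the passphrase prompt may not see the
# keyboard). The two configs written below are constructed for the demo.

# conf_value FILE VAR: value of a VAR="..." or VAR=(...) line, quotes stripped
conf_value() {
    sed -n "s/^$2=[\"(]*\([^\")]*\)[\")]*\$/\1/p" "$1" | tail -n 1
}

# word_index WORD LIST...: 1-based position of WORD in LIST, 0 if absent
word_index() {
    needle=$1; shift; i=0
    for w in "$@"; do
        i=$((i + 1))
        if [ "$w" = "$needle" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# check_mkinitcpio_conf FILE: returns 0 if all checks pass, 1 otherwise
check_mkinitcpio_conf() {
    modules=$(conf_value "$1" MODULES)
    hooks=$(conf_value "$1" HOOKS)
    rc=0
    # $modules and $hooks are left unquoted on purpose: split into words
    if [ "$(word_index dm_mod $modules)" -eq 0 ]; then
        echo "MODULES lacks dm_mod (device-mapper is needed to open the LUKS volume)"; rc=1
    fi
    enc=$(word_index encrypt $hooks)
    kbd=$(word_index keyboard $hooks)
    if [ "$enc" -eq 0 ]; then
        echo "HOOKS lacks encrypt"; rc=1
    elif [ "$kbd" -eq 0 ] || [ "$kbd" -gt "$enc" ]; then
        echo "HOOKS: keyboard must come before encrypt"; rc=1
    fi
    return $rc
}

# Demo on two constructed configs (written to a temp dir, not your real file)
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
MODULES="dm_mod hid usbhid usbcore"
HOOKS="base udev autodetect modconf block filesystems keyboard encrypt fsck"
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
MODULES="hid usbhid usbcore"
HOOKS="base udev autodetect modconf block filesystems encrypt keyboard fsck"
EOF
for f in good bad; do
    if check_mkinitcpio_conf "$demo_dir/$f.conf"; then
        echo "$f.conf: OK"
    else
        echo "$f.conf: fix before running mkinitcpio"
    fi
done
```

To check the real file, call check_mkinitcpio_conf ~/mkinitcpio.ripi.conf; a non-zero exit means mkinitcpio would produce an initramfs that cannot unlock the root volume or cannot read the passphrase.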
Creating encrypted volume
This must be done on a PC. Insert the SD card, mount the root partition and copy its content to a temporary location. Don't forget the trailing / on the directory you pass to rsync as the source (temporary_location below); it is important, because it makes rsync copy the directory's contents rather than the directory itself.
mount /dev/mmcblk0p2 /media
mkdir /temporary_location
rsync --progress -axv /media/ /temporary_location/
The next step is to create the encrypted volume, format it and copy the root partition content back:
cryptsetup luksFormat /dev/mmcblk0p2
cryptsetup luksOpen /dev/mmcblk0p2 root-raspberry
mkfs.ext4 /dev/mapper/root-raspberry
mount /dev/mapper/root-raspberry /mnt
rsync --progress -axv /temporary_location/ /mnt
Modifications to /mnt/etc/fstab, /mnt/boot/config.txt and /mnt/boot/cmdline.txt
Watch out here: many sources on the internet say that you need to specify an address at which the initramfs is loaded (something like initramfs initrd-crypt 0x0a000000 in config.txt). This doesn't work with kernel 4.1. It is enough to specify the name of the initramfs file in config.txt and cmdline.txt.
/mnt/etc/fstab: change the device that is mounted on /. The file must have the following entry (remove the existing entry that starts with /dev/mmcblk0p2):
/dev/mapper/root / ext4 defaults,discard,commit=120 0 1
/mnt/boot/config.txt: set the initramfs. This file needs to have the following line:
initramfs initrd-crypt
/mnt/boot/cmdline.txt: add the following kernel command line arguments:
cryptdevice=/dev/mmcblk0p2:root:allow-discards root=/dev/mapper/root rootwait rootfstype=ext4 initrd=initrd-crypt
Unmount and close the crypto device:
sync
umount /mnt
cryptsetup luksClose root-raspberry
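The three files above have to agree with each other: the mapper name in cryptdevice= must be the one root= and fstab refer to, and the initramfs named in config.txt must exist and match initrd=. A slip here (for example reusing the root-raspberry name chosen on the PC in root=) leaves an unbootable card, so it pays to check before unmounting. The script below is an added example, not from the original post: it parses the three files and reports inconsistencies. The directory trees it builds under a temp dir are constructed for the demo; on the real card run check_boot_config /mnt/boot /mnt/etc.

```sh
#!/bin/sh
# Added example, not from the original post: cross-check cmdline.txt,
# config.txt and fstab before unmounting. It reads cryptdevice=, root= and
# initrd= from cmdline.txt, the initramfs line from config.txt and the / entry
# from fstab, and reports mismatches such as root= naming a mapper device that
# cryptdevice= will never create. The sample trees are constructed for the demo.

# cmdline_param FILE KEY: value of KEY=... on the kernel command line, empty if absent
cmdline_param() {
    tr ' ' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# fstab_root_device FILE: device field of the (non-comment) line mounted on /
fstab_root_device() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$1" | head -n 1
}

# config_initramfs FILE: file name given on the initramfs line of config.txt
config_initramfs() {
    awk '$1 == "initramfs" { print $2 }' "$1" | head -n 1
}

# check_boot_config BOOTDIR ETCDIR: returns 0 if consistent, 1 otherwise
check_boot_config() {
    cmdline=$1/cmdline.txt
    rc=0
    cryptdev=$(cmdline_param "$cmdline" cryptdevice)   # e.g. /dev/mmcblk0p2:root:allow-discards
    rootdev=$(cmdline_param "$cmdline" root)           # e.g. /dev/mapper/root
    initrd=$(cmdline_param "$cmdline" initrd)
    mapper=$(printf '%s\n' "$cryptdev" | cut -d: -f2)  # name the encrypt hook will create
    if [ -z "$cryptdev" ]; then
        echo "cmdline.txt: no cryptdevice= parameter"; rc=1
    elif [ "$rootdev" != "/dev/mapper/$mapper" ]; then
        echo "cmdline.txt: root=$rootdev but cryptdevice= maps to /dev/mapper/$mapper"; rc=1
    fi
    fsroot=$(fstab_root_device "$2/fstab")
    if [ "$fsroot" != "$rootdev" ]; then
        echo "fstab: / is on $fsroot but kernel root= is $rootdev"; rc=1
    fi
    initramfs=$(config_initramfs "$1/config.txt")
    if [ -z "$initramfs" ]; then
        echo "config.txt: no initramfs line"; rc=1
    elif [ ! -f "$1/$initramfs" ]; then
        echo "config.txt names $initramfs but $1/$initramfs does not exist"; rc=1
    elif [ -n "$initrd" ] && [ "$initrd" != "$initramfs" ]; then
        echo "config.txt loads $initramfs but cmdline.txt says initrd=$initrd"; rc=1
    fi
    return $rc
}

# Demo: the post's file contents, plus a variant with a plausible slip
demo=$(mktemp -d)
for v in good bad; do
    mkdir -p "$demo/$v/boot" "$demo/$v/etc"
    printf 'initramfs initrd-crypt\n' > "$demo/$v/boot/config.txt"
    : > "$demo/$v/boot/initrd-crypt"   # stands in for the generated initramfs
    printf '/dev/mapper/root / ext4 defaults,discard,commit=120 0 1\n' > "$demo/$v/etc/fstab"
done
printf '%s\n' 'cryptdevice=/dev/mmcblk0p2:root:allow-discards root=/dev/mapper/root rootwait rootfstype=ext4 initrd=initrd-crypt' > "$demo/good/boot/cmdline.txt"
# root= reuses the mapper name chosen on the PC, which the boot-time encrypt hook never creates
printf '%s\n' 'cryptdevice=/dev/mmcblk0p2:root:allow-discards root=/dev/mapper/root-raspberry rootwait rootfstype=ext4 initrd=initrd-crypt' > "$demo/bad/boot/cmdline.txt"
for v in good bad; do
    if check_boot_config "$demo/$v/boot" "$demo/$v/etc"; then
        echo "$v: consistent"
    else
        echo "$v: fix before unmounting"
    fi
done
```

The check expects fstab to reference the mapper path as the post does; if you use UUID= in fstab instead, the fstab comparison will report a mismatch that you can ignore.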
Now you can put the SD card back into the Raspberry and boot it. It should ask for the password while booting.
Password on USB key
The Raspberry can also read the password directly from a file on a USB key while booting. To do this, create a file with the password (the USB key partition is mounted at /mnt/sdb1 here) and add it as a LUKS key:
# 4 KiB of random key material; without bs/count dd would keep writing until the USB key is full
dd if=/dev/urandom of=/mnt/sdb1/ripi.txt bs=512 count=8
cryptsetup luksAddKey /dev/mmcblk0p2 /mnt/sdb1/ripi.txt
And add the following entry to cmdline.txt:
cryptkey=/dev/disk/by-uuid/ABCD-EFGH:vfat:/ripi.txt
where the value ABCD-EFGH is obtained by running blkid on the USB key partition that contains the password:
blkid /dev/sdb1
/dev/sdb1: UUID="ABCD-EFGH" TYPE="vfat"
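Two details are easy to get wrong when adding the cryptkey= entry by hand: the UUID must be copied exactly from blkid, and cmdline.txt must stay a single line, because the kernel reads only the first one. The script below is an added example, not from the original post: it extracts the UUID from a blkid line, builds the cryptkey= spec in the device:fstype:path form the encrypt hook expects, and adds it to cmdline.txt by replacing any existing cryptkey= rather than appending a second line. The blkid line and the cmdline content are constructed for the demo; the key file name /ripi.txt and fstype vfat follow the post.

```sh
#!/bin/sh
# Added example, not from the original post: build the cryptkey= entry from
# blkid output and add it to cmdline.txt without breaking the file's
# single-line format. The blkid line, the cmdline content and the temp file
# are constructed for the demo.

# blkid_uuid LINE: value of UUID="..." from one line of blkid output
# (the leading whitespace in the pattern keeps PARTUUID="..." from matching)
blkid_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p'
}

# cryptkey_param UUID FSTYPE PATH: the device:fstype:path spec the encrypt hook expects
cryptkey_param() {
    printf 'cryptkey=/dev/disk/by-uuid/%s:%s:%s\n' "$1" "$2" "$3"
}

# set_cmdline_param FILE KEY=VALUE: replace an existing KEY= or append it, keeping one line
set_cmdline_param() {
    key=${2%%=*}
    kept=$(tr -d '\n' < "$1" | tr -s ' ' '\n' | grep -v "^$key=" | tr '\n' ' ')
    printf '%s%s\n' "$kept" "$2" > "$1"
}

# Demo
demo=$(mktemp -d)
printf '%s\n' 'cryptdevice=/dev/mmcblk0p2:root:allow-discards root=/dev/mapper/root rootwait rootfstype=ext4 initrd=initrd-crypt' > "$demo/cmdline.txt"
blkid_line='/dev/sdb1: UUID="ABCD-EFGH" TYPE="vfat"'   # constructed, like the post's blkid output
uuid=$(blkid_uuid "$blkid_line")
set_cmdline_param "$demo/cmdline.txt" "$(cryptkey_param "$uuid" vfat /ripi.txt)"
cat "$demo/cmdline.txt"
```

On the real card, replace the constructed blkid line with the output of blkid /dev/sdb1 and the temp file with /mnt/boot/cmdline.txt.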
Interesting links
- https://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
- https://outflux.net/blog/archives/2017/08/30/grub-and-luks/