
Raspberry Pi Encrypt Root Partition Tutorial

NicoHood edited this page Sep 3, 2016 · 1 revision

This tutorial describes how to encrypt the root partition of a Raspberry Pi. It works on an already set-up system: the existing root filesystem is backed up, the partition is replaced by a LUKS container with ext4 inside, and the backup is restored into it. Back up your data completely before you try this. Afterwards the passphrase has to be entered at every boot, as on an encrypted Ubuntu install for example.

Attention! After every kernel update, regenerate the initramfs (sudo mkinitramfs -o /boot/initramfs.gz) before you reboot, or the next boot will fail: the initramfs only contains the modules of the kernel it was built against.

# Install luks dependencies
sudo apt-get update
sudo apt-get install cryptsetup lvm2 busybox
sudo reboot

# Add to config.txt so the firmware loads the initramfs right after the kernel
sudo nano /boot/config.txt
initramfs initramfs.gz followkernel

# Change root= in cmdline.txt to the mapped device and add the cryptdevice entry.
# The name after /dev/mapper/ must match the first field of /etc/crypttab below;
# Debian's initramfs-tools takes the name/source mapping from crypttab.
sudo nano /boot/cmdline.txt
root=/dev/mapper/crypt cryptdevice=/dev/mmcblk0p2:crypt

# Change in fstab
sudo nano /etc/fstab
/dev/mapper/crypt  /               ext4    defaults,noatime  0       1

# Add to crypttab (use tabs, not spaces!)
# fields: name  source device  keyfile ("none" = ask at boot)  options
sudo nano /etc/crypttab
crypt   /dev/mmcblk0p2   none   luks

# Create a fake LUKS device so that the initramfs hook includes cryptsetup.
# The cryptsetup hook only copies cryptsetup into the image when the root device
# named in fstab (/dev/mapper/crypt) is an open dm-crypt mapping, and the real
# root is still unencrypted at this point, so the mapping is faked here.
# (Alternatively, CRYPTSETUP=y in /etc/initramfs-tools/conf-hooks.d/cryptsetup
# forces inclusion.) "YES" and the two passphrase lines are the interactive
# answers to luksFormat, not commands; the passphrase of this throwaway image
# does not matter.
dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
sudo cryptsetup luksFormat /tmp/fakeroot.img
YES password password
sudo cryptsetup luksOpen /tmp/fakeroot.img crypt
sudo mkfs.ext4 /dev/mapper/crypt

# Create the initramfs. Check for warnings and make sure cryptsetup is included:
# the grep must list the cryptsetup binary (sbin/cryptsetup), not just scripts.
sudo mkinitramfs -o /boot/initramfs.gz
lsinitramfs /boot/initramfs.gz | grep cryptsetup

# Shut down the Raspberry Pi and plug the SD card into your Linux PC
sudo init 0

# Mount the 2nd partition on your PC and back up its contents.
# --one-file-system keeps tar out of anything mounted below the root,
# --numeric-owner stores raw UIDs/GIDs (the PC's user names differ from the Pi's),
# and the trailing "." is the source to archive, relative to the -C directory.
# /media/user/sdcardroot is wherever the PC mounted the partition; adjust the path.
# TODO check if a raw copy of the filesystem also works (see last link below)
sudo tar -czpf rpibackup.tar.gz --one-file-system --numeric-owner -C /media/user/sdcardroot/ .

# Open the gnome disks utility and delete the 2nd partition.
# Create a new luks + ext4 partition in the old space named "crypt"

# Mount the new encrypted partition and restore the backup. --numeric-owner keeps
# the Pi's UIDs/GIDs instead of remapping them by user name on the PC.
sudo tar -xpf rpibackup.tar.gz --numeric-owner -C /media/user/crypt/
sync
# Unmount and close the LUKS device cleanly before removing the card

# Boot your Raspberry Pi and enter the passphrase at the prompt on the console
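Before pulling the card it is worth cross-checking that the four files edited above agree with each other, because a mismatch between them is the usual reason the first boot drops to the initramfs shell. The script below is an added example written for this page, not code from the original tutorial: check_cryptroot_config takes the boot partition and the root filesystem as directories and verifies that crypttab's mapping name is what root= in cmdline.txt and the "/" entry in fstab refer to, that root= no longer names the raw partition, and that config.txt loads an initramfs image that actually exists; initramfs_has_cryptsetup runs the lsinitramfs check from above against an image. The function names, the mount-point paths in the comments and the file contents built by make_sample_tree are assumptions made for the example (make_sample_tree constructs a throwaway copy of this tutorial's finished layout so the check can be run without a Pi).

```sh
#!/bin/sh
# Added example: cross-check the files this tutorial edits.
#   check_cryptroot_config BOOTDIR ROOTDIR  -> 0 if consistent, 1 otherwise (one line per problem)
#   initramfs_has_cryptsetup IMAGE          -> 0 if lsinitramfs lists the cryptsetup binary
# On the Pi:            check_cryptroot_config /boot /
# Card in a PC:         check_cryptroot_config /media/user/sdcardboot /media/user/crypt
# (mount points are placeholders)

check_cryptroot_config() {
    boot="$1"
    root="$2"
    rc=0

    # First usable crypttab entry: <name> <source> <keyfile> <options>
    entry=$(awk '!/^[[:space:]]*#/ && NF >= 4 { print $1, $2, $4; exit }' "$root/etc/crypttab")
    if [ -z "$entry" ]; then
        echo "crypttab: no usable entry (need: name source keyfile options)"
        return 1
    fi
    set -- $entry
    name="$1"; src="$2"; opts="$3"
    case ",$opts," in
        *,luks,*) ;;
        *) echo "crypttab: options for $name lack 'luks'"; rc=1 ;;
    esac

    # config.txt must load an initramfs, and the named image must exist beside it
    img=$(awk '$1 == "initramfs" { print $2; exit }' "$boot/config.txt")
    if [ -z "$img" ]; then
        echo "config.txt: no 'initramfs <image> followkernel' line"; rc=1
    elif [ ! -f "$boot/$img" ]; then
        echo "config.txt: $img is listed but $boot/$img does not exist"; rc=1
    fi

    # The kernel must be handed the mapped device, never the raw partition
    if ! grep -Eq "(^| )root=/dev/mapper/$name( |$)" "$boot/cmdline.txt"; then
        echo "cmdline.txt: root= is not /dev/mapper/$name"; rc=1
    fi
    if grep -Eq "(^| )root=$src( |$)" "$boot/cmdline.txt"; then
        echo "cmdline.txt: root= still points at the raw partition $src"; rc=1
    fi

    # fstab's '/' entry must mount the same mapped device
    fsroot=$(awk '!/^[[:space:]]*#/ && $2 == "/" { print $1; exit }' "$root/etc/fstab")
    if [ "$fsroot" != "/dev/mapper/$name" ]; then
        echo "fstab: '/' is '$fsroot', expected /dev/mapper/$name"; rc=1
    fi

    return "$rc"
}

# Same check as "lsinitramfs ... | grep cryptsetup" above, but only accepts the binary
initramfs_has_cryptsetup() {
    if ! command -v lsinitramfs >/dev/null 2>&1; then
        echo "lsinitramfs not installed; cannot inspect $1"
        return 2
    fi
    lsinitramfs "$1" | grep -q 'sbin/cryptsetup$'
}

# Constructed sample of the finished layout from this tutorial (not a real SD card).
# Prints the temporary directory; BOOTDIR is $d/boot and ROOTDIR is $d.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/boot" "$d/etc"
    printf 'initramfs initramfs.gz followkernel\n' > "$d/boot/config.txt"
    printf 'console=tty1 root=/dev/mapper/crypt cryptdevice=/dev/mmcblk0p2:crypt rootfstype=ext4 rootwait\n' \
        > "$d/boot/cmdline.txt"
    printf 'proc /proc proc defaults 0 0\n/dev/mmcblk0p1 /boot vfat defaults 0 2\n' > "$d/etc/fstab"
    printf '/dev/mapper/crypt / ext4 defaults,noatime 0 1\n' >> "$d/etc/fstab"
    printf 'crypt\t/dev/mmcblk0p2\tnone\tluks\n' > "$d/etc/crypttab"
    : > "$d/boot/initramfs.gz"   # empty placeholder so the existence check passes
    echo "$d"
}

# Run directly with two arguments to check a real tree
if [ $# -eq 2 ]; then
    check_cryptroot_config "$1" "$2"
fi
```

Run it once on the Pi before the shutdown step (sh check.sh /boot /) and again on the PC after restoring the backup, pointing it at the two mounted partitions; a clean run prints nothing and exits 0. The lsinitramfs check is kept separate because the image cannot be inspected from a machine without initramfs-tools.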

Enter password via ssh

# Install a simple ssh server for the initramfs. On the release this was written
# for, dropbear's initramfs hook generates a dedicated root key pair and an
# authorized_keys file under /etc/initramfs-tools/root/.ssh/ when the image is
# built. Newer Debian/Raspbian releases ship the hook in a separate
# dropbear-initramfs package with its own configuration directory; check that
# package's README if the paths below do not exist.
sudo apt-get install dropbear
sudo mkinitramfs -o /boot/initramfs.gz

# Copy the generated private key to your Linux PC into a file "key" and
# protect it (chmod 600 key), otherwise ssh refuses to use it
sudo cat /etc/initramfs-tools/root/.ssh/id_rsa

# Restrict the key to a forced command: the ssh session runs the cryptroot script
# itself (so the passphrase prompt appears in your terminal), then kills the
# cryptroot instance still blocking on the local console so the boot continues.
# The key can do nothing else, which is what you want for a key stored on a PC.
sudo nano /etc/initramfs-tools/root/.ssh/authorized_keys
# Add before ssh-rsa (all one line, separated by a space!)
command="/scripts/local-top/cryptroot && kill -9 `ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3` && exit"

# Wait for USB devices to show up (on the Pi models of this era the Ethernet port
# hangs off USB), otherwise dropbear exits before the interface exists
sudo nano /usr/share/initramfs-tools/scripts/init-premount/dropbear
# Change the configure_networking call to the following
usbdelay=1
echo "Waiting $usbdelay seconds for USB to wake"
sleep $usbdelay
configure_networking &

# Regenerate initramfs
sudo mkinitramfs -o /boot/initramfs.gz

# Note the current IP
ifconfig
sudo reboot

# Try to ssh from another PC. Dropbear in the initramfs has its own host key,
# different from the booted system's sshd, so ssh will warn about a changed host
# key for the same address; keep a separate known_hosts for the unlock
# (-o UserKnownHostsFile=...) rather than disabling host key checking.
ssh root@192.168.178.100 -i key

Miscellaneous

If you want to auto-mount other encrypted disks you can now store their passphrases on the Raspberry Pi's root filesystem, since that filesystem is itself only readable after the root LUKS device has been unlocked (still keep the files mode 600 and owned by root). However, you will first get the error "error storing passphrase in keyring (the name org.freedesktop.secrets was not provided by any service files)". To solve this install:

sudo apt-get install gnome-keyring

Links
