Raspberry Pi Encrypt Root Partition Tutorial
This tutorial describes how to encrypt the root partition of a Raspberry Pi. It works on an already set up system. Back up your data completely before you try it. Afterwards the passphrase has to be entered at every boot, as on an encrypted Ubuntu install, for example.

Attention! If you update your kernel, regenerate the initramfs (`sudo mkinitramfs -o /boot/initramfs.gz`) or the next boot will fail: the firmware loads the old initramfs with the new kernel and its modules no longer match.
```sh
# Install LUKS dependencies
sudo apt-get update
sudo apt-get install cryptsetup lvm2 busybox
sudo reboot

# Add to config.txt so the firmware loads the initramfs after the kernel
sudo nano /boot/config.txt
initramfs initramfs.gz followkernel

# Change and add to cmdline.txt
sudo nano /boot/cmdline.txt
root=/dev/mapper/crypt cryptdevice=/dev/mmcblk0p2:crypt

# Change in fstab
sudo nano /etc/fstab
/dev/mapper/crypt / ext4 defaults,noatime 0 1

# Add to crypttab (use tabs, not spaces!)
sudo nano /etc/crypttab
crypt /dev/mmcblk0p2 none luks

# Create a fake LUKS container so that the cryptroot hook includes cryptsetup in the initramfs
dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
cryptsetup luksFormat /tmp/fakeroot.img
# answer YES, then type the passphrase twice
sudo cryptsetup luksOpen /tmp/fakeroot.img crypt
sudo mkfs.ext4 /dev/mapper/crypt

# Create the initramfs. Check for warnings and make sure cryptsetup is included!
sudo mkinitramfs -o /boot/initramfs.gz
lsinitramfs /boot/initramfs.gz | grep cryptsetup

# Shut down the Raspberry Pi and plug the SD card into your Linux PC
sudo init 0

# Mount the 2nd partition on your PC and back up the data
# TODO check if a raw copy of the filesystem also works (see last link below)
sudo tar -czf rpibackup.tar.gz --one-file-system -C /media/user/sdcardroot/ .

# Open the GNOME Disks utility and delete the 2nd partition.
# Create a new LUKS + ext4 partition in the old space named "crypt"

# Mount the new encrypted partition and restore the backup
sudo tar -xpzf rpibackup.tar.gz -C /media/user/crypt/
sync

# Boot your Raspberry Pi and enter the passphrase at boot
```

Two things to keep straight here. The name `crypt` must be the same in `root=/dev/mapper/crypt` (cmdline.txt), in the first column of crypttab and in fstab; a mismatch leaves the initramfs waiting for a device that never appears. Also note that Debian's initramfs-tools takes the LUKS mapping from the crypttab entry the cryptroot hook copies into the initramfs, not from the `cryptdevice=` argument (that syntax belongs to Arch's mkinitcpio), so `lsinitramfs ... | grep cryptsetup` showing the binary and the crypttab line being correct are the checks that matter.
Enter password via ssh
```sh
# Install a simple SSH server for the initramfs; installing it generates a dedicated key pair
sudo apt-get install dropbear
sudo mkinitramfs -o /boot/initramfs.gz

# Get the private key and save it on your Linux PC in a file "key" (then chmod 600 key, or ssh refuses it)
sudo cat /etc/initramfs-tools/root/.ssh/id_rsa

# Kill cryptroot before starting ssh
sudo nano /etc/initramfs-tools/root/.ssh/authorized_keys
# Add before ssh-rsa (all one line!)
command="/scripts/local-top/cryptroot && kill -9 `ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3` && exit"

# Wait for USB devices (ethernet) to show up, otherwise dropbear will exit
sudo nano /usr/share/initramfs-tools/scripts/init-premount/dropbear
# Change to the following
usbdelay=1
echo "Waiting $usbdelay seconds for USB to wake"
sleep $usbdelay
configure_networking &

# Regenerate initramfs
sudo mkinitramfs -o /boot/initramfs.gz

# Note the current IP
ifconfig
sudo reboot

# Try to ssh from another PC (the initramfs user is root)
ssh -i key root@<ip noted above>
```

The `command="..."` prefix does two jobs: it forces the key to run the unlock prompt instead of giving whoever holds it an interactive root shell in the initramfs, and it kills the `cryptroot` instance still blocking on the console so the boot continues once the passphrase has been accepted. The `cut -d ' ' -f 3` part depends on how busybox `ps` pads the PID column, so run `ps | grep cryptroot` once interactively and adjust the field index if the PID is not in that column. Treat the `key` file as a root credential for the Pi: it is the same as the console passphrase prompt.
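Because the most common failure in the two procedures above is a silent mismatch (mapper name differing between cmdline.txt, crypttab and fstab, an initramfs that no longer carries cryptsetup, an initramfs older than the kernel, or an unlock key in `authorized_keys` that was added without the `command=` restriction), here is a small POSIX shell checker that verifies all of these from copies of the files. It is an added example, not part of the original tutorial; the file paths are parameters so it can be run against a mounted SD card as well as on the live Pi, and the `lsinitramfs` output is read from a file you save beforehand.

```sh
#!/bin/sh
# Added example (not from the original tutorial): offline consistency checks for
# the files the tutorial edits. Assumption: the LUKS mapper name is whatever
# cmdline.txt names in root=/dev/mapper/NAME, and crypttab/fstab must agree.

# Print the mapper name from the root= argument in cmdline.txt (empty if none).
cmdline_root_mapper() {
    tr ' ' '\n' < "$1" | sed -n 's|^root=/dev/mapper/||p' | head -n 1
}

# Print the backing block device of the crypttab ($1) entry named $2.
crypttab_device_for() {
    awk -v name="$2" '$1 == name { print $2; exit }' "$1"
}

# Print the device that fstab ($1) mounts on /.
fstab_root_device() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# Succeed if config.txt tells the firmware to load an initramfs after the kernel.
config_loads_initramfs() {
    grep -q '^initramfs [^ ]* followkernel' "$1"
}

# Succeed if a saved "lsinitramfs /boot/initramfs.gz" listing ($1) contains cryptsetup.
listing_has_cryptsetup() {
    grep -q 'sbin/cryptsetup$' "$1"
}

# Succeed if the kernel image ($1) is newer than the initramfs ($2): the stale
# initramfs case the tutorial warns about after a kernel update.
initramfs_stale() {
    [ "$1" -nt "$2" ]
}

# Succeed if every key line in an initramfs authorized_keys file ($1) starts with
# a forced command, so the unlock key cannot open an interactive root shell.
authorized_keys_all_restricted() {
    ! grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | grep -qv '^command="'
}

# Cross-file checks. Arguments: config.txt cmdline.txt fstab crypttab.
# Prints one line per problem and fails if any was found.
check_boot_config() {
    config=$1; cmdline=$2; fstab=$3; crypttab=$4
    problems=0
    mapper=$(cmdline_root_mapper "$cmdline")
    if [ -z "$mapper" ]; then
        echo "cmdline.txt: root= does not point at /dev/mapper/<name>"
        problems=$((problems + 1))
    else
        if [ -z "$(crypttab_device_for "$crypttab" "$mapper")" ]; then
            echo "crypttab: no entry named '$mapper'"
            problems=$((problems + 1))
        fi
        if [ "$(fstab_root_device "$fstab")" != "/dev/mapper/$mapper" ]; then
            echo "fstab: / is not mounted from /dev/mapper/$mapper"
            problems=$((problems + 1))
        fi
    fi
    if ! config_loads_initramfs "$config"; then
        echo "config.txt: missing 'initramfs <file> followkernel' line"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

On the Pi the live call is `check_boot_config /boot/config.txt /boot/cmdline.txt /etc/fstab /etc/crypttab` followed by `initramfs_stale /boot/kernel7.img /boot/initramfs.gz` (substitute the kernel image your board actually boots) and `authorized_keys_all_restricted /etc/initramfs-tools/root/.ssh/authorized_keys`; against a mounted card, point the same functions at the files under the mount point.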
If you want to auto-mount other encrypted HDDs, you can now store their passphrases on the Raspberry Pi's root filesystem: with the root encrypted, a stored passphrase is only as exposed as the root key itself.

However, you will first get an error:

```
error storing passphrase in keyring (the name org.freedesktop.secrets was not provided by any service files).
```

To solve this, install the keyring daemon that provides that D-Bus service:

```sh
sudo apt-get install gnome-keyring
```