Encrypting both SD and external USB HD

Hi folks. Loving the Zymkey on Raspberry Pi 4s with Ubuntu Server. Curious as to whether there might be some way to use the zymkey bootstrapping scripts to encrypt the SD card as the root disk, and then also encrypt a couple external USB HDs as well, and all of them unlock during the Ubuntu Server boot process. I’d be happy to cut-n-paste-n-possibly-modify scripts as needed to get this done, if guided in the right direction.

The application is for a cost-effective linux video surveillance setup, and I’d love for the two external USB HDs to be encrypted to secure the actual surveillance footage from physical theft.

Thank you.

Leaving a follow up note that after a bit of wrangling it’s all sorted out.

Encrypted the SD, but sliced the mk_encr_sd_rfs.sh script just a tiny bit to save a backup of the key.bin as /root/key.bin instead of deleting it.

That /root/key.bin can be used to encrypt a fresh external USB HD. Piggyback the unlocking mechanism for the SD card during boot to also unlock the external USB HD (update /etc/crypttab and /etc/fstab as necessary). Make sure to shred that /root/key.bin if you want total security, or save it elsewhere offline (to your secure vault, etc.) if you ever need to decrypt the drives down the road without the Zymkey, etc.

Glad to hear that you got it working. Can you send a copy of your changes in mk_encr_sd_rfs.sh, /etc/crypttab, and /etc/fstab to support@zymbit.com? I’d like to review. We’ve had similar requests from other customers in the past.

Bob

Hey @Bob_of_Zymbit, sorry for the long forum absence here on my part. Dove into this then, and recently had to do a new system, and while my initial stab at this functionally worked on Ubuntu Server, I now see it as pretty insecure, and I'll describe why below.

Note my copy of mk_encr_sd_rfs.sh is outdated here by about 6 months, and I haven't checked the newest version of that via your online resources recently.

The partial mk_encr_sd_rfs.sh snippet is below, which dumps the key.bin into the will-be-encrypted /root folder, ignoring the wiping of that key entirely, etc.:

# Mount the boot partition in a safe place
mkdir -p /mnt/tmpboot
mount /dev/mmcblk0p1 /mnt/tmpboot || exit

## Backup the plaintext key now
echo -n "Backing up the key..."
cp /run/key.bin /root/key.bin.backup
cp /run/key.bin ${crfsvol}/root/key.bin.backup
echo "done."

### Remove the plaintext key now
## rm /run/key.bin

# Change fstab to no longer use the unencrypted root volume
echo -n "Configuring fstab..."
pushd ${crfsvol}/etc/
cp /etc/fstab .

Then I'd finish the normal SD card encryption, and with a blank external USB HD attached (in this example /dev/sda), run this from /root/ of the freshly encrypted and booted-up Pi:

$ mkdir /media/sec_hd_7t
$ cat key.bin.backup | cryptsetup -q -v luksFormat /dev/sda -
$ cat key.bin.backup | cryptsetup luksOpen /dev/sda sec_hd_7t --key-file=-
$ mkfs.ext4 -L "sec_hd_7t" -j /dev/mapper/sec_hd_7t -F
$ blkid /dev/sda
$ nano /etc/crypttab

That /etc/crypttab file would be edited to look something like this:

cryptrfs	/dev/mmcblk0p2	/etc/cryptroot/key.bin	luks,keyscript=/lib/cryptsetup/scripts/zk_get_key,tries=100,timeout=30s
sec_hd_7t  UUID=uuidgoes-here-xxxx-xxxx-xxxxxxxxxxxx  /root/key.bin.backup  luks

Then one more step of $ nano /etc/fstab would make that file look like:

#LABEL=writable	/	 ext4	defaults	0 0
LABEL=system-boot       /boot/firmware  vfat    defaults        0       1
# crypto root fs
/dev/mapper/cryptrfs /             ext4    defaults,noatime  0       1
/dev/mapper/sec_hd_7t /media/sec_hd_7t ext4 defaults 0 2

So this solution functionally decrypts the external USB HD on boot, using the /root/key.bin.backup file to do so, instead of the Zymkey itself. This process assumed a few things:

  • The initial boot process from power on to Ubuntu login is safe
  • The security model here is that anybody with Ubuntu login credentials is a trusted person, so /root/key.bin.backup is fine sitting there in the mounted /root/ dir
  • This really would only protect the SD card and USB HD from being decrypted after physical theft
  • The only way into the system is by cracking the Ubuntu login, which seems tough as fuck

However…! :stuck_out_tongue: It turns out the boot process is not safe. I'm actually now able to drop into /root/ during the boot process, after the SD card is mounted, but before the USB HD is mounted and before Ubuntu requires login (dropping to root without a password required), so this means storage of /root/key.bin.backup is no bueno any more. It can be seen during this drop-to-root-prompt process after SD boot decryption. It wasn't really great to begin with, but now that I can drop to a decrypted /root during the boot process without an Ubuntu login required, that's extra shitty.

So now I'm trying to figure out how to achieve a /etc/crypttab that looks more like this; however, as I unpack that /lib/cryptsetup/scripts/zk_get_key keyscript code a bit, that keyscript isn't available after an encrypted SD /root/ is mounted during boot (and good on you guys for getting that situated like that, I like that):

cryptrfs	/dev/mmcblk0p2	/etc/cryptroot/key.bin	luks,keyscript=/lib/cryptsetup/scripts/zk_get_key,tries=100,timeout=30s
sec_hd_7t  UUID=uuidgoes-here-xxxx-xxxx-xxxxxxxxxxxx  /etc/cryptroot/key.bin  luks,keyscript=/lib/cryptsetup/scripts/zk_get_key,tries=100,timeout=30s

My ending question here, @Bob_of_Zymbit, if there might be an answer available, is: what command, or series of commands, could I use to pipe the same content of /etc/cryptroot/key.bin during SD card decryption, after the SD /root is mounted, into the LUKS decryption process, so that I could then mount the USB external HD?

Thank you, Bob.

Tagging @Scott_of_Zymbit here as well.
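A small audit of the two crypttab layouts discussed above, as an added example that is not part of the original post or of Zymbit's tooling: it parses crypttab text and reports how each volume's key is supplied, so the first attempt (sec_hd_7t unlocked from /root/key.bin.backup on the already-decrypted root filesystem) is flagged, while entries that hand the work to a keyscript such as /lib/cryptsetup/scripts/zk_get_key are not. It relies only on the Debian crypttab convention that, when keyscript= is set, the third field is passed to the script as an argument rather than read as a key file.

```python
from dataclasses import dataclass, field

@dataclass
class CrypttabEntry:
    name: str
    source: str
    key: str
    options: dict = field(default_factory=dict)

def parse_crypttab(text):
    """Parse crypttab text: whitespace-separated fields, '#' comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        key = fields[2] if len(fields) > 2 else "none"  # key field is optional
        opts = {}
        for opt in (fields[3].split(",") if len(fields) > 3 else []):
            k, sep, v = opt.partition("=")
            opts[k] = v if sep else True  # flag options such as 'luks' have no value
        entries.append(CrypttabEntry(fields[0], fields[1], key, opts))
    return entries

def key_source(entry):
    """'prompt' (interactive passphrase), 'keyscript' (a script such as zk_get_key
    emits the key at boot; the key field is only its argument) or 'plaintext-file'."""
    if "keyscript" in entry.options:
        return "keyscript"
    if entry.key in ("none", "-"):
        return "prompt"
    return "plaintext-file"

def audit_crypttab(text):
    """Return {volume: key source} plus findings for volumes unlocked from a file on disk."""
    entries = parse_crypttab(text)
    sources = {e.name: key_source(e) for e in entries}
    findings = [f"{e.name}: plaintext key {e.key} unlocks {e.source}"
                for e in entries if sources[e.name] == "plaintext-file"]
    return sources, findings

# Constructed sample: the thread's first crypttab (SD via Zymkey keyscript, USB HD via a key file in /root).
INSECURE_CRYPTTAB = """\
cryptrfs\t/dev/mmcblk0p2\t/etc/cryptroot/key.bin\tluks,keyscript=/lib/cryptsetup/scripts/zk_get_key,tries=100,timeout=30s
sec_hd_7t  UUID=uuidgoes-here-xxxx-xxxx-xxxxxxxxxxxx  /root/key.bin.backup  luks
"""
```

Running `audit_crypttab(INSECURE_CRYPTTAB)` reports sec_hd_7t as the only volume unlocked from a plaintext key file; the revised crypttab with keyscript= on both lines produces no findings.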

After a few more days of occasional whack-a-mole, I've got this one figured out as well. Able to mount the 2nd external USB drive via /lib/cryptsetup/scripts/zk_get_key during the boot process (removed the /root/key.bin.backup entirely). Will post the updates here next week-ish.

@sudobasher I’ve reached the same conclusion as you but can’t figure out how to get the key from zk_get_key during the boot process. You say you figured it out but I can’t see a post with the solution? Are you able to update on how you did it? Many thanks!

For those looking for a potential solution, this is how I've resolved the issue: Part 2: Are you feeling LUKy? Mounting an encrypted external drive using the Zymkey - Cross Connected