Encrypting Your Root File System on RASPBERRY PI - using LUKS & dm-crypt

I’m using Stretch (Raspbian v9).

After several restores I’m able to run the script without bricking it, but phase 2 never starts. It keeps rebooting back into the SD card with the Zymbit flashing quickly as if it were not paired, which makes sense since the script stops zkifc from running.

Any way to get this working?

It sounds like you are running NOOBS. If that’s true, we’ve had issues with other customers who have tried to get encrypted volumes running on NOOBS-configured SD cards. Since we have only tested this script on the non-NOOBS images (e.g. Raspbian Buster Lite or Desktop), we have recommended that our customers use those images. This step has always solved their problems.

That was it - it worked when running the scripts with only 2 partitions and not the 7 that NOOBS uses.

Cheers

Hi all,

My Zymbit seems to be unstable. I don’t know why. Sometimes the blink is like before binding, sometimes the blink is OK and in the bound condition (blink every 3 seconds).

Is it because the power voltage goes under 4.75V? Because the red LED on my RPi stops blinking.

I tried the SD encryption but it failed: Zymbit not found.

I hope I can get some help.

saufy

@msaufyrohmad

Yes it sounds like power could be the cause of your problems. Let me explain:

  1. If the red LED on the Pi is blinking, or not illuminated, then your Pi is likely not getting enough power and you will need a better power supply (“better” meaning more power capacity). Learn About Power Quality on Pi

  2. During encryption, the Pi generally consumes a lot of power (it’s compute-intensive to initially encrypt the file system). If the power quality is poor, then the Pi can behave in ways that will slow or completely stall the encryption process:

a) when power quality is marginal, the Pi can reduce its clock speed to reduce power consumption; this slows the encryption process dramatically

b) when power quality is poor, the Pi can reset, breaking the encryption process entirely.

Try a better power supply, it will likely fix your issues.

Hi Phil,

Yes. I bought a new adaptor and the process progressed (around 40 minutes). I took the second option, to convert the external drive to a LUKS drive.
I rebooted, but it hangs at initramfs.

cryptsetup: WARNING: cryptfs: ignoring unknown option 'timeout'
UUID:xxxxxxxxxx

I removed the USB drive and the same thing happens.

Help me. Thanks.

saufy

Hi,

I’ve been testing disk encryption using a Zymkey 4i with a Raspberry Pi 4B and Ubuntu 18.04.4 64-bit. There are a couple of differences in the boot process for Ubuntu that prevented the current scripts from working as is.

  • Ubuntu doesn’t store the kernel command line string in cmdline.txt. Instead, the script needs to check the cmdline option in config.txt to get the correct file. Affects both mk_encr_sd_rfs.sh and mk_encr_ext_rfs.sh.

  • Ubuntu hangs during boot up when using root=PARTUUID in the kernel command line, however will boot ok when using UUID. Affects mk_encr_sd_rfs.sh.

Below are modified versions of the scripts that implement changes for these issues:

mk_encr_sd_rfs.sh
mk_encr_ext_rfs.sh
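As an added example (not part of the post above, and not the Zymbit or modified scripts themselves), the two fixes described can be expressed as a small POSIX shell helper: find the file that actually carries the kernel command line by honouring the firmware's documented `cmdline=<file>` option in config.txt, falling back to cmdline.txt when it is absent, then rewrite `root=` to a `UUID=` specifier. The sample boot directories, file names (`nobtcmd.txt`) and IDs below are constructed for the demonstration; conditional `[pi4]`/`[all]` filter sections in config.txt are not evaluated, the last `cmdline=` line simply wins.

```shell
#!/bin/sh
# Added example, not the Zymbit scripts: locate the kernel command line file on
# a Pi boot partition and switch root= to a UUID= specifier.
# Assumption: config.txt may carry "cmdline=<file>" (a documented Raspberry Pi
# firmware option); conditional filter sections are ignored, last match wins.

# Print the path of the kernel command line file under boot dir $1.
cmdline_file() {
    bootdir=$1
    alt=$(sed -n 's/^[[:space:]]*cmdline=[[:space:]]*//p' "$bootdir/config.txt" 2>/dev/null | tail -n 1)
    if [ -n "$alt" ]; then
        printf '%s/%s\n' "$bootdir" "$alt"
    else
        printf '%s/cmdline.txt\n' "$bootdir"
    fi
}

# Print the current root= specifier (e.g. "PARTUUID=8ce5d40e-02") from the
# command line stored under boot dir $1, or nothing if root= is absent.
root_spec() {
    tr ' ' '\n' < "$(cmdline_file "$1")" | sed -n 's/^root=//p' | head -n 1
}

# Rewrite the command line under boot dir $1 so that root=UUID=$2.
# A backup of the original file is kept next to it as <file>.bak.
set_root_uuid() {
    f=$(cmdline_file "$1")
    uuid=$2
    cp "$f" "$f.bak"
    sed "s/root=[^ ]*/root=UUID=$uuid/" "$f.bak" > "$f"
}

# Constructed sample boot partitions (made-up contents, for demonstration).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/ubuntu" "$SAMPLE/raspbian"
# Ubuntu-style layout: config.txt points at an alternate command line file.
printf 'arm_64bit=1\ncmdline=nobtcmd.txt\n' > "$SAMPLE/ubuntu/config.txt"
printf 'console=tty1 root=PARTUUID=8ce5d40e-02 rootfstype=ext4 rootwait\n' > "$SAMPLE/ubuntu/nobtcmd.txt"
# Raspbian-style layout: no cmdline= option, so cmdline.txt is used.
printf 'dtparam=audio=on\n' > "$SAMPLE/raspbian/config.txt"
printf 'console=tty1 root=PARTUUID=8ce5d40e-02 rootfstype=ext4 rootwait\n' > "$SAMPLE/raspbian/cmdline.txt"

# Apply the UUID fix to the Ubuntu sample only (made-up UUID).
set_root_uuid "$SAMPLE/ubuntu" 84b87adb-f83d-4c19-a725-3309c5a70752

echo "ubuntu cmdline file: $(cmdline_file "$SAMPLE/ubuntu")"
echo "ubuntu root spec:    $(root_spec "$SAMPLE/ubuntu")"
echo "raspbian root spec:  $(root_spec "$SAMPLE/raspbian")"
```

On a real device you would point `set_root_uuid` at the mounted boot partition and obtain the UUID of the encrypted root's target device with `blkid -s UUID -o value /dev/<partition>`; keep the `.bak` file until the system has been seen to boot from the new command line.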

Where (which path) are the encrypted keys located in the boot partition? If I load the boot partition of the SD card on a computer, where would I find them?
If I understand correctly, the encrypted keys should be present somewhere in the boot partition, since the bootloader needs to present it to zymkey module to get the plaintext keys.

The encryption script makes an initrd for booting into the encrypted root file system. The encrypted LUKS key is stored in the initrd as well as the target root file system at /var/lib/zymbit.

@iesplin
Thanks for chasing that down!
I think that things may have changed internally with Bionic because the PARTUUID method was known to work in the early days. Just goes to show you how quickly the landscape of Linux development changes…

Anyway, we have tested your scripts on Ubuntu as well as Raspbian and have verified that things work. Your modifications are now available publicly.

Hello,

I managed to encrypt my / partition.
If I understood correctly, in case of loss of the Secure Element I could no longer decrypt the LUKS key.
Is it possible to recover this LUKS key in order to outsource it?

That is correct. It is not possible to recover the key, by design.

Hi
I am attempting for the first time to use option 1 to encrypt the SD card on my RPi3 running Raspbian. I used a 32 GB USB flash drive as the external drive. It took approx. 2.5 hours to run the first pass and then rebooted. I had VNC running and was using it at the time, so I hope this didn’t cause any issues. After the first reboot I could not log back in (VNC), so I rebooted again. Still not able to log in via VNC, I connected a screen and KB&M; now I see the splash screen static and a window saying “Waiting for SD card (setting partition)”. Not sure what I should be doing from here. The steps above only indicate a single step from the user, inputting one line into the terminal, so I assume everything should automate from there. Am I missing something? Should I have prepared the RPi in some way prior to running the command? The Zymbit module is flashing fast, by the way. Perhaps I have turned my SD card into a vegetable.

Edit:
So I have started over again, except with an image of Raspbian Buster on the SD (not NOOBS). Reading through the early comments here I see that NOOBS can be troublesome. Anyway, the process still took 2.5 hours for the 1st pass, but now the second pass is finished and the process looks to be successfully complete. The Zymkey is also flashing once every 3 secs.

Hi, I can’t get to phase 2. Here is all I see. Any idea?

root@raspberrypi:/home/pi# curl -G /mk_encr_sd_rfs.sh | sudo bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15428 100 15428 0 0 48062 0 --:--:-- --:--:-- --:--:-- 48062
No temporary volume name (/dev/…) specified. Defaulting to /dev/sda…
(‘Hit:’ lines removed because of post limitation.)
Reading package lists… Done
Reading package lists… Done
Building dependency tree
Reading state information… Done
rsync is already the newest version (3.1.3-6).
zksaapps is already the newest version (1.0-9).
The following package was automatically installed and is no longer required:
rpi-eeprom-images
Use ‘apt autoremove’ to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Stopping zkifc…done.
cp: cannot stat ‘/var/lib/zymbit/’: No such file or directory
cp: ‘/etc/hosts’ and ‘/mnt/tmproot/etc/hosts’ are the same file
cp: ‘/etc/hostname’ and ‘/mnt/tmproot/etc/hostname’ are the same file
cp: ‘/etc/ssh/ssh_host_dsa_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_dsa_key’ are the same file
cp: ‘/etc/ssh/ssh_host_dsa_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_dsa_key.pub’ are the same file
cp: ‘/etc/ssh/ssh_host_ecdsa_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ecdsa_key’ are the same file
cp: ‘/etc/ssh/ssh_host_ecdsa_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ecdsa_key.pub’ are the same file
cp: ‘/etc/ssh/ssh_host_ed25519_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ed25519_key’ are the same file
cp: ‘/etc/ssh/ssh_host_ed25519_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ed25519_key.pub’ are the same file
cp: ‘/etc/ssh/ssh_host_rsa_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_rsa_key’ are the same file
cp: ‘/etc/ssh/ssh_host_rsa_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_rsa_key.pub’ are the same file
External device PARTUUID = 8ce5d40e-01
External device UUID = 84b87adb-f83d-4c19-a725-3309c5a70752
cp: ‘/etc/fstab’ and ‘/mnt/tmproot/etc/fstab’ are the same file
done.
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2…

Hi Chris,

We have seen symptoms like this with Power Source problems, especially with the 3B+ and the Pi4 which require more power than the earlier models. The recommended supply for a Raspberry Pi4 should be at least 3 amps. It becomes critical when you have devices attached to the USB ports. Can you confirm that your power source is good? Which model Pi are you using and what’s the version of OS?

Bob

Hi Bob, it’s the Pi4 armhf and the OS info is below. The power I think is good. I’m using the power cable that came with the unit. The power supply says DCAR-RSP-3A5C (came from CanaKit).

OS was loaded from this download from Raspberry PI site.
2020-05-27-raspios-buster-full-armhf.zip

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster

Is it possible to recover the encryption key?
Is the encryption key generated randomly? What is its size?

We can work with you to come up with a solution regarding recovering an encryption key. Can you give us a little more information on your use case? If you’d like to move this out of the Community forums, you can talk to us directly via support@zymbit.com.

As far as the next questions, yes the encryption key is generated randomly and the size is 512 bytes.

Chris,

That CanaKit supply should work fine. Could I maybe take a look at /boot/cmdline.txt and /boot/config.txt? Also, the output from lsblk.

Thanks,

Bob