Encrypting Your Root File System on Raspberry Pi - using LUKS & dm-crypt


Can you please send us a picture image of the zymkey with cut tab.

If you prefer to have a private support channel, please email it to support@zymbit.com, and we will pick it up from there.



I’m using a RPi0W with Raspian Stretch Lite, a Zymkey 4i, and a USB flash drive (8GB). It’s a stock Raspian image on an 8GB SDCard. I installed the install_zk_sw.sh without issue and saw the Zymkey bind properly.

Then ran the LUKS/dm-crypt:

pi@raspberrypi:~ $ curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12437  100 12437    0     0  22105      0 --:--:-- --:--:-- --:--:-- 22169
No temporary volume name (/dev/...) specified. Defaulting to /dev/sda...
Hit:1 http://archive.raspberrypi.org/debian stretch InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease
Hit:3 https://zk-sw-repo.s3.amazonaws.com/apt-repo-stretch stretch InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
rsync is already the newest version (3.1.2-1+deb9u1).
zksaapps is already the newest version (1.0-8).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Stopping zkifc...done.
cp: cannot stat '/var/lib/zymbit/': No such file or directory
cp: '/etc/fstab' and '/mnt/tmproot/etc/fstab' are the same file
sed: -e expression #1, char 4: extra characters after command
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2...
Connection to closed by remote host.
Connection to closed.

then ran sudo journalctl -u cfg_SD_crfs.service

pi@raspberrypi:~ $ sudo journalctl -u cfg_SD_crfs.service
-- Logs begin at Thu 2016-11-03 17:16:44 GMT, end at Mon 2018-11-26 19:27:12 GMT. --
Nov 26 19:19:36 raspberrypi systemd[1]: Started First time boot encrypted filesystem cfg service.
Nov 26 19:19:37 raspberrypi cfg_SD_crfs.sh[214]: Creating LUKS key...ERROR: no zymkeys installed.
Nov 26 19:19:38 raspberrypi systemd[1]: cfg_SD_crfs.service: Main process exited, code=exited, status=255/n/a
Nov 26 19:19:38 raspberrypi systemd[1]: cfg_SD_crfs.service: Unit entered failed state.
Nov 26 19:19:38 raspberrypi systemd[1]: cfg_SD_crfs.service: Failed with result 'exit-code'.

not sure what went wrong… seems the Zynkey is not blinking at all now and that is not right. Also seems that the RPi0W is booting from USB since the unit fails to boot if I remove the USB drive. Otherwise boots fine and I can SSH into it.

UPDATE: I rebooted again and got a different log from journalctl

pi@raspberrypi:~ $ sudo journalctl -u cfg_SD_crfs.service
-- Logs begin at Mon 2018-11-26 19:19:27 GMT, end at Mon 2018-11-26 19:35:14 GMT. --
Nov 26 19:28:27 raspberrypi systemd[1]: Started First time boot encrypted filesystem cfg service.
Nov 26 19:28:27 raspberrypi cfg_SD_crfs.sh[244]: Creating LUKS key...Could not read stage 1 salt file. read returned -1, errno = 9
Nov 26 19:28:28 raspberrypi systemd[1]: cfg_SD_crfs.service: Main process exited, code=exited, status=255/n/a
Nov 26 19:28:28 raspberrypi systemd[1]: cfg_SD_crfs.service: Unit entered failed state.
Nov 26 19:28:28 raspberrypi systemd[1]: cfg_SD_crfs.service: Failed with result 'exit-code'.

Help appreciated.

UPDATE: I was able to get this working. It seems the issue was related to the Zymkey adapter pins not making good contact with the RPi0W header. It was hard to determine given that the power pins were making good contact hence the LED blinking patterns indicating that the Zymkey was powered on. The I2C lines may have been the issue. I used a fine pick to bend the adapter springs a bit more towards the center to increase the pressure on the header pins and that seems to have solved the issue.


Hi grundyoso,

Good to hear you have determined the root cause of your problem.

If you are willing to send us a picture of your zymkey to support@zymbit.com, that would be helpful feedback understand your use case and why you might have had electrical contact problems.



Is the /boot partition encrypted both in development and in production mode?



Hi, i able to change my password by adding init=/bin/sh to cmdline.txt in boot partition


Hi Pico,

The exploit your describe suggests that you have physical access to the SD card, or root access. Each can be mitigated as follows:

  1. Use perimeter detect feature of zymkey to physically secure you SD card: Learn More>
  2. Use unique sign in credentials for SSH connection.

If you prefer to continue the thread in a private channel, then email support@zymbit.com


I’m having the same problem others have reported

When I run the SD card conversion, it completes correctly however in the end when it boots up off of the SD card it falls to the initramfs shell. Before that, the /scripts/local-block script is called multiple times. There is also a call out of “ALERT! /dev/mapper/cryptrfs does not exist”.

dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 elevator=deadline fsck.repair=yes rootwait noswap ro root=/dev/mapper/cryptrfs cryptdevice=/dev/mmcblk0p2:cryptrfs

When I check the SD card in my laptop I can see /dev/sda1 is encrypted (used GParted to check)

I’m not sure if it’s a power issue, but the system seems quite stable (no power loss). I’m using a 3A power supply. I have a keyboard plugged in and the HDMI to my TV.

Any help would be greatly appreciated.


@cudacuda can you give us a little more context for you application:

  1. do you have anything else plugged in to you GPIO or I2C bus ?
  2. if you are using an external USB drive, can you confirm the size and how it was formatted prior to running the encryption process.
  3. confirm that you have rebooted your system TWO times after completion of the script.


  1. Nothing is plugged into the GPIO. Just the Zymkey
  2. Using external USB, it was formatted using Windows Fat32
  3. Once the process completes it automatically reboots, I cannot reboot from the prompt as it drops into initramfs



Hi @cudacuda, I have a few more questions for you:

  • What is the status of the Zymkey LED when you boot up now? Is it flashing rapidly constantly or does it have a very rapid preamble followed by a slow sequence?
  • Have you cut the lock tab on the Zymkey? If so, did you have tamper detect self destruct mode enabled?
  • During the boot sequence, do you see a lightning bolt image in the upper right hand corner? This can be caused on the RPi when HDMI is connected to a monitor regardless of the strength of your power supply and could be related to grounding issues between the monitor and pi. Make sure that your TV monitor is plugged into the same power strip as the pi power supply.


Sorry for the delay:

Zymkey LED on flashing rapidly constantly.

Zymkey lock tab is still intact. I did not have tamper detect enabled

I don’t see a lightning bolt. The TV and Pi are plugged are plugged into the same power strip.



Rapid flashing of the Zymkey LED indicates that Zymkey is not communicating with the host RPi. (This is true whether you have an encrypted volume or not).

  1. Before you started the file system encrypted, did you follow the Getting Started Guide and did zymkey successfully complete the binding process in developer mode - (blue LED flashes once every 3 seconds).

  2. If you were successful in completing the binding process in developer mode, please confirm that you then kept the same exact hardware components (Pi + Zymkey + SDcard).



I can confirm that I did the Getting Started Guide. I assume the binding took place because it did blink once every three seconds. That being said, it wasn’t constant.

It would blink once every three seconds (does it twice) then rapid flashing. Then once every three seconds (does it twice) then rapid flashing.

It is the same hardware (Pi + Zymkey + SD card). I completed the Getting Started then immediately did the encryption on this page.


So it looks like the binding process did NOT correctly complete in the first Getting Started phase. (The rapid flashing indicates a communication error). When correctly bound it will flash every three seconds, continuously, no intermittent rapid flashing.

To move forward, lets take a few steps back and collect some information about your app:

  • What OS distro/version are you using ?
  • What API/language are you programming Zymkey in ?
  • What SD card size/brand are you using ?


Was there supposed to be a URL here? What specific things is the fingerprint composed of?


I am using Raspbian Jessie 4.9
I’m not using any API at the moment., I’m simply trying to 1)Bind the Zymkey and 2) encrypt the root fs.
Sandisk 32GB SD card


Hello there,

I am running Stretch on a RPi 3 Model B with a Scandisk 16 GB SD. I recently purchased a Zymkey 4i. I’ve successful gone through the getting start steps and have confirmed that the Zymkey 4i is bound to the RPi (via the slow blinks).

My goal was to then encrypt the Root partition via Option 1. I first confirmed that 7 is the root partition and dev/sda is the FAT32 formatted USB key (32 GB). While running the Script for Option 1, it takes some time to complete (as the walkthrough suggests), but partway through, the Zymkey begins blinking rapidly (so it appears unbound). Also, once the script completes and the reboots have occurred, the Zymkey continues to blink rapidly. Additionally, I verified the device was no longer bound by shutting down the RPi, removing the Zymkey, and then booting up the device. I assumed if the encryption and binding was successful, the boot would fail without the zymkey, but everything booted fine. Again, the Zymkey WAS successfully bound prior to starting the encryption process, but seems to have become unbounded somewhere during the process.

Can someone provide some guidance on this?




@Gtewksbury were you able to run your application in the “encrypted volume”, after boot ?
Also, in the scenario you describe, is the zymkey lock tab cut ? (placing it into production mode).


@cudacuda Can you post a short video of the blink pattern - either in this community, or email to support@zymbit.com. Thx


I will have to try to rebind the Zymkey to the Pi. I’ll start with a fresh image and go from there.