Hi Bob, I was doing some testing and stuff on this encrypted drive now. I found that if I take the SD card to another system, it prompts to unlock with a password. That is expected. I cannot read the data. However, if I edit cmdline.txt in boot and add "init=/bin/sh", I can boot the system in the PI to a basic system and view the contents of /. I’m just trying to figure out, how do I prevent this? I’ll keep playing around with this.
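Monitor the process from another host on the same LAN as the host undergoing the mk sd process with the script below.
#!/bin/bash
# Usage: pass the target host as $1 and the SSH user as $2.
HOST=$1
USER=$2
# Block until the target accepts TCP connections on port 22.
wait_host_ssh () {
    sleep 3
    while ! nc -z "${HOST}" 22; do
        echo "...waiting for node to come online"
        sleep 1
    done
}
echo "phase 1 begin."
wait_host_ssh
# Follow the phase 1 service log; host-key checking is disabled and no known_hosts entry is kept.
ssh "${HOST}" -l "${USER}" \
    -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/dev/null \
    journalctl -efu amya_mk_encr_sd_rfs.service
echo "phase 1 complete."
echo ""
echo "phase 2 begin"
wait_host_ssh
# Follow the phase 2 service log after the reboot into the installer partition.
ssh "${HOST}" -l "${USER}" \
    -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/dev/null \
    journalctl -efu cfg_SD_crfs
echo "phase 2 complete."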
Hi Chris, you can use perimeter detect to lock down physical access to the SD Card in the PI. Once you have properly set things up, perimeter detect can take action from doing nothing, to sending an alert, or self-destructing. Check out this page for options:
I can’t start the 2nd run with "curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash -s -- -x /dev/sda -m 7" on a fully updated Raspberry PI 3+ (Buster).
Log when I try to run the script "mk_encr_sd_rfs.sh" again:
Stopping zkifc…done.
grep: /mnt/tmpboot/config.txt: Ingen sådan fil eller filkatalog
Distro tarball not found on tmp root fs. Installing crypto installer on /dev/sda.
Installing necessary packages…
done.
Formatting USB mass media on /dev/sda…
Making a tarball of original root file system image…done.
Creating installer partition on /dev/sda1…External device PARTUUID = xxxxxxx-xx
External device UUID = xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
sed: -e udtryk nr. 1, tegn 4: ekstra tegn efter kommando
done.
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2…
I’m having issues trying to encrypt the onboard SD.
- I2C is correctly enabled
- USB drive is empty and on sda
- Using a good quality SD Card
- Newest Clean Raspberry OS Lite img
- Power Supply is Outputting in the normal range.
The first installation correctly binds the Zymkey 4i; the encryption phase just keeps rebooting every 15 minutes or so and never completes. Journal log as follows:
-- Logs begin at Tue 2020-08-11 14:03:38 BST. --
Aug 11 14:03:51 raspberrypi systemd[1]: Started First time boot encrypted filesystem cfg service.
Aug 11 14:03:54 raspberrypi cfg_SD_crfs.sh[772]: Creating LUKS key...done.
Aug 11 14:03:54 raspberrypi cfg_SD_crfs.sh[772]: Formatting crypto file system on /dev/mmcblk0p2...Device /dev/mmcblk0p2 is in use. Can not proceed with format operation.
Aug 11 14:03:54 raspberrypi cfg_SD_crfs.sh[772]: Device cryptrfs already exists.
Aug 11 14:03:54 raspberrypi cfg_SD_crfs.sh[772]: done.
Aug 11 14:03:54 raspberrypi cfg_SD_crfs.sh[772]: Creating ext4 partition on /dev/mmcblk0p2...mke2fs 1.44.5 (15-Dec-2018)
Aug 11 14:05:13 raspberrypi cfg_SD_crfs.sh[772]: done.
Aug 11 14:05:13 raspberrypi cfg_SD_crfs.sh[772]: Copying files to crypto fs...
Aug 11 14:19:08 raspberrypi cfg_SD_crfs.sh[772]: done.
Aug 11 14:19:26 raspberrypi cfg_SD_crfs.sh[772]: Copying /var/lib/zymbit to crypto fs...done.
Aug 11 14:19:26 raspberrypi cfg_SD_crfs.sh[772]: Copying hostname...done.
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: Copying ssh keys...Configuring fstab.../mnt/cryptrfs/etc /
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: /
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: done.
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: Configuring config.txt...done.
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: Configuring kernel cmd line...sed: couldn't edit /mnt/tmpboot/: not a regular file
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: sed: couldn't edit /mnt/tmpboot/: not a regular file
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: sed: couldn't edit /mnt/tmpboot/: not a regular file
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: /usr/local/bin/cfg_SD_crfs.sh: line 92: /tmp/: Is a directory
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: mv: inter-device move failed: '/tmp/' to '/mnt/tmpboot/tmp'; unable to remove target: Directory not empty
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: /usr/local/bin/cfg_SD_crfs.sh: line 94: /mnt/tmpboot/: Is a directory
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: done.
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: Configuring crypttab...done.
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: Adding i2c drivers to initramfs...done.
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: Building initramfs...update-initramfs: Generating /mnt/tmpboot//initrd.img-5.4.51-v7+
Aug 11 14:19:30 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/drivers/i2c/i2c-dev.ko
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/drivers/i2c/busses/i2c-bcm2835.ko
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/drivers/i2c/busses/i2c-bcm2708.ko
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: Copying module directory kernel/drivers/usb/dwc2
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/drivers/usb/gadget/udc/udc-core.ko
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/drivers/usb/dwc2/dwc2.ko
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: Copying module directory kernel/drivers/input/keyboard
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/drivers/input/keyboard/gpio_keys.ko
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/drivers/input/matrix-keymap.ko
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/drivers/input/keyboard/matrix_keypad.ko
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: Copying module directory kernel/drivers/hid
Aug 11 14:19:31 raspberrypi cfg_SD_crfs.sh[772]: (excluding hid-*ff.ko hid-a4tech.ko hid-cypress.ko hid-dr.ko hid-elecom.ko hid-gyration.ko hid-icade.ko hid-kensington.ko hid-kye.ko hid-lcpower.ko hid-magicmouse.ko hid-multitouch.ko hid-ntrig.ko hid-petalynx.ko hid-picolcd.ko hid-pl.ko hid-ps3remote.ko hid-quanta.ko hid-roccat-ko*.ko hid-roccat-pyra.ko hid-saitek.ko hid-sensor-hub.ko hid-sony.ko hid-speedlink.ko hid-tivo.ko hid-twinhan.ko hid-uclogic.ko hid-wacom.ko hid-waltop.ko hid-wiimote.ko hid-zydacron.ko)
..........
Aug 11 14:19:38 raspberrypi cfg_SD_crfs.sh[772]: Calling hook cryptroot
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: cryptsetup: WARNING: cryptrfs: ignoring unknown option 'timeout'
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /lib/cryptsetup/scripts/zk_get_key
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/drivers/md/dm-mod.ko
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/drivers/md/dm-crypt.ko
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /sbin/cryptsetup
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libm-2.28.so
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libm-2.28.so
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libcryptsetup.so.12.4.0
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libcryptsetup.so.12.4.0
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /usr/lib/arm-linux-gnueabihf/libpopt.so.0.0.0
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding library /usr/lib/arm-linux-gnueabihf/libpopt.so.0.0.0
Aug 11 14:19:39 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libuuid.so.1.3.0
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libuuid.so.1.3.0
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libblkid.so.1.1.0
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libblkid.so.1.1.0
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libdevmapper.so.1.02.1
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library /usr/lib/arm-linux-gnueabihf/libssl.so.1.1
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library /usr/lib/arm-linux-gnueabihf/libargon2.so.1
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/librt-2.28.so
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/librt-2.28.so
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /usr/lib/arm-linux-gnueabihf/libjson-c.so.3.0.1
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library /usr/lib/arm-linux-gnueabihf/libjson-c.so.3.0.1
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libselinux.so.1
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libudev.so.1.6.13
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libudev.so.1.6.13
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libpcre.so.3.13.3
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libpcre.so.3.13.3
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /sbin/dmsetup
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /lib/cryptsetup/askpass
Aug 11 14:19:40 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /lib/arm-linux-gnueabihf/libgcc_s.so.1
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Copying module directory kernel/arch/arm/crypto
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/arch/arm/crypto/aes-arm.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/arch/arm/crypto/sha1-arm.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/arch/arm/crypto/sha1-arm-neon.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/cryptd.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/crypto_simd.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/arch/arm/crypto/aes-arm-bs.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Copying module directory kernel/crypto
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/arc4.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/async_tx/async_tx.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/async_tx/async_raid6_recov.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/async_tx/async_memcpy.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/async_tx/async_xor.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/async_tx/async_pq.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/af_alg.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/algif_skcipher.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/gf128mul.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/authenc.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/essiv.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/tgr192.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/ccm.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/zstd.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/jitterentropy_rng.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/ecc.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/ecdh_generic.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/lib/lz4/lz4_compress.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/lz4.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/cast_common.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/drbg.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/seqiv.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/crypto_user.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/michael_mic.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/sha1_generic.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/md5.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/lib/crypto/libsha256.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/sha256_generic.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/echainiv.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/wp512.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/ghash-generic.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/authencesn.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/cmac.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/deflate.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/cast5_generic.ko
Aug 11 14:19:41 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/xcbc.ko
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/gcm.ko
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/md4.ko
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/crypto/ctr.ko
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/cryptsetup/functions
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Calling hook cryptroot-unlock
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding script /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Calling hook fsck
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /sbin/fsck
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libmount.so.1.1.0
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libmount.so.1.1.0
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /sbin/logsave
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding binary-link /sbin/e2fsck
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /sbin/e2fsck
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libext2fs.so.2.4
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libext2fs.so.2.4
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libcom_err.so.2.1
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libcom_err.so.2.1
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libe2p.so.2.3
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libe2p.so.2.3
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Calling hook fuse
Aug 11 14:19:42 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /sbin/mount.fuse
Aug 11 14:19:43 raspberrypi cfg_SD_crfs.sh[772]: Adding module /lib/modules/5.4.51-v7+/kernel/fs/fuse/fuse.ko
Aug 11 14:19:43 raspberrypi cfg_SD_crfs.sh[772]: Calling hook keymap
Aug 11 14:19:43 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /bin/kbd_mode
Aug 11 14:19:43 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /bin/loadkeys
Aug 11 14:19:43 raspberrypi cfg_SD_crfs.sh[772]: Calling hook kmod
Aug 11 14:19:43 raspberrypi cfg_SD_crfs.sh[772]: Calling hook resume
Aug 11 14:19:43 raspberrypi cfg_SD_crfs.sh[772]: I: Configuration sets RESUME=
Aug 11 14:19:43 raspberrypi cfg_SD_crfs.sh[772]: Calling hook thermal
Aug 11 14:19:43 raspberrypi cfg_SD_crfs.sh[772]: Calling hook udev
Aug 11 14:19:43 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /lib/systemd/systemd-udevd
Aug 11 14:19:44 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /usr/lib/arm-linux-gnueabihf/libkmod.so.2.3.4
Aug 11 14:19:44 raspberrypi cfg_SD_crfs.sh[772]: Adding library /usr/lib/arm-linux-gnueabihf/libkmod.so.2.3.4
Aug 11 14:19:44 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /usr/lib/arm-linux-gnueabihf/libacl.so.1.1.2253
Aug 11 14:19:44 raspberrypi cfg_SD_crfs.sh[772]: Adding library /usr/lib/arm-linux-gnueabihf/libacl.so.1.1.2253
Aug 11 14:19:44 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /usr/lib/arm-linux-gnueabihf/libattr.so.1.1.2448
Aug 11 14:19:44 raspberrypi cfg_SD_crfs.sh[772]: Adding library /usr/lib/arm-linux-gnueabihf/libattr.so.1.1.2448
Aug 11 14:19:44 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /bin/udevadm
Aug 11 14:19:45 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /lib/udev/ata_id
Aug 11 14:19:45 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /lib/udev/scsi_id
Aug 11 14:19:45 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /sbin/blkid
Aug 11 14:19:45 raspberrypi cfg_SD_crfs.sh[772]: Calling hook zz-busybox
Aug 11 14:19:45 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /bin/busybox
Aug 11 14:19:45 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libresolv-2.28.so
Aug 11 14:19:45 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libresolv-2.28.so
Aug 11 14:19:46 raspberrypi cfg_SD_crfs.sh[772]: Calling hook cryptpassdev
Aug 11 14:19:46 raspberrypi cfg_SD_crfs.sh[772]: Calling hook cryptopensc
Aug 11 14:19:46 raspberrypi cfg_SD_crfs.sh[772]: Calling hook cryptkeyctl
Aug 11 14:19:46 raspberrypi cfg_SD_crfs.sh[772]: Calling hook cryptgnupg-sc
Aug 11 14:19:46 raspberrypi cfg_SD_crfs.sh[772]: Calling hook cryptgnupg
Aug 11 14:19:46 raspberrypi cfg_SD_crfs.sh[772]: Calling hook ntfs_3g
Aug 11 14:19:46 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /bin/ntfs-3g
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: Adding library-link /lib/arm-linux-gnueabihf/libntfs-3g.so.883.0.0
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: Adding library /lib/arm-linux-gnueabihf/libntfs-3g.so.883.0.0
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: Calling hook dmsetup
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: Calling hook klibc-utils
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: Calling hook zymkey_cryptfs_cfg
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: Adding binary /sbin/zkunlockifs
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: /usr/share/initramfs-tools/scripts/init-top/ORDER ignored: not executable
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: /usr/share/initramfs-tools/scripts/local-premount/ORDER ignored: not executable
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: /usr/share/initramfs-tools/scripts/local-bottom/ORDER ignored: not executable
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: /usr/share/initramfs-tools/scripts/local-top/ORDER ignored: not executable
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: /usr/share/initramfs-tools/scripts/init-bottom/ORDER ignored: not executable
Aug 11 14:19:48 raspberrypi cfg_SD_crfs.sh[772]: /usr/share/initramfs-tools/scripts/local-block/ORDER ignored: not executable
Aug 11 14:19:49 raspberrypi cfg_SD_crfs.sh[772]: Building cpio /mnt/tmpboot/initrd.img-5.4.51-v7+.new initramfs
Aug 11 14:20:11 raspberrypi cfg_SD_crfs.sh[772]: umount: /mnt/cryptrfs/sys/fs/cgroup/unified: target is busy.
Aug 11 14:20:11 raspberrypi cfg_SD_crfs.sh[772]: done.
Aug 11 14:20:11 raspberrypi cfg_SD_crfs.sh[772]: Rebooting...
Any help would be greatly appreciated as we are needing to set up multiple units.
Many thanks in advance
@taospartan - Your log looks like the entire process completed without error. It appears that it is still booting off the USB device, though. Can you post the contents of /boot/cmdline.txt and /boot/config.txt, as well as the output from lsblk?
cat /boot/cmdline.txt
cat /boot/config.txt
lsblk
Also, I don’t think you said which PI you are using but can we double-check the boot sequence?
For PI4b,
vcgencmd bootloader_config
For PI3b+ and earlier,
vcgencmd otp_dump | grep 17
Regards,
Bob
@Bob_of_Zymbit - it's 3b+
The info is as follows:
cat /boot/cmdline.txt
dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait root=PARTUUID=f0ef7857-01
cat /boot/config.txt
# For more options and information see
# http://rpf.io/configtxt
# Some settings may impact device functionality. See link above for details
# uncomment if you get no picture on HDMI for a default "safe" mode
#hdmi_safe=1
# uncomment this if your display has a black border of unused pixels visible
# and your display can output without overscan
#disable_overscan=1
# uncomment the following to adjust overscan. Use positive numbers if console
# goes off screen, and negative if there is too much border
#overscan_left=16
#overscan_right=16
#overscan_top=16
#overscan_bottom=16
# uncomment to force a console size. By default it will be display's size minus
# overscan.
#framebuffer_width=1280
#framebuffer_height=720
# uncomment if hdmi display is not detected and composite is being output
#hdmi_force_hotplug=1
# uncomment to force a specific HDMI mode (this will force VGA)
#hdmi_group=1
#hdmi_mode=1
# uncomment to force a HDMI mode rather than DVI. This can make audio work in
# DMT (computer monitor) modes
#hdmi_drive=2
# uncomment to increase signal to HDMI, if you have interference, blanking, or
# no display
#config_hdmi_boost=4
# uncomment for composite PAL
#sdtv_mode=2
#uncomment to overclock the arm. 700 MHz is the default.
#arm_freq=800
# Uncomment some or all of these to enable the optional hardware interfaces
dtparam=i2c_arm=on
#dtparam=i2s=on
#dtparam=spi=on
# Uncomment this to enable the lirc-rpi module
#dtoverlay=lirc-rpi
# Additional overlays and parameters are documented /boot/overlays/README
# Enable audio (loads snd_bcm2835)
dtparam=audio=on
[pi4]
# Enable DRM VC4 V3D driver on top of the dispmanx display stack
dtoverlay=vc4-fkms-v3d
max_framebuffers=2
[all]
#dtoverlay=vc4-fkms-v3d
initramfs initrd.img followkernel
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 1 118G 0 disk
└─sda1 8:1 1 118G 0 part /
mmcblk0 179:0 0 29.7G 0 disk
├─mmcblk0p1 179:1 0 256M 0 part /boot
└─mmcblk0p2 179:2 0 29.5G 0 part
└─cryptrfs 254:0 0 29.5G 0 crypt /mnt/cryptrfs
vcgencmd otp_dump | grep 17
17:1020000a
It just keeps looping like it never finishes the second encryption process
Many thanks for your help
Tao
Encrypting 2019-06-20-raspbian-buster-lite.img after
apt update
apt upgrade
encryption fails; however, running the process without updating results in successful encryption
Tao
Thank you for that clue. That is an earlier version of buster lite than we normally start our testing from. I’ll try and reproduce upgrading from that version.
The cmdline.txt and lsblk output show that the PI is still using the USB stick as /. Looking back at your original log I see that I glanced over an error editing cmdline.txt. Let me figure out what is different when starting from that old version and upgrading as opposed to just using the old version without upgrading, or using the newer version and I’ll get back to you.
Bob
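Added example, not part of the thread or of Zymbit's scripts: a small audit that applies the checks discussed above to a cmdline.txt and an lsblk listing, flagging a root file system that is not on a crypt device and an init= override like the one in the first post. The function names are hypothetical, the "converted" samples are constructed, and the expectation that a converted system uses a root= under /dev/mapper/ is an assumption.

```sh
#!/bin/sh
# Added example: boot-configuration audit for a Pi whose root fs should be on LUKS.
# Function names are hypothetical; they are not part of Zymbit's tooling.

# Print the value of the last "KEY=" token on a kernel command line.
cmdline_param() {  # $1 = key, $2 = command line text
    printf '%s\n' "$2" | tr ' ' '\n' |
        awk -v k="$1=" 'index($0, k) == 1 { v = substr($0, length(k) + 1) }
                        END { if (v != "") print v }'
}

# Print "NAME TYPE" for the device mounted at / in default-format lsblk output
# (columns NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT, as posted in the thread).
root_mount() {  # $1 = lsblk output
    printf '%s\n' "$1" |
        awk '$7 == "/" { n = $1; sub(/^[^A-Za-z0-9]+/, "", n); print n, $6 }'
}

# Print one finding per line; no output means every check passed.
audit_boot() {  # $1 = cmdline.txt contents, $2 = lsblk output
    ab_root=$(cmdline_param root "$1")
    ab_init=$(cmdline_param init "$1")
    ab_mount=$(root_mount "$2")
    # Assumption: a converted system boots with root= on a device-mapper volume.
    case $ab_root in
        /dev/mapper/*) ;;
        *) echo "cmdline-root: root=$ab_root is not a /dev/mapper volume" ;;
    esac
    # An init= token replaces the normal init process for that boot.
    if [ -n "$ab_init" ]; then
        echo "init-override: init=$ab_init"
    fi
    if [ -z "$ab_mount" ]; then
        echo "root-mount: nothing mounted at / in lsblk output"
    elif [ "${ab_mount#* }" != "crypt" ]; then
        echo "root-mount: / is on ${ab_mount% *} (${ab_mount#* }), not a crypt device"
    fi
    return 0
}

# cmdline.txt and lsblk output as posted in the thread (stuck on the USB stick).
POSTED_CMDLINE='dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait root=PARTUUID=f0ef7857-01'
POSTED_LSBLK='NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 1 118G 0 disk
└─sda1 8:1 1 118G 0 part /
mmcblk0 179:0 0 29.7G 0 disk
├─mmcblk0p1 179:1 0 256M 0 part /boot
└─mmcblk0p2 179:2 0 29.5G 0 part
  └─cryptrfs 254:0 0 29.5G 0 crypt /mnt/cryptrfs'

# Constructed samples: what a converted system is assumed to look like,
# and the same command line with an init= token appended.
CONVERTED_CMDLINE='console=serial0,115200 console=tty1 root=/dev/mapper/cryptrfs cryptdevice=/dev/mmcblk0p2:cryptrfs rootfstype=ext4 rootwait'
CONVERTED_LSBLK='NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
mmcblk0 179:0 0 29.7G 0 disk
├─mmcblk0p1 179:1 0 256M 0 part /boot
└─mmcblk0p2 179:2 0 29.5G 0 part
  └─cryptrfs 254:0 0 29.5G 0 crypt /'
EDITED_CMDLINE="$CONVERTED_CMDLINE init=/bin/sh"

echo "Findings for the configuration posted in the thread:"
audit_boot "$POSTED_CMDLINE" "$POSTED_LSBLK"
echo "Findings for the constructed converted system with init= appended:"
audit_boot "$EDITED_CMDLINE" "$CONVERTED_LSBLK"
```

On a live Pi the same function can be called as `audit_boot "$(cat /proc/cmdline)" "$(lsblk)"`.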
We had some issues with an upgrade to our community site. I sent you email directly on this issue. I am working on reproducing.
Bob
Hi Bob,
I haven’t found any information in the data sheet. So maybe you can give me the info here. Zymbit provides different cipher suites. How can I check which cipher suite is currently used on my installation?
And a second question: does the Zymbit solution have any security certification from an official auditor, so we can use this in communication with possible customers?
Thank you for your support and best greetings,
Mike
There is a little more information than on just the datasheet regarding encryption support here:
https://www.zymbit.com/zymkey/
See the section titled, “Cryptographic Primitives”.
We have not had any security certifications completed by an official auditor.
Hi Bob,
thank you for the information.
I understand that Zymkey supports many different cryptographic standards. But how can I check which standard my installation is currently using? During the setup I have no possibility to select one from those shown options. Where can I configure and check this?
Do you plan to have your solutions audited by an official auditor in the near future?
Thank you for your support and best regards,
Mike
The keys on the Zymkey 4i use ECDSA NIST P-256. There is no option to choose a different crypto standard.
I’m having trouble getting this to work on Ubuntu 20 on a Raspberry Pi 4 and I was hoping you could help. Running the script seems to work fine and all my partitions are in the default spot, however after rebooting I get a bunch of failures. I am also unable to login after the reboot. Attached is a pastebin with the truncated output from running the script along with some pictures showing the failures during reboot.
username@ubuntu:~$ sudo fdisk -l
Disk /dev/loop0: 232.33 MiB, 243605504 bytes, 475792 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/loop1: 48.46 MiB, 50798592 bytes, 99216 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/loop2: 62.9 MiB, 65105920 bytes, 127160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/loop3: 48.8 MiB, 51154944 bytes, 99912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/loop4: 60.66 MiB, 63586304 bytes, 124192 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/loop5: 26.88 MiB, 28168192 bytes, 55016 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/loop6: 25.96 MiB, 27201536 bytes, 53128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/loop7: 63.62 MiB, 66695168 bytes, 130264 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/loop8: 149.54 MiB, 156786688 bytes, 306224 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk /dev/mmcblk0: 59.49 GiB, 63864569856 bytes, 124735488 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x87c6153d
Device Boot Start End Sectors Size Id Type
/dev/mmcblk0p1 * 2048 526335 524288 256M c W95 FAT32 (LBA)
/dev/mmcblk0p2 526336 124735454 124209119 59.2G 83 Linux
Disk /dev/sda: 223.58 GiB, 240057409536 bytes, 468862128 sectors
Disk model:
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0xa724904c
Device Boot Start End Sectors Size Id Type
/dev/sda1 2048 468860927 468858880 223.6G 83 Linux
username@ubuntu:~$ curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 15517 100 15517 0 0 63334 0 --:--:-- --:--:-- --:--:-- 63334
No temporary volume name (/dev/...) specified. Defaulting to /dev/sda...
0% [Working]
Hit:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease
0% [Waiting for headers]
Hit:2 https://zk-sw-repo.s3.amazonaws.com/apt-repo-focal-aarch64 focal InRelease
0% [Waiting for headers]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [111 kB]
0% [3 InRelease 12.3 kB/111 kB 11%]
0% [3 InRelease 111 kB/111 kB 100%]
0% [Waiting for headers]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [98.3 kB]
0% [4 InRelease 5584 B/98.3 kB 6%]
0% [Working]
Get:5 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [107 kB]
0% [5 InRelease 5583 B/107 kB 5%]
0% [Working]
0% [Working]
0% [Working]
0% [Working]
100% [Working]
Fetched 317 kB in 2s (164 kB/s)
Reading package lists... 0%
Reading package lists... 0%
Reading package lists... 0%
Reading package lists... 5%
Reading package lists... 93%
Reading package lists... 93%
Reading package lists... 93%
Reading package lists... 99%
Reading package lists... 99%
Reading package lists... 99%
Reading package lists... 99%
Reading package lists... 99%
Reading package lists... 99%
Reading package lists... Done
Reading package lists... 0%
Reading package lists... 100%
Reading package lists... Done
Building dependency tree... 0%
Building dependency tree... 0%
Building dependency tree... 50%
Building dependency tree... 50%
Building dependency tree
Reading state information... 0%
Reading state information... 0%
Reading state information... Done
rsync is already the newest version (3.1.3-8).
rsync set to manually installed.
zksaapps is already the newest version (1.0-14).
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Stopping zkifc...done.
Distro tarball not found on tmp root fs. Installing crypto installer on /dev/sda.
Installing necessary packages...
done.
Formatting USB mass media on /dev/sda...1+0 records in
1+0 records out
512 bytes copied, 0.00112918 s, 453 kB/s
Partition #1 contains a ext4 signature.
mke2fs 1.45.5 (07-Jan-2020)
Making a tarball of original root file system image...tar: Removing leading `/' from member names
tar: /var/snap/lxd/common/lxd/unix.socket: socket ignored
tar: Removing leading `/' from hard link targets
done.
Created symlink /etc/systemd/system/multi-user.target.wants/cfg_SD_crfs.service → /etc/systemd/system/cfg_SD_crfs.service.
Removed /etc/systemd/system/multi-user.target.wants/zkifc.service.
Removed /etc/systemd/system/multi-user.target.wants/zkbootrtc.service.
Creating installer partition on /dev/sda1...
External device UUID = 9d73b4f2-01
sed: -e expression #1, char 0: no previous regular expression
done.
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2...
username@ubuntu:~$
I ran through the process and didn’t get errors like that. It’s almost as if a previous apt-get update; apt-get upgrade didn’t complete. Sometimes the unattended-upgrades interferes with manual apt-get upgrades and leaves you in a weird state. You can disable the unattended-upgrades by removing the package.
sudo apt-get remove unattended-upgrades
I’m assuming the system had been updated earlier and the Zymkey was properly installed and binding completed prior to attempting encryption.
One question: The encryption process reboots twice. Did you see this after the first reboot and before the second or after the second?
If you get to the second phase and can login, you can monitor progress with,
journalctl -fu cfg_SD_crfs
Bob
It only reboots the one time and presumably fails to do anything from there. I retried with unattended-upgrades removed and got the same result.
Bob,
Thank you for PMing me and helping me with the troubleshooting process. My issue was I was using a USB 3.0 port for my external SSD instead of a 2.0. After switching to the 2.0 port everything went perfectly.
Glad you determined the problem! Thanks for getting back.
Bob
@Scott_of_Zymbit, I am running Ubuntu 20.04 on a Raspberry Pi 4. After completion of 2 reboots, it gives me an error that /dev/mapper/cryptrfs does not exist, opens an initramfs terminal, and gets stuck there. What can be the issue?