Encrypting Your Root File System on Raspberry Pi - using LUKS & dm-crypt


#81

With this option, can I completely remove the SD card? I thought it was still necessary for the /boot partition.


#82

How can I recognize that phase 2 is running?


#83

@Iker That’s correct, you still need the SD card for the /boot partition.


#84

@pico2183 The console that you started the script from will show 2 lines when phase 1 has completed:
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2...


#85

So, is there any chance I can completely remove the SD card now that the Raspberry Pi 3B+ is booted from USB?
Might moving /boot from the SD card to a second USB drive work?


#86

I’m sorry, but after the reboot, how do I know that it started?
The reboot is very quick.


#87

Hello! We have 5 Raspberry Pi 3B+ units, with their corresponding Zymkey 4i modules installed correctly, using encryption of the operational SD card and with the blue LED flashing steadily in linked format. The first of these devices was turned off and disconnected from electric power, the Zymkey 4i was removed from the Pi, and we proceeded to cut the tabs to go from development mode to production mode.

After restarting, the computer no longer starts, and we get the messages “cryptsetup (cryptrfs) failed, bad password or option?” and
“ALERT! /dev/mapper/cryptrfs does not exist”

The blue LED flashes quickly, but when boot starts, the light turns off.

I should add that our base installation was done in the following way. The 32GB SD card has the following original partitions:
/dev/mmcblk0p1 /boot
/dev/mmcblk0p2 (encrypted) (6GB)

Later we used the free space of the 32GB card (27 GB) in a new partition: /dev/mmcblk0p3 /data ext4

Our intention is to keep the partition where our developments are encrypted, and for the partition where the patient data is housed to be recoverable in case of failure of the Raspberry Pi.

We have not had problems starting any of the devices with this configuration.
We have yet to send our other remaining equipment to our customers, and I have no faith that this problem will not happen again.


#88

Can you please send us a picture of the Zymkey with the cut tab?

If you prefer to have a private support channel, please email it to support@zymbit.com, and we will pick it up from there.

Thanks


#89

I’m using an RPi0W with Raspbian Stretch Lite, a Zymkey 4i, and a USB flash drive (8GB). It’s a stock Raspbian image on an 8GB SD card. I ran install_zk_sw.sh without issue and saw the Zymkey bind properly.

Then ran the LUKS/dm-crypt:

pi@raspberrypi:~ $ curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12437  100 12437    0     0  22105      0 --:--:-- --:--:-- --:--:-- 22169
No temporary volume name (/dev/...) specified. Defaulting to /dev/sda...
Hit:1 http://archive.raspberrypi.org/debian stretch InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease
Hit:3 https://zk-sw-repo.s3.amazonaws.com/apt-repo-stretch stretch InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
rsync is already the newest version (3.1.2-1+deb9u1).
zksaapps is already the newest version (1.0-8).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Stopping zkifc...done.
cp: cannot stat '/var/lib/zymbit/': No such file or directory
cp: '/etc/fstab' and '/mnt/tmproot/etc/fstab' are the same file
sed: -e expression #1, char 4: extra characters after command
done.
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2...
Connection to 192.168.1.120 closed by remote host.
Connection to 192.168.1.120 closed.

Then I ran sudo journalctl -u cfg_SD_crfs.service:

pi@raspberrypi:~ $ sudo journalctl -u cfg_SD_crfs.service
-- Logs begin at Thu 2016-11-03 17:16:44 GMT, end at Mon 2018-11-26 19:27:12 GMT. --
Nov 26 19:19:36 raspberrypi systemd[1]: Started First time boot encrypted filesystem cfg service.
Nov 26 19:19:37 raspberrypi cfg_SD_crfs.sh[214]: Creating LUKS key...ERROR: no zymkeys installed.
Nov 26 19:19:38 raspberrypi systemd[1]: cfg_SD_crfs.service: Main process exited, code=exited, status=255/n/a
Nov 26 19:19:38 raspberrypi systemd[1]: cfg_SD_crfs.service: Unit entered failed state.
Nov 26 19:19:38 raspberrypi systemd[1]: cfg_SD_crfs.service: Failed with result 'exit-code'.

Not sure what went wrong… It seems the Zymkey is not blinking at all now, and that is not right. It also seems that the RPi0W is booting from USB, since the unit fails to boot if I remove the USB drive. Otherwise it boots fine and I can SSH into it.

UPDATE: I rebooted again and got a different log from journalctl

pi@raspberrypi:~ $ sudo journalctl -u cfg_SD_crfs.service
-- Logs begin at Mon 2018-11-26 19:19:27 GMT, end at Mon 2018-11-26 19:35:14 GMT. --
Nov 26 19:28:27 raspberrypi systemd[1]: Started First time boot encrypted filesystem cfg service.
Nov 26 19:28:27 raspberrypi cfg_SD_crfs.sh[244]: Creating LUKS key...Could not read stage 1 salt file. read returned -1, errno = 9
Nov 26 19:28:28 raspberrypi systemd[1]: cfg_SD_crfs.service: Main process exited, code=exited, status=255/n/a
Nov 26 19:28:28 raspberrypi systemd[1]: cfg_SD_crfs.service: Unit entered failed state.
Nov 26 19:28:28 raspberrypi systemd[1]: cfg_SD_crfs.service: Failed with result 'exit-code'.

Help appreciated.

UPDATE: I was able to get this working. It seems the issue was related to the Zymkey adapter pins not making good contact with the RPi0W header. It was hard to determine given that the power pins were making good contact hence the LED blinking patterns indicating that the Zymkey was powered on. The I2C lines may have been the issue. I used a fine pick to bend the adapter springs a bit more towards the center to increase the pressure on the header pins and that seems to have solved the issue.


#90

Hi grundyoso,

Good to hear you have determined the root cause of your problem.

If you are willing to send us a picture of your Zymkey to support@zymbit.com, that would be helpful feedback for understanding your use case and why you might have had electrical contact problems.

Thx


#91

Hi,
Is the /boot partition encrypted both in development and in production mode?

Thx


#92

Hi, I am able to change my password by adding init=/bin/sh to cmdline.txt in the boot partition.


#93

Hi Pico,

The exploit you describe suggests that you have physical access to the SD card, or root access. Each can be mitigated as follows:

  1. Use the perimeter detect feature of the Zymkey to physically secure your SD card.
  2. Use unique sign-in credentials for the SSH connection.

If you prefer to continue the thread in a private channel, then email support@zymbit.com
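
A defender-side check for the boot-parameter change discussed in #92 and #93, added here as an example; it is not part of the original thread or of Zymbit's software. It goes beyond init= to a few other standard kernel, initramfs and systemd parameters that interrupt a normal boot. The function names, the parameter list and the sample command lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the kernel command line on the unencrypted /boot
# partition for parameters that replace or interrupt the normal init process.

# Whole-token patterns: init=/rdinit= (alternate init), break (initramfs
# shell), systemd.unit=/single/emergency/rescue (alternate boot target).
OVERRIDE_RE='(init|rdinit|systemd\.unit)=.*|break(=.*)?|single|emergency|rescue'

# Print every flagged parameter found in the file given as $1.
# Returns 0 if none are present, 1 if any are flagged, 2 if unreadable.
audit_cmdline() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # One parameter per line, so each token is matched as a whole (-x).
    if tr -s ' \t' '\n\n' < "$1" | grep -E -x "$OVERRIDE_RE"; then
        return 1
    fi
    return 0
}

# Return 0 when the SHA-256 of file $1 equals the recorded digest $2.
# Assumption: the baseline digest is kept on the encrypted root file system.
matches_baseline() {
    [ "$(sha256sum < "$1" | cut -d' ' -f1)" = "$2" ]
}

# Constructed sample command lines (not captured from a real device).
demo_dir=$(mktemp -d)
printf '%s\n' 'console=tty1 root=/dev/mapper/cryptrfs rootfstype=ext4 rootwait' \
    > "$demo_dir/stock.txt"
printf '%s\n' 'console=tty1 root=/dev/mapper/cryptrfs rootfstype=ext4 rootwait init=/bin/sh' \
    > "$demo_dir/tampered.txt"

baseline=$(sha256sum < "$demo_dir/stock.txt" | cut -d' ' -f1)
for f in stock tampered; do
    if found=$(audit_cmdline "$demo_dir/$f.txt"); then
        echo "$f: no boot overrides"
    else
        echo "$f: flagged parameter(s): $found"
    fi
    matches_baseline "$demo_dir/$f.txt" "$baseline" \
        || echo "$f: cmdline differs from recorded baseline"
done
rm -rf "$demo_dir"
```

Run from the booted system against /boot/cmdline.txt, this reports a modified command line after the fact; it does not prevent a boot that uses the altered parameters.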