Encrypting Your Root File System on Raspberry Pi - using LUKS & dm-crypt


#81

With this option can I completely remove the SD card? I thought it was still necessary for the /boot partition.


#82

How can I recognize that phase 2 is running?


#83

@Iker That’s correct, you still need the SD card for the /boot partition.


#84

@pico2183 The console that you started the script from will show 2 lines when phase 1 has completed:
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2...


#85

So, is there any chance I can completely remove the SD card now that the Raspberry Pi 3B+ is booted from USB?
Would moving /boot from the SD card to a second USB drive work?


#86

I’m sorry, but after the reboot, how do I know that it started?
The reboot is very quick.


#87

Hello! We have 5 Raspberry Pi 3B+ units, each with its corresponding Zymkey 4i module installed correctly, using encryption of the operating SD card, and the blue LED flashing steadily in the linked pattern. The first of these devices was turned off and disconnected from electrical power, the Zymkey 4i was removed from the Pi, and we proceeded to cut the tab to go from development mode to production mode.

After restarting the machine, it no longer starts, giving the message “cryptsetup (cryptrfs) failed, bad password or option?”
ALERT! /dev/mapper/cryptrfs does not exist

The blue LED flashes quickly, but when the boot starts, the light turns off.

Note that our base installation was done in the following way; the 32GB SD card has the following original partitions:
/dev/mmcblk0p1 /boot
/dev/mmcblk0p2 (encrypted) (6GB)

Later we used the free space of the 32GB card (27GB) for a new partition /dev/mmcblk0p3 /data (ext4).

Our intention is to leave the partition where our developments are encrypted, and to have the partition where the patient data is housed be recoverable in case of failure of the Raspberry Pi.

On none of the units have we had problems starting with this configuration.
We have yet to send our other remaining equipment to our customers, and I have no faith that this problem will not happen again.


#88

Can you please send us a picture of the Zymkey with the cut tab?

If you prefer to have a private support channel, please email it to support@zymbit.com, and we will pick it up from there.

Thanks


#89

I’m using an RPi0W with Raspbian Stretch Lite, a Zymkey 4i, and a USB flash drive (8GB). It’s a stock Raspbian image on an 8GB SD card. I ran install_zk_sw.sh without issue and saw the Zymkey bind properly.

Then ran the LUKS/dm-crypt:

pi@raspberrypi:~ $ curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12437  100 12437    0     0  22105      0 --:--:-- --:--:-- --:--:-- 22169
No temporary volume name (/dev/...) specified. Defaulting to /dev/sda...
Hit:1 http://archive.raspberrypi.org/debian stretch InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease
Hit:3 https://zk-sw-repo.s3.amazonaws.com/apt-repo-stretch stretch InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
rsync is already the newest version (3.1.2-1+deb9u1).
zksaapps is already the newest version (1.0-8).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Stopping zkifc...done.
cp: cannot stat '/var/lib/zymbit/': No such file or directory
cp: '/etc/fstab' and '/mnt/tmproot/etc/fstab' are the same file
sed: -e expression #1, char 4: extra characters after command
done.
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2...
Connection to 192.168.1.120 closed by remote host.
Connection to 192.168.1.120 closed.

Then I ran sudo journalctl -u cfg_SD_crfs.service:

pi@raspberrypi:~ $ sudo journalctl -u cfg_SD_crfs.service
-- Logs begin at Thu 2016-11-03 17:16:44 GMT, end at Mon 2018-11-26 19:27:12 GMT. --
Nov 26 19:19:36 raspberrypi systemd[1]: Started First time boot encrypted filesystem cfg service.
Nov 26 19:19:37 raspberrypi cfg_SD_crfs.sh[214]: Creating LUKS key...ERROR: no zymkeys installed.
Nov 26 19:19:38 raspberrypi systemd[1]: cfg_SD_crfs.service: Main process exited, code=exited, status=255/n/a
Nov 26 19:19:38 raspberrypi systemd[1]: cfg_SD_crfs.service: Unit entered failed state.
Nov 26 19:19:38 raspberrypi systemd[1]: cfg_SD_crfs.service: Failed with result 'exit-code'.

Not sure what went wrong… it seems the Zymkey is not blinking at all now, and that is not right. It also seems that the RPi0W is booting from USB, since the unit fails to boot if I remove the USB drive. Otherwise it boots fine and I can SSH into it.

UPDATE: I rebooted again and got a different log from journalctl

pi@raspberrypi:~ $ sudo journalctl -u cfg_SD_crfs.service
-- Logs begin at Mon 2018-11-26 19:19:27 GMT, end at Mon 2018-11-26 19:35:14 GMT. --
Nov 26 19:28:27 raspberrypi systemd[1]: Started First time boot encrypted filesystem cfg service.
Nov 26 19:28:27 raspberrypi cfg_SD_crfs.sh[244]: Creating LUKS key...Could not read stage 1 salt file. read returned -1, errno = 9
Nov 26 19:28:28 raspberrypi systemd[1]: cfg_SD_crfs.service: Main process exited, code=exited, status=255/n/a
Nov 26 19:28:28 raspberrypi systemd[1]: cfg_SD_crfs.service: Unit entered failed state.
Nov 26 19:28:28 raspberrypi systemd[1]: cfg_SD_crfs.service: Failed with result 'exit-code'.

Help appreciated.

UPDATE: I was able to get this working. It seems the issue was related to the Zymkey adapter pins not making good contact with the RPi0W header. It was hard to determine given that the power pins were making good contact hence the LED blinking patterns indicating that the Zymkey was powered on. The I2C lines may have been the issue. I used a fine pick to bend the adapter springs a bit more towards the center to increase the pressure on the header pins and that seems to have solved the issue.
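The two journal excerpts in this post show the first-boot service failing in two different ways before the contact problem was found. The following shell snippet is an added example, not code from this thread or from Zymbit's installer: it classifies a `journalctl -u cfg_SD_crfs.service` excerpt by the message patterns quoted above and maps each outcome to the next thing to verify, using only the advice given in this thread. The service name is the one shown here; the "started but no failure logged" and "service not run" outcomes are assumptions about what the absence of those messages means, since the thread does not show a successful phase-2 log.

```shell
#!/bin/sh
# Added example (not from the thread or from Zymbit): classify the outcome of the
# first-boot cfg_SD_crfs.service run from its journal lines.
# Real usage:  sudo journalctl -u cfg_SD_crfs.service | classify_crfs_log

classify_crfs_log() {
  # Reads a journal excerpt on stdin and prints one diagnosis keyword.
  # Failure patterns are checked before the generic "Started" line because
  # every run, failed or not, begins with that line.
  log=$(cat)
  case "$log" in
    *"no zymkeys installed"*)             echo "no-zymkey" ;;
    *"Could not read stage 1 salt file"*) echo "salt-read-failed" ;;
    *"Failed with result"*)               echo "failed-unclassified" ;;
    *"Started First time boot encrypted filesystem cfg service"*)
                                          echo "started-no-failure-logged" ;;
    *)                                    echo "service-not-run" ;;
  esac
}

next_check() {
  # Maps a diagnosis keyword to the check suggested by the replies in this thread.
  case "$1" in
    no-zymkey)
      echo "host cannot see the Zymkey over I2C: re-seat the header/adapter and see whether the LED is flashing rapidly" ;;
    salt-read-failed)
      echo "Zymkey stage-1 data unreadable: in the post above this was also a contact problem; re-seat, then confirm the same Pi + Zymkey + SD card used for binding" ;;
    failed-unclassified)
      echo "inspect the cfg_SD_crfs.sh line in the full journal for the actual error" ;;
    started-no-failure-logged)
      echo "no failure recorded: confirm the system has rebooted twice and that / is on /dev/mapper/cryptrfs" ;;
    *)
      echo "first-boot service never started: confirm phase 1 reported completion before the reboot" ;;
  esac
}

# Constructed sample excerpts, shaped after the two journals posted above.
SAMPLE_NO_ZYMKEY="Nov 26 19:19:36 raspberrypi systemd[1]: Started First time boot encrypted filesystem cfg service.
Nov 26 19:19:37 raspberrypi cfg_SD_crfs.sh[214]: Creating LUKS key...ERROR: no zymkeys installed.
Nov 26 19:19:38 raspberrypi systemd[1]: cfg_SD_crfs.service: Failed with result 'exit-code'."
SAMPLE_SALT="Nov 26 19:28:27 raspberrypi systemd[1]: Started First time boot encrypted filesystem cfg service.
Nov 26 19:28:27 raspberrypi cfg_SD_crfs.sh[244]: Creating LUKS key...Could not read stage 1 salt file. read returned -1, errno = 9
Nov 26 19:28:28 raspberrypi systemd[1]: cfg_SD_crfs.service: Failed with result 'exit-code'."
SAMPLE_STARTED="Nov 26 19:40:00 raspberrypi systemd[1]: Started First time boot encrypted filesystem cfg service."

for s in "$SAMPLE_NO_ZYMKEY" "$SAMPLE_SALT" "$SAMPLE_STARTED" ""; do
  d=$(printf '%s\n' "$s" | classify_crfs_log)
  echo "$d: $(next_check "$d")"
done
```

Run it on a real unit by replacing the sample loop with the `journalctl` pipe in the usage comment; anything other than `started-no-failure-logged` means phase 2 did not finish and the LED pattern described later in this thread is the next thing to look at.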


#90

Hi grundyoso,

Good to hear you have determined the root cause of your problem.

If you are willing to send us a picture of your Zymkey at support@zymbit.com, that would be helpful feedback to understand your use case and why you might have had electrical contact problems.

Thx


#91

Hi,
Is the /boot partition encrypted both in development and in production mode?

Thx


#92

Hi, I was able to change my password by adding init=/bin/sh to cmdline.txt in the boot partition.


#93

Hi Pico,

The exploit you describe suggests that you have physical access to the SD card, or root access. Each can be mitigated as follows:

  1. Use the perimeter detect feature of Zymkey to physically secure your SD card.
  2. Use unique sign-in credentials for the SSH connection.

If you prefer to continue the thread in a private channel, then email support@zymbit.com


#94

I’m having the same problem others have reported.

When I run the SD card conversion, it completes correctly; however, in the end, when it boots up off the SD card it falls to the initramfs shell. Before that, the /scripts/local-block script is called multiple times. There is also a call out of “ALERT! /dev/mapper/cryptrfs does not exist”.

commandline.txt
dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 elevator=deadline fsck.repair=yes rootwait noswap ro root=/dev/mapper/cryptrfs cryptdevice=/dev/mmcblk0p2:cryptrfs

When I check the SD card in my laptop I can see /dev/sda1 is encrypted (used GParted to check)

I’m not sure if it’s a power issue, but the system seems quite stable (no power loss). I’m using a 3A power supply. I have a keyboard plugged in and the HDMI to my TV.

Any help would be greatly appreciated.
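Posts #92 to #94 together make a practical point: /boot stays on the unencrypted first partition (#87 lists /dev/mmcblk0p1 as /boot), so the kernel command line shown above is exactly what someone holding the SD card can edit, and `init=/bin/sh` is one such edit. The shell function below is an added example, not code from the thread or from Zymbit: it audits a cmdline.txt line for the parameters the post above shows (`root=/dev/mapper/cryptrfs` and a `cryptdevice=` that maps a /dev node to `cryptrfs`) and flags any `init=` or `rdinit=` override, so the line can be checked before a unit ships or from a boot-time script. Only the shape of the `cryptdevice=` source is checked, because a USB-booted system may use a device other than /dev/mmcblk0p2; the expected values are assumptions taken from this thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Zymbit): audit a Raspberry Pi
# cmdline.txt for the settings that keep / on the LUKS mapping and flag
# boot-time init overrides that bypass the normal login path.
# Real usage:  audit_cmdline "$(cat /boot/cmdline.txt)"

audit_cmdline() {
  # $1 = the single line of cmdline.txt. Prints findings; returns 0 only if clean.
  cl_root=""; cl_crypt=""; cl_status=0
  for tok in $1; do
    case "$tok" in
      root=*)        cl_root=${tok#root=} ;;
      cryptdevice=*) cl_crypt=${tok#cryptdevice=} ;;
      init=*)        echo "WARN: init override present: $tok"; cl_status=1 ;;
      rdinit=*)      echo "WARN: initramfs init override present: $tok"; cl_status=1 ;;
    esac
  done
  if [ "$cl_root" != "/dev/mapper/cryptrfs" ]; then
    echo "WARN: root='$cl_root', expected /dev/mapper/cryptrfs"; cl_status=1
  fi
  case "$cl_crypt" in
    /dev/*:cryptrfs) ;;   # source may be mmcblk0p2 or a USB partition; only the shape is checked
    *) echo "WARN: cryptdevice='$cl_crypt' does not map a /dev node to cryptrfs"; cl_status=1 ;;
  esac
  if [ "$cl_status" -eq 0 ]; then
    echo "OK: root on LUKS mapping, no init override"
  fi
  return "$cl_status"
}

# Constructed samples: the first is the line posted above, the second has the
# init override from post #92 appended, the third never points / at the mapping.
GOOD='dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 elevator=deadline fsck.repair=yes rootwait noswap ro root=/dev/mapper/cryptrfs cryptdevice=/dev/mmcblk0p2:cryptrfs'
TAMPERED="$GOOD init=/bin/sh"
UNENCRYPTED='console=tty1 rootwait ro root=/dev/mmcblk0p2'

audit_cmdline "$GOOD"
audit_cmdline "$TAMPERED"    || echo "tampered line rejected"
audit_cmdline "$UNENCRYPTED" || echo "unencrypted-root line rejected"
```

The audit only tells you the line is as expected; it does not make the partition tamper-proof, which is why the reply in #93 points at Zymkey's perimeter detect for the physical-access case and at unique SSH credentials for the root-access case.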


#95

@cudacuda can you give us a little more context for your application:

  1. do you have anything else plugged in to your GPIO or I2C bus?
  2. if you are using an external USB drive, can you confirm the size and how it was formatted prior to running the encryption process.
  3. confirm that you have rebooted your system TWO times after completion of the script.

Thx


#96

  1. Nothing is plugged into the GPIO. Just the Zymkey
  2. Using external USB, it was formatted using Windows Fat32
  3. Once the process completes it automatically reboots, I cannot reboot from the prompt as it drops into initramfs

Thanks!


#97

Hi @cudacuda, I have a few more questions for you:

  • What is the status of the Zymkey LED when you boot up now? Is it flashing rapidly constantly or does it have a very rapid preamble followed by a slow sequence?
  • Have you cut the lock tab on the Zymkey? If so, did you have tamper detect self destruct mode enabled?
  • During the boot sequence, do you see a lightning bolt image in the upper right hand corner? This can be caused on the RPi when HDMI is connected to a monitor regardless of the strength of your power supply and could be related to grounding issues between the monitor and pi. Make sure that your TV monitor is plugged into the same power strip as the pi power supply.

#98

Sorry for the delay:

Zymkey LED on flashing rapidly constantly.

Zymkey lock tab is still intact. I did not have tamper detect enabled

I don’t see a lightning bolt. The TV and Pi are plugged into the same power strip.

Thanks!


#99

Rapid flashing of the Zymkey LED indicates that Zymkey is not communicating with the host RPi. (This is true whether you have an encrypted volume or not).

  1. Before you started the file system encryption, did you follow the Getting Started Guide, and did the Zymkey successfully complete the binding process in developer mode (blue LED flashes once every 3 seconds)?

  2. If you were successful in completing the binding process in developer mode, please confirm that you then kept the same exact hardware components (Pi + Zymkey + SDcard).

Thanks


#100

I can confirm that I did the Getting Started Guide. I assume the binding took place because it did blink once every three seconds. That being said, it wasn’t constant.

It would blink once every three seconds (does it twice) then rapid flashing. Then once every three seconds (does it twice) then rapid flashing.

It is the same hardware (Pi + Zymkey + SD card). I completed the Getting Started then immediately did the encryption on this page.