Encrypting Your Root File System on RASPBERRY PI - using LUKS & dm-crypt

The encryption script makes an initrd for booting into the encrypted root file system. The encrypted LUKS key is stored in the initrd as well as the target root file system at /var/lib/zymbit.

@iesplin
Thanks for chasing that down!
I think that things may have changed internally with Bionic because the PARTUUID method was known to work in the early days. Just goes to show you how quickly the landscape of Linux development changes…

Anyway, we have tested your scripts on Ubuntu as well as Raspbian and have verified that things work. Your modifications are now available publicly.

Hello,

I managed to encrypt my partition /.
If I understood correctly, in case of loss of the Secure Element I could no longer decrypt the LUKS key.
Is it possible to recover this LUKS key in order to outsource it?

That is correct. It is not possible to recover the key, by design.

Hi
I am attempting for the first time to use option 1 to encrypt the SD card on my RPi3 running Raspbian. I used a 32GB USB flash drive as the external drive. It took approx 2.5 hours to run the first pass and rebooted. I had VNC running and was using it at the time, so I hope this didn't cause any issues. After the first reboot I could not log back in (VNC), so I rebooted again. Still not able to log in via VNC, I connected a screen and KB&M; now I see the splash screen static and a window saying "Waiting for SD card (setting partition)". Not sure what I should be doing from here. The steps above only indicate a single step from the user, inputting one line into the terminal, so I assume everything should automate from there. Am I missing something? Should I have prepared the RPi in some way prior to running the command? The Zymkey module is flashing fast, by the way. Perhaps I have turned my SD card into a vegetable :frowning:

Edit;
So I have started over again, except with an image of Raspbian Buster on the SD (not NOOBS). Reading through the early comments here I see that NOOBS can be troublesome. Anyway, the process still took 2.5 hours for the 1st pass, but now the second pass is finished and the process looks to be successfully complete. Zymkey is also flashing once every 3 secs :slight_smile:

Hi, i can’t get to phase 2. Here is all i see. any idea?

root@raspberrypi:/home/pi# curl -G /mk_encr_sd_rfs.sh | sudo bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15428 100 15428 0 0 48062 0 --:--:-- --:--:-- --:--:-- 48062
No temporary volume name (/dev/…) specified. Defaulting to /dev/sda…
Hits removed because of post limitation.
Reading package lists… Done
Reading package lists… Done
Building dependency tree
Reading state information… Done
rsync is already the newest version (3.1.3-6).
zksaapps is already the newest version (1.0-9).
The following package was automatically installed and is no longer required:
rpi-eeprom-images
Use ‘apt autoremove’ to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Stopping zkifc…done.
cp: cannot stat ‘/var/lib/zymbit/’: No such file or directory
cp: ‘/etc/hosts’ and ‘/mnt/tmproot/etc/hosts’ are the same file
cp: ‘/etc/hostname’ and ‘/mnt/tmproot/etc/hostname’ are the same file
cp: ‘/etc/ssh/ssh_host_dsa_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_dsa_key’ are the same file
cp: ‘/etc/ssh/ssh_host_dsa_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_dsa_key.pub’ are the same file
cp: ‘/etc/ssh/ssh_host_ecdsa_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ecdsa_key’ are the same file
cp: ‘/etc/ssh/ssh_host_ecdsa_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ecdsa_key.pub’ are the same file
cp: ‘/etc/ssh/ssh_host_ed25519_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ed25519_key’ are the same file
cp: ‘/etc/ssh/ssh_host_ed25519_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ed25519_key.pub’ are the same file
cp: ‘/etc/ssh/ssh_host_rsa_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_rsa_key’ are the same file
cp: ‘/etc/ssh/ssh_host_rsa_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_rsa_key.pub’ are the same file
External device PARTUUID = 8ce5d40e-01
External device UUID = 84b87adb-f83d-4c19-a725-3309c5a70752
cp: ‘/etc/fstab’ and ‘/mnt/tmproot/etc/fstab’ are the same file
done.
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2…

Hi Chris,

We have seen symptoms like this with Power Source problems, especially with the 3B+ and the Pi4 which require more power than the earlier models. The recommended supply for a Raspberry Pi4 should be at least 3 amps. It becomes critical when you have devices attached to the USB ports. Can you confirm that your power source is good? Which model Pi are you using and what’s the version of OS?

Bob

Hi Bob, it's the Pi4 armHF and the OS info is below. The power, I think, is good. I'm using the power cable that came with the unit. The power supply says DCAR-RSP-3A5C (it came from CanaKit).

OS was loaded from this download from Raspberry PI site.
2020-05-27-raspios-buster-full-armhf.zip

PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
NAME="Raspbian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster

Is it possible to recover the encryption key ?
Is the encryption key generated randomly? What is its size?

We can work with you to come up with a solution regarding recovering an encryption key. Can you give us a little more information on your use case? If you’d like to move this out of the Community forums, you can talk to us directly via support@zymbit.com.

As far as the next questions, yes the encryption key is generated randomly and the size is 512 bytes.

Chris,

That Canakit supply should work fine. Could I maybe take a look at /boot/cmdline.txt and /boot/config.txt? Also, output from lsblk.

Thanks,

Bob

Yep, this is currently a vanilla build.

pi@raspberrypi:~ $ cat /boot/cmdline.txt
console=serial0,115200 console=tty1 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait quiet splash plymouth.ignore-serial-consoles root=PARTUUID=8ce5d40e-01

pi@raspberrypi:~ $ cat /boot/config.txt
# For more options and information see
# http://rpf.io/configtxt
# Some settings may impact device functionality. See link above for details

# uncomment if you get no picture on HDMI for a default "safe" mode
#hdmi_safe=1

# uncomment this if your display has a black border of unused pixels visible
# and your display can output without overscan
disable_overscan=1

# uncomment the following to adjust overscan. Use positive numbers if console
# goes off screen, and negative if there is too much border
#overscan_left=16
#overscan_right=16
#overscan_top=16
#overscan_bottom=16

# uncomment to force a console size. By default it will be display's size minus
# overscan.
#framebuffer_width=1280
#framebuffer_height=720

# uncomment if hdmi display is not detected and composite is being output
#hdmi_force_hotplug=1

# uncomment to force a specific HDMI mode (this will force VGA)
#hdmi_group=1
#hdmi_mode=1

# uncomment to force a HDMI mode rather than DVI. This can make audio work in
# DMT (computer monitor) modes
#hdmi_drive=2

# uncomment to increase signal to HDMI, if you have interference, blanking, or
# no display
#config_hdmi_boost=4

# uncomment for composite PAL
#sdtv_mode=2

#uncomment to overclock the arm. 700 MHz is the default.
#arm_freq=800

# Uncomment some or all of these to enable the optional hardware interfaces
#dtparam=i2c_arm=on
#dtparam=i2s=on
#dtparam=spi=on

# Uncomment this to enable infrared communication.
#dtoverlay=gpio-ir,gpio_pin=17
#dtoverlay=gpio-ir-tx,gpio_pin=18

# Additional overlays and parameters are documented /boot/overlays/README

# Enable audio (loads snd_bcm2835)
dtparam=audio=on

[pi4]
# Enable DRM VC4 V3D driver on top of the dispmanx display stack
dtoverlay=vc4-fkms-v3d
max_framebuffers=2

[all]
#dtoverlay=vc4-fkms-v3d

pi@raspberrypi:~ $ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 465.8G 0 disk
└─sda1 8:1 0 465.8G 0 part /
sdb 8:16 0 465.8G 0 disk
mmcblk0 179:0 0 29.8G 0 disk
├─mmcblk0p1 179:1 0 256M 0 part /boot
└─mmcblk0p2 179:2 0 29.6G 0 part

Thank you for sending in the info. We can see in /boot/config.txt that the line that enables the i2c bus is commented out. The i2c bus needs to be enabled for the Zymkey to work.

is:
#dtparam=i2c_arm=on

should be:
dtparam=i2c_arm=on

You can either uncomment that line or follow the steps in the Getting Started with the Zymkey 4i topic to enable the i2c bus:

  1. Log in to your pi and run sudo raspi-config
  2. Select Interfacing Options -> I2C ->
    Would you like the ARM I2C interface to be enabled? select (Yes), enter, enter
  3. Arrow Right to Finish

Your I2C bus is now configured and ready to talk to the Zymkey. Next install the Zymkey interface software (ZKIFC) onto your Pi.

You may want to start fresh following the steps here:
https://community.zymbit.com/t/getting-started-with-zymkey-4i/202

If you successfully complete the installation and binding you will see the blue LED flash once every three seconds. That needs to happen prior to attempting to encrypt the root file system.

Bob
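The prerequisites Bob lists (I2C enabled in /boot/config.txt, 1-Wire off, zkifc bound and running, blue LED at one flash every three seconds) are easy to get wrong and the encryption script does not check them for you. The script below is an added example written for this thread, not Zymbit's code. It parses config.txt the way the firmware does (an entry under a model-conditional section such as [pi3] only applies to that model, so a dtparam under the wrong section is as good as commented out) and, with `--live`, also checks for the /dev/i2c-1 node and the zkifc service. The config samples at the bottom are constructed from the config.txt posted above; the live checks assume the Zymkey sits on I2C bus 1 and that the service is named zkifc, as in this thread.

```shell
#!/bin/sh
# Added example (not Zymbit's script): pre-flight checks before running the
# root-fs encryption script. Pure functions read config.txt text on stdin so
# they can be exercised offline; --live checks the real Pi.

# Exit 0 if an uncommented dtparam enabling I2C appears in the config.txt text
# on stdin. Lines under a conditional section such as [pi3] only apply to that
# model, so they count only when the section is [all] (or absent) or matches
# the model name given as $1, e.g. pi4.
i2c_enabled_in_config() {
    awk -v model="${1:-}" '
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        /^[ \t]*dtparam=([^,]*,)*(i2c|i2c_arm)=on/ && (sec == "" || sec == "all" || sec == model) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Exit 0 if no uncommented dtoverlay=w1-gpio line is present (1-Wire off).
onewire_disabled_in_config() {
    awk '/^[ \t]*dtoverlay=w1-gpio/ { found = 1 } END { exit (found ? 1 : 0) }'
}

# Live checks; only meaningful on the Pi with the Zymkey attached.
zymkey_preflight_live() {
    model="${1:-all}"   # pass the section name for your board, e.g. pi4
    status=0
    if i2c_enabled_in_config "$model" < /boot/config.txt; then
        echo "ok   dtparam i2c_arm=on is active in /boot/config.txt"
    else
        echo "FAIL I2C is not enabled in /boot/config.txt (uncomment dtparam=i2c_arm=on or use raspi-config)"
        status=1
    fi
    if onewire_disabled_in_config < /boot/config.txt; then
        echo "ok   1-Wire overlay not loaded"
    else
        echo "FAIL dtoverlay=w1-gpio is active; disable 1-Wire before binding the Zymkey"
        status=1
    fi
    if [ -c /dev/i2c-1 ]; then
        echo "ok   /dev/i2c-1 present"
    else
        echo "FAIL /dev/i2c-1 missing (reboot after changing config.txt)"
        status=1
    fi
    if systemctl is-active --quiet zkifc; then
        echo "ok   zkifc is running (blue LED should flash once every three seconds)"
    else
        echo "FAIL zkifc is not active; install and bind the Zymkey before encrypting"
        status=1
    fi
    return "$status"
}

if [ "${1:-}" = "--live" ]; then
    zymkey_preflight_live "${2:-all}"
    exit
fi

# Constructed samples, taken from the config.txt posted in this thread.
CONFIG_AS_POSTED='# Uncomment some or all of these to enable the optional hardware interfaces
#dtparam=i2c_arm=on
#dtparam=i2s=on
#dtparam=spi=on
dtparam=audio=on
[pi4]
dtoverlay=vc4-fkms-v3d
[all]
#dtoverlay=vc4-fkms-v3d'
CONFIG_FIXED='dtparam=i2c_arm=on
dtparam=audio=on
[pi4]
dtoverlay=vc4-fkms-v3d'
# I2C enabled only for a Pi 3: correct on a 3B+, still off on a Pi 4.
CONFIG_PI3_ONLY='[pi3]
dtparam=i2c_arm=on
[all]
dtparam=audio=on'
CONFIG_W1='dtparam=i2c_arm=on
dtoverlay=w1-gpio'

if printf '%s\n' "$CONFIG_AS_POSTED" | i2c_enabled_in_config pi4; then
    echo "as posted: I2C enabled"
else
    echo "as posted: I2C still commented out, the Zymkey cannot be reached"
fi
if printf '%s\n' "$CONFIG_FIXED" | i2c_enabled_in_config pi4; then
    echo "fixed:     I2C enabled"
fi
if printf '%s\n' "$CONFIG_W1" | onewire_disabled_in_config; then
    echo "w1 sample: 1-Wire off"
else
    echo "w1 sample: 1-Wire overlay active, must be removed"
fi
```

Run it as `sudo sh preflight.sh --live pi4` on the board (the section name must match the one used in config.txt for that model); if all four lines say `ok` and the LED is at its slow flash, the encryption script has what it needs.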

Thanks, after enabling I2C and running the script, the light does not blink at all. I ran the script a few more times after but no change. Should i reload the OS and start from beginning? Below is the latest output.

Thanks
Chris

rsync is already the newest version (3.1.3-6).
zksaapps is already the newest version (1.0-9).
The following package was automatically installed and is no longer required:
rpi-eeprom-images
Use ‘apt autoremove’ to remove it.
0 upgraded, 0 newly installed, 0 to remove and 8 not upgraded.
Stopping zkifc…done.
cp: cannot stat ‘/var/lib/zymbit/’: No such file or directory
cp: ‘/etc/hosts’ and ‘/mnt/tmproot/etc/hosts’ are the same file
cp: ‘/etc/hostname’ and ‘/mnt/tmproot/etc/hostname’ are the same file
cp: ‘/etc/ssh/ssh_host_dsa_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_dsa_key’ are the same file
cp: ‘/etc/ssh/ssh_host_dsa_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_dsa_key.pub’ are the same file
cp: ‘/etc/ssh/ssh_host_ecdsa_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ecdsa_key’ are the same file
cp: ‘/etc/ssh/ssh_host_ecdsa_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ecdsa_key.pub’ are the same file
cp: ‘/etc/ssh/ssh_host_ed25519_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ed25519_key’ are the same file
cp: ‘/etc/ssh/ssh_host_ed25519_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_ed25519_key.pub’ are the same file
cp: ‘/etc/ssh/ssh_host_rsa_key’ and ‘/mnt/tmproot/etc/ssh/ssh_host_rsa_key’ are the same file
cp: ‘/etc/ssh/ssh_host_rsa_key.pub’ and ‘/mnt/tmproot/etc/ssh/ssh_host_rsa_key.pub’ are the same file
External device PARTUUID = 8ce5d40e-01
External device UUID = 84b87adb-f83d-4c19-a725-3309c5a70752
cp: ‘/etc/fstab’ and ‘/mnt/tmproot/etc/fstab’ are the same file
done.
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2…

I think starting over with a clean OS might be best at this point. I would also recommend reformatting your USB drive (ext4) to start clean when running the encryption script.

This seems to also be what is happening to me: Does not enter developer mode - temporary binding

Hi Cameron,

That is a possibility. I’m going to research what happens if you try and encrypt after initially having something misconfigured that led to an improper installation. It’ll take me a little time.

I verified in my setup with stretch and a 3B+ that encryption completed with everything installed correctly to start with. If you have the ability to start with a fresh OS with I2C enabled and 1-Wire disabled that may save some time to get you up and running. Just a reminder that the encryption takes some time and two reboots to complete.

Bob

Hi Bob, thanks for your time. I figured out I didn't follow directions properly after you pointed out the I2C, such as enabling I2C and running the install script. I have run the script to convert the SD card to encrypted. It seemed to be done with phase 1 but I cannot determine where it is in the process at this point. How can I check to see what I need to do next? I have only run the encrypt process 1 time at this point.

12 bytes copied, 0.0197508 s, 25.9 kB/s
Partition #1 contains a ext4 signature.
mke2fs 1.44.5 (15-Dec-2018)
Making a tarball of original root file system image…
tar: Removing leading `/' from member names
tar: Removing leading `/' from hard link targets
done.
Created symlink /etc/systemd/system/multi-user.target.wants/cfg_SD_crfs.service → /etc/systemd/system/cfg_SD_crfs.service.
Removed /etc/systemd/system/multi-user.target.wants/zkifc.service.
Removed /etc/systemd/system/multi-user.target.wants/zkbootrtc.service.
5,848,151,658 90% 21.72MB/s 0:04:16 (xfr#147946, to-chk=0/187202)
External device PARTUUID = 078e2fb6-01
External device UUID = 2ac5bcf5-b432-470a-805c-c8f426c29647
done.
root file sys conversion phase 1 complete.
Rebooting to installer partition to start phase 2…

It all happens on its own. You don't have to do anything. It can take 30 minutes or so for the first reboot, and then another 10 minutes before the second reboot. It's a little difficult to see what is going on after the first reboot as the next process runs within systemd. The best way is by observing the blue LED. It will flash rapidly until the whole process is done. Once done, it should return to the one flash every three seconds. If you look at 'lsblk' output once the process is done you'll see cryptrfs. Likewise, if you 'cat /boot/cmdline.txt' it should show that the root file system boots encrypted.
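Bob's two signs of a finished conversion can be checked mechanically rather than by eye. The script below is an added example for this thread, not part of Zymbit's tooling: one function looks for a device of TYPE `crypt` mounted at `/` in `lsblk` output, the other checks that the kernel command line boots from `/dev/mapper/<name>` and that its `cryptdevice=<partition>:<name>` entry names the same mapping (a `root=` that still says `PARTUUID=` means the plain partition is in use). The sample inputs are constructed from the `lsblk` and `cmdline.txt` output quoted in this thread; `--live` runs the same checks against the real system.

```shell
#!/bin/sh
# Added example (not Zymbit's code): confirm the root file system is mounted
# through dm-crypt after the two-phase conversion has completed.

# Exit 0 and print the mapper name if the lsblk text on stdin has a line of
# TYPE "crypt" mounted at "/". Assumes the default lsblk columns, where TYPE
# and MOUNTPOINT are the last two fields; leading tree glyphs are stripped.
crypt_root_from_lsblk() {
    awk '$NF == "/" && $(NF-1) == "crypt" {
             name = $1; sub(/^[^A-Za-z0-9_-]*/, "", name); found = 1
         }
         END { if (found) print name; exit (found ? 0 : 1) }'
}

# Exit 0 and print "<partition> <name>" if the kernel command line on stdin
# boots from /dev/mapper/<name> and cryptdevice=<partition>:<name>[:options]
# refers to the same mapping name.
crypt_root_from_cmdline() {
    mapper=""; cryptdev=""; cryptname=""
    for arg in $(cat); do
        case "$arg" in
            root=/dev/mapper/*) mapper="${arg#root=/dev/mapper/}" ;;
            cryptdevice=*)
                spec="${arg#cryptdevice=}"   # e.g. /dev/mmcblk0p2:cryptrfs
                cryptdev="${spec%%:*}"
                rest="${spec#*:}"
                cryptname="${rest%%:*}" ;;
        esac
    done
    if [ -n "$mapper" ] && [ "$mapper" = "$cryptname" ]; then
        echo "$cryptdev $mapper"
        return 0
    fi
    return 1
}

# Live check on the Pi itself.
crypt_root_live() {
    status=0
    if name=$(lsblk | crypt_root_from_lsblk); then
        echo "ok   / is mounted from dm-crypt device $name"
    else
        echo "FAIL no crypt device mounted at / (conversion not finished, or booted from the plain partition)"
        status=1
    fi
    if spec=$(crypt_root_from_cmdline < /boot/cmdline.txt); then
        echo "ok   cmdline.txt boots from /dev/mapper/${spec#* } (cryptdevice=${spec%% *})"
    else
        echo "FAIL /boot/cmdline.txt does not boot from a cryptdevice mapping"
        status=1
    fi
    return "$status"
}

if [ "${1:-}" = "--live" ]; then
    crypt_root_live
    exit
fi

# Constructed samples, taken from the outputs posted in this thread.
LSBLK_BEFORE='NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 465.8G 0 disk
└─sda1 8:1 0 465.8G 0 part /
mmcblk0 179:0 0 29.8G 0 disk
├─mmcblk0p1 179:1 0 256M 0 part /boot
└─mmcblk0p2 179:2 0 29.6G 0 part'
LSBLK_AFTER='NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
mmcblk0 179:0 0 29.8G 0 disk
├─mmcblk0p1 179:1 0 256M 0 part /boot
└─mmcblk0p2 179:2 0 29.6G 0 part
  └─cryptrfs 254:0 0 29.6G 0 crypt /'
CMDLINE_BEFORE='console=serial0,115200 console=tty1 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait quiet splash plymouth.ignore-serial-consoles root=PARTUUID=8ce5d40e-01'
CMDLINE_AFTER='console=serial0,115200 console=tty1 elevator=deadline fsck.repair=yes rootwait root=/dev/mapper/cryptrfs cryptdevice=/dev/mmcblk0p2:cryptrfs rng_core.default_quality=1000'

for stage in BEFORE AFTER; do
    eval "lsblk_text=\$LSBLK_$stage; cmdline_text=\$CMDLINE_$stage"
    if name=$(printf '%s\n' "$lsblk_text" | crypt_root_from_lsblk); then
        echo "$stage lsblk:   root on crypt device $name"
    else
        echo "$stage lsblk:   root on a plain partition"
    fi
    if spec=$(printf '%s\n' "$cmdline_text" | crypt_root_from_cmdline); then
        echo "$stage cmdline: boots encrypted ($spec)"
    else
        echo "$stage cmdline: not an encrypted root"
    fi
done
```

On the board, `sudo sh check_crypt_root.sh --live` should print two `ok` lines once the LED has dropped back to its slow flash; a `FAIL` on lsblk while cmdline.txt already passes usually means the second reboot has not happened yet.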

Thanks Bob, I think it looks good! (see below)
I got a couple of questions.
-Is it possible to store a password in the LUKS keys as a backup?
-Once it is cut to take to production, can I reload the OS as long as I keep the same Pi / SD combo and still get it to encrypt again?
-Can the key hold keys for other drives? For example, I'll boot from SD but will access data from a second USB drive. Can that second USB drive be LUKS encrypted and the key stored on the Zymkey?

Thanks Again!

root@raspberrypi:/home/pi# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 465.8G 0 disk
└─sda1 8:1 0 465.8G 0 part
sdb 8:16 0 465.8G 0 disk
mmcblk0 179:0 0 29.8G 0 disk
├─mmcblk0p1 179:1 0 256M 0 part /boot
└─mmcblk0p2 179:2 0 29.6G 0 part
└─cryptrfs 254:0 0 29.6G 0 crypt /
root@raspberrypi:/home/pi#
root@raspberrypi:/home/pi# cat /boot/cmdline.txt
console=serial0,115200 console=tty1 elevator=deadline fsck.repair=yes rootwait root=/dev/mapper/cryptrfs cryptdevice=/dev/mmcblk0p2:cryptrfs rng_core.default_quality=1000
root@raspberrypi:/home/pi#