I can’t seem to get this right…
Step 1: Set root password / login as root / Remove user pi and add new user e.g. ‘joe’. Add ‘joe’ to all groups that pi had belonged to include sudo.
Step 2: login as joe / su
Step 3: 'sudo curl -G https://s3.amazonaws.com/zk-sw-repo/install_zk_sw.sh | sudo bash’ —> So far so good. Binding is complete
No encrypt rootfs
Step 4: Login as ‘joe’ / su and run 'sudo curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash’
It is hard to know when this is done. I let it boot couple of times
Step 5: Led blinks in quick succession 8 times and then continuously blinks for few moments. Binding is lost. And so does ‘joe’. The user disappears, I am not longer able to login as ‘joe’
Step 6: So I login as root and cat /etc/passwd shows no ‘joe’ but ‘pi’ is back.
Certainly there is something not too good about non-pi users and zymkey.
I tried “joe” after deleting user “pi” with a buster32/desktop and it worked all the way through encryption.
My guess would be that the USB stick was previously used for an encryption run. If so, the encryption script will attempt to use the information from the previous run to save time, namely by looking for a file named original_zk_root.tgz, untarring and using the old rootfs files.
Try and run through the process one more time after you’ve created user “joe” and removed user “pi” using a newly formatted USB stick.
The whole process requires two reboots. After the first reboot, the second part runs as a systemd service. You can monitor the progress with journalctl. Include the -f to follow the operation:
journalctl -fu cfg_SD_crfs
If you see errors there, let me know. After the second reboot, you can use lsblk to see the cryptrfs listed.
Excellent! That must be it then! I formatted the external USB and it works now. I think this also explains why encryption used to happen too quickly. I presumed the install script would do mkfs.ext4 /dev/sda1 by default.
Is there a way to uninstall zymkey services and re-bind? I tried running install again and looks like it does no help.
What is the recommended way to deploy the final device? Install all custom software and then add zymkey services and encrypt the SD or start with installation of zymkey services, encrypt sd card and then install custom software?
I am using Buster 64-bit OS (20-Aug-2020 version) of Raspberry Pi OS.