Raspberry Pi 4-B: not able to encrypt "rootfs"

Hi,
I’ve bought a Zymbit Zymkey 4i and followed every step for setup mentioned in the quick start.
But when I try to encrypt the root, it’s not happening.

I’ve used both options:
Option 1 - Convert existing SD Card to LUKS.
Option 2 - Migrate existing SD card to external LUKS storage device.

In the 1st option, what happens is that my SD card works only with the USB device on which it stores the data after encryption. It doesn’t work otherwise.

In the 2nd option, my SD card and my external USB stop working. Neither of them loads, and when I insert the SD card in another system it asks for a password, which I don’t have.

What we want is that no one should be able to access the root fs of the SD card, neither in Linux nor in Windows, and also with restrictions on access through “cmdline.txt”: no one should access the root using “cmdline.txt”.

Thanks in advance.
Any help will be appreciated.

@Hardik - There are some hints in our Troubleshooting Guide that you can review here:
Encryption Troubleshooting
Can you tell me which PI model and which OS you are using?

Hi @Bob_of_Zymbit ,
I’m using Raspberry Pi 4 B and OS is Raspbian Buster.

A couple of other things:

  • Power. As basic as it sounds, many of the issues people encounter are due to a poor power supply. A “phone charger” is inadequate. You need a good supply that can provide at least 2.5 amps, preferably 3+ amps. The Canakit and official RPI supplies are recommended.

  • Start fresh. Reformat/Erase your USB stick. The process will re-use data from a previous run if the file original_zk_root.tgz exists on the USB stick.

  • It is possible that the USB stick is automounting in the background. The encryption script will unmount the device (usually /dev/sda1), but sometimes with the desktop it will re-automount. You can check with “lsblk”, or also by monitoring the second phase (after the first reboot) with journalctl -fu cfg_SD_crfs. Watch for errors, like “already mounted”. A simple sudo umount /dev/sda1 might fix it.

  • Be patient. Make sure the process completes including two reboots.
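
The checks in the list above can be scripted before starting a run. This is an added example, not part of the reply or of Zymbit's encryption script: the function names are hypothetical, and it assumes the stick is /dev/sda1 as in the post and that mounts are read in /proc/mounts format.

```shell
#!/bin/sh
# Pre-flight checks for the USB stick used by the encryption run.
# Added example: function names are hypothetical, not Zymbit tooling.

# mount_point_of DEVICE [MOUNTS_FILE]
# Prints where DEVICE is mounted, or nothing if it is not mounted.
# /proc/mounts escapes spaces as \040, so the path is decoded with %b.
mount_point_of() {
    raw=$(awk -v dev="$1" '$1 == dev { print $2; exit }' "${2:-/proc/mounts}")
    if [ -n "$raw" ]; then
        printf '%b\n' "$raw"
    fi
}

# has_stale_archive DIR
# True if an earlier run left original_zk_root.tgz on the stick.
has_stale_archive() {
    [ -f "$1/original_zk_root.tgz" ]
}

# count_mount_errors
# Reads journal text on stdin, prints the number of "already mounted" lines.
count_mount_errors() {
    grep -ci 'already mounted' || true
}

# preflight [DEVICE] [MOUNTS_FILE]
# Returns 1 if the device is currently mounted (possible automount).
preflight() {
    dev=${1:-/dev/sda1}
    mounts=${2:-/proc/mounts}
    mp=$(mount_point_of "$dev" "$mounts")
    if [ -z "$mp" ]; then
        echo "OK: $dev is not mounted"
        return 0
    fi
    echo "WARN: $dev is mounted at $mp; run: sudo umount $dev"
    if has_stale_archive "$mp"; then
        echo "WARN: $mp/original_zk_root.tgz exists and will be re-used; reformat the stick"
    fi
    return 1
}
```

Run preflight /dev/sda1 before starting the encryption; after the first reboot, journalctl -u cfg_SD_crfs --no-pager | count_mount_errors reports how many "already mounted" errors the second phase has logged.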

Hi @Bob_of_Zymbit

Thank you for your help.
It worked initially, but I got this after executing the encryption command.