Upgrading from Jessie to Stretch breaks encrypted pi?


Successfully encrypted a pi zero with a zymkey then locked it to device, however after performing an apt upgrade then reboot the device no longer unlucks the filesystem! is there another command that needs to be run after apt upgrade?




Just tried same thing on a pi3, exactly the same issue. now i have 2 useless zymkeys!!


Its very unlikely your zymkeys are rendereed useless. Cutting their tabs simply binds them to the specific Pi/SD card combination. You still have full access to cryptographic functions and services.

So, when you say “locked it to the device” do you mean your removed the ‘cut-2-lock’ tab and put the device into “production mode” ?


Yes, after successfully encrypting the sd cards on both pi’s, I cut the tab

  1. Can you clarify what apt upgrade you performed - was it from Jessie to Stretch ?
  2. Before you did he apt upgrade, did you verify the LUKS encrypted disc(s) worked - ie you could read them.


I just ran a standard apt upgrade for all new packages

I had verified that both the micro sds where encrypted

I had power cycled the pi’s many times before.

It was only after issuing the apt upgrade command that they both failed

Many thanks


OK… looking into this… .will come back shortly


Many thanks, can the zymkeys be used again on the same pi’s they are locked to I.e run the encryption on the sd card again?




After further analysis on our side, it looks like if you upgraded to Raspbian Stretch AFTER you cut the Lock tabs, then you may not be able to rebuild your system. Stretch is a major release update and there are too many variables - between Stretch and your application space - for us to be 100% sure what is going on in your specific application.

Internal testing results

When we performed an upgrade from Jessie to Stretch on an already encrypted file system, we did experience problems:

  1. Started with a bare Jessie Lite install
  2. Installed Zymkey software components
  3. Converted SD card root file system to LUKS encrypted volume using Zymkey locking on the LUKS key per community post
  4. Upgraded to Raspbian Stretch

Specifically the initramfs is complaining that it can’t find the necessary drivers due to the kernel version being different in Stretch. This is a kernel issue, not directly related to Zymkey.

RPi community does caution of upgrade issues from Jessie to Stretch. See the Raspberry Pi page which announces Stretch release (https://www.raspberrypi.org/blog/raspbian-stretch/):
Upgrading an existing Jessie image is possible, but is not guaranteed to work in every circumstance. If you wish to try upgrading a Jessie image to Stretch, we strongly recommend taking a backup first – we can accept no responsibility for loss of data from a failed update.

To save you further problems please contact Zymbit support directly, including your community handle, and we will try to take care of you.

In the interim we have added a Warning to the getting started guide to NOT cut the tab until after you have settled on a major code distribution. Also we will recommend Jessie for new apps, until Stretch has settled down. (next 4 to 6 weeks)