What are the general steps for configuring Zymkey/RPi SD card?


Is there a guide that lists the general steps for using Zymkey and encrypting an SD card?

I’ve read the getting started guides and the LUKS encryption tutorials but still not sure on the process from start to finish.


  1. Use pip to install Zymkey libraries
  2. ?
  3. ?
  4. ?


Per the guide (it’s kind of hidden with a drop down) (LUKS Encrypt Your Root File System on Raspberry Pi):

To convert your root file system to LUKS/dm-crypt, you will need to connect an external USB disk (as temporary storage). As mentioned previously, this is necessary because it is not possible to encrypt the partition in place, so the external disk is needed as temporary storage and a temporary root file system while the conversion takes place. The external disk needs to be at least twice as big as the root partition. Next, run the following script:

curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash

This script is parameterized, so if you have special requirements (e.g. root file system lives on /dev/mmcblk0p4), you can invoke it in the following fashion:

curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash -s – -x <path to external storage device (e.g. /dev/sdX> -m

In the above invocation with no parameters, the defaults are:

Original root file system located on /dev/mmcblk0p2
Temporary root file system/storage for original root tarball located on /dev/sda
Temporary root file system takes up entirety of new device
The very first run of this script on a new temporary external USB disk could take a long time. Also, two reboots are required before the script is complete.

One thing to note is that, if the external storage device has an ext4 formatted partition with the original root file system partition (e.g. /dev/mmcblk0p2) on it, this script will use what is already on the external storage device to convert the SD card. This cuts down time for converting lots of Pi root file systems and allows the script to be used in a mass production deployment.

On a Pi3 with an attached USB SSD as the external device on a bare Jessie “full” version (~4GB), the first run of this script requires about an hour to complete the first phase. The second phase takes around 15 minutes.

The same platform with a Jessie “lite” version (~1.6GB) takes around 20 minutes for phase 1 and 5 minutes for phase 2.

Based on the above, using the formatted external device to convert subsequent units should only take 15/5 minutes.


Thanks for replying. Is there a single document that goes step by step, how to encrypt the SSD and bind the 4i to my Pi? If not, I do have some questions.

Do I have to follow the LUKS guide or will the mk_encr_sd_rfs.sh do everything for me?

Where do I find the documentation for mk_encr_sd_rfs.sh? So I can see the parameters.

curl -G https://s3.amazonaws.com/zk-sw-repo/mk_encr_sd_rfs.sh | sudo bash -s – -x <path to external storage device (e.g. /dev/sdX> -m

My original Pi filesystem is ext4. How can I use this for bulk production? I thought the Zymkey 4i needed to bind to each Pi specifically.