Monday, 28 November 2022

COOLDays 2022 - Berlin

This year Collabora Productivity organized a hybrid conference in Berlin. I participated virtually by presenting a video on recent improvements in JSDialogs, which provides the dialogs known from LibreOffice for Collabora Online. The second talk was a short case study / tutorial on how to add a new component based on the mentioned framework.



Saturday, 12 November 2022

Raspberry Pi OS with LUKS

Short notes with the setup for working remote LUKS decryption. Unfortunately, after cryptroot-unlock succeeds, it shuts down the system :) Maybe I will try again when I find some time.
    1. Burn the Raspberry Pi OS Lite image

    2. Create additional partition for encrypted root partition.

    3. Update and restart:
    apt-get update && apt-get upgrade
    sudo shutdown -r now
    
    4. Install deps:
    apt-get install busybox cryptsetup dropbear-initramfs lvm2
    
    5. Prepare partition:
    cryptsetup -v -y --cipher aes-xts-plain64 --key-size 256 luksFormat <newroot>
    cryptsetup -v luksOpen <newroot> sdcard
    mkfs.ext4 /dev/mapper/sdcard
    cryptsetup luksClose /dev/mapper/sdcard
    
    6. Configure the partition in the system. Check:
    blkid | grep crypto_LUKS
    
    open /etc/crypttab and add:
    sdcard    <newroot>    none    luks,initramfs
    
    open /etc/fstab and replace original root partition with:
    /dev/mapper/sdcard      /       ext4    defaults        0       1
    
    open /boot/cmdline.txt and replace existing partition config with:
    root=/dev/mapper/sdcard cryptdevice=<newroot>:sdcard
    
    also add at the end of the same file dhcp configuration:
    ip=:::::eth0:dhcp
    
    7. Configure early decryption:
    echo 'DROPBEAR_OPTIONS="-RFEsjk -c /bin/cryptroot-unlock"' > /etc/dropbear-initramfs/config
    echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook
    
    8. Fix issue with short timeout for decryption:
    sed -i 's/^TIMEOUT=.*/TIMEOUT=100/g' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
    
    9. Configure early remote access over SSH:
    touch /boot/ssh
    echo '<your_public_ssh_key>' > /etc/dropbear-initramfs/authorized_keys
    
    10. Copy files from the original root partition to the new encrypted partition.

    11. Generate initramfs:
    sudo mkinitramfs -o /boot/initramfs.gz
    echo "initramfs initramfs.gz" >> /boot/config.txt
    
    12. Reboot and try to connect remotely. Configs for ssh:
    Host pi
        HostName <ip>
        User user
        PreferredAuthentications password
    
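    Host pi-enable
        HostName <ip>
        User root
        # The next two options turn off host key verification, so the host
        # receiving the LUKS passphrase is not authenticated.
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
        # IdentityFile normally names the private key file; a public key file
        # works only when the matching private key is loaded in ssh-agent.
        IdentityFile ~/.ssh/<your_public_ssh_key>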
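
A pre-reboot sanity check for steps 6 to 11, as an added example that is not part of the original notes: it verifies that crypttab, fstab, cmdline.txt, the dropbear key file and config.txt agree on the same mapper name. The function names, the `ROOT` prefix argument and the sample tree (with `/dev/mmcblk0p3` standing in for `<newroot>`) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: consistency check for the files edited in steps 6-11.
# ROOT is a directory prefix (empty for the live system); NAME is the mapper
# name ("sdcard" in the notes). Return value = number of problems found.
check_luks_boot() {
    root=$1; name=$2; problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    # Step 6: the crypttab entry for NAME must carry the "initramfs" option.
    awk -v n="$name" '$1 == n && $4 ~ /(^|,)initramfs(,|$)/ { ok = 1 }
        END { exit !ok }' "$root/etc/crypttab" 2>/dev/null ||
        fail "crypttab: no '$name' entry with the initramfs option"

    # Step 6: fstab must mount / from the mapped device.
    awk -v d="/dev/mapper/$name" '$1 == d && $2 == "/" { ok = 1 }
        END { exit !ok }' "$root/etc/fstab" 2>/dev/null ||
        fail "fstab: / is not mounted from /dev/mapper/$name"

    # Step 6: the kernel command line must point root= at the same device.
    grep -Eq "(^| )root=/dev/mapper/$name( |\$)" "$root/boot/cmdline.txt" 2>/dev/null ||
        fail "cmdline.txt: root= is not /dev/mapper/$name"

    # Step 9: dropbear needs at least one authorized key in the initramfs.
    [ -s "$root/etc/dropbear-initramfs/authorized_keys" ] ||
        fail "dropbear-initramfs/authorized_keys is missing or empty"

    # Step 11: config.txt must name an initramfs image that exists in /boot.
    img=$(awk '$1 == "initramfs" { print $2 }' "$root/boot/config.txt" 2>/dev/null | tail -n 1)
    { [ -n "$img" ] && [ -s "$root/boot/$img" ]; } ||
        fail "config.txt: initramfs line or image file is missing"

    return "$problems"
}

# Constructed sample tree mirroring the notes (/dev/mmcblk0p3 stands in for <newroot>).
make_sample_tree() {
    mkdir -p "$1/etc/dropbear-initramfs" "$1/boot"
    echo "sdcard /dev/mmcblk0p3 none luks,initramfs" > "$1/etc/crypttab"
    echo "/dev/mapper/sdcard / ext4 defaults 0 1" > "$1/etc/fstab"
    echo "console=tty1 root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p3:sdcard ip=:::::eth0:dhcp" > "$1/boot/cmdline.txt"
    echo "ssh-ed25519 AAAA-constructed-key user@host" > "$1/etc/dropbear-initramfs/authorized_keys"
    echo "initramfs initramfs.gz" > "$1/boot/config.txt"
    echo "constructed placeholder image" > "$1/boot/initramfs.gz"
}
```

On the Pi, run `check_luks_boot "" sdcard` after step 11; a non-zero return value is the number of mismatches to fix before rebooting.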
    




Links:

https://github.com/ViRb3/pi-encrypted-boot-ssh

https://www.paxswill.com/encrypted-raspberry-pi/

https://www.kali.org/docs/arm/raspberry-pi-with-luks-full-disk-encryption/

https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/