Saturday, 12 November 2022

Raspberry Pi OS with LUKS

Short notes on a setup for working remote LUKS decryption. Unfortunately, after cryptroot-unlock succeeds it shuts down the system :) Maybe I will try again when I find some time.
    1. Burn the Raspberry Pi OS Lite image

    2. Create additional partition for encrypted root partition.

    3. Update and restart:
    apt-get update && apt-get upgrade
    sudo shutdown -r now
    
    4. Install deps:
    apt-get install busybox cryptsetup dropbear-initramfs lvm2
    
    5. Prepare partition:
    cryptsetup -v -y --cipher aes-xts-plain64 --key-size 256 luksFormat <newroot>
    cryptsetup -v luksOpen <newroot> sdcard
    mkfs.ext4 /dev/mapper/sdcard
    cryptsetup luksClose /dev/mapper/sdcard
    
    6. Configure the partition in the system. First find the LUKS partition:
    blkid | grep crypto_LUKS
    
    open /etc/crypttab and add:
    sdcard    <newroot>    none    luks,initramfs
    
    open /etc/fstab and replace original root partition with:
    /dev/mapper/sdcard      /       ext4    defaults        0       1
    
    open /boot/cmdline.txt and replace existing partition config with:
    root=/dev/mapper/sdcard cryptdevice=<newroot>:sdcard
    
    also add at the end of the same file dhcp configuration:
    ip=:::::eth0:dhcp
    
    7. Configure early decryption:
    echo 'DROPBEAR_OPTIONS="-RFEsjk -c /bin/cryptroot-unlock"' > /etc/dropbear-initramfs/config
    echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook
    
    8. Fix issue with short timeout for decryption:
    sed -i 's/^TIMEOUT=.*/TIMEOUT=100/g' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
    
    9. Configure early remote access over SSH:
    touch /boot/ssh
    echo '<your_public_ssh_key>' > /etc/dropbear-initramfs/authorized_keys
    
    10. Copy files from the original root partition to the new encrypted partition.

    11. Generate initramfs:
    sudo mkinitramfs -o /boot/initramfs.gz
    echo "initramfs initramfs.gz" >> /boot/config.txt
    
    12. Reboot and try to connect remotely. Configs for ssh:
    Host pi
        HostName <ip>
        User user
        PreferredAuthentications password
    
    Host pi-enable
        HostName <ip>
        User root
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
        IdentityFile ~/.ssh/<your_public_ssh_key>
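A forgotten step in the list above (the `initramfs` option missing from crypttab, a placeholder left in `authorized_keys`, no `initramfs` line in config.txt) is only discovered after the reboot, when the box no longer comes up. The following pre-reboot check is an added example and not part of the original notes; it assumes the names used in the notes (mapper name `sdcard`, initramfs at `/boot/initramfs.gz`) and takes a PREFIX argument so it can be run against the live system (`/`) or against a mounted image or a scratch tree. The partition path `/dev/mmcblk0p3` in the usage comment is a constructed example.

```shell
#!/bin/sh
# Pre-reboot sanity check for the LUKS + dropbear-initramfs setup above.
# Added example, not from the original notes. Assumes mapper name "sdcard"
# and /boot/initramfs.gz as generated in step 11.
#
# Usage: check_luks_boot_config PREFIX NEWROOT
#   PREFIX   root of the tree to inspect ("/" for the running system)
#   NEWROOT  the LUKS partition, e.g. /dev/mmcblk0p3 (constructed example)
# Prints one line per problem and returns the number of problems found.
check_luks_boot_config() {
    _p=${1%/}
    _newroot=$2
    _fail=0

    # _expect FILE REGEX DESCRIPTION: the file must exist under PREFIX and
    # contain a line matching REGEX, otherwise the problem is reported.
    _expect() {
        if [ ! -f "$_p$1" ]; then
            echo "MISSING  $1 ($3)"; _fail=$((_fail + 1))
        elif ! grep -Eq "$2" "$_p$1"; then
            echo "BAD      $1: $3"; _fail=$((_fail + 1))
        fi
    }

    # crypttab: without the "initramfs" option the cryptsetup hook does not
    # put the mapping into the early boot environment at all.
    _expect /etc/crypttab \
        "^sdcard[[:space:]]+$_newroot[[:space:]]+none[[:space:]]+.*initramfs" \
        "sdcard entry for $_newroot with luks,initramfs"
    _expect /etc/fstab "^/dev/mapper/sdcard[[:space:]]+/[[:space:]]+ext4" \
        "root filesystem mounted from /dev/mapper/sdcard"
    _expect /boot/cmdline.txt "root=/dev/mapper/sdcard" \
        "root= points at the mapper device"
    _expect /boot/cmdline.txt "cryptdevice=$_newroot:sdcard" \
        "cryptdevice=<newroot>:sdcard"
    # Without ip=... the initramfs never brings up eth0, so dropbear is unreachable.
    _expect /boot/cmdline.txt "ip=[^ ]*eth0:dhcp" \
        "ip=:::::eth0:dhcp so the initramfs gets an address"
    _expect /etc/dropbear-initramfs/config 'DROPBEAR_OPTIONS=.*cryptroot-unlock' \
        "cryptroot-unlock forced command in DROPBEAR_OPTIONS"
    _expect /etc/cryptsetup-initramfs/conf-hook "^CRYPTSETUP=y" "CRYPTSETUP=y"
    _expect /boot/config.txt "^initramfs[[:space:]]+initramfs.gz" \
        "initramfs initramfs.gz"

    # authorized_keys must exist, be non-empty and not still hold the placeholder.
    _ak=/etc/dropbear-initramfs/authorized_keys
    if [ ! -s "$_p$_ak" ]; then
        echo "MISSING  $_ak (no key means no remote unlock)"; _fail=$((_fail + 1))
    elif grep -q '<your_public_ssh_key>' "$_p$_ak"; then
        echo "BAD      $_ak: placeholder never replaced"; _fail=$((_fail + 1))
    fi

    if [ ! -f "$_p/boot/initramfs.gz" ]; then
        echo "MISSING  /boot/initramfs.gz (run mkinitramfs, step 11)"
        _fail=$((_fail + 1))
    fi

    return $_fail
}

# Run directly as: sh check-luks-boot.sh / /dev/mmcblk0p3
if [ "$#" -eq 2 ]; then
    check_luks_boot_config "$1" "$2"
fi
```

The check only inspects the configuration files; after `mkinitramfs` it is worth confirming separately that the generated image actually carries the unlock tooling, for example with `lsinitramfs /boot/initramfs.gz | grep -E 'cryptsetup|dropbear'`, since a config that is correct on disk but was edited after the image was built still produces an unbootable system.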
    

Links:

https://github.com/ViRb3/pi-encrypted-boot-ssh

https://www.paxswill.com/encrypted-raspberry-pi/

https://www.kali.org/docs/arm/raspberry-pi-with-luks-full-disk-encryption/

https://www.arminpech.de/2019/12/23/debian-unlock-luks-root-partition-remotely-by-ssh-using-dropbear/
