Saturday, 12 November 2022

Raspberry Pi OS with LUKS

Short notes with a setup for working remote LUKS decrypt. Unfortunately, after cryptroot-unlock succeeds, it shuts down the system :) Maybe I will try again when I find some time.
    1. Burn the Raspberry Pi OS Lite image

    2. Create an additional partition for the encrypted root partition.

    3. Update and restart:
    apt-get update && apt-get upgrade
    sudo shutdown -r now
    4. Install dependencies:
    apt-get install busybox cryptsetup dropbear-initramfs lvm2
    5. Prepare the partition:
    cryptsetup -v -y --cipher aes-xts-plain64 --key-size 256 luksFormat <newroot>
    cryptsetup -v luksOpen <newroot> sdcard
    mkfs.ext4 /dev/mapper/sdcard
    cryptsetup luksClose /dev/mapper/sdcard
    6. Configure the partition in the system. Find the new LUKS partition (and its UUID) with:
    blkid | grep crypto_LUKS
    open /etc/crypttab and add:
    sdcard    <newroot>    none    luks,initramfs
    open /etc/fstab and replace original root partition with:
    /dev/mapper/sdcard      /       ext4    defaults        0       1
    open /boot/cmdline.txt and replace existing partition config with:
    root=/dev/mapper/sdcard cryptdevice=<newroot>:sdcard
    also add the DHCP configuration for the initramfs network at the end of the same file (cmdline.txt must stay a single line, so append it to that line):
    7. Configure early decryption:
    echo 'DROPBEAR_OPTIONS="-RFEsjk -c /bin/cryptroot-unlock"' > /etc/dropbear-initramfs/config
    echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook
    8. Work around the short timeout for entering the passphrase:
    sed -i 's/^TIMEOUT=.*/TIMEOUT=100/g' /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
    9. Configure early remote access over SSH:
    touch /boot/ssh
    echo '<your_public_ssh_key>' > /etc/dropbear-initramfs/authorized_keys
    10. Copy the files from the original root partition to the new encrypted partition.
    11. Generate the initramfs:
    sudo mkinitramfs -o /boot/initramfs.gz
    echo "initramfs initramfs.gz" >> /boot/config.txt
    12. Reboot and try to connect remotely. SSH client configs (~/.ssh/config): `pi` for the normal OS login, `pi-enable` for the initramfs unlock prompt:
    Host pi
        HostName <ip>
        User user
        PreferredAuthentications password
    Host pi-enable
        HostName <ip>
        User root
        # The dropbear host key in the initramfs differs from the OS sshd key, which is
        # why verification is disabled here; that leaves the passphrase exposed to an
        # on-path attacker, so pinning the dropbear key in a separate UserKnownHostsFile
        # is the safer alternative.
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
        # IdentityFile takes the private key matching the public key installed in
        # /etc/dropbear-initramfs/authorized_keys
        IdentityFile ~/.ssh/<your_private_ssh_key>
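Before rebooting in step 12 it is worth checking the files the steps above edit, since a mistake in any of them leaves a headless Pi unbootable. This is an added example, not part of the original notes: it assumes the DHCP setting referred to in step 6 is the kernel `ip=dhcp` parameter that initramfs-tools reads, and the sample file contents it builds are constructed (the device `/dev/mmcblk0p3` and the key are placeholders, not real values).

```shell
#!/bin/sh
# Pre-reboot sanity check for the setup above. <dir> holds copies of
# crypttab, fstab, cmdline.txt, config.txt and authorized_keys taken from
# /etc, /boot and /etc/dropbear-initramfs. Prints each problem found;
# returns 0 only when every check passes.
check_luks_boot_config() {
    dir=$1; fails=0
    # step 6: mapping named sdcard with the initramfs flag, so it is unlocked early
    grep -Eq '^sdcard[[:space:]]+[^[:space:]]+[[:space:]]+none[[:space:]]+[^[:space:]]*initramfs' "$dir/crypttab" \
        || { echo "crypttab: no 'sdcard <dev> none luks,initramfs' entry"; fails=$((fails+1)); }
    # step 6: / must come from the mapper device, not the old plaintext partition
    grep -Eq '^/dev/mapper/sdcard[[:space:]]+/[[:space:]]+ext4' "$dir/fstab" \
        || { echo "fstab: / is not /dev/mapper/sdcard"; fails=$((fails+1)); }
    # step 6: cmdline.txt is one line; root=, cryptdevice= and ip= (assumed form of
    # the DHCP setting, read by initramfs-tools) must all be on it
    [ "$(grep -c '' "$dir/cmdline.txt")" -le 1 ] \
        || { echo "cmdline.txt: must be a single line"; fails=$((fails+1)); }
    cmd=" $(head -n 1 "$dir/cmdline.txt") "
    case "$cmd" in *" root=/dev/mapper/sdcard "*) ;; *)
        echo "cmdline.txt: root= is not /dev/mapper/sdcard"; fails=$((fails+1));; esac
    case "$cmd" in *" cryptdevice="*":sdcard "*) ;; *)
        echo "cmdline.txt: no cryptdevice=<dev>:sdcard"; fails=$((fails+1));; esac
    case "$cmd" in *" ip="*) ;; *)
        echo "cmdline.txt: no ip= parameter, dropbear will have no network"; fails=$((fails+1));; esac
    # step 11: the firmware only loads the initramfs if config.txt says so
    grep -Eq '^initramfs[[:space:]]+initramfs\.gz' "$dir/config.txt" \
        || { echo "config.txt: missing 'initramfs initramfs.gz'"; fails=$((fails+1)); }
    # step 9: a real public key must have replaced the placeholder, and no private key leaked in
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/]+=*' "$dir/authorized_keys" \
        || { echo "authorized_keys: no usable public key (placeholder left in?)"; fails=$((fails+1)); }
    ! grep -q 'PRIVATE KEY' "$dir/authorized_keys" \
        || { echo "authorized_keys: contains a private key"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ]
}

# Constructed sample tree (not from a real Pi) in the shape the steps produce.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'sdcard\t/dev/mmcblk0p3\tnone\tluks,initramfs\n' > "$d/crypttab"
    printf '/dev/mapper/sdcard\t/\text4\tdefaults\t0\t1\n' > "$d/fstab"
    printf 'console=tty1 root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p3:sdcard rootfstype=ext4 ip=dhcp\n' > "$d/cmdline.txt"
    printf 'initramfs initramfs.gz\n' > "$d/config.txt"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal pi@laptop\n' > "$d/authorized_keys"
    echo "$d"
}
```

On the Pi itself, copy the five files into one directory and run `check_luks_boot_config <dir>`; a non-zero exit means do not reboot yet.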


