Set up full disk encryption using LVM on LUKS (single drive) with remote SSH unlocking on an already set-up and running Raspbian Stretch system. Following this guide there is no need to connect a screen or keyboard to the rpi at any stage, since remote SSH is set up at the same time (at present no other guides available tell you that this is possible).
To be safe, back up the SD card first (using another computer is easiest in my case):

```sh
sudo dd bs=4M if=/dev/<rpi_sdcard> | gzip > rpibackup.img.gz
```

or use my fish shell function.
```sh
sudo apt update
sudo apt install cryptsetup lvm2 busybox
sudo reboot
```
・In /boot/config.txt, add the following line to the end of the file so the firmware loads the initramfs after the kernel:

```
initramfs initramfs.gz followkernel
```
・In /boot/cmdline.txt (a single line of kernel options), replace `root=/dev/mmcblk0p2` with `root=/dev/mapper/sdcard`, and add the following to the end of the line:

```
cryptdevice=/dev/mmcblk0p2:sdcard
```
・In /etc/fstab, replace `/dev/mmcblk0p2` with `/dev/mapper/sdcard` so the root filesystem is mounted from the unlocked mapping.
・In /etc/crypttab, add the following line to the end of the file (name, source device, key file, options):

```
sdcard /dev/mmcblk0p2 none luks
```

・Note: use tabs, not spaces! (TODO: check whether this actually matters)
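A quick check of the four edited files before rebuilding the initramfs, added here as an example (it is not part of the original guide). It assumes the mapper name `sdcard` and the root partition `/dev/mmcblk0p2` used above; the file paths can be overridden through environment variables so the checks can also be run against copies of the files.

```sh
#!/bin/sh
# Added example, not from the original guide: verify the config-file edits
# before running mkinitramfs. Assumes the guide's names: mapper device
# "sdcard", LUKS partition /dev/mmcblk0p2. Paths can be overridden via the
# environment (e.g. to check copies of the files on another machine).
CONFIG_TXT=${CONFIG_TXT:-/boot/config.txt}
CMDLINE_TXT=${CMDLINE_TXT:-/boot/cmdline.txt}
FSTAB=${FSTAB:-/etc/fstab}
CRYPTTAB=${CRYPTTAB:-/etc/crypttab}

# config.txt must load the initramfs, otherwise neither dropbear nor
# cryptsetup ever run and the kernel cannot find its root filesystem
check_config_txt() {
    grep -qx 'initramfs initramfs.gz followkernel' "$CONFIG_TXT"
}

# cmdline.txt is one line of space-separated options: root= must point at the
# mapper device, cryptdevice= must name the LUKS partition plus the same mapper
# name, and the old root= must be gone
check_cmdline() {
    line=" $(head -n1 "$CMDLINE_TXT") "
    case "$line" in *" root=/dev/mapper/sdcard "*) ;; *) return 1 ;; esac
    case "$line" in *" cryptdevice=/dev/mmcblk0p2:sdcard "*) ;; *) return 1 ;; esac
    case "$line" in *" root=/dev/mmcblk0p2 "*) return 1 ;; esac
    return 0
}

# fstab: / is mounted from the mapper device, not from the raw partition
check_fstab() {
    grep -qE '^/dev/mapper/sdcard[[:space:]]+/[[:space:]]' "$FSTAB" &&
        ! grep -qE '^/dev/mmcblk0p2[[:space:]]' "$FSTAB"
}

# crypttab: name, source device, key file ("none" = ask for passphrase), options
check_crypttab() {
    grep -qE '^sdcard[[:space:]]+/dev/mmcblk0p2[[:space:]]+none[[:space:]]+luks' "$CRYPTTAB"
}

# Run every check, print one verdict per file, return 1 if any failed
check_all() {
    rc=0
    for c in check_config_txt check_cmdline check_fstab check_crypttab; do
        if "$c"; then echo "ok   $c"; else echo "FAIL $c"; rc=1; fi
    done
    return "$rc"
}

if [ "${1:-}" = "run" ]; then check_all; fi
```

Run it on the Pi as `sudo sh check_luks_config.sh run`; a FAIL line names the file that still needs attention.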
```sh
sudo apt install dropbear dropbear-initramfs
# appending to files under /etc needs root, so write through sudo tee -a
echo 'DROPBEAR_OPTIONS="-p <your_ssh_port>"' | sudo tee -a /etc/dropbear-initramfs/config
echo "ssh-rsa <yourpublickey>" | sudo tee -a /etc/dropbear-initramfs/authorized_keys
```
・Note: No need to write any unlock scripts, as we can use `cryptroot-unlock`, which has shipped with cryptsetup since stretch:

```
debian/initramfs/cryptroot-unlock(-hook): add initramfs hook and script to remotely unlock cryptroot devices. (closes: #782024, #697156)
```
・Note 2: Use a different port from your normal SSH port for this server, to avoid clashes when strict host key checking is enabled (the host key presented by dropbear and the one presented by sshd after the device is unlocked are different, but the hostname is the same, so the client sees the warning below):
```text
^^/.ssh >>> ssh 192.168.1.3 -p1788 20:17:33
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:5asd345345dfasdsdffasdfaA.
Please contact your system administrator.
Add correct host key in /home/client/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/client/.ssh/known_hosts:6
ECDSA host key for [192.168.1.3]:1788 has changed and you have requested strict checking.
Host key verification failed.
```
WIP
Since they are not passphrase protected, delete any host keys generated by the dropbear install and generate our own:

```sh
sudo rm -f /etc/dropbear/dropbear_*_host_key
```

Create a passphrase-protected key using OpenSSH, then convert it to dropbear format:

```sh
# usage: dropbearconvert <inputtype> <outputtype> <inputfile> <outputfile>
# (reading the OpenSSH host key requires root)
sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear_rsa_host_key
```
Create a throwaway LUKS volume with the same mapper name so that /dev/mapper/sdcard exists while the initramfs is being built; mkinitramfs needs to see the root device as an unlocked LUKS mapping in order to include cryptsetup:

```sh
dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
sudo cryptsetup luksFormat /tmp/fakeroot.img
```

```text
This will overwrite data on /tmp/fakeroot.img irrevocably.
Are you sure? (Type uppercase yes):
```

・Make sure to type YES in capitals as it says (I spent way too long debugging this, since there is no error message if you type it in lowercase).
・Enter a passphrase for the encrypted filesystem when prompted.

```sh
sudo cryptsetup luksOpen /tmp/fakeroot.img sdcard
sudo mkfs.ext4 /dev/mapper/sdcard
```
```sh
sudo mkinitramfs -o /boot/initramfs.gz
lsinitramfs /boot/initramfs.gz | grep 'dropbear\|cryptsetup'
```

・Note: Check for warnings, and that cryptsetup and dropbear show up in the output!
Shut down the Pi and move the SD card to the other PC:

```sh
sudo shutdown -t 0
```
・Note: you will need cryptsetup installed on your other PC.
・Replace /dev/sdx as appropriate with the SD card's root partition as seen on that PC (the partition that is /dev/mmcblk0p2 on the Pi).

```sh
# copy the root filesystem out, shrink it, then write it back into a new LUKS container
sudo dd bs=4M if=/dev/sdx of=pi.img
sudo e2fsck -f pi.img               # resize2fs refuses to shrink an unchecked filesystem
sudo resize2fs -M pi.img            # shrink to the minimum size so it fits inside the LUKS header overhead
sudo cryptsetup --cipher aes-cbc-essiv:sha256 luksFormat /dev/sdx
sudo cryptsetup luksOpen /dev/sdx sdcard
sudo dd bs=4k if=pi.img of=/dev/mapper/sdcard
sudo resize2fs -f /dev/mapper/sdcard   # grow the filesystem back to fill the container
sudo cryptsetup luksClose sdcard       # flush and close the mapping before removing the card
```
Put the SD card back in the Pi, power it on, and connect to the dropbear server in the initramfs:

```sh
ssh root@yourpi -p sshport
```

At the initramfs prompt, run `cryptroot-unlock` (see the note above) and enter the LUKS passphrase; the boot continues once the root device is unlocked.

・Note that even if the root account is disabled on the machine, this root user is used only in the initrd for the purpose of unlocking the remote system.
Thanks for this. I followed your instructions and can ssh into initrd and unlock the disk with `cryptsetup luksOpen /dev/mmcblk0p2 sdcard`, but how can I boot that encrypted disk? Feel like I'm missing a step and nothing I've tried so far has succeeded.