This describes how to encrypt the root partition of an already installed Arch Linux running on a Raspberry Pi. I assume that Arch Linux is already installed on the SD card and the Pi boots correctly.
- Kernel 4.1.6 (it may not work with a much older kernel)
- Raspberry model B revision 2
It is best to start with the steps that have to be done on the Raspberry Pi itself: install mkinitcpio and generate an initramfs image.
pacman -S mkinitcpio
cp /etc/mkinitcpio.conf ~/mkinitcpio.ripi.conf
vi ~/mkinitcpio.ripi.conf
Make sure the MODULES and HOOKS variables in the configuration file are set as below (newer mkinitcpio releases write these as bash arrays, MODULES=(...) and HOOKS=(...), with the same contents):
MODULES="dm_mod hid usbhid usbcore"
HOOKS="base udev autodetect modconf block filesystems keyboard encrypt fsck"
The essential entries are dm_mod in MODULES (the device mapper that dm-crypt sits on) and encrypt in HOOKS; the USB HID modules keep a USB keyboard usable inside the initramfs so the passphrase can be typed. The order of HOOKS matters: keyboard must come before encrypt. Once done, generate the new initramfs image:
mkinitcpio -k `uname -r` -c ~/mkinitcpio.ripi.conf -g /boot/initrd-crypt
Creating encrypted volume
This must be done on a PC. Insert the SD card, mount the root partition and copy its content to a temporary location. The trailing / after the source directory (/media/) matters: it makes rsync copy the contents of the partition rather than the /media directory itself, which would otherwise land in /temporary_location/media and break the /mnt/etc and /mnt/boot paths used below. Run this as root so that -a can preserve ownership.
mount /dev/mmcblk0p2 /media
mkdir /temporary_location
rsync --progress -axv /media/ /temporary_location/
Next, create the encrypted volume, format it and copy the root partition's content back. luksFormat destroys everything on /dev/mmcblk0p2, so check the copy in /temporary_location first (for example that /temporary_location/etc/fstab exists). Two caveats when the PC's cryptsetup is newer than the one in the Pi's initramfs: cryptsetup 2.x creates LUKS2 volumes with Argon2 by default, and the Argon2 memory cost is benchmarked on the PC, so it can exceed the Pi's 512 MB of RAM at unlock time (pass --type luks1 to luksFormat; with a cryptsetup 2.x in the initramfs, --pbkdf pbkdf2 on a LUKS2 volume also avoids the memory problem); and the PBKDF iteration count is benchmarked on the PC as well, so unlocking on the much slower Pi takes correspondingly longer unless you lower --iter-time. The mapping name root-raspberry is only used on the PC; at boot the encrypt hook creates the name given in cmdline.txt (root).
cryptsetup luksFormat /dev/mmcblk0p2
cryptsetup luksOpen /dev/mmcblk0p2 root-raspberry
mkfs.ext4 /dev/mapper/root-raspberry
mount /dev/mapper/root-raspberry /mnt
rsync --progress -axv /temporary_location/ /mnt
Modifications to /mnt/etc/fstab, /mnt/boot/config.txt and /mnt/boot/cmdline.txt
The last two files live on the boot partition (/dev/mmcblk0p1), not on the partition you just encrypted, so mount that partition at /mnt/boot before editing them and unmount it again afterwards. Watch out here: many sources on the internet say that you need to specify an address at which the initramfs is loaded (something like initramfs initrd-crypt 0x0a000000 in config.txt). That does not work with kernel 4.1; it is enough to give the name of the initramfs file in config.txt and cmdline.txt.
/mnt/etc/fstab: Change the device that is mounted on /. The file must contain the following entry (remove the entry that starts with
/dev/mapper/root / ext4 defaults,discard,commit=120 0 1
/mnt/boot/config.txt: Set the initramfs. This file needs to have the following line
/mnt/boot/cmdline.txt: Add the following kernel command line arguments. cmdline.txt is a single line, so append them to the existing arguments rather than adding a second line, and replace the existing root= entry. allow-discards here (and discard in fstab) lets TRIM pass through the encryption layer, which is good for the SD card but reveals which blocks are unused to anyone inspecting it; leave both out if that matters more to you than wear levelling.
cryptdevice=/dev/mmcblk0p2:root:allow-discards root=/dev/mapper/root rootwait rootfstype=ext4 initrd=initrd-crypt
Unmount and close the crypto device (if you mounted the boot partition at /mnt/boot, unmount that first, otherwise /mnt is busy):
sync
umount /mnt
cryptsetup luksClose root-raspberry
Now put the SD card back into the Raspberry Pi and boot it. It should ask for the passphrase while booting.
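The PC-side procedure above assembled into one script, as an added example (these are not the post's own commands). It assumes the layout the post uses: the root partition (/dev/mmcblk0p2) is backed up to /temporary_location and reformatted, the boot partition (/dev/mmcblk0p1) holds config.txt and cmdline.txt and is mounted at /mnt/boot for editing, and the image is /boot/initrd-crypt. The text-editing steps are separate functions so they can be checked without an SD card. Two choices go beyond the post and are my own: luksFormat is given --type luks1 and --iter-time, for the reasons in the comments, and the config.txt line uses the firmware's followkernel keyword rather than the bare filename the post reports works on kernel 4.1.

```sh
#!/bin/sh
# Added example (not the original post's commands): the PC-side migration as
# one script, with the checks a practitioner wants before destroying the root
# partition. Run as root on the PC with the SD card inserted:
#   ./migrate_root.sh /dev/mmcblk0p2 /dev/mmcblk0p1
set -eu

MAPPER_NAME=root              # /dev/mapper/root, as in the post's cmdline.txt
INITRD_NAME=initrd-crypt      # the image generated on the Pi into /boot
BACKUP=/temporary_location    # staging copy of the root filesystem (as in the post)

# fstab text (stdin) -> fstab text: drop whatever is mounted on / and add the
# post's /dev/mapper/root entry.
patch_fstab() {
    awk '$2 != "/" { print }'
    printf '/dev/mapper/%s / ext4 defaults,discard,commit=120 0 1\n' "$MAPPER_NAME"
}

# config.txt text (stdin) -> config.txt text: replace any existing initramfs line.
# Assumption: "followkernel" (load the image right after the kernel) is the
# firmware-documented form; the post reports the bare filename also works on 4.1.
patch_config() {
    grep -v '^initramfs[[:space:]]' || true
    printf 'initramfs %s followkernel\n' "$INITRD_NAME"
}

# cmdline.txt line ($1) + encrypted partition ($2) -> new single-line cmdline.
# Old root=/rootfstype=/rootwait/initrd=/cryptdevice= tokens are dropped so the
# arguments are never duplicated; everything else (console=, etc.) is kept.
build_cmdline() {
    kept=""
    for tok in $1; do
        case "$tok" in
            root=*|rootfstype=*|rootwait|initrd=*|cryptdevice=*) ;;
            *) kept="$kept${kept:+ }$tok" ;;
        esac
    done
    printf '%scryptdevice=%s:%s:allow-discards root=/dev/mapper/%s rootwait rootfstype=ext4 initrd=%s\n' \
        "${kept:+$kept }" "$2" "$MAPPER_NAME" "$MAPPER_NAME" "$INITRD_NAME"
}

migrate_root() {
    rootpart=$1   # e.g. /dev/mmcblk0p2, will be reformatted as LUKS
    bootpart=$2   # e.g. /dev/mmcblk0p1, vfat partition with config.txt/cmdline.txt
    [ -b "$rootpart" ] && [ -b "$bootpart" ] || { echo "not block devices" >&2; return 1; }
    mkdir -p /media "$BACKUP" /mnt
    mount "$rootpart" /media
    # Trailing slash on the SOURCE: copy the contents, not the /media directory
    # itself. -a keeps ownership and modes, -H hard links, -x stays on one filesystem.
    rsync -aHx --progress /media/ "$BACKUP"/
    umount /media
    [ -f "$BACKUP/etc/fstab" ] || { echo "backup incomplete, not formatting" >&2; return 1; }
    # Point of no return. --type luks1: the cryptsetup in the Pi's initramfs must be
    # able to open the header, and the LUKS2 default (Argon2) has its memory cost
    # benchmarked on this PC, which can exceed the Pi's 512 MB. --iter-time is
    # benchmarked here too; the Pi is far slower, so keep it modest.
    cryptsetup luksFormat --type luks1 --iter-time 1000 "$rootpart"
    cryptsetup luksOpen "$rootpart" "$MAPPER_NAME"
    mkfs.ext4 "/dev/mapper/$MAPPER_NAME"
    mount "/dev/mapper/$MAPPER_NAME" /mnt
    rsync -aHx --progress "$BACKUP"/ /mnt/
    mount "$bootpart" /mnt/boot          # the post edits /mnt/boot/*, which live here
    fstab=$(patch_fstab < /mnt/etc/fstab)
    printf '%s\n' "$fstab" > /mnt/etc/fstab
    config=$(patch_config < /mnt/boot/config.txt)
    printf '%s\n' "$config" > /mnt/boot/config.txt
    cmdline=$(build_cmdline "$(head -n 1 /mnt/boot/cmdline.txt)" "$rootpart")
    printf '%s\n' "$cmdline" > /mnt/boot/cmdline.txt
    sync
    umount /mnt/boot /mnt
    cryptsetup luksClose "$MAPPER_NAME"
}

if [ "$#" -eq 2 ]; then
    migrate_root "$1" "$2"
fi
```

luksFormat prompts for the new passphrase and luksOpen asks for it again right after; everything before the luksFormat line is non-destructive, so a failed backup check leaves the card untouched.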
Password on USB key
The Raspberry Pi can also read the passphrase from a file on a USB key while booting. Mount the USB key's partition (here /dev/sdb1 on /mnt/sdb1), create a key file of a fixed size (without bs= and count=, dd would keep writing until the key is full) and add it to a free LUKS key slot; luksAddKey asks for an existing passphrase first:
dd if=/dev/urandom of=/mnt/sdb1/ripi.txt bs=512 count=4
cryptsetup luksAddKey /dev/mmcblk0p2 /mnt/sdb1/ripi.txt
Keep in mind that the key sits in plaintext on a vfat filesystem: anyone who obtains both the SD card and the USB key can read the root partition, so keep the two apart when the Pi is not in use. If the key is lost, remove its slot with cryptsetup luksKillSlot; the passphrase slot stays valid as a fallback.
Then add the following entry to cmdline.txt:
The value ABCD-EFGH is the UUID that blkid reports for the USB key partition holding the key file:
blkid /dev/sdb1
/dev/sdb1: UUID="ABCD-EFGH" TYPE="vfat"
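The USB key steps above as a script, added here as an example (not from the post). Assumptions: the key partition (/dev/sdb1) is already mounted at /mnt/sdb1, the key file is /ripi.txt at the root of that filesystem, and cryptkey=<device>:<fstype>:<path> is the argument the mkinitcpio encrypt hook reads, with the device given as /dev/disk/by-uuid/<UUID> from blkid; the post's own cmdline.txt entry is not reproduced here. The cmdline.txt path is a parameter because the step can be done either on the Pi (/boot/cmdline.txt) or on the PC (/mnt/boot/cmdline.txt).

```sh
#!/bin/sh
# Added example (not the original post's commands): create the USB key file with
# a fixed size, enrol it in a free LUKS key slot, verify it, and add the matching
# cryptkey= argument to cmdline.txt.
#   ./usb_key.sh /dev/sdb1 /mnt/sdb1 /dev/mmcblk0p2 /boot/cmdline.txt
set -eu

KEY_BYTES=4096   # multiple of 512; cryptsetup reads the whole file as the key

# Write exactly $2 random bytes to $1 and check the size. Without bs=/count=,
# dd from /dev/urandom keeps going until the USB key is full.
make_keyfile() {
    dd if=/dev/urandom of="$1" bs=512 count=$(( $2 / 512 )) 2>/dev/null
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq "$2" ] || { echo "key file is $size bytes, expected $2" >&2; return 1; }
}

# Assumed encrypt-hook syntax: cryptkey=<device>:<fstype>:<path on that filesystem>
cryptkey_arg() {
    printf 'cryptkey=/dev/disk/by-uuid/%s:%s:%s\n' "$1" "$2" "$3"
}

# Add one argument ($2) to a cmdline.txt line ($1), keeping it a single line and
# replacing any existing cryptkey= so the kernel never sees two.
append_cmdline_arg() {
    kept=""
    for tok in $1; do
        case "$tok" in
            cryptkey=*) ;;
            *) kept="$kept${kept:+ }$tok" ;;
        esac
    done
    printf '%s\n' "${kept:+$kept }$2"
}

enrol_usb_key() {
    usbpart=$1; usbmount=$2; luksdev=$3; cmdfile=$4
    keyfile="$usbmount/ripi.txt"
    make_keyfile "$keyfile" "$KEY_BYTES"
    cryptsetup luksAddKey "$luksdev" "$keyfile"   # asks for an existing passphrase
    # Prove the new slot opens the volume before relying on it at boot
    # (--test-passphrase creates no mapping).
    cryptsetup open --test-passphrase --key-file "$keyfile" "$luksdev"
    uuid=$(blkid -s UUID -o value "$usbpart")
    fstype=$(blkid -s TYPE -o value "$usbpart")
    newline=$(append_cmdline_arg "$(head -n 1 "$cmdfile")" "$(cryptkey_arg "$uuid" "$fstype" /ripi.txt)")
    printf '%s\n' "$newline" > "$cmdfile"
    sync
}

if [ "$#" -eq 4 ]; then
    enrol_usb_key "$1" "$2" "$3" "$4"
fi
```

The --test-passphrase step is the check worth keeping even when doing this by hand: it fails immediately if the file was mangled (for example by a shell redirection that truncated it) instead of leaving you at an initramfs prompt on the next boot.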