Requirements
- Raspberry PI
- SDCard w/ Raspberry PI OS Lite installed
- Flash drive connected to the RPI (to copy data from root partition during encrypt)
- Bash scripts: https://github.com/F1LT3R/luks-encrypt-raspberry-pi
Install OS and Update Kernel
- Burn the Raspberry PI OS to the SDCard w/ Balena Etcher or Raspberry PI Imager
- Copy install scripts into /boot/install/
- Boot into the Raspberry PI and run sudo /boot/install/1.update.sh
- sudo reboot to load the updated kernel
Install Enc Tools and Prep initramfs
- Run script /boot/install/2.disk_encrypt.sh
- sudo reboot to drop into the initramfs shell.
Mount and Encrypt
- Mount master block device to /tmp/boot/
  mkdir /tmp/boot
  mount /dev/mmcblk0p1 /tmp/boot/
- Run the encryption script, passing your flash drive descriptor:
  /tmp/boot/install/3.disk_encrypt_initramfs.sh [sda|sdb|etc]
- When LUKS encrypts the root partition it will ask you to type YES (in uppercase).
- Create a decryption password (you will be asked twice).
- LUKS will ask for the decryption password again to copy the data back from the flash drive to the root partition.
- reboot -f to drop back into initramfs.
Unlock and Reboot to OS
- Mount master block device at /tmp/boot/
  mkdir /tmp/boot
  mount /dev/mmcblk0p1 /tmp/boot/
- Open the LUKS encrypted disk:
  /tmp/boot/install/4.luks_open.sh
- Type in your decryption password again.
- exit to quit BusyBox and boot normally.
Rebuild initramfs for Normal Boot
- Run script:
  /boot/install/5.rebuild_initram.sh
- sudo reboot into Raspberry PI OS.
You should be asked for your decryption password every time you boot.
Please unlock disc sdcard: _
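The passphrase prompt alone does not prove that the running root filesystem sits on the encrypted volume. The check below is an added example, not part of the linked scripts: it reads the LUKS magic bytes from the partition header and confirms that / is mounted from a device-mapper volume. The partition name /dev/mmcblk0p2 and the sample data are assumptions; the mapper name sdcard is taken from the prompt above.

```shell
#!/bin/sh
# Added example: post-install check that the root filesystem really sits on LUKS.

# Print the LUKS version (1 or 2) if FILE starts with a LUKS header; fail otherwise.
# Both formats begin with the magic "LUKS" 0xBA 0xBE and a big-endian 16-bit version.
luks_header_version() {
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \t\n')
    case "$hdr" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Print the device mounted on / according to a /proc/mounts-style file.
# The last matching line wins, since later mounts shadow earlier ones.
root_source() {
    awk '$2 == "/" { src = $1 } END { if (src == "") exit 1; print src }' "$1"
}

# check_encrypted_root PARTITION MOUNTS_FILE
check_encrypted_root() {
    ver=$(luks_header_version "$1") || { echo "FAIL: no LUKS header on $1"; return 1; }
    src=$(root_source "$2") || { echo "FAIL: no mount entry for /"; return 1; }
    case "$src" in
        /dev/mapper/*) echo "OK: LUKS$ver header on $1, / mounted from $src" ;;
        *) echo "FAIL: / is mounted from $src, not a device-mapper volume"; return 1 ;;
    esac
}

# Demo on constructed sample data (no real device is touched).
demo_dir=$(mktemp -d)
printf 'LUKS\272\276\000\002' > "$demo_dir/part.img"             # constructed LUKS2 magic
printf '/dev/mapper/sdcard / ext4 rw 0 0\n' > "$demo_dir/mounts" # constructed mounts line
check_encrypted_root "$demo_dir/part.img" "$demo_dir/mounts"
rm -rf "$demo_dir"

# On the Pi, as root (partition name is an assumption, adjust to your layout):
#   check_encrypted_root /dev/mmcblk0p2 /proc/mounts
```

A FAIL on the mount check with a valid header means the volume exists but the system booted from somewhere else, which is worth investigating before trusting the setup.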
References
- Source: https://forums.raspberrypi.com/viewtopic.php?t=219867
- https://github.com/johnshearing/MyEtherWalletOffline/blob/master/Air-Gap_Setup.md#setup-luks-full-disk-encryption
- https://robpol86.com/raspberry_pi_luks.html
- https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile
Top comments (2)
Great! Thanks for the clean and straightforward write up.
Do you know what additions would be necessary to unlock the LUKS encrypted Raspberry Pi with a key file located on a USB drive instead of the passphrase?
You're welcome.
Something like this may work for PI (link #1 below), not sure if PI has any special firmware considerations.
If I get it working, I'll do another write up.
1: tqdev.com/2022-luks-with-usb-unlock
If you're serious about PI security, you may also want to consider using a TPM, like Let'sTrust:
letstrust.de/archives/48-Raspberry...