F1LT3R

LUKS Encrypt 🔐 Raspberry PI 🍓🥧

Requirements

  1. Raspberry PI
  2. SDCard w/ Raspberry PI OS Lite installed
  3. Flash drive connected to the RPI (to copy data from the root partition during encryption)
  4. Bash scripts: https://github.com/F1LT3R/luks-encrypt-raspberry-pi

Install OS and Update Kernel

  1. Burn the Raspberry PI OS to the SDCard w/ balenaEtcher or Raspberry PI Imager

  2. Copy install scripts into /boot/install/

  3. Boot into the Raspberry PI and run sudo /boot/install/1.update.sh

  4. sudo reboot to load the updated kernel

Install Enc Tools and Prep initramfs

  1. Run script /boot/install/2.disk_encrypt.sh

  2. sudo reboot to drop into the initramfs shell.

Mount and Encrypt

  1. Mount master block device to /tmp/boot/

    mkdir /tmp/boot
    mount /dev/mmcblk0p1 /tmp/boot/
    
  2. Run the encryption script, passing your flash drive descriptor:

    /tmp/boot/install/3.disk_encrypt_initramfs.sh [sda|sdb|etc] 
    
  3. When LUKS encrypts the root partition it will ask you to type YES (in uppercase).

  4. Create a decryption password (you will be asked twice).

  5. LUKS will ask for the decryption password again to copy the data back from the flash drive to the root partition.

  6. reboot -f to drop back into initramfs.

Unlock and Reboot to OS

  1. Mount master block device at /tmp/boot/

    mkdir /tmp/boot
    mount /dev/mmcblk0p1 /tmp/boot/
    
  2. Open the LUKS encrypted disk:

    /tmp/boot/install/4.luks_open.sh
    
  3. Type in your decryption password again.

  4. exit to quit BusyBox and boot normally.

Rebuild initramfs for Normal Boot

  1. Run script: /boot/install/5.rebuild_initram.sh

  2. sudo reboot into Raspberry PI OS.

  3. You should be asked for your decryption password every time you boot.

    Please unlock disc sdcard: _
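
A check to run once the Pi boots with the passphrase prompt, as an added example that is not part of the original post or its linked scripts: it reads the on-disk header to confirm the root partition really is a LUKS container. The device path /dev/mmcblk0p2, the script name and the function names are assumptions; the offsets follow the LUKS1 and LUKS2 on-disk header layouts.

```shell
#!/bin/sh
# Added example (not from the post's scripts): confirm that a block device
# or image file starts with a LUKS header, and summarise what it declares.

# Hex-encode COUNT bytes of FILE starting at OFFSET, e.g. "4c554b53babe".
hex_at() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# Read a NUL-padded ASCII field of COUNT bytes at OFFSET.
str_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# Print 1 or 2 for a LUKS1/LUKS2 header; return non-zero for anything else.
luks_version() {
    # Magic is "LUKS" 0xBA 0xBE, followed by a big-endian 16-bit version.
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ] || return 1
    case "$(hex_at "$1" 6 2)" in
        0001) echo 1 ;;
        0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# One-line verdict for DEV; returns non-zero when no LUKS header is found.
luks_report() {
    dev=$1
    if ! ver=$(luks_version "$dev"); then
        echo "$dev: no LUKS header found"
        return 1
    fi
    uuid=$(str_at "$dev" 168 40)   # UUID sits at offset 168 in both versions
    if [ "$ver" = 1 ]; then
        # LUKS1 keeps cipher name (offset 8) and mode (offset 40) in the header.
        echo "$dev: LUKS1 cipher=$(str_at "$dev" 8 32)-$(str_at "$dev" 40 32) uuid=$uuid"
    else
        # LUKS2 keeps cipher settings in its JSON area; see `cryptsetup luksDump`.
        echo "$dev: LUKS2 uuid=$uuid"
    fi
}

# Assumed usage on the booted Pi: sudo sh check_luks.sh /dev/mmcblk0p2
# (mmcblk0p2 as the root partition is an assumption; the post names only p1).
if [ "$#" -gt 0 ]; then
    luks_report "$1"
fi
```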
    


Top comments (4)

R0T0R

Great! Thanks for the clean and straightforward write up.

Do you know what additions would be necessary to unlock the luks encrypted raspberry pi with a key file located on a USB drive instead of the passphrase?

F1LT3R

You're welcome.

Something like this may work for PI (link #1 below), not sure if PI has any special firmware considerations.

If I get it working, I'll do another write up.

1:

tqdev.com/2022-luks-with-usb-unlock

If you're serious about PI security, you may also want to consider using a TPM, like Let'sTrust:

letstrust.de/archives/48-Raspberry...
