Open LeGuipo opened 10 months ago
At least in Raspberry Pi OS lite "cryptsetup-initramfs" is missing now and needs to be installed.
And KEYMAP=y needs to be set in /etc/initramfs-tools/initramfs.conf
Hello @LeGuipo @whyme12 I am currently trying this on raspberry pi 4 (OS: Bookworm 32-bit; Release date: March 15th 2024). However, I cannot boot into intramfs shell as described in the manual. My /boot/firmware/cmdline.txt
is
console=serial0,115200 console=tty1 root=/dev/mapper/sdcard rootfstype=ext4 fsck.repair=yes rootwait plymouth.ignore-serial-consoles cryptdevice=/dev/mmcblk0p2:sdcard
And /etc/fstab
entry:
proc /proc proc defaults 0 0
PARTUUID=265668ac-01 /boot/firmware vfat defaults 0 2
/dev/mapper/sdcard / ext4 defaults,noatime 0 1
The boot is stuck at:
.
.
[ 5.032932] vc4-drm gpu: [drm] Cannot find any crtc or sizes
[ 5.041245] vc4-drm gpu: [drm] Cannot find any crtc or sizes
[ 5.048063] vc4-drm gpu: [drm] Cannot find any crtc or sizes
[ 5.082477] NET: Registered PF_ALG protocol family
[ 5.226722] device-mapper: ioctl: 4.48.0-ioctl (2023-03-01) initialised: dm-devel@redhat.com
Do you know what is the issue here?
Thanks in advance
I don’t see the cause of your issue. It’s like no instruction to mount any partition does exist. Your fstab seems to be good. What about /etc/crypttab
? Do you use Rapsberry Pi OS or pure Debian ?
Also it takes time for the initramfs to switch to console mode but it should at least show it’s trying to find the root partition.
This is my /boot/firmware/cmdline.txt
:
console=serial0,115200 console=tty1 root=/dev/mapper/sdcard rootfstype=ext4 fsck.repair=yes rootwait cfg80211.ieee80211_regdom=FR cryptdevice=/dev/mmcblk0p2:sdcard
May it be possible that plymouth is the culprit ?
Hi @LeGuipo thanks for the update. I removed console=tty1
parameter and added break=premount
option to cmdline.txt
Then the initramfs shell is loaded.
I could also decrypt manually using luksOpen. Then I updated the initramfs using (removed break=premount
parameter in cmdline.txt)
sudo update-initramfs -u
Did a reboot expecting to get a passphrase prompt. However, the initramfs shell is loaded again and I have to decrypt manually.
/etc/crypttab:
# <target name> <source device> <key file> <options>
sdcard /dev/mmcblk0p2 none luks
Any idea why this is happening?
Since your crypttab seems fine, I don’t understand why your initramfs refuses to start to unlock sdcard automatically. I still suspect plymouth, because it’s clearly instructed to ignore-serial-consoles
(why this option ?), and it is not supposed to be preinstalled with Raspi OS.
At this point there might be a missed step, or your operating system is maybe too modified to be compatible with the procedure. The best I can do is to suggest you to redo it on a clean installation for better luck.
Yes, plymouth was the issue. I removed ignore-serial-consoles
option and it works fine now. I don't know either why this is added by default. Raspi OS is the latest official Bookworm release.
From my understanding, the encryption master key is encrypted again using a key derived from the passphrase. This is part of header and is essential to open the volume by recomputing the master key. Hence this is stored with the actual data itself (in filesystem). But is there any way to store the key that is used to encrypt the master key and also header file in a secure element or USB HSM device? Then while decrypting fetch the header file from secure element or USB HSM device.
Hi all,
Almost two years ago, I followed the procedure to the letter (except the infamous "-keysize" parameter) to successfully encrypt my root partition for my Debian 11 based Raspberry Pi OS installation.
Now that I’ve gained more experience with Linux stuff, I decided to be a little more adventurous during my upgrade to Debian 12 based RPi OS. Note that I’ve selected the standard, not lite, not full, official Raspberry Pi image.
So in the hope to help to streamline the procedure, there are my observations :
sudo update-initramfs -u
. It will include all the needed binaries and modules, and create the images with the appropriate filenames and all other components conforming with the distribution’s configuration. Notably, each installed kernel version will keep a dedicated image, and for the comfort of non-qwerty keyboard users like me, the proper keymap will be set for use during initramfs operations and passphrase input during boot.auto_initramfs=1
sudo update-initramfs -u
.Voilà :)