![]() ![]() Problems may occur when upgrading the kernel. If it doesn’t, open a ssh shell and kill all sh processes. It may show a warning but as long as it boots, it’s fine. That’s all! Now, after booting Raspberry Pi, wait a few seconds and then connect to it via ssh using the dracut-specific ssh key and run the unlock command: ssh -p 22 -i /path/to/ssh_dracut_rsa_key unlock < your_luks_passphrase You will also need to have cryptsetup installed on this Linux machine. We are going to backup the SD card, create the LUKS volume and then put the files back on the SD card. Now poweroff the Raspberry Pi and insert the SD card into another Linux machine. You can finally generate a dracut image: dracut /boot/initrd.img -force ![]() cryptdevice=/dev/mmcblk0p2:crypt root=/dev/mapper/cryptĪdd this to config.txt: initramfs initrd.img followkernel I am not sure if the order matters or not. Now let’s update the files on boot partition to reflect the changes: add this to cmdline.txt rd.neednet=1 ip=dhcpĪnd change the value of root and add a cryptdevice entry before it. While /etc/crypttab says that you should not have the root partition listed, it is needed for crypt-ssh module to work: crypt /dev/mmcblk0p2 none luks Put the following into /etc/fstab: /dev/mapper/crypt / ext4 defaults,noatime 0 1 Configuring LUKSīefore you generate a dracut image, we need to adjust fstab for this change. I blacklisted btrfs because it was spamming my dmesg log. We shouldn’t even need a shell in dracut, because there will only be one command to execute over ssh. I blacklisted bash and dash because I prefer busybox so why have them. I also used the following dracut configuration, which you can place in nf: omit_dracutmodules+="bash dash btrfs" # cat /root/.dracut/ssh_dracut_ecdsa_key.pub > /root/.dracut/authorized_keys # cat /root/.dracut/ssh_dracut_rsa_key.pub > /root/.dracut/authorized_keys # chmod 700 /root/.dracut/authorized_keys Now add the key(s) to authorized keys: # touch /root/.dracut/authorized_keys Using passphrases made dropbear_convert fail for me, so do not use them. # ssh-keygen -t ecdsa -f /root/.dracut/ssh_dracut_ecdsa_key # ssh-keygen -t rsa -f /root/.dracut/ssh_dracut_rsa_key We generate ssh keys like so: # umask 0077 Similarly, dropbear_acl can be left as is, but I strongly recommend creating a separate authorized_keys file because these can be easily extracted from initrd later on. I also changed the port to 22, you can leave the default 222. Change the values in crypt-ssh module’s configuration file /etc//nf: dropbear_port="22"ĭropbear_rsa_key="/root/.dracut/ssh_dracut_rsa_key"ĭropbear_ecdsa_key="/root/.dracut/ssh_dracut_ecdsa_key"ĭropbear_acl="/root/.dracut/authorized_keys" Let’s configure dracut now following the tutorial at the project’s github site. Install the required packages for LUKS and ssh in initrd, as well as the crypt-ssh module: # xbps-install -S cryptsetup dropbear dracut-crypt-ssh busybox It was enabled by default on my system, so just check that it is running with sv status ntpd. Void Linux wiki also tells you to start ntpd with sv start ntpd for https certificates to work (required for xbps to download packages). Set your hostname with the command hostname your-hostname and also put this hostname in /etc/hostname. ![]() Connect via ssh (user: root, password: voidlinux). Insert the SD card to your Raspberry Pi and boot it up. # echo '/dev/mmcblk0p1 /boot vfat defaults 0 0' > rootfs/etc/fstab (parted) mkpart primary fat32 2048s 256MB Remember to replace sdX with your SD card’s path in /dev which you can look up with the command fdisk -l. Alternatively, you can follow the commands I used below. Install Void Linux like you normally would by following these steps on an existing Linux machine. You can skip the first step if you have Void Linux already running on your Raspberry Pi. I found multiple tutorials, which I made work together in this one. I have a strong belief that all offline storage should be encrypted today. I was trying to find a tutorial on how to make an encrypted root partition work with Raspberry Pi. One of the advantages for me was the absence of systemd and the presence of musl libc, my admiration for which I shared in a recent blog post about Alpine Linux. So I have decided to go Void Linux on all my machines. #linux #luks #raspberrypi #howto #installation #voidlinux ![]()
0 Comments
Leave a Reply. |