
@ammgws
Last active December 9, 2023 08:46
Notes on how to setup full disk encryption on an already setup Raspbian system

Set up full disk encryption with LUKS (single drive; lvm2 gets installed but the root partition is mapped directly and no volume group is created) with remote SSH unlocking for an already set up and running Raspbian stretch system. Using this guide there is no need to connect a screen or keyboard to the rpi at any stage, since we set up remote SSH at the same time (at present no other guides available tell you that this is possible).

1. Backup SD card

To be safe, back up the SD card first (using another computer is easiest in my case): sudo dd bs=4M if=/dev/<rpi_sdcard> | gzip > rpibackup.img.gz, or use my fish shell function.

2. Install LUKS dependencies and reboot

sudo apt update
sudo apt install cryptsetup lvm2 busybox
sudo reboot

3. Edit /boot/config.txt (use sudoedit)

・Add initramfs initramfs.gz followkernel to end of file.

4. Edit /boot/cmdline.txt (use sudoedit)

・Replace root=/dev/mmcblk0p2 with root=/dev/mapper/sdcard. On recent Raspbian images this parameter reads root=PARTUUID=xxxxxxxx-02 instead; replace that one.
・Add cryptdevice=/dev/mmcblk0p2:sdcard to the end of the (single) line.

5. Edit /etc/fstab (use sudoedit)

・Replace /dev/mmcblk0p2 with /dev/mapper/sdcard on the line mounted on / (on recent Raspbian images that field reads PARTUUID=xxxxxxxx-02). Leave the /boot line alone: that partition stays unencrypted.

6. Edit /etc/crypttab (use sudoedit)

・Add sdcard /dev/mmcblk0p2 none luks to end of file.
・Note: crypttab(5) fields are separated by whitespace, so tabs or spaces both work.

7. Setup Dropbear SSH server

sudo apt install dropbear-initramfs
echo 'DROPBEAR_OPTIONS="-p <your_ssh_port>"' | sudo tee -a /etc/dropbear-initramfs/config
echo "ssh-rsa <yourpublickey>" | sudo tee -a /etc/dropbear-initramfs/authorized_keys

・Note: dropbear-initramfs is all that is needed here. The dropbear metapackage also pulls in dropbear-run, a regular dropbear service for the booted system that you do not want next to OpenSSH. Both files under /etc/dropbear-initramfs are root-owned, hence sudo tee -a rather than a plain >>.

・Note: No need to write any unlock scripts as we can use cryptroot-unlock which comes with cryptsetup since stretch:

debian/initramfs/cryptroot-unlock(-hook): add initramfs hook and script to remotely unlock cryptroot devices. (closes: #782024, #697156)

・Note 2: Use a port different from your normal SSH port for this server. The host key dropbear presents from the initramfs is not the OpenSSH host key presented after the device is unlocked, but the address is the same, so with strict host key checking the client refuses the connection. known_hosts stores entries for non-default ports as [host]:port, so a separate port gives the initramfs its own entry. Otherwise you get:

ssh 192.168.1.3 -p1788
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:5asd345345dfasdsdffasdfaA.
Please contact your system administrator.
Add correct host key in /home/client/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/client/.ssh/known_hosts:6
ECDSA host key for [192.168.1.3]:1788 has changed and you have requested strict checking.
Host key verification failed.

WIP
The host keys generated by the dropbear-initramfs install are not passphrase protected and end up inside the initramfs on the unencrypted /boot partition, so anyone holding the SD card can read them. Delete the generated keys and install our own:

sudo rm -f /etc/dropbear-initramfs/dropbear_*_host_key

One option is to convert the system's OpenSSH host key to dropbear format, so clients see the same host key before and after unlocking (usage: dropbearconvert <inputtype> <outputtype> <inputfile> <outputfile>):

sudo /usr/lib/dropbear/dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear-initramfs/dropbear_rsa_host_key

・Caveat: dropbear has to load the host key unattended at boot and dropbearconvert does not read passphrase-protected keys, so the key in the initramfs cannot be passphrase protected. Reusing the OpenSSH host key also copies it onto the unencrypted /boot partition; a separate key for the initramfs keeps the OpenSSH key off it. Rebuild the initramfs (step 9) after changing the key.

8. Create a temporary LUKS device so that cryptsetup gets included in the initramfs

dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
sudo cryptsetup luksFormat /tmp/fakeroot.img

WARNING!

This will overwrite data on /tmp/fakeroot.img irrevocably.
Are you sure? (Type uppercase yes):

・Make sure to type YES in capitals as it says (spent way too long debugging this since there is no error message if you type it in lowercase).
・Enter a passphrase for the encrypted filesystem.
・Why this step: the initramfs cryptroot hook looks at the devices that are currently active when deciding what to include, and the real root partition is not encrypted yet, so a throw-away LUKS device opened under the same mapper name (sdcard) stands in for it.

sudo cryptsetup luksOpen /tmp/fakeroot.img sdcard
sudo mkfs.ext4 /dev/mapper/sdcard

9. Create/update initramfs.

sudo mkinitramfs -o /boot/initramfs.gz
lsinitramfs /boot/initramfs.gz | grep 'dropbear\|cryptsetup'

・Note: Check for warnings and that cryptsetup and dropbear show up in the output!
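Steps 3 to 9 as one script, added here as an example and not part of the gist: each function takes the file it edits as an argument, so it can be tried on copies before touching /boot and /etc, and every function is idempotent (running it twice changes nothing). It also handles the root=PARTUUID=... form of cmdline.txt and fstab that newer Raspbian images use. The device /dev/mmcblk0p2, the mapper name sdcard, the port and the function names are assumptions that match the gist's defaults; build_initramfs only makes sense as root on the Pi itself.

```shell
#!/bin/sh
# Added example (not the gist's own code): steps 3 to 9 as idempotent shell functions.
# Every function takes the file it edits as an argument so it can be tried on copies
# before touching /boot and /etc. /dev/mmcblk0p2 and "sdcard" are only the defaults
# used in the gist; pass whatever matches your system.

# Step 3: tell the firmware to load the initramfs after the kernel.
add_initramfs_line() {                       # $1 = config.txt
    grep -q '^initramfs ' "$1" || printf 'initramfs initramfs.gz followkernel\n' >> "$1"
}

# Step 4: point root= at the mapper device and add cryptdevice=. cmdline.txt must
# stay a single line, so the file is rebuilt with printf instead of appended to.
# Handles both root=/dev/mmcblk0p2 and root=PARTUUID=xxxxxxxx-02.
patch_cmdline() {                            # $1 = cmdline.txt, $2 = root device, $3 = mapper name
    sed "s|root=[^ ]*|root=/dev/mapper/$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    if ! grep -q 'cryptdevice=' "$1"; then
        printf '%s cryptdevice=%s:%s\n' "$(cat "$1")" "$2" "$3" > "$1"
    fi
}

# Step 5: the line mounted on / gets the mapper device as its source; the /boot
# line keeps whatever it used (device path or PARTUUID).
patch_fstab() {                              # $1 = fstab, $2 = mapper name
    awk -v m="/dev/mapper/$2" '
        !/^[ \t]*#/ && $2 == "/" { $0 = m substr($0, index($0, $1) + length($1)) }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 6: crypttab fields are whitespace separated, so tabs are not required.
add_crypttab_entry() {                       # $1 = crypttab, $2 = root device, $3 = mapper name
    [ -f "$1" ] || : > "$1"
    if ! awk -v n="$3" '$1 == n { found = 1 } END { exit !found }' "$1"; then
        printf '%s\t%s\tnone\tluks\n' "$3" "$2" >> "$1"
    fi
}

# Step 7: dropbear in the initramfs listens on its own port and accepts one public key.
setup_dropbear_initramfs() {                 # $1 = /etc/dropbear-initramfs dir, $2 = port, $3 = public key line
    grep -q '^DROPBEAR_OPTIONS=' "$1/config" 2>/dev/null || printf 'DROPBEAR_OPTIONS="-p %s"\n' "$2" >> "$1/config"
    grep -qF -- "$3" "$1/authorized_keys" 2>/dev/null || printf '%s\n' "$3" >> "$1/authorized_keys"
}

# Steps 8 and 9: a throw-away LUKS device opened under the crypttab name so the
# initramfs hook includes cryptsetup, then build the initramfs and check it.
build_initramfs() {                          # $1 = mapper name; run as root on the Pi
    dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
    cryptsetup luksFormat /tmp/fakeroot.img  # interactive: type YES in capitals, then a passphrase
    cryptsetup luksOpen /tmp/fakeroot.img "$1"
    mkfs.ext4 "/dev/mapper/$1"
    mkinitramfs -o /boot/initramfs.gz
    lsinitramfs /boot/initramfs.gz | grep -q dropbear   || { echo "dropbear missing from initramfs" >&2; return 1; }
    lsinitramfs /boot/initramfs.gz | grep -q cryptsetup || { echo "cryptsetup missing from initramfs" >&2; return 1; }
}

# Apply to the live system: sudo sh this.sh --apply /dev/mmcblk0p2 sdcard 1788 "ssh-rsa AAAA... user@host"
if [ "${1-}" = "--apply" ]; then
    add_initramfs_line /boot/config.txt
    patch_cmdline /boot/cmdline.txt "$2" "$3"
    patch_fstab /etc/fstab "$3"
    add_crypttab_entry /etc/crypttab "$2" "$3"
    setup_dropbear_initramfs /etc/dropbear-initramfs "$4" "$5"
    build_initramfs "$3"
fi
```

Run the file editing functions against copies of the four files first and diff them against the originals; only then run with --apply. If mkinitramfs prints warnings, fix them before shutting down, because a broken initramfs on the card means attaching a screen after all.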

10. Shutdown pi and take SD card to another PC

sudo shutdown -h now

11. Encrypt SD card using your other PC

・Note: you will need cryptsetup installed on your other PC. Replace /dev/sdx2 with the Pi's root partition as it appears on that PC (the second partition of the card). /dev/sdx1 holds /boot and must stay unencrypted, so never give luksFormat the whole card /dev/sdx: that wipes the boot partition the firmware needs.

sudo dd bs=4M if=/dev/sdx2 of=pi.img
sudo e2fsck -f pi.img
sudo resize2fs -M pi.img
sudo cryptsetup --type luks1 --cipher aes-cbc-essiv:sha256 luksFormat /dev/sdx2
sudo cryptsetup luksOpen /dev/sdx2 sdcard
sudo dd bs=4k if=pi.img of=/dev/mapper/sdcard
sudo e2fsck -f /dev/mapper/sdcard
sudo resize2fs /dev/mapper/sdcard
sudo cryptsetup luksClose sdcard

・Note: resize2fs refuses to run without a preceding e2fsck -f. The second dd stops with "No space left on device" when it reaches the end of the mapped device (the LUKS header takes 2 MiB of the partition); that is expected, the shrunk filesystem is already in place and resize2fs then grows it back to fill the device.
・Note: --type luks1 matters when the other PC's cryptsetup is 2.1 or newer, which defaults to LUKS2; the stretch cryptsetup inside the initramfs cannot open a LUKS2 header. Leaving out --cipher gives cryptsetup's default aes-xts-plain64.
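Step 11 as an added script that is not the gist's own code: it refuses a whole-disk node, checks the filesystem before every resize, copies only the shrunk filesystem rather than the full partition image, verifies that it fits below the 2 MiB LUKS1 header, and forces a LUKS1 header so the stretch initramfs can open it. It assumes the root partition shows up as /dev/sdX2 on the other PC, uses cryptsetup's default cipher instead of the gist's aes-cbc-essiv:sha256, and the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the gist's own code: encrypt the Pi's root partition from
# another Linux PC. Assumes the card's root partition appears as /dev/sdX2 and
# /boot on /dev/sdX1 stays unencrypted; mapper name "sdcard" matches crypttab.

# Only partition nodes are acceptable targets. LUKS-formatting the whole card
# (/dev/sdb instead of /dev/sdb2) also wipes the unencrypted /boot partition the
# firmware needs to load the kernel and initramfs.
is_partition_node() {
    case "$1" in
        /dev/sd[a-z]*[0-9]*) return 0 ;;        # /dev/sdb2 (USB card reader)
        /dev/mmcblk[0-9]*p[0-9]*) return 0 ;;   # /dev/mmcblk0p2 (built-in reader)
        *) return 1 ;;
    esac
}

# Size in bytes of an ext4 filesystem, parsed from `dumpe2fs -h` output on stdin.
# After resize2fs -M this is how much of the image has to be copied; the rest of
# the partition-sized image is unused space.
ext4_bytes_from_dumpe2fs() {
    awk -F': *' '/^Block count:/ { c = $2 } /^Block size:/ { s = $2 } END { printf "%d\n", c * s }'
}

# A LUKS1 header (what stretch's initramfs understands) takes 2 MiB at the start
# of the partition, so the filesystem has to fit in what is left.
fits_under_luks1_header() {                  # $1 = filesystem bytes, $2 = partition bytes
    [ "$(( $1 + 2 * 1024 * 1024 ))" -le "$2" ]
}

encrypt_root_partition() {                   # $1 = root partition, $2 = mapper name, $3 = image file
    part=$1; name=${2:-sdcard}; img=${3:-pi-root.img}
    if ! is_partition_node "$part"; then
        echo "refusing $part: give the root partition (e.g. /dev/sdb2), not the whole card" >&2
        return 1
    fi
    dd if="$part" of="$img" bs=4M status=progress
    e2fsck -fy "$img"                        # resize2fs refuses an unchecked filesystem
    resize2fs -M "$img"                      # shrink to the minimum size
    bytes=$(dumpe2fs -h "$img" 2>/dev/null | ext4_bytes_from_dumpe2fs)
    if ! fits_under_luks1_header "$bytes" "$(blockdev --getsize64 "$part")"; then
        echo "filesystem ($bytes bytes) does not fit below the LUKS header; free space on the Pi first" >&2
        return 1
    fi
    truncate -s "$bytes" "$img"              # copy only the filesystem, not the stale tail
    cryptsetup --type luks1 luksFormat "$part"   # interactive: YES in capitals, then the passphrase
    cryptsetup luksOpen "$part" "$name"
    dd if="$img" of="/dev/mapper/$name" bs=4M status=progress
    e2fsck -fy "/dev/mapper/$name"
    resize2fs "/dev/mapper/$name"            # grow back to fill the mapped device
    cryptsetup luksClose "$name"
    rm -f "$img"
}

# Usage on the other PC (as root): sh this.sh --encrypt /dev/sdb2 sdcard
if [ "${1-}" = "--encrypt" ]; then
    encrypt_root_partition "$2" "${3-}"
fi
```

The image file holds the unencrypted root filesystem; delete it (the script does) or keep it on an encrypted volume, otherwise the plaintext copy defeats the point of the exercise.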

12. Insert SD card back into pi and test SSH

ssh root@yourpi -p sshport
cryptroot-unlock

・Note that even if the root account is disabled on the booted system, this root user exists only inside the initramfs and is used solely to run cryptroot-unlock there. After the passphrase is accepted the boot continues and the normal OpenSSH server comes up on its usual port.

@cryptedx

Same problem here. IMHO this can't work because the whole SD card is being encrypted.
