I have a RPi 4 and am using a pretty basic configuration for cryptmypi. When booting, dropbear never starts, so I am unable to SSH to unlock the pi. The last line that I see in the boot log is:

Begin: Starting dropbear ... <pause of about 1 minute or so before the following> [ 204.893840] random: crng init done

Hi there!

Amazing that this project exists, loving it!

I've tried to create a profile for the current Pi OS release = "2022-09-22-raspios-bullseye-arm64-lite.img.xz", But all I got when I tried to boot the resulting microSD card was a blinking cursor without any text output on the screen, and nothing on the network.

How can I debug why it failed?

I've created a copy of the"pios-encrypted-basic-dropbear" profile and adapted the cryptmypi.conf file to this (includes generated passwords, but I'll simply generate new ones if I try again & have already reformatted the sd from my first try):
cryptmypi.conf.txt

Hi again.

I dont know if I should open another issue, but I have problems after make first apt update && apt upgrade.

Everything go well until reboot.

LUKS password is not working anymore. Key cant be recognized, same output as if I enter a wrong password.

I tried to copy the content of boot partition from a fresh install and I can log again, but if i make startx on tty1, system freeze and cant be recovered.

Image used is 2020.1a

want to suggest to modify hooks/1000-encryptpi.hook
to use torrent to download
wget ${_IMAGEURL} -O ${_BASEDIR}/config/${_IMAGENAME}

if our image is
export _IMAGEURL=https://images.offensive-security.com/arm-images/kali-linux-2020.2a-rpi3-nexmon-64.img.xz.torrent

step1: download it using aria2c:
aria2c ${_IMAGEURL} -d www/

this will automatically download torrent file and download torrent kali image to www/kali-linux-2020.2a-rpi3-nexmon-64/

step 2: torrent files have extra folder so we moving files to ${_BASEDIR}/config/:
mv ${_BASEDIR}/config/kali-linux-2020.2a-rpi3-nexmon-64/. ..

step 3: verify hash:
shasum -a 256 -c ${_IMAGENAME}.txt.sha256sum

step 4: check results and exit if failed
if [ $? != 0 ]; then
echo '${_IMAGENAME} checksum is not valid'
exit 1
fi

Issue reported by : Partitions are handled differently based on if the device is identified as regular card reader or usb card reader. A user can can change the name of the device but mmc and sda handle partitions differently, consider mmcblk0p1 vs sda1 . Script is hard coded {_BLKDEV}p1.

Add command line options to automate options.

Hi,
Regarding the cryptsetup encryption ciphers, is there a good reason why "aes-cbc-essiv:sha256" is the default in the example files when "aes-xts-plain64" appears to have better performance on Raspberry Pis? I know the cipher can be changed in the example files, of course, but just interested in hearing if there's any reason why it is used as default.

cryptsetup benchmark shows:

Algorithm | Key | Encryption | Decryption

    aes-cbc        128b        23.8 MiB/s        77.7 MiB/s
serpent-cbc        128b               N/A               N/A
twofish-cbc        128b        55.8 MiB/s        56.2 MiB/s
    aes-cbc        256b        17.4 MiB/s        58.9 MiB/s
serpent-cbc        256b               N/A               N/A
twofish-cbc        256b        55.8 MiB/s        56.1 MiB/s
    aes-xts        256b        85.0 MiB/s        74.9 MiB/s
serpent-xts        256b               N/A               N/A
twofish-xts        256b        61.1 MiB/s        60.4 MiB/s
    aes-xts        512b        65.4 MiB/s        57.4 MiB/s
serpent-xts        512b               N/A               N/A
twofish-xts        512b        61.3 MiB/s        60.3 MiB/s

cryptsetup failed,bad password or options
for pi4
cryptmypi-4.1-beta
./cryptmypi.sh examples/pios-encrypted-basic

Drear Richard Nelson,
Greetings!

Richard, I need to secure my Python and Bash codes and other things (Folders, Partisions, ... <==> Full Disk Encryption) on MicroSD and/or eMMC storage cards.

I don't want to follow the Dropbear/SSH method for the decryption process. I need a non-interactive (without user interaction) encryption/decryption method by the device itself.
I want the device (RPi-3) itself to check and validate hardware information (CPU/HDD Serials, MACs, etc...) and then auto to decrypt/encrypt and boot-up the device without user interaction.

i'm thankful if you help me and send me useful docs, guides, videos, practical tutorials,.............. :(

I have these devices: NanoPi M4, a RPi-3 B, a RPi-3 B+, a MicroSD / eMMC Card.

I read the instructions and tutorials below. But my need is something else :(
https://www.kali.org/docs/arm/raspberry-pi-with-luks-disk-encryption/
https://www.kali.org/docs/arm/raspberry-pi-full-encryption/
https://www.kali.org/tutorials/nuke-kali-linux-luks/
https://kali.training/topic/exercise-chapter-4-installing-kali-linux/
https://github.com/unixabg/cryptmypi

@stupidpupil
Thanks a lot.........

I got some improvements on the sys-ssh-jump service, I like to share this for improvement of the repo. The improvement will make sleeps obsolete and it will just wait for internet connection. Also added an extra function that seemed handy in my case because i used a USB LTE modem that sometimes lost it's connectivity and needed a power cycle. The following project is used for that https://github.com/mvp/uhubctl (Also installable with apt-get)

function is_online() {
    echo -e "GET http://google.com HTTP/1.0\n\n" | nc google.com 80 > /dev/null 2>&1

    if [ $? -eq 0 ]; then
        echo "Redpi has internet"
        result=1
    else
        result=0
    fi
}

function wait_for_internet() {
    is_online
    while [ $result -eq 0 ]; do
        is_online
    done
}

function reset_usb_lte() {
    is_online
    if [ $result -eq 0 ];then
        # Power cycle the usb ports on the pi
        uhubctl -a 2 -l 2
        # Loop till we got internet
        wait_for_internet
    fi
}

Hello @unixabg
If it possible modify initramfs-wifi.hook for Raspberry Pi 4?
With default options: "brcmfmac brcmutil cfg80211 rfkill" my Rpi 4 doesn't work...
Thx =)

Wishlist item to add a cryptsetup-nuke-password options in cryptmypi operations.

I just installed cryptmypi on a Raspberry Pi 4 using kali-linux-2021.2-rpi4-nexmon-64.img.xz and found that in order to get dropbear SSH server running in initramfs I had to update the dropbear hook (2700-stage1-dropbear.hook) as follows:
Find & Replace: /etc/dropbear-initramfs/config -> /etc/dropbear/initramfs/config

hello,

thank you for much for tool. I am testing the next-4.x branch if that's ok.

I am testing it on the RPi3 Raspberry Pi 3 B+ (B Plus) with 1.4 GHz 64-bit Quad-Core Processor, 1 GB RAM + 32gb sd card.

i use config export _KERNEL_VERSION_FILTER="v8+" and everything else default, config is below.

when i unlock remotely i get the following error
kali@kali ~> ssh [email protected] -i /home/kali/.ssh/burner24 -p 2222
The authenticity of host '[192.168.0.21]:2222 ([192.168.0.21]:2222)' can't be established.
ECDSA key fingerprint is SHA256:Q6viG9yNfjVXFfrTcDIxQ3zJmricBXUQxiGwTYNHfzU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.0.21]:2222' (ECDSA) to the list of known hosts.
Enter passphrase for /dev/mmcblk0p2:
Not enough available memory to open a keyslot.
Connection to 192.168.0.21 closed.

i tried googling for the answer and cannot find anything, is something i can fix in the tool?

here the config used:
export _KERNEL_VERSION_FILTER="v8+"
export _HOSTNAME="pikali"
export _BLKDEV="/dev/sdb"
export _LUKSCIPHER="aes-cbc-essiv:sha256"
export _LUKSPASSWD="luks"
export _IMAGEURL=https://images.offensive-security.com/arm-images/kali-linux-2020.2a-rpi3-nexmon-64.img.xz

export _PKGSPURGE=""
export _PKGSINSTALL="macchanger"
export _SSH_LOCAL_KEYFILE="/home/kali/.ssh/key"
stage1_hooks(){
myhooks "stage1"
}
stage1_optional_hooks(){
myhooks "optional-initramfs-luksnuke"
myhooks "optional-sys-gpugovernor-ondemand"
myhooks "optional-sys-dns"
}
_SETUP_SCRIPT='setup.sh'
stage2_optional_hooks(){
myhooks "optional-sys-rootpassword"
}
export _LUKSNUKEPASSWD="nuke"
export _DNS1='1.1.1.1'
export _DNS2='8.8.8.8'
export _ROOTPASSWD="toor"

thank you in advance

Hello - I am having some issues getting cryptmypi working properly. I am using a Raspberry Pi 4B 8GB with a 128GB SD card.

I am using the latest next-4.x branch of code and I have the kernel version set as follows:
export _KERNEL_VERSION_FILTER="l+"

I am using the following hooks in my configuration:
stage1_optional_hooks(){ myhooks "optional-initramfs-luksnuke" myhooks "optional-sys-gpugovernor-ondemand" myhooks "optional-sys-dns" myhooks "optional-sys-docker" }

stage2_optional_hooks(){ myhooks "optional-sys-rootpassword" myhooks "optional-sys-vpnclient" }

I am following the process to unlock LUKS via SSH:
ssh -i /home/user/.ssh/id_rsa -p2222 [email protected]

I am then presented with the password prompt to unlock the LUKS partition:
Enter passphrase for /dev/mmcblk0p2:

And then get the following error:
No key available with this passphrase.

I know the password that I am typing is correct - I have tried both typing manually and copy/paste. Any help in troubleshooting this would be greatly appreciated.

@unixabg Thank you for your work on this valuable project.

Hi, i'm desperately trying to set up an encrypted Kali with a dropbear unlock

After RPI connects to the WiFi and I enter all the passwords, the output looks like that:
(OCR text, not perfect)

done.

Begin: Mounting root file system ... Begin: Starting dropbear ... Begin: Running: /scripts/local-top
[ 46.045253]1 cam-dummy-reg: disabling
Killed.
done.

Begin: Running /scripts/local-premount ... done.
Nothing to read on input.
Begin: Waiting for root file system ... Begin: Running /scripts/local-block ... done.
done.
Gave up waiting for root file system device. Common problemms:

- Boot args (cat /proc/cmdline)

— Check rootdelay= (did the system wait long enough?)
— Missing modules (cat /proc/modules: ls /dev)
ALERT! PARTUUID=71fc311b-02 does not exist. Dropping to a shell!


BusyBox v1.36.1 (Debian 1:1.36.1-3.1) built-in shell (ash)
Enter "help" for a list of built-in commands.

(initramfs)

After editing the script from #56 and commenting lines 117-120, my output looks the same before the error with the addition of endlessly repeating lines:

Begin: Running /scripts/local-block ... done.

Have tried ssh'ing into a newly created Dropbear ssh image on an rpi0w but frankly I cannot figure out trough what medium. I have tried setting it up heedlessly to connect to a Wifi network and even to use g_ether to use a computer's ability to create a bridged network with an RNDIS gadget but the computer refuses to see any device.

Hi! Congratulations for the great project.

Im trying to get it working but im having some troubles.

I have a Rpi4.
The .img used is: kali-linux-2020.2a-rpi3-nexmon-64.img.xz
Using kali-encrypted-basic-nuke, conf file is by default except by export _KERNEL_VERSION_FILTER="8l+", export _LUKSPASSWD="xxxx", export _ROOTPASSWD="xxxx", export _LUKSNUKEPASSWD="xxxx".

Im using my Rpi on local so i dont need ssh. At boot, it prompt the crypt pass. This is the output:

cryptsetup: crypt: set up successfully
done.
Begin: Running /scripts/local-premount ... done.
Warning: fsck not present, so skipping root file system
mount: mounting /dev/mapper/crypt on /root failed: Invalid argument
Failed to mount /dev/mapper/crypt as root file system.

BusyBox v1.30.1 (Debian 1:1.30.1-4) built-in shell (ash)
Enter 'help' for a list of built-in commands.
(initramfs)

Feature request to add unlock through hostapd.

I have tried to use the "Complete" example a couple of times to create a headless Kali RPI0w build.

Each time I run into issues with initramfs wifi.

The common error messages are:

Failed to connect to non-global ctrl_ifname: wlan0  error: No such file or directory
sh: wpa_state=COMPLETED: unknown operand
Success: WLAN Online

Then:

ipconfig: wlan0: SIOCGIFINDEX: No such devices
ipconfig: no devices to configure

Then:

/scripts/init-premount/a_enable_wireless: .: line 275: can't open 'run/net-wlan0.conf': No such file or directory
done.

Any ideas on where to start for troubleshooting? I started from scratch with the config file, and still have the same result.

In

Hello,
thank you for the great project.

I am testing RPi4 and I get the following error
config: export _KERNEL_VERSION_FILTER="l+"
everything else is default.

both stages were successfully completed.

When i connect RPi to network and connect power, I ssh to dropbear and enter my luks passphrase and press enter:

unlocking through ssh:
ssh [email protected] -p 2222 -i ~/.ssh/id_rsa
Enter passphrase for /dev/mmcblk0p2:
Connection to 192.168.0.100 closed.

looking at the monitor, have the following output:
Begin: Starting dropbear ... [ 11.4410601 random: dropbear: uninitialized urandom
20 .6747371 random: dropbear: uninitialized urandom read (32 byte
30 .0756261 random: dropbear: uninitialized urandom read (32 sg eben
30 .1682271 random: dropbear: uninitialized urandom read (32 bytes read)
30 .1951641 random: cryuptsetup: uninitialized urandom read (4 bytes read)
58 .0970761 random: cryptsetup: uninitialized urandom read (2 bytes read)
58 .1084071 device—mapper: crypt: cbc(aes) using implementation “cbc—aes—neonbs”
Terminated
done.
Begin: Running /scripts/local—premount ... done.
Warning: fsck not present, so skipping root file system
mount: mounting “/dev/mapper/crypt on /root failed: Invalid argument
Failed to mount /dev/mapper/crypt as root file system.
error: unexpectedly disconnected from boot status daemon

ERROR: no password supplied
Nothing to read on input.
BusyBox v1.30.1 (Debian 1:1.30.1-4) built-in shell (ash)
Enter “’help’ for a list of built-in commands

(initramfs)

Is anything i am doing wrong?

Firstly, I want to say thanks for putting this together, it simplifies an otherwise long and tedious process tremendously.

With Pi's now being able to boot from USB, it would be great if Cryptmypi had support for USB storage devices, such as an external SSD, as it can provide performance benefits over SD cards (if using USB3.0). SD cards are also prone to failure. To enable USB boot on the Pi, one must first update the bootloader. another link

I've successfully used Cryptmypi to create an encrypted Kali image on an SD card but haven't yet been able to get Cryptmypi working for USB devices in my testing.

The first attempt with Cryptmypi to create the image on my SSD drive resulted in it not booting at all. I couldn't see if there were any errors showing as I'm going headless, but I figured it was because of the references to /dev/mmcblk0pX devices, which the Pi seems to give to SD cards, whereas a USB device would get /dev/sdaX. I updated the reference in boot/initramfs-tools/update.sh in the build dir (before Stage2) and after flashing I mounted the partitions and edited the references in cmdline.txt, fstab, and crypttab.

I also downloaded the latest *.dat and *.elf files from the Raspberry Pi firmware repo and copied them to the SSD boot partition. I suppose the Kali ARM image doesn't have the latest versions of those yet.

Next attempt was more successful. Trying to SSH in, I reach the LUKS prompt that asks me to unlock my device and enter the password, and the connection closes. But when SSH'ing back in again it immediately drops the connection. This tells me that the boot is successful but it hangs after providing the LUKS password.

Just want to see if anyone has gotten this to work or can see if I've missed anything that I should test?

OS: Linux Mint (fully updated)
Command Ran: sudo ./cryptmypi.sh examples/pios-encrypted-basic
Errors:
chroot: failed to run command ‘apt-get’: No such file or directory
chroot: failed to run command ‘/bin/bash’: No such file or directory

Full Log:

main@htpc:~/cryptmypi$ sudo ./cryptmypi.sh examples/pios-encrypted-basic

###############################################################################
                               C R Y P T M Y P I
###############################################################################

Loading functions...
./cryptmypi.sh: line 257: [: /home/main/cryptmypi/functions/chroot: binary operator expected
- Loading chroot.fns ...
  ... chroot.fns loaded!
- Loading echo.fns ...
  ... echo.fns loaded!
- Loading files.fns ...
  ... files.fns loaded!
- Loading hooks.fns ...
  ... hooks.fns loaded!
- Loading misc.fns ...
  ... misc.fns loaded!
- Loading ssh.fns ...
  ... ssh.fns loaded!
- Loading stage1profiles.fns ...
  ... stage1profiles.fns loaded!

Attempting to run preconditions hooks ...
- Calling 0000-preconditions-root.hook ...
    ... 0000-preconditions-root.hook completed!

- Calling 0200-preconditions-rsync.hook ...
    ... 0200-preconditions-rsync.hook completed!

- Calling 0300-preconditions-dns.hook ...
Primary DNS server _DNS1 is not set on config: Setting default value 1.1.1.1
Secondary DNS server _DNS2 is not set on config: Setting default value 8.8.8.8
    ... 0300-preconditions-dns.hook completed!

# Executing both stages #######################################################
###############################################################################
                               C R Y P T M Y P I
                               ---- Stage 1 ----
v4.5-beta
###############################################################################

--- Custom STAGE1 SELECTED
    stage1profile_encryption

--- Executing:

Attempting to run stage1-sanity hooks ...
- Calling 1100-stage1-sanity-qemu.hook ...
    ... 1100-stage1-sanity-qemu.hook completed!


Attempting to run stage1-image-download hooks ...
- Calling 2000-stage1-image-download.hook ...
ARM image 2020-08-20-raspios-buster-armhf-lite.zip already exists!
Validating image checksum...
Done: Image is valid!
    ... 2000-stage1-image-download.hook completed!


Attempting to run stage1-image-extract hooks ...
- Calling 2100-stage1-image-extract.hook ...
Extracting image: 2020-08-20-raspios-buster-armhf-lite.zip ...
Mounting loopback ...
Syncing image/root to /home/main/cryptmypi/examples/pios-encrypted-basic/build/root ...
Syncing image/root/boot to /home/main/cryptmypi/examples/pios-encrypted-basic/build/root/boot ...
Cleaning loopback ...
    ... 2100-stage1-image-extract.hook completed!


Attempting to run stage1-setup-chroot hooks ...
- Calling 2200-stage1-setup-chroot.hook ...
- Copying qemu emulator to chroot ...
Preparing RPi chroot mount structure at '/home/main/cryptmypi/examples/pios-encrypted-basic/build/root'.
Mounting '/home/main/cryptmypi/examples/pios-encrypted-basic/build/root/dev/' ...
Mounting '/home/main/cryptmypi/examples/pios-encrypted-basic/build/root/dev/pts' ...
Mounting '/home/main/cryptmypi/examples/pios-encrypted-basic/build/root/sys/' ...
Mounting '/home/main/cryptmypi/examples/pios-encrypted-basic/build/root/proc/' ...
Fixing ld.so.preload
/home/main/cryptmypi/examples/pios-encrypted-basic/build/root/etc/resolv.conf exists and appears to be not empty.
Updating apt-get
chroot: failed to run command ‘apt-get’: No such file or directory
    ... 2200-stage1-setup-chroot.hook completed!


Attempting to run stage1-locale hooks ...
- Calling 2300-stage1-locale.hook ...
Configuring system locale...
_LOCALE not set, using default value 'en_US.UTF-8'
Uncommenting locale 'en_US.UTF-8' for inclusion in generation
Updating /etc/default/locale
Installing locales
- Installing locales
chroot: failed to run command ‘apt-get’: No such file or directory
apt-get failed: Trying to recover...
chroot: failed to run command ‘/bin/bash’: No such file or directory
ERROR: Could not install locales correctly... Exiting.
Tearing down RPi chroot mount structure at '/home/main/cryptmypi/examples/pios-encrypted-basic/build/root'.
Reverting ld.so.preload fix
Unmounting binds
umount: /dev/sdb: not mounted.
umount: /mnt/cryptmypi: no mount point specified.
umount: /mnt/cryptmypi: no mount point specified.
umount: /dev/mapper/crypt: no mount point specified.
Device crypt is not active.

Hi @unixabg
How I can unlock my encrypted kali-complete Rpi4B via LTE\3G USB modem (eg. Huawei E3372h-153)?

IF its possible to load this USB modem to initframs?
Thx?

Hello! First, thanks for the scripts and work; the project is impressive. I have done the manual setup referenced on Kali's blog (https://www.kali.org/blog/secure-kali-raspberry-pi/), and that's how I arrived here.

Secondly: I'm very interested in being able to produce a Kali ARM encrypted environment to run with my RPi4, which is unlockable and operational without having to rely on either wifi or ethernet connection, through an interactive session with a direct keyboard connection, similar to the boot USB drive created through this post here: https://www.kali.org/docs/usb/usb-standalone-encrypted/. That said, I wouldn't mind having the ssh port over wifi LAN as an optional way to unlock and operate; it's just not my primary use case.

Is there a particular configuration I can use to achieve this, using one of the examples?

Thank you very much for your attention; I would appreciate any help or guidance, for I'm a little bit lost.

My plan is to ship Raspberry Pi 4s out to the wild, but I don't want people to easily reverse engineer the proprietary software on them.

According to https://github.com/raspberrypi/usbboot/blob/master/secure-boot-recovery/README.md Raspberry Pi 4 supports secure boot.
Also there seem to be user-burnable fuses / OTP registers in the CPU: https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#otp-registers

So the plan is to:

1. setup secure boot, save public signing key in OTP registers 47-55

2. burn fuses to disallow bootloader downgrade, disable boot JTAG, disable boot loader HDMI output, set strict boot order

-> prevents anyone from booting a different system than our own or changing boot-args to gain root access, I guess?
-> also prevents anyone from then reading OTP register values, as they can't boot anything to read the register and can't use JTAG?

3. burn in a decryption key in the user defined OTP register 36-43 (or use cpu serial number?) for encrypted rootFS that resides on the SD card
   -> prevents access to proprietary software on the encrypted volume, even if the SD card is read somewhere else

4. decryption key is different on every shipped Pi
   -> prevents cloning the SD card and use in another Pi

What am I missing here or why did nobody do this yet?

Failed to build also notice the update-initramfs: Generating /boot/initrd.img-5.10.0-3-arm64 line

256 SHA256:MPXGEWVQXPfZODBuXpoKZEtkwFk8ptPzsDIWrfnojEs /etc/dropbear-initramfs/dropbear_ed25519_host_key (ED25519)
+--[ED25519 256]--+
|     ..== +**.. .|
|      o++o +.o o+|
|      o=+.+ o +.o|
|      +*=o o + . |
|       =S=  +    |
|      * ....     |
|    E. =  .      |
|   . o. .        |
|    ooo          |
+----[SHA256]-----+
update-initramfs: deferring update (trigger activated)
Dropbear has been added to the initramfs. Don't forget to check
your "ip=" kernel bootparameter to match your desired initramfs
ip configuration.

Processing triggers for libc-bin (2.31-9) ...
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
dpkg: error processing package libc-bin (--configure):
 installed libc-bin package post-installation script subprocess returned error exit status 139
Processing triggers for initramfs-tools (0.139) ...
update-initramfs: Generating /boot/initrd.img-5.10.0-3-arm64
cryptsetup: WARNING: Couldn't determine root device
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
dropbear: WARNING: Invalid authorized_keys file, SSH login to initramfs won't work!
W: Couldn't identify type of root file system for fsck hook
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
/usr/bin/grep: /proc/device-tree/model: No such file or directory
Errors were encountered while processing:
 libc-bin
E: Sub-process /usr/bin/dpkg returned an error code (1)
apt-get failed: Trying to recover...
+ sleep 5
+ apt-get update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Reading package lists... Done
+ apt-get -y install dropbear
Reading package lists... Done
Building dependency tree
Reading state information... Done
dropbear is already the newest version (2020.81-3).
0 upgraded, 0 newly installed, 0 to remove and 18 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = "en_GB:en",
        LC_ALL = (unset),
        LANG = "en_GB.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
/usr/bin/locale: Cannot set LC_CTYPE to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_MESSAGES to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_ALL to default locale: No such file or directory
Setting up libc-bin (2.31-9) ...
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Segmentation fault
dpkg: error processing package libc-bin (--configure):
 installed libc-bin package post-installation script subprocess returned error exit status 139
Errors were encountered while processing:
 libc-bin
E: Sub-process /usr/bin/dpkg returned an error code (1)
+ exit 1
ERROR: Could not install dropbear correctly... Exiting.
Tearing down RPi chroot mount structure at '/home/notroot/cryptmypi/examples/debian-encrypted-basic-dropbear/build/root'.
Unmounting binds
umount: /dev/sdb*: no mount point specified.
umount: /mnt/cryptmypi: no mount point specified.
umount: /mnt/cryptmypi: no mount point specified.
umount: /dev/mapper/crypt: no mount point specified.
Device crypt is not active.

Hi @unixabg !
Thx for your cool stuff, but I have some problem: I want to use "examples/kali-complete" example with full encryption and remote Drop-Bear SSH via sshhub.de, but for Now sshhub.de doesn't work, and I cannot login and unlock my "drop-box", I begin to modify your script, but I am stuck: I cannot configured proprely work your script with My Jump SSH server, I want to use my VPS (Ubuntu 18.04 with ssh server) as Jump SSH Server such as You used sshub.de.
Can You help me Plz.... I want to use Rpi4 with full disk encryption + Drop Bear SSH for remote unlocking + own VPS with Jump SSH Server.
Cheers!

Hi there!

I've used your project to setup a Pi4 with an encrpyted PiOS system a few months ago, which worked fine until now. Today I've ran apt upgrade and after repairing my initramfs (because the idiot I am and the long timespans in between me doing updates of my servers I've forgot to do it the easy way before rebooting) I now managed to boot my Pi4 again.

But I had to connect a screen to find out why it didn't work initially: Something in the new initramfs timeouts if I don't unlock a few seconds and drops to a shell and prevents the unlock script to boot the system.

So I can still boot if I'm "really fast" at connecting via ssh & entering the keyphrase, but that's a very suboptimal situation, which would prevent me from booting the system from a distance after a power outage or even just rebooting remote if the connection is not perfect enough to allow me to do it fast enough.

Anybody knows how to get rid of this timeout in the initramfs and get back to the previous behaviour (= unlimited time to unlock)?

When I'm not fast enough, the screen reads:

Begin: Running /scripts/local-block ... done.
... [repeats 21 times]
Begin: Running /scripts/local-block ... done.
done.
Gave up waiting for root file system device. Common problems:
 - Boot args (cat /proc/cmdline)
   - Check rootdelay= (did the system wait long enough?)
 - Missing modules (cat /proc/modules; ls /dev)
ALERT! /dev/mapper/crypt does not exist. Dropping to a shell!


BusyBox v1.30.1 (Debian 1:1.30.1-6+b3) built-in shell (ash)
Enter ´help´ for a list of built-in commands.

(initramfs) _

I can connect to the initramfs Dropbear on port 2222 even after that and enter the passphrase, but the system doesn't boot and the screen's output doesn't change when I do. Dropbear keeps running and can be connected to again, but disconnects immediately.

UPDATE: okey, so I found here:
https://unix.stackexchange.com/questions/67199/whats-the-point-of-rootwait-rootdelay

rootwait is provided to wait indefinitely. It's not always desirable, for example a system may want to fall back to a different root filesystem if the normal one takes too long to respond.

And on my Pi4:

# cat /proc/cmdline 
coherent_pool=1M 8250.nr_uarts=1 snd_bcm2835.enable_compat_alsa=0 snd_bcm2835.enable_hdmi=1 video=HDMI-A-1:3840x2160M@30,margin_left=64,margin_right=64,margin_top=64,margin_bottom=64 smsc95xx.macaddr=DC:A6:32:74:F2:8D vc_mem.mem_base=0x3ec00000 vc_mem.mem_size=0x40000000  console=ttyAMA0,115200 console=tty1 root=/dev/mapper/crypt rootfstype=btrfs rootflags=subvol=subvolumes/linux_root fsck.repair=no rootwait

It seems like it should do that. Somehow it doesn't. No idea why though...

UPDATE2: this seems related:
https://stackoverflow.com/questions/14806294/linux-kernel-parameter-rootwait-being-ignored

The answer there says:

The rootwait kernel parameter only affects the first stage of boot, while the kernel is waiting for its initial root device. From what you're describing, the kernel has already mounted some sort of root device (either a stub root or an initramfs) and started executing startup scripts, so the rootwait parameter no longer applies -- whatever timeout is firing is specified somewhere else. You'll need to look at the startup scripts that are handling this and modify them appropriately.

So I guess the issue I'm seeing is caused by some startup script modified by the latest updates in PiOS.

UPDATE3: found it: /usr/share/initramfs-tools/scripts/local has a function local_device_setup() in lines 45-142, with lines 117-120 breaking out of the waiting loop if more than 30 seconds have elapsed.

I've commented out that if, which gave me back the functionality of the pi4 waiting "forever" on me logging into the initramfs dropbear and supplying the luks keyphrase.

Hi, great project, although I couldn't manage get it working 😁
Not sure if it's still working, and want to know if I should continue trying to set it up and use it the future 🫡

As the title states, first boot after flashing an SD card gets to the "Please unlock disk crypt" prompt, at which point the LUKS password doesn't work and is met with

Cannot initialize device mapper. Is dm_mod kernel module loaded?
Cannot use device crypt, name is invalid or still in use

Used pios-encrypted-basic example, didn't change anything in the config file except for the device to flash to. Built on Ubuntu 22.04 LTS.

Hello,
I would like to propose improvement and can test it and will try implement it myself, just not sure how correctly integrate it with your hooks:

The below project designed to fetch key with url or enter manually if url is not accessible:
Allow a machine with an encrypted boot drive to passwordlessly boot by fetching a key over HTTPS.

https://github.com/stupidpupil/https-keyscript

the releases section has latest binary:
https://github.com/stupidpupil/https-keyscript/releases/download/v1.0.3/https-keyscript_1.0.3_all.deb

thank you

As I had multiple failures building the sdcard on native kali and with stable wifi, i would like to recommend to add error checking:

Example:

echo "Installing tools"
apt-get install -y cryptsetup >> $LOGFILE 2>&1
ERROR=$?
if [ $ERROR -ne 0 ]; then
echoerror "Could not install tools (Error Code: $ERROR)."
fi

Hello,

when I try to run ./cryptmypi.sh examples/debian-encrypted-basic-dropbear/ it fails at this point:

Calling 2300-stage1-locale.hook ..
...
+ apt-get -y install locales
...
E: Package 'locales' has no installation candidate
+ exit 1
ERROR: Could not install locales correctly... Exiting.

But I think that the root error is that apt update fails before that because /etc/resolv.conf has the wrong permissions:

- Calling 2200-stage1-setup-chroot.hook ...
...
/tmp/cryptmypi/examples/debian-encrypted-basic-dropbear//build/root/etc/resolv.conf does not exists or is empty.
Setting nameserver to 1.1.1.1 and 8.8.8.8 in /tmp/cryptmypi/examples/debian-encrypted-basic-dropbear//build/root/etc/resolv.conf
Updating apt-get
Err:1 http://deb.debian.org/debian bullseye InRelease
  Temporary failure resolving 'deb.debian.org'
Reading package lists... Done
W: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease  Temporary failure resolving 'deb.debian.org'

When I look in the RPi chroot I find this:

ls -lah /etc/resolv.conf 
-rw------- 1 root root 38 2021-04-07 19:45 /etc/resolv.conf

And inside the chroot "apt update" fails.

When I change /etc/resolv.conf to the imho correct 644 permission "apt update" works inside the chroot.

It also works again if I add this line in functions/chroot.fns (after the resolv.conf is created)
chmod 644 "${CHROOTDIR}/etc/resolv.conf"

Btw, thanks for this great project!

After updating my pi the Luks unlock broke

Whenever I try to unlock the disk I get this error:

Enter passphrase for /dev/disk/by-uuid/----:
Cannot initialize device-mapper. Is dm_mod kernel module loaded?
Cannot use device crypt, name is invalid or still in use.
Enter passphrase for /dev/disk/by-uuid/----:

Hi there @unixabg
First of all thx for the GREAT work with this project, BUT now I have some Big problem and I am stuck on these:
I'm trying to use examples/pios-encrypted-basic-dropbear on a Raspberry Pi (4 Model B Rev 1.2 4 GB Ram):

rooy@pi-home:/home# cat /proc/cpuinfo
processor       : 0
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

processor       : 1
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

processor       : 2
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

processor       : 3
model name      : ARMv7 Processor rev 3 (v7l)
BogoMIPS        : 108.00
Features        : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32 
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x0
CPU part        : 0xd08
CPU revision    : 3

Hardware        : BCM2711
Revision        : c03112
Serial          : 10000000f4031d51
Model           : Raspberry Pi 4 Model B Rev 1.2

and it boots and accepts the SSH connect but the following messages show up instead of the LUKS password prompt:

Device /dev/disk/by-uuid/609fe123-f56d-4125-ba8d-986a77033580 does not exist or access denied.
Device /dev/disk/by-uuid/609fe123-f56d-4125-ba8d-986a77033580 does not exist or access denied.
Device /dev/disk/by-uuid/609fe123-f56d-4125-ba8d-986a77033580 does not exist or access denied.

And that's all I can't log in and unlock my RPi
I am using the next config files (I have just updated img url and sha256, and change KERNEL_VERSION_FILTER to v8l+ ):

###############################################################################
## cryptmypi profile ##########################################################


# EXAMPLE OF A SIMPLE ENCRYPTED Raspberry Pi OS CONFIGURATION
#   Will create a encrypted pios system:
#   - during boot the encryption password will be prompted both
#       via the console and ssh on port 2222
#   - with ssh server (available after boot)
#       The id_rsa.pub public key will be added to authorized_keys
#
#   Some optional hooks are defined on stage2:
#   - "optional-sys-rootpassword" that sets root password


# General settings ------------------------------------------------------------
# You need to choose a kernel compatible with your RPi version.
#   - Re4son+ is for armv6 devices (ie. RPi1, RPi0, and RPi0w)
#   - v7+ and v8+ are for the 32bit and 64bit armv7 devices (ie. RPi 3)
#   - l+ is mostly for the RPi4 since one can have 4GB or 8GB versions
#     The l in l+ actually means lpae (Large Physical Address Extensions)
export _KERNEL_VERSION_FILTER="v8l+"

# HOSTNAME
#   Each element of the hostname must be from 1 to 63 characters long and
#   the entire hostname, including the dots, can be at most 253
#   characters long.  Valid characters for hostnames are ASCII(7) letters
#   from a to z, the digits from 0 to 9, and the hyphen (-)
export _HOSTNAME="pi-home"

# BLOCK DEVICE
#   The SD card or USD SD card reader block device
#   - USB drives will show up as the normal /dev/sdb, /dev/sdc, etc.
#   - MMC/SDcards may show up the same way if the card reader is USB-connected.
#   - Internal card readers normally show up as /dev/mmcblk0, /dev/mmcblk1, ...
#   You can use the lsblk command to get an easy quick view of all block
#   devices on your system at a given moment.
export _BLKDEV="/dev/sdc"


# LUKS ENCRYPTION -------------------------------------------------------------
## Encryption Cypher
export _LUKSCIPHER="aes-cbc-essiv:sha256"

## Encryption Password
export _LUKSPASSWD="password"

## Stage2 regenerate luks uuid
# A value of yes generates a new luks uuid for deployment
export _NEWLUKSUUID="yes"

## Encryption Extra
# On rpi0-1-2-3 you may want to reduce the required memory to unlock
#  _LUKSEXTRA="--pbkdf-memory 131072"
export _LUKSEXTRA=""


# LINUX IMAGE FILE ------------------------------------------------------------
export _IMAGEURL=https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2022-01-28/2022-01-28-raspios-bullseye-armhf-lite.zip
export _IMAGESHA="f6e2a3e907789ac25b61f7acfcbf5708a6d224cf28ae12535a2dc1d76a62efbc"


# PACKAGE ACTIONS -------------------------------------------------------------
export _PKGSPURGE=""
export _PKGSINSTALL="tree htop"


# MINIMAL SSH CONFIG ----------------------------------------------------------
#   Keyfile to be used to access the system remotelly through ssh.
#   Its public key will be added to the system's root .ssh/autorized_keys
export _SSH_LOCAL_KEYFILE="$_USER_HOME/.ssh/id_rsa"


###############################################################################
## Stage 1 Settings ###########################################################

# Custom Stage1 Profile
#   Check functions/stage1profiles.fns for reference. You may instruct hooks
#   here or you may call one predefined stage1profile functions.
#   Optional function:
#   - if stage1_hooks is not defined, you will be prompted
#   - declare it if you want to skip script prompt predefining it
stage1_hooks(){
    stage1profile_complete
}

###############################################################################
## Stage-2 Settings ###########################################################

# Optional stage 2 hooks
#   If declared, this function is called during stage2 build by the
#   stage2-runoptional hook.
#
#   Optional function: can be ommited.
stage2_optional_hooks(){
    myhooks "optional-sys-rootpassword"
}


###############################################################################
##Optional Hook Settings #####################################################


# ROOT PASSWORD CHANGER settings ----------------------------------------------
# Hooks
#   optional-sys-rootpassword
#       Changes the system root password

## The new root password
export _ROOTPASSWD="root_password"

P.S.
Mostly of all I am using default config file with changes:
change export _NEWLUKSUUID="yes" to export _NEWLUKSUUID="no" in this way have to error like this issue:
#46
If use Your default config file like here:
https://github.com/unixabg/cryptmypi/blob/master/examples/pios-encrypted-basic-dropbear/cryptmypi.conf
That's all ok, but after apt update -y && apt upgrade -y, I have this error:
#46

Plz help =)
And have a nice day @unixabg

I'm trying to use examples/pios-encrypted-basic-dropbear on a Raspberry Pi 4 Model B 8GB and it boots and accepts the SSH connect but the following messages show up instead of the LUKS password prompt:

Device /dev/mmcblk0p2 doesn't exist or access denied.
Device /dev/mmcblk0p2 doesn't exist or access denied.
Device /dev/mmcblk0p2 doesn't exist or access denied.
Device /dev/mmcblk0p2 doesn't exist or access denied.
...

The image in question is https://raspi.debian.net/verified/20201112_raspi_4.img.xz. I tracked it down to the generated initramfs:

etc/unlock.sh:7:    test -e /dev/mapper/crypt && break || cryptsetup luksOpen /dev/mmcblk0p2 crypt

which comes from the encryption hook:

3000-stage1-setup-encryption.hook:67:    test -e /dev/mapper/crypt && break || cryptsetup luksOpen /dev/mmcblk0p2 crypt

In the boot messages I see that the SD card is detected as mmcblk1, so this explains the error. Is this particular to the Pi 4?

I am able to get it working by updating the hook to refer to mmcblk1p2 and by modifying /etc/fstab, /etc/crypttab, and /boot/cmdline.txt because the patterns in those files are not matched by the sed commands looking for /dev/mmcblk0p2. This is caused by references to filesystem labels:

This line in /etc/fstab

LABEL=RASPIROOT / ext4 rw 0 1

becomes:

/dev/mapper/crypt / ext4 rw 0 1

This line in /etc/crypttab

crypt    /dev/mmcblk0p2    none    luks

becomes:

crypt    /dev/mmcblk1p2    none    luks

And /boot/cmdline.txt

console=tty0 console=ttyS1,115200 root=LABEL=RASPIROOT rw elevator=deadline fsck.repair=yes net.ifnames=0 rootwait

becomes:

console=tty0 console=ttyS1,115200 root=/dev/mapper/crypt cryptdevice=/dev/mmcblk1p2:crypt rootfstype=ext4 rw elevator=deadline fsck.repair=yes net.ifnames=0 rootwait

I'm submitting this issue so that others can use this workaround.

As said in title the scripts fails when it's trying to install dropbear because it cannot resolve hosts, my guess would be incorrect DNS name server names in the /etc/resolv.conf file, I've got no clue how to fix it with the script so sadly cant make any pull requests. To add: Running rasp pi 4 with nightly build of the kali image.

Hi great work and thanks.

I have been trying for a few days now to get a new encrypted system up and running from a already known working non encrypted one.

The problem is under experimental-initramfs-wifi the wifi driver loads but i never comes up. 

Below is the following errors i get with putty when i follow via tty

[    7.268685] usb 1-1.2: new high-speed USB device number 4 using dwc_otg
[    7.411153] usb 1-1.2: New USB device found, idVendor=07d1, idProduct=3303, bcdDevice= 2.00
[    7.128655] usb 1-1.2: new high-speed USB device number 4 using dwc_otg
[    7.271137] usb 1-1.2: New USB device found, idVendor=07d1, idProduct=3303, bcdDevice= 2.00
[    7.286048] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[    7.296796] usb 1-1.2: Product: 11n Adapter
[    7.304363] usb 1-1.2: Manufacturer: Manufacturer Realtek
[    7.313270] usb 1-1.2: SerialNumber: 00e04c000001
[   18.408087] Freeing unused kernel memory: 1024K
[   18.416401] Run /init as init process
[   19.739581] r8712u: module is from the staging directory, the quality is unknown, you have been warned.
[   19.752709] smsc95xx 1-1.1:1.0 enxb827eb18d407: renamed from eth0
[   19.786472] r8712u: register rtl8712_netdev_ops to netdev_ops
[   19.795871] usb 1-1.2: r8712u: USB_SPEED_HIGH with 4 endpoints
[   19.810473] usb 1-1.2: r8712u: Boot from EFUSE: Autoload OK
[   20.314131] random: crng init done
[   20.766779] usb 1-1.2: r8712u: CustomerID = 0x0000
[   20.774589] usb 1-1.2: r8712u: MAC Address from efuse = 28:10:7b:b6:d4:ac
[   20.784337] usb 1-1.2: r8712u: Loading firmware from "rtlwifi/rtl8712u.bin"
[   20.796091] usbcore: registered new interface driver r8712u
[   20.816163] r8712u 1-1.2:1.0 wlx28107bb6d4ac: renamed from wlan0
[   20.919333] device-mapper: ioctl: 4.41.0-ioctl (2019-09-16) initialised: [email protected]
[   21.026821] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   21.122972] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   21.133118] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   21.151337] cfg80211: failed to load regulatory.db
[   21.204630] usbcore: registered new interface driver brcmfmac

please also see screenshot of monitor output

Here is also my config file

export _KERNEL_VERSION_FILTER="v7+"

export _HOSTNAME="encrypted-pi"

export _LOCALE="en_GB.UTF-8"

export _BLKDEV="/dev/sdb"

export _LUKSCIPHER="aes-cbc-essiv:sha256"

export _LUKSPASSWD="berry"

export _LUKSEXTRA=""

export _IMAGEURL=https://downloads.raspberrypi.org/raspios_lite_armhf/images/raspios_lite_armhf-2020-08-24/2020-08-20-raspios-buster-armhf-lite.zip
export _IMAGESHA="4522df4a29f9aac4b0166fbfee9f599dab55a997c855702bfe35329c13334668"

export _PKGSPURGE=""
export _PKGSINSTALL=""

export _SSH_LOCAL_KEYFILE="$_USER_HOME/.ssh/id_rsa"

stage1_hooks(){
    stage1profile_complete
}

stage1_optional_hooks(){
    myhooks "experimental-initramfs-wifi"
}

stage2_optional_hooks(){
    myhooks "optional-sys-rootpassword"
}

export _DNS1='1.1.1.1'

export _DNS2='1.0.0.1'

export _WIFI_SSID='testwifi'

export _WIFI_PASS='testwifipassword'

export _WIFI_INTERFACE='wlan0'

export _INITRAMFS_WIFI_INTERFACE='wlan0'

export _INITRAMFS_WIFI_IP=":::::${_INITRAMFS_WIFI_INTERFACE}:dhcp:${_DNS1}:${_DNS2}"


### ** NOTE r8712u is a driver already in raspios-buster-armhf-lite **
export _INITRAMFS_WIFI_DRIVERS='brcmfmac brcmutil cfg80211 rfkill r8712u'


export _ROOTPASSWD="raspberry"

I have also been able to compile in a a new wifi module 8821cu that also loads but i get the same error.

Unit: Raspberry pi 2
OS: as in config file
WIFI: wifi card DWA-131 r8712u
WIFI: wifi card cudy WU650 8821cu

any advise would be great.
Thanks