On LUKS-Dropbear-Arch-Raspberry Pi-System appears error: Can't open '/.cryptdev': No such file or directory


I wrote a script to configure and transfer images to an SD card to use them on a Raspberry Pi.

In line 418 of this script you will find the following code:


    if [ "$encrypt_system" == "y" ]
      then
        # @see https://gist.github.com/gea0/4fc2be0cb7a74d0e7cc4322aed710d38
        rescue_suffix=".$(date +%s).rescue"
        search_hooks="HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)"
        replace_hooks="HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)"
        mkinitcpio_path="/etc/mkinitcpio.conf"
        mkinitcpio_rescue_path="$mkinitcpio_path$rescue_suffix"
        search_modules="MODULES=()"
        replace_modules="MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)"
        root_mapper_path="/dev/mapper/root"
        fstab_path="/mnt/etc/fstab"
        fstab_rescue_path="$fstab_path$rescue_suffix"
        crypttab_path="/mnt/etc/crypttab"
        crypttab_rescue_path="$crypttab_path$rescue_suffix"
        boot_txt_path="/boot/boot.txt"
        boot_txt_rescue_path="$boot_txt_path$rescue_suffix"
        boot_txt_delete_line=$(echo "part uuid \${devtype} \${devnum}:2 uuid" | sed -e 's/[]\/$*.^[]/\\&/g')
        boot_txt_setenv_origin=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 root=PARTUUID=\${uuid} rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\"" | sed -e 's/[]\/$*.^[]/\\&/g')
        boot_txt_setenv_replace=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 ip=::::$target_hostname:eth0:dhcp cryptdevice=$encrypted_partition_path:root root=$root_mapper_path rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\""| sed -e 's/[\/&]/\\&/g')
        info "Setup encryption..." &&
        question "Type in encryption password: " && read -r luks_password
        question "Repeat encryption password:" && read -r luks_password_repeat
        if [ "$luks_password" != "$luks_password_repeat" ]
          then
            error "Passwords didn't match."
        fi
        (
        echo "pacman --noconfirm -S --needed $(get_packages "server/luks") &&"
        echo "cp -v /home/$target_username/.ssh/authorized_keys /etc/dropbear/root_key &&"
        echo "cp -v $mkinitcpio_path $mkinitcpio_rescue_path &&"
        echo "sed -i 's/$search_modules/$replace_modules/g' $mkinitcpio_path &&"
        echo "sed -i 's/$search_hooks/$replace_hooks/g' $mkinitcpio_path &&"
        echo "echo \"Content of $mkinitcpio_path:\$(cat \"$mkinitcpio_path\")\" &&"
        #Concerning mkinitcpio warning @see https://gist.github.com/imrvelj/c65cd5ca7f5505a65e59204f5a3f7a6d
        echo "mkinitcpio -P &&"
        echo "echo '$luks_password' | sudo cryptsetup -v luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 1000 $encrypted_partition_path &&"
        echo "echo '$luks_password' | sudo cryptsetup -v luksOpen $encrypted_partition_path root &&"
        echo "mkfs.ext4 $root_mapper_path &&"
        echo "mount $root_mapper_path /mnt &&"
        echo "rsync --info=progress2 -axHAX / /mnt/ &&"
        echo "cp -v $fstab_path $fstab_rescue_path &&"
        echo "echo $root_mapper_path' /               ext4    defaults,noatime  0       1' >> $fstab_path &&"
        echo "echo \"Content of $fstab_path:\$(cat \"$fstab_path\")\" &&"
        echo "cp -v $crypttab_path $crypttab_rescue_path &&"
        echo "echo 'root '$encrypted_partition_path' none luks' >> $crypttab_path &&"
        echo "echo \"Content of $crypttab_path:\$(cat \"$crypttab_path\")\" &&"
        #boot.txt just works with raspberry pi 3 @todo Needs to be implemented for arch raspberry pi 4
        echo "cp -v $boot_txt_path $boot_txt_rescue_path &&"
        echo "sed -i 's/$boot_txt_delete_line//g' $boot_txt_path &&"
        echo "sed -i 's/$boot_txt_setenv_origin/$boot_txt_setenv_replace/g' $boot_txt_path &&"
        echo "echo \"Content of $boot_txt_path:\$(cat \"$boot_txt_path\")\" &&"
        echo "cd /boot/ && ./mkscr &&"
        echo "umount $root_mapper_path &&"
        echo "sudo cryptsetup -v luksClose root &&"
        echo "exit || echo 'Error in chroot environment!'; echo 'Trying to close decrypted root.'; sudo cryptsetup -v luksClose root"
        ) | chroot "$root_mount_path" /bin/bash || error
    fi

This generates the following output:


    [INFO]: Setup encryption... 
    [QUESTION]: Type in encryption password:  
    test
    [QUESTION]: Repeat encryption password: 
    test
    warning: rsync-3.2.3-1 is up to date -- skipping
    warning: autoconf-2.69-7 is up to date -- skipping
    warning: automake-1.16.2-3 is up to date -- skipping
    warning: binutils-2.35-1 is up to date -- skipping
    warning: bison-3.6.4-1 is up to date -- skipping
    warning: fakeroot-1.24-2 is up to date -- skipping
    warning: file-5.39-1 is up to date -- skipping
    warning: findutils-4.7.0-2 is up to date -- skipping
    warning: flex-2.6.4-3 is up to date -- skipping
    warning: gawk-5.1.0-1 is up to date -- skipping
    warning: gcc-10.2.0-1 is up to date -- skipping
    warning: gettext-0.21-1 is up to date -- skipping
    warning: grep-3.4-1 is up to date -- skipping
    warning: groff-1.22.4-3 is up to date -- skipping
    warning: gzip-1.10-3 is up to date -- skipping
    warning: libtool-2.4.6+44+gb9b44533-14 is up to date -- skipping
    warning: m4-1.4.18-3 is up to date -- skipping
    warning: make-4.3-3 is up to date -- skipping
    warning: pacman-5.2.2-1 is up to date -- skipping
    warning: patch-2.7.6-8 is up to date -- skipping
    warning: pkgconf-1.7.3-1 is up to date -- skipping
    warning: sed-4.8-1 is up to date -- skipping
    warning: sudo-1.9.3.p1-1 is up to date -- skipping
    warning: texinfo-6.7-3 is up to date -- skipping
    warning: which-2.21-5 is up to date -- skipping
    warning: uboot-tools-2020.04-1 is up to date -- skipping
    warning: dropbear-2020.80-1 is up to date -- skipping
    warning: mkinitcpio-utils-0.0.3-5 is up to date -- skipping
    warning: mkinitcpio-netconf-0.0.5-2 is up to date -- skipping
    warning: mkinitcpio-dropbear-0.0.3-6 is up to date -- skipping
     there is nothing to do
    '/home/alarm/.ssh/authorized_keys' -> '/etc/dropbear/root_key'
    '/etc/mkinitcpio.conf' -> '/etc/mkinitcpio.conf.1601472644.rescue'
    Content of /etc/mkinitcpio.conf:# vim:set ft=sh
    # MODULES
    # The following modules are loaded before any boot hooks are
    # run.  Advanced users may wish to specify all system modules
    # in this array.  For instance:
    #     MODULES=(piix ide_disk reiserfs)
    MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)
    
    # BINARIES
    # This setting includes any additional binaries a given user may
    # wish into the CPIO image.  This is run last, so it may be used to
    # override the actual binaries included by a given hook
    # BINARIES are dependency parsed, so you may safely ignore libraries
    BINARIES=()
    
    # FILES
    # This setting is similar to BINARIES above, however, files are added
    # as-is and are not parsed in any way.  This is useful for config files.
    FILES=()
    
    # HOOKS
    # This is the most important setting in this file.  The HOOKS control the
    # modules and scripts added to the image, and what happens at boot time.
    # Order is important, and it is recommended that you do not change the
    # order in which HOOKS are added.  Run 'mkinitcpio -H ' for
    # help on a given hook.
    # 'base' is _required_ unless you know precisely what you are doing.
    # 'udev' is _required_ in order to automatically load modules
    # 'filesystems' is _required_ unless you specify your fs modules in MODULES
    # Examples:
    ##   This setup specifies all modules in the MODULES setting above.
    ##   No raid, lvm2, or encrypted root is needed.
    #    HOOKS=(base)
    #
    ##   This setup will autodetect all modules for your system and should
    ##   work as a sane default
    #    HOOKS=(base udev autodetect block filesystems)
    #
    ##   This setup will generate a 'full' image which supports most systems.
    ##   No autodetection is done.
    #    HOOKS=(base udev block filesystems)
    #
    ##   This setup assembles a pata mdadm array with an encrypted root FS.
    ##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
    #    HOOKS=(base udev block mdadm encrypt filesystems)
    #
    ##   This setup loads an lvm2 volume group on a usb device.
    #    HOOKS=(base udev block lvm2 filesystems)
    #
    ##   NOTE: If you have /usr on a separate partition, you MUST include the
    #    usr, fsck and shutdown hooks.
    HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)
    
    # COMPRESSION
    # Use this to compress the initramfs image. By default, gzip compression
    # is used. Use 'cat' to create an uncompressed image.
    #COMPRESSION="gzip"
    #COMPRESSION="bzip2"
    #COMPRESSION="lzma"
    #COMPRESSION="xz"
    #COMPRESSION="lzop"
    #COMPRESSION="lz4"
    
    # COMPRESSION_OPTIONS
    # Additional options for the compressor
    #COMPRESSION_OPTIONS=()
    ==> Building image from preset: /etc/mkinitcpio.d/linux-aarch64.preset: 'default'
      -> -k 5.8.9-2-ARCH -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
    ==> Starting build: 5.8.9-2-ARCH
      -> Running build hook: [base]
      -> Running build hook: [udev]
      -> Running build hook: [autodetect]
      -> Running build hook: [modconf]
      -> Running build hook: [block]
      -> Running build hook: [sleep]
      -> Running build hook: [netconf]
      -> Running build hook: [dropbear]
    Generating dss host key for dropbear ...
    Unknown key type 'dss'
    Usage: /usr/sbin/dropbearkey -t  -f  [-s bits]
    -t type Type of key to generate. One of:
            rsa
            ecdsa
            ed25519
    -f filename    Use filename for the secret key.
                   ~/.ssh/id_dropbear is recommended for client keys.
    -s bits Key size in bits, should be a multiple of 8 (optional)
               ECDSA has sizes 256 384 521 
               Ed25519 has a fixed size of 256 bits
    -y      Just print the publickey and fingerprint for the
            private key in .
    dropbear_rsa_host_key : sha1!! a1:7b:17:e0:43:2e:2c:d2:8e:d3:17:21:15:fb:45:4a:7f:7e:96:57
    dropbear_ecdsa_host_key : sha1!! 14:7e:96:5c:1d:8e:60:bd:fb:70:21:93:d5:c7:1e:71:85:49:02:ef
      -> Running build hook: [encryptssh]
      -> Running build hook: [filesystems]
      -> Running build hook: [keyboard]
      -> Running build hook: [fsck]
    ==> Generating module dependencies
    ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
    bsdtar: Failed to set default locale
    bsdtar: Failed to set default locale
    ==> Image generation successful
    ==> Building image from preset: /etc/mkinitcpio.d/linux-aarch64.preset: 'fallback'
      -> -k 5.8.9-2-ARCH -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
    ==> Starting build: 5.8.9-2-ARCH
      -> Running build hook: [base]
      -> Running build hook: [udev]
      -> Running build hook: [modconf]
      -> Running build hook: [block]
    ==> WARNING: Possibly missing firmware for module: wd719x
      -> Running build hook: [sleep]
      -> Running build hook: [netconf]
    ==> WARNING: Possibly missing firmware for module: rsi_sdio
    ==> WARNING: Possibly missing firmware for module: rsi_usb
    ==> WARNING: Possibly missing firmware for module: atmel
    ==> WARNING: Possibly missing firmware for module: at76c50x_usb
    ==> WARNING: Possibly missing firmware for module: rtl8723ae
    ==> WARNING: Possibly missing firmware for module: zd1201
    ==> WARNING: Possibly missing firmware for module: zd1211rw
    ==> WARNING: Possibly missing firmware for module: prism54
    ==> WARNING: Possibly missing firmware for module: p54pci
    ==> WARNING: Possibly missing firmware for module: p54usb
    ==> WARNING: Possibly missing firmware for module: orinoco_usb
    ==> WARNING: Possibly missing firmware for module: wcn36xx
    ==> WARNING: Possibly missing firmware for module: b43legacy
    ==> WARNING: Possibly missing firmware for module: b43
    ==> WARNING: Possibly missing firmware for module: ipw2100
    ==> WARNING: Possibly missing firmware for module: ipw2200
    ==> WARNING: Possibly missing firmware for module: mt7603e
      -> Running build hook: [dropbear]
    Generating dss host key for dropbear ...
    Unknown key type 'dss'
    Usage: /usr/sbin/dropbearkey -t  -f  [-s bits]
    -t type Type of key to generate. One of:
            rsa
            ecdsa
            ed25519
    -f filename    Use filename for the secret key.
                   ~/.ssh/id_dropbear is recommended for client keys.
    -s bits Key size in bits, should be a multiple of 8 (optional)
               ECDSA has sizes 256 384 521 
               Ed25519 has a fixed size of 256 bits
    -y      Just print the publickey and fingerprint for the
            private key in .
    dropbear_rsa_host_key : sha1!! a1:7b:17:e0:43:2e:2c:d2:8e:d3:17:21:15:fb:45:4a:7f:7e:96:57
    dropbear_ecdsa_host_key : sha1!! 14:7e:96:5c:1d:8e:60:bd:fb:70:21:93:d5:c7:1e:71:85:49:02:ef
      -> Running build hook: [encryptssh]
      -> Running build hook: [filesystems]
      -> Running build hook: [keyboard]
      -> Running build hook: [fsck]
    ==> Generating module dependencies
    ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
    bsdtar: Failed to set default locale
    bsdtar: Failed to set default locale
    ==> Image generation successful
    Unknown host QEMU_IFLA type: 54
    Unknown host QEMU_IFLA type: 54
    WARNING: Device /dev/mmcblk1p3 already contains a 'crypto_LUKS' superblock signature.
    Existing 'crypto_LUKS' superblock signature (offset: 0 bytes) on device /dev/mmcblk1p3 will be wiped.
    Existing 'crypto_LUKS' superblock signature (offset: 16384 bytes) on device /dev/mmcblk1p3 will be wiped.
    Key slot 0 created.
    Command successful.
    Unknown host QEMU_IFLA type: 54
    Unknown host QEMU_IFLA type: 54
    Key slot 0 unlocked.
    Command successful.
    mke2fs 1.45.6 (20-Mar-2020)
    Creating filesystem with 14724352 4k blocks and 3686400 inodes
    Filesystem UUID: da0071a7-ef0d-4051-9461-145add2be871
    Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208, 
        4096000, 7962624, 11239424
    
    Allocating group tables: done                            
    Writing inode tables: done                            
    Creating journal (65536 blocks): done
    Writing superblocks and filesystem accounting information: done   
    
      1,924,493,579  99%    5.42MB/s    0:05:38 (xfr#32483, to-chk=0/43361)    
    '/mnt/etc/fstab' -> '/mnt/etc/fstab.1601472644.rescue'
    Content of /mnt/etc/fstab:# Static information about the filesystems.
    # See fstab(5) for details.
    
    #      
    /dev/mmcblk0p1  /boot   vfat    defaults        0       0
    /dev/mapper/root /               ext4    defaults,noatime  0       1
    '/mnt/etc/crypttab' -> '/mnt/etc/crypttab.1601472644.rescue'
    Content of /mnt/etc/crypttab:# Configuration for encrypted block devices.
    # See crypttab(5) for details.
    
    # NOTE: Do not list your root (/) partition here, it must be set up
    #       beforehand by the initramfs (/etc/mkinitcpio.conf).
    
    #                                                           
    # home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
    # data1        /dev/sda3                                    /etc/mypassword2
    # data2        /dev/sda5                                    /etc/cryptfs.key
    # swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
    # vol          /dev/sdb7                                    none
    root /dev/mmcblk1p3 none luks
    '/boot/boot.txt' -> '/boot/boot.txt.1601472644.rescue'
    Content of /boot/boot.txt:# After modifying, run ./mkscr
    
    # Set root partition to the second partition of boot device
    
    
    setenv bootargs console=ttyS1,115200 console=tty0 ip=::::home-server:eth0:dhcp cryptdevice=/dev/mmcblk1p3:root root=/dev/mapper/root rw rootwait smsc95xx.macaddr="${usbethaddr}"
    
    if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} /Image; then
      if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} /dtbs/${fdtfile}; then
        if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} /initramfs-linux.img; then
          booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
        else
          booti ${kernel_addr_r} - ${fdt_addr_r};
        fi;
      fi;
    fi
    Image Name:   U-Boot boot script
    Created:      Wed Sep 30 13:43:18 2020
    Image Type:   ARM Linux Script (uncompressed)
    Data Size:    668 Bytes = 0.65 KiB = 0.00 MiB
    Load Address: 00000000
    Entry Point:  00000000
    Contents:
       Image 0: 660 Bytes = 0.64 KiB = 0.00 MiB
    Unknown host QEMU_IFLA type: 54
    Unknown host QEMU_IFLA type: 54
    Command successful.

When I start the raspberry pi and try to connect to it I get the following output on the terminal:


    ssh [email protected]
    cat: can't open '/.cryptdev': No such file or directory
    Command requires device and mapped name as arguments.
    Connection to 192.168.178.61 closed.

I would be glad if somebody could tell me where the bug is and how I can solve this problem! :)

1 answer

kevinfrantz:

The question is solved. The mistake was using a different device name on the compiling and the productive system. See https://bbs.archlinux.de/viewtopic.php?pid=377823
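
The mismatch the answer describes can be caught before the image is booted. The following is an added example, not code from the original post or the linked thread: it checks the generated `bootargs` for a kernel-enumerated device name in `cryptdevice=` and rewrites it to the LUKS UUID. The function names and the sample UUID are constructed, and it assumes the `encryptssh` hook resolves `UUID=` the same way Arch's `encrypt` hook does.

```shell
#!/bin/sh
# Added example. Function names and the sample UUID are constructed.
# On the build host the real UUID is available after luksFormat via:
#   cryptsetup luksUUID "$encrypted_partition_path"

# bootargs as generated in the question's boot.txt
SAMPLE_BOOTARGS='console=ttyS1,115200 console=tty0 ip=::::home-server:eth0:dhcp cryptdevice=/dev/mmcblk1p3:root root=/dev/mapper/root rw rootwait smsc95xx.macaddr="${usbethaddr}"'
SAMPLE_UUID='00000000-0000-4000-8000-000000000001'  # constructed placeholder

# Print the <device> part of cryptdevice=<device>:<name>; fail if absent.
cryptdevice_of() {
    cd_rest=${1#*cryptdevice=}
    [ "$cd_rest" != "$1" ] || return 1
    cd_rest=${cd_rest%% *}            # keep only this argument
    printf '%s\n' "${cd_rest%%:*}"    # drop :<name>[:options]
}

# Succeed only for names that do not depend on which host or card
# reader enumerated the SD card (mmcblk0 vs. mmcblk1, sda vs. sdb).
is_stable_name() {
    case "$1" in
        UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*|/dev/disk/by-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite cryptdevice=<device>: to cryptdevice=UUID=<uuid>: and print
# the new command line. $1 = bootargs, $2 = LUKS UUID.
pin_cryptdevice() {
    cryptdevice_of "$1" >/dev/null || return 1
    pc_before=${1%%cryptdevice=*}
    pc_after=${1#*cryptdevice=}
    printf '%s\n' "${pc_before}cryptdevice=UUID=$2:${pc_after#*:}"
}

# Demo on the constructed sample
dev=$(cryptdevice_of "$SAMPLE_BOOTARGS")
if ! is_stable_name "$dev"; then
    echo "unstable cryptdevice name: $dev"
    pin_cryptdevice "$SAMPLE_BOOTARGS" "$SAMPLE_UUID"
fi
```

In the question's own output the generated `fstab` refers to `/dev/mmcblk0p1` while `bootargs` refers to `/dev/mmcblk1p3`, which is the kind of mismatch this check flags.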