Encrypted root on Raspberry Pi

I’m a paranoid guy. Therefore all my disks, connections and mails are encrypted as much as possible.

While building a file storage and backup machine using one of my Raspberry Pis I was playing around with encrypted USB hard disks. While they are working very well on the Pi, I started thinking about encryption of the root partition.

On all my machines the root partition is encrypted and contains a folder with all the keys required to decrypt all other hard disks. To do so, I install my system into the encryption container and create an initrd which is able to prompt for the password for the root partition and do the encryption before the kernel is loaded.

As the Arch Linux image for the Raspberry Pi comes pre-installed and ready to run, the process to create an encrypted root partition for the Pi is a little more complicated.

The first step is to download the latest Arch Linux image from the interweb and transfer it to the SD card:

pv /path/to/archlinux-hf-*img > /dev/mmcblk0; sync

The SD card can now be put into the Raspberry Pi and the thing can be booted for the first time. As the current image does not use an initrd, the tools to create one are missing and must be installed:

pacman -Syu && pacman -S binutils cryptsetup gzip mkinitcpio

The config file for creating an initrd, /etc/mkinitcpio.conf, must be changed to include support for an encrypted root:

MODULES=""
BINARIES=""
FILES=""
HOOKS="base udev autodetect modconf block filesystems keyboard fsck encrypt"
COMPRESSION="gzip"

Finally, the initrd can be created:

mkinitcpio -g /boot/initrd -v

The next two steps modify the boot configuration so that the created initrd is used while booting and the decryption parameters are specified. First, the following line must be appended to the file /boot/config.txt in order to load the initrd into RAM while booting:

initramfs initrd 0x00f00000

The file /boot/cmdline.txt must be changed to use the loaded initrd and to decrypt the root partition during boot. The whole command line must stay on a single line:

ipv6.disable=1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=Y dwc_otg.lpm_enable=0 console=ttyAMA0,115200 kgdboc=ttyAMA0,115200 console=tty1 cryptdevice=/dev/mmcblk0p2:root:allow-discards root=/dev/mapper/root rootfstype=ext4 elevator=noop initrd=0x00f00000 rw rootwait

As our kernel and boot system are now able to handle an encrypted root partition, it is time to encrypt the root partition. To do so, the SD card must be removed from the Raspberry Pi and placed back in a PC. There we can create a backup of the data, repartition the SD card, encrypt the root partition and restore the backup:

pv /dev/mmcblk0p5 > rpi.root.img

parted /dev/mmcblk0 rm 5
parted /dev/mmcblk0 rm 2
parted /dev/mmcblk0 mkpart primary 95.4M 100%
 
cryptsetup luksFormat /dev/mmcblk0p2
cryptsetup luksOpen /dev/mmcblk0p2 cryptedpi
 
pv rpi.root.img > /dev/mapper/cryptedpi; sync
 
cryptsetup luksClose cryptedpi; sync

Now the SD card can be put back in the Raspberry Pi. While booting it asks for the password to decrypt the root partition.
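A mistake in /boot/config.txt or /boot/cmdline.txt only shows up as a Pi that stops during boot, so the two files can be cross-checked before the card goes back in. The sh function below is an added example, not part of the original post; the name check_boot_cfg and its messages are made up for illustration, it takes the directory where the boot partition is mounted, and it assumes the layout used on this page (root on /dev/mapper/<name>, the same load address in both files).

```sh
#!/bin/sh
# Added example: cross-check the two boot files from this page's setup.
# check_boot_cfg is a made-up helper name; $1 is the mounted boot partition.
check_boot_cfg() {
    boot=$1; rc=0
    cfg="$boot/config.txt"; cmd="$boot/cmdline.txt"
    if [ ! -r "$cfg" ] || [ ! -r "$cmd" ]; then
        echo "config.txt or cmdline.txt not readable in $boot" >&2; return 2
    fi

    # config.txt must carry: initramfs <file> <address>
    set -- $(awk '$1 == "initramfs" { print $2, $3; exit }' "$cfg")
    img=$1; addr=$2
    if [ -z "$img" ] || [ -z "$addr" ]; then
        echo "config.txt: no 'initramfs <file> <address>' line" >&2; rc=1
    elif [ ! -s "$boot/$img" ]; then
        echo "config.txt: initrd image '$img' missing or empty" >&2; rc=1
    fi

    # cmdline.txt must be one single line; a wrapped line splits a parameter
    lines=$(grep -c . "$cmd" || true)
    if [ "$lines" -ne 1 ]; then
        echo "cmdline.txt: expected 1 line, found $lines" >&2; rc=1
    fi

    crypt=; root=; initrd=
    for arg in $(cat "$cmd"); do
        case $arg in
            cryptdevice=*) crypt=${arg#cryptdevice=} ;;
            root=*)        root=${arg#root=} ;;
            initrd=*)      initrd=${arg#initrd=} ;;
        esac
    done

    # cryptdevice=<device>:<name>[:options] and root=/dev/mapper/<name>
    rest=${crypt#*:}; name=${rest%%:*}
    if [ -z "$crypt" ] || [ "$rest" = "$crypt" ] || [ -z "$name" ]; then
        echo "cmdline.txt: cryptdevice=<device>:<name> missing or malformed" >&2; rc=1
    elif [ "$root" != "/dev/mapper/$name" ]; then
        echo "cmdline.txt: root=$root is not /dev/mapper/$name" >&2; rc=1
    fi

    # as on this page, initrd= repeats the load address from config.txt
    if [ -n "$addr" ] && [ "$initrd" != "$addr" ]; then
        echo "cmdline.txt: initrd=$initrd differs from config.txt $addr" >&2; rc=1
    fi
    return $rc
}
[ $# -eq 0 ] || check_boot_cfg "$1"   # e.g. sh check.sh /boot
```

It returns 0 when the files agree, 1 when a check fails and 2 when a file cannot be read.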
