How to get this working on your Raspberry Pi (5)
Hello all. Thanks again, @MMGen, for offering this fantastic tutorial. As mentioned before, it was the foundation for me to encrypt my Raspi 5, although the tutorial wasn't intended for that. I had to make some adjustments to get it working. But first some reasoning.
What's the difference?
The Armbian image for Raspi comes with two partitions:
FAT32 for booting
ext4 as a root
Out of the box it already resembles the result that we try to achieve. I assume that this is due to the different booting process of a Raspi compared to other single-board computers.
Download the desired image from:
https://www.armbian.com/rpi4b/
https://mirrors.dotsrc.org/armbian-dl/rpi4b/archive/ → more images
(I only tested my approach with the minimal Trixie image, kernel version 6.12.41 to .58, and would be delighted to know if somebody also got it working with other derivatives.)
Changes to the original tutorial:
Basically I followed the tutorial (versions Oct 25 to Jan 26) except for the steps below where I had to make some adjustments. If the original tutorial receives major updates (e.g. in its structure) please consider that, as I might not keep this post up to date.
Step 6:
As the type of the boot partition needs to be FAT32 instead of ext4, in fdisk change the partition type (hit t) to FAT32 (0b or just b in the partition list l). I also adjusted the size of this partition to +1G, just in case, but that shouldn't make a difference. Here's the final partition table:
Device Boot Start End Sectors Size Id Type
/dev/<your-drive>p1 8192 2105343 2097152 1G b W95 FAT32
/dev/<your-drive>p2 2105344 3907029167 3904923824 1.8T 83 Linux
I'm using an NVMe drive instead of an SD card. I guess that won't make a difference. I always replaced sda with nvme0n1 when I followed the tutorial. I also increased p1's size to a whole GB, just to be sure.
Step 7:
mkfs -t vfat /dev/<your-drive>p1
# NOT: mkfs.ext4 /dev/<your-drive>p1
# e2label /dev/sda1 CRYPTO_BOOT won't work on FAT32 partitions
Step 8:
Because there is no label on the FAT32 partition, just link it manually:
BOOT_PART=/dev/<your-device>p1
In my image, the resolv.conf was already present and symlinked to /run/systemd/resolve/stub-resolv.conf. I had to rename it to etc/resolv.conf.old and only then did:
cat /etc/resolv.conf > etc/resolv.conf
Step 9:
Now it gets a bit hairy. As already explained, the Armbian Raspi image works a bit differently. It holds the following partitions:
P1: is the boot partition. During (or after?) the boot process it will be mounted to P2:/boot/firmware. P2 contains a cmdline.txt (content covered below) which is the config file to make the adjustments from Step 9.1 for the boot partition.
P2: is our root partition. P1:/boot does contain an armbianEnv.txt but that is not the config file used during the initial boot process for the unlocking system.
Step 9.1:
At this point in the tutorial P2 is mounted to root/boot, so you can nano boot/cmdline.txt and change its content to:
console=serial0,115200 console=tty1 loglevel=1 root=/dev/mapper/<custom-name-or-rootfs> rootdev=/dev/mapper/<custom-name-or-rootfs> rootfstype=ext4 fsck.repair=yes rootwait logo.nologo cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory
I was hesitant to make further changes besides the root and rootdev entries or break the line but probably that's also feasible.
Step 9.2:
Skipped.
Step 9.7:
As the boot partition is FAT32, etc/fstab has to know about it too. Also notice that commit=600 results in a failure to mount it to /boot/firmware after unlocking and rebooting (it took me days before I could plug a display into my Raspi, read the boot log and figure out that line as the source of failure). Therefore I deleted the commit declaration.
/dev/mapper/<custom-name-or-rootfs> / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1
UUID=<BOOT_UUID> /boot/firmware vfat defaults,noatime,nodiratime,errors=remount-ro 0 2
tmpfs /tmp tmpfs defaults,nosuid 0 0
Step 10:
Add systemd-cryptsetup (when using Trixie or higher) to the install list in the chroot (thanks to @The Tall Man for mentioning; automatic install worked for me btw).
apt --yes install systemd-cryptsetup cryptsetup cryptsetup-initramfs dropbear-initramfs
In principle that should be it and I just followed the rest of the tutorial. But after the initrd.img got generated I always had to make adjustments, after which I had to recreate it. update-initramfs is always suspiciously fast so I just used the approach from this tutorial:
KERNEL_VERSION=$(ls /lib/modules/) # assumes exactly one kernel version is installed
echo "CONFIG_RD_ZSTD=y" > /boot/config-$KERNEL_VERSION # to use the right decompression method
mkinitramfs -o /boot/initrd.img $KERNEL_VERSION
rm /boot/config-$KERNEL_VERSION # remove the config
If you want to keep the original initrd.img as a backup you can just copy it before running the above commands, but of course it won't work with our encrypted boot. You can give the .img output file a different name. Don't forget to change the line initramfs initrd.img followkernel in boot/config.txt accordingly.
Don't forget ssh-keygen -A.
That's it
Please let me know if it worked for your Raspi. Good luck.
@MMGen: If you find this sub-tutorial helpful enough, please consider linking it in your original post or feel free to incorporate it. It took me quite some days to figure out all the necessary changes and borrow from other sources. It would be nice to spare others, and this thread is a top rank in search engines.
As you can see I used a name other than rootfs as my device name – the ability to change that could be a nice feature for the next version of your script
Cheers!
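Added example (not from the tutorial or the post above): a pre-reboot consistency check for the fstab and cmdline.txt layout described in Steps 9.1 and 9.7, catching the two things that cost the poster days: a commit= option on the vfat /boot/firmware line and a root=/rootdev= that does not point at the mapper device. The mapper name, UUID and file contents in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: pre-reboot sanity checks for the
# Armbian RPi layout described above: a vfat /boot/firmware partition plus a
# LUKS root opened as /dev/mapper/<name>. Run inside the chroot before
# leaving it, e.g. check_pi_crypt_config /etc/fstab /boot/cmdline.txt rootfs

# check_fstab_firmware FSTAB: the /boot/firmware entry must be vfat and must
# not carry commit= (an ext4-only option that broke the mount in the post).
check_fstab_firmware() {
    entry=$(awk '$1 !~ /^#/ && $2 == "/boot/firmware" { print; exit }' "$1")
    [ -n "$entry" ] || { echo "fstab: no /boot/firmware entry"; return 1; }
    set -- $entry                      # $3 = fstype, $4 = mount options
    [ "$3" = "vfat" ] || { echo "fstab: /boot/firmware is $3, expected vfat"; return 1; }
    case ",$4," in
        *,commit=*) echo "fstab: commit= is not valid for vfat"; return 1 ;;
    esac
}

# check_cmdline_root CMDLINE NAME: the firmware reads only the first line of
# cmdline.txt, and both root= and rootdev= must point at /dev/mapper/NAME.
check_cmdline_root() {
    file=$1; want="/dev/mapper/$2"
    [ "$(wc -l < "$file" | tr -d ' ')" -le 1 ] ||
        { echo "cmdline.txt: must be a single line"; return 1; }
    for key in root rootdev; do
        val=$(tr ' ' '\n' < "$file" | sed -n "s/^$key=//p" | head -n 1)
        [ "$val" = "$want" ] ||
            { echo "cmdline.txt: $key=$val, expected $want"; return 1; }
    done
}

# check_pi_crypt_config FSTAB CMDLINE NAME: run both checks, 0 only if all pass.
check_pi_crypt_config() {
    rc=0
    check_fstab_firmware "$1" || rc=1
    check_cmdline_root "$2" "$3" || rc=1
    return $rc
}

# Constructed sample files reproducing the post's working configuration.
tmp=$(mktemp -d)
printf '%s\n' \
  '/dev/mapper/cryptroot / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1' \
  'UUID=1234-ABCD /boot/firmware vfat defaults,noatime,nodiratime,errors=remount-ro 0 2' \
  'tmpfs /tmp tmpfs defaults,nosuid 0 0' > "$tmp/fstab"
printf '%s\n' 'console=serial0,115200 console=tty1 loglevel=1 root=/dev/mapper/cryptroot rootdev=/dev/mapper/cryptroot rootfstype=ext4 fsck.repair=yes rootwait' > "$tmp/cmdline.txt"
check_pi_crypt_config "$tmp/fstab" "$tmp/cmdline.txt" cryptroot && echo "config OK"
rm -rf "$tmp"
```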