(Almost) Full Disk Encryption - How to do it?

Hi. I recently started using DietPi and I love it already! However, there is this one major nagging issue: I haven’t been able to encrypt (most of) my DietPi system installation.

On my previous Raspberry Pi’s I have been using Berryboot as a simple way to encrypt my installations. Unfortunately, development was stopped years ago and the RPI Zero 2 W (which I have now) was never supported

Therefore, I have been looking for other means to encrypt the system. I found this great guide which I successfully tried on a regular Raspberry Pi OS installation, works like a charm.

I thought that I understood every step of the guide, I even made a few modifications by myself, but when I try using it on a DietPi installation it doesn’t work! The system hangs during the boot process, but whyyyyy?

Can someone skilled tell my why the guide isn’t working for DietPi and also suggest some modifications, PLEASE?

Did you complete the initial installation before performing the encryption? DietPi did not include encryption software on a new image. Something that may need to be installed first before encryption can be performed.

Joulinar:

Actually I believe I did install all relevant encryption software. After flashing the DietPi image to the SD card I booted it up, activated wifi, and installed “cryptsetup-initramfs” from terminal. This installs some important dependencies as well, i.e. “cryptsetup” which is needed.

After all operations are done the system actually gets pretty far into the boot process before suddently hanging without any abvious error(s) displayed. It just freezes.

EDIT: The boot process halts before it reaches the “initramfs shell” or whatever it is called.

Ok, I just played around with a very old guide for RPI SBC and it still works, even including decrypting the root partition via SSH (dropbear)

Guide: keks24/raspberry-pi-luks: encrypt the "root" partition of the raspberry pi stock image "raspberry pi os lite" - Codeberg.org
Hint 1: DietPi-Drive_Manager | Add dm-crypt/LUKS support · Issue #3377 · MichaIng/DietPi · GitHub
Hint 2: Update-initramfs fails due to no compression support of kernel - #3 by LeFish

Tested on: RPi4B, Kernel 6.1.21-v8+

root@DietPi4:~# lsblk -o name,fstype,label,size,ro,type,mountpoint
NAME          FSTYPE      LABEL  SIZE RO TYPE  MOUNTPOINT
sda                              3.8G  0 disk
├─sda1        vfat               128M  0 part  /boot
└─sda2        crypto_LUKS        3.6G  0 part
  └─cryptroot ext4               3.6G  0 crypt /
root@DietPi4:~#

Joulinar:

Thank you! I will try that.

However, I REALLY would like to know why the guide I linked to does not work since I thought I understood every step. Really annoying

Ok, I am giving up on this. In my opinion it is too complicated right now to encrypt DietPi compared to regular RPI OS so I will wait until it (hopefully) becomes somewhat easier. I spent almost two whole days on this. I am very patient but this is it for me

If somebody would like to go through all the steps involved and provide me with an image having the following specs I wouldn’t break his or her leg

1. No changes from a basic install except for ETH and WIFI modules turned off (no packages removed). Nothing else changed during setup.
2. Root partition encrypted with the password “unlock”. Even I know how to change that.

Thanks.

@KingBongo

Hello, author of keks24/raspberrypi-luks here!

I have read the instructions, which you provided in your first post and this part seems to be wrong:

cryptdevice=/dev/mmcblk0p2:sdcard

It will be decrypted as /dev/mapper/sdcard and not as /dev/mapper/rootfs.

It should have been:

cryptdevice=/dev/mmcblk0p2:rootfs

I would not recommend using /dev/mmcblk0p2 here, since it can change, if another SD card is connected to the Raspberry Pi. Better use the UUID of the partition.

You may want to check out my updated instructions for Raspberry Pi OS (Debian 12 Bookworm, ARM64).

I am also thinking of automising it via Docker.

-Keks

Thanks for stopping by @keks24