
Can't unlock the disk (cryptmypi issue, open)

KevinLage commented on July 28, 2024
Can't unlock the disk

from cryptmypi.

Comments (15)

unixabg commented on July 28, 2024

Greetings,

Which example are you using and what hardware? Also please know I only test pristine runs, but I can take a look next time I am updating images.

KevinLage commented on July 28, 2024

I am using the pios-encrypted-basic-dropbear config on a Raspberry Pi 3

unixabg commented on July 28, 2024

I just updated the image links and nothing obvious showed up for me. The only thing I can offer is testing that you can unlock and mount the SD card. If that works, then LUKS is OK and something else broke. I would put the new build on and move forward. Will leave this open for a few days.

unixabg commented on July 28, 2024

So one thing I did notice while testing the ubuntu-encrypted-basic image was that I could not unlock on a Pi 3B, but could unlock the same image on a Pi 4. So if you had a Pi 4 you could try that also.

KevinLage commented on July 28, 2024

I currently can't test the new image but every time after a kernel update on the old image I always got the error from the issue

gemesa commented on July 28, 2024

> I currently can't test the new image but every time after a kernel update on the old image I always got the error from the issue

I have encountered this problem before; you have to rebuild the initramfs after the kernel update and before reboot:

sudo apt update && sudo apt upgrade -y
# check kernel version
ls /lib/modules
sudo update-initramfs -u
# replace "5.10.63-v7l+" with the proper version, refer to the output of the previous ls command
sudo mkinitramfs -o /boot/initramfs.gz 5.10.63-v7l+
sudo reboot

donyshmony commented on July 28, 2024

> > I currently can't test the new image but every time after a kernel update on the old image I always got the error from the issue
>
> I have encountered this problem before; you have to rebuild the initramfs after the kernel update and before reboot:
>
> sudo apt update && sudo apt upgrade -y
> # check kernel version
> ls /lib/modules
> sudo update-initramfs -u
> # replace "5.10.63-v7l+" with the proper version, refer to the output of the previous ls command
> sudo mkinitramfs -o /boot/initramfs.gz 5.10.63-v7l+
> sudo reboot

Hi @gemesa
Can you help me?
I have the same error. I published it here: #49
I tried different methods, but I don't understand when I must use this:

sudo apt update && sudo apt upgrade -y
# check kernel version
ls /lib/modules
sudo update-initramfs -u
# replace "5.10.63-v7l+" with the proper version, refer to the output of the previous ls command
sudo mkinitramfs -o /boot/initramfs.gz 5.10.63-v7l+
sudo reboot

Must I use this code when my custom image is built with chroot?

gemesa commented on July 28, 2024

> Hi @gemesa Can you help me? I have the same error. I published it here: #49 I tried different methods, but I don't understand when I must use this:
>
> sudo apt update && sudo apt upgrade -y
> # check kernel version
> ls /lib/modules
> sudo update-initramfs -u
> # replace "5.10.63-v7l+" with the proper version, refer to the output of the previous ls command
> sudo mkinitramfs -o /boot/initramfs.gz 5.10.63-v7l+
> sudo reboot
>
> Must I use this code when my custom image is built with chroot?

The easy way would be running these commands while you are still logged in. But if you see this error message it means of course you have already rebooted and are locked out currently so yes, you have to use chroot now. Refer to these links for more info:
Raspbian: dm_mod missing after mkinitramfs on luks encrypted partition
initramfs, LUKS and dm_mod can't boot after upgrade

Or you could also just create a clean image and download it to the SD card and keep in mind from now on that you have to rebuild the initramfs after each kernel update.

donyshmony commented on July 28, 2024

@gemesa Thx for the fast answer, I am going to work with this!

donyshmony commented on July 28, 2024

@gemesa Can you help me?
When I begin to modify my .img file I use the next few commands:

# Replace /dev/sdg with your SD card block device.
# Use `lsblk` to help you find where this is.

# Link "mmcblk" block device so chroot later sees the expected device block names.
test -L /dev/mmcblk0p1 || ln -s /dev/sdg1 /dev/mmcblk0p1
test -L /dev/mmcblk0p2 || ln -s /dev/sdg2 /dev/mmcblk0p2

# Mount SD card.
cryptsetup -v luksOpen /dev/mmcblk0p2 sdcard
mount /dev/mapper/sdcard /mnt; mount /dev/mmcblk0p1 /mnt/boot; mount -o bind /dev /mnt/dev; mount -o bind /dev/pts /mnt/dev/pts; mount -t sysfs none /mnt/sys; mount -t proc  none /mnt/proc

# Comment out ld.so.preload.
sed -i 's/^/#/g' /mnt/etc/ld.so.preload

# Copy qemu binary.
cp /usr/bin/qemu-arm-static /mnt/usr/bin/

# chroot to Raspbian to update and rebuild initramfs.
chroot /mnt /bin/bash
    rm -rf /var/tmp/mkinitramfs*
    apt update && apt upgrade && apt dist-upgrade && apt autoremove
    apt install --reinstall raspberrypi-bootloader raspberrypi-kernel
    test -L /sbin/fsck.luks || ln -s /sbin/e2fsck /sbin/fsck.luks
    update-initramfs -u
    # IMPORTANT: Replace "5.10.52-v7l+" with the correct kernel from "/lib/modules".
    # Doing `$(ls -t /lib/modules | tail -1)` here doesn't always give you the right one!!!
    mkinitramfs -o /boot/initramfs.gz 5.10.52-v7l+
    exit

# Undo damage to our local recovery system.
sed -i 's/^#//g' /mnt/etc/ld.so.preload

# Force flushing write buffers and unmount SD card.
sync
umount /mnt/{dev/pts,dev,sys,proc,boot} /mnt
cryptsetup -v luksClose sdcard

# Unlink "mmcblk" block device.
test ! -L /dev/mmcblk0p1 || rm /dev/mmcblk0p1
test ! -L /dev/mmcblk0p2 || rm /dev/mmcblk0p2

# All done. Eject the SD card and attempt boot in your Pi.

Then I plug my SD card into the Raspberry Pi and get an error:

sh: not found /etc/unlock.sh

I found this script here:
https://github.com/unixabg/cryptmypi/blob/07669f8c3b25aa4da8a8f61b7daa1258ca46079b/hooks/2700-stage1-dropbear.hook
How can I complete the upgrade step with an already built image file?
How must I prepare all the scripts for this?

gemesa commented on July 28, 2024

> Then I plug my SD card into the Raspberry Pi and get an error:
>
> sh: not found /etc/unlock.sh
>
> I found this script here: https://github.com/unixabg/cryptmypi/blob/07669f8c3b25aa4da8a8f61b7daa1258ca46079b/hooks/2700-stage1-dropbear.hook How can I complete the upgrade step with an already built image file? How must I prepare all the scripts for this?

It's hard to tell what went wrong or is missing, to be honest, as cryptmypi contains a lot of hooks and I don't know their prerequisites and dependencies.
Edit: I have checked quickly though, and to me it looks like the initramfs has not been rebuilt properly. Has your script raised any errors?

Do you have some important files on your SD card you want to save? In that case you can just plug the card into your workstation, unlock and mount it:

lsblk
# replace /dev/sda2 with the correct device
cryptsetup luksOpen /dev/sda2 sdcard
mount /dev/mapper/sdcard /mnt/sdcard

Then the files on your encrypted partition will be visible to you, you can back them up and do a clean cryptmypi install.

KevinLage commented on July 28, 2024

> @gemesa Can you help me? When I begin to modify my .img file I use the next few commands:
>
> # Replace /dev/sdg with your SD card block device.
> # Use `lsblk` to help you find where this is.
>
> # Link "mmcblk" block device so chroot later sees the expected device block names.
> test -L /dev/mmcblk0p1 || ln -s /dev/sdg1 /dev/mmcblk0p1
> test -L /dev/mmcblk0p2 || ln -s /dev/sdg2 /dev/mmcblk0p2
>
> # Mount SD card.
> cryptsetup -v luksOpen /dev/mmcblk0p2 sdcard
> mount /dev/mapper/sdcard /mnt; mount /dev/mmcblk0p1 /mnt/boot; mount -o bind /dev /mnt/dev; mount -o bind /dev/pts /mnt/dev/pts; mount -t sysfs none /mnt/sys; mount -t proc  none /mnt/proc
>
> # Comment out ld.so.preload.
> sed -i 's/^/#/g' /mnt/etc/ld.so.preload
>
> # Copy qemu binary.
> cp /usr/bin/qemu-arm-static /mnt/usr/bin/
>
> # chroot to Raspbian to update and rebuild initramfs.
> chroot /mnt /bin/bash
>     rm -rf /var/tmp/mkinitramfs*
>     apt update && apt upgrade && apt dist-upgrade && apt autoremove
>     apt install --reinstall raspberrypi-bootloader raspberrypi-kernel
>     test -L /sbin/fsck.luks || ln -s /sbin/e2fsck /sbin/fsck.luks
>     update-initramfs -u
>     # IMPORTANT: Replace "5.10.52-v7l+" with the correct kernel from "/lib/modules".
>     # Doing `$(ls -t /lib/modules | tail -1)` here doesn't always give you the right one!!!
>     mkinitramfs -o /boot/initramfs.gz 5.10.52-v7l+
>     exit
>
> # Undo damage to our local recovery system.
> sed -i 's/^#//g' /mnt/etc/ld.so.preload
>
> # Force flushing write buffers and unmount SD card.
> sync
> umount /mnt/{dev/pts,dev,sys,proc,boot} /mnt
> cryptsetup -v luksClose sdcard
>
> # Unlink "mmcblk" block device.
> test ! -L /dev/mmcblk0p1 || rm /dev/mmcblk0p1
> test ! -L /dev/mmcblk0p2 || rm /dev/mmcblk0p2
>
> # All done. Eject the SD card and attempt boot in your Pi.
>
> Then I plug my SD card into the Raspberry Pi and get an error:
>
> sh: not found /etc/unlock.sh
>
> I found this script here: https://github.com/unixabg/cryptmypi/blob/07669f8c3b25aa4da8a8f61b7daa1258ca46079b/hooks/2700-stage1-dropbear.hook How can I complete the upgrade step with an already built image file? How must I prepare all the scripts for this?

I also got the sh: not found /etc/unlock.sh error

I guess after updating the kernel something broke with the unlocking script

gemesa commented on July 28, 2024

For me, rebuilding the initramfs after an update is working properly. I have not integrated every change from the latest release (4.10-beta) into my sandbox, though. I am using the example pios-encrypted-basic-dropbear with an RPi 4 4GB, and I am also building the cryptmypi image on another RPi to avoid any cross-platform or cross-compilation problems.

Here is my config for reference (all of the changes compared to v4.10-beta, some of them might be unrelated/irrelevant):

cryptmypi.conf:

-export _KERNEL_VERSION_FILTER="v7+"
+export _KERNEL_VERSION_FILTER="v7l+"
-## Stage2 regenerate luks uuid
-# A value of yes generates a new luks uuid for deployment
-export _NEWLUKSUUID="yes"

chroot.fns:

-#chroot_execute update-initramfs -u # -k ${_KERNEL_VERSION} # TODO Test this + test without it completely
+chroot_execute update-initramfs -u # -k ${_KERNEL_VERSION} # TODO Test this + test without it completely
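
Review bot: The re-enabled "chroot_execute update-initramfs -u" line still has "-k ${_KERNEL_VERSION}" commented out, so the rebuild targets whichever version update-initramfs picks by default rather than the kernel selected through _KERNEL_VERSION_FILTER. Pass "-k ${_KERNEL_VERSION}" explicitly once it is tested, and drop the stale TODO.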

0000-experimental-initramfs-iodine.hook:

-    chroot_pkginstall iodine
+    chroot_pkginstall install iodine
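
Review bot: The extra word "install" in "chroot_pkginstall install iodine" does not match the other call sites in this diff, such as "chroot_pkginstall cryptsetup busybox", which pass package names only. Check the definition of chroot_pkginstall: if it forwards its arguments as package names, "install" will be treated as a package to install.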

0000-experimental-sys-iodine.hook:

-    chroot_pkginstall iodine cron
+    chroot_pkginstall install iodine

2600-stage1-ssh.hook:

-# Make sure ssh is enabled
-chroot_execute systemctl enable ssh
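
Review bot: With "chroot_execute systemctl enable ssh" gone, nothing visible in this diff enables ssh on the unlocked system, so a headless Pi could be unlocked through dropbear and then be unreachable. Keep the line unless the base image already enables ssh.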

2700-stage1-dropbear.hook:

-# Backwards compatibility on dropbear-initramfs
-echo_debug "Attempting dropbear compatibility sanity check with newer versions ..."
-chroot_execute  /bin/bash << "EOF"
-if [ -d "/etc/dropbear/initramfs" ]; then
-    # New path location for drobbear initramfs exists.
-    echo "Found /etc/dropbear/initramfs directory."
-    cd /etc
-    echo "Linking /etc/dropbear/initramfs to /etc/dropbear-initramfs directory."
-    ln -s dropbear/initramfs dropbear-initramfs
-    echo "Linking /etc/dropbear/initramfs/config to /etc/dropbear/initramfs/dropbear.conf."
-    cd /etc/dropbear/initramfs
-    if [ -f "dropbear.conf" ]; then
-        mv dropbear.conf config
-    else
-        echo '#DROPBEAR_OPTIONS=' >> config
-    fi
-    ln -s config dropbear.conf
-    echo $$
-fi
-EOF
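
Review bot: Without this compatibility block nothing links /etc/dropbear-initramfs to /etc/dropbear/initramfs, so on a release where dropbear-initramfs uses the new directory, files the hook writes under the old path may not be read. Keep the block, or make the rest of the hook write to whichever directory exists.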

3000-stage1-setup-encryption.hook:

-chroot_pkginstall cryptsetup cryptsetup-initramfs busybox
+chroot_pkginstall cryptsetup busybox
echo 'dm_crypt' >> ${_BUILDDIR}/root/etc/initramfs-tools/modules

+# Disable autoresize
+chroot_execute systemctl disable rpiwiggle
+rm ${_BUILDDIR}/root/root/scripts/rpi-wiggle.sh
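
Review bot: Dropping cryptsetup-initramfs from the chroot_pkginstall line is the riskiest change in this hunk: on current Debian-based images that package carries the initramfs integration for cryptsetup, so without it update-initramfs can produce an image with no unlock support. Keep it in the list wherever the package exists. The added "rm ${_BUILDDIR}/root/root/scripts/rpi-wiggle.sh" should also be "rm -f" with the path quoted, so a base image without that script does not produce an error.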

5200-stage2-setup-luks-create.hook:

-        ## Test to generate new luks uuid
-        if [ "${_NEWLUKSUUID}" = "yes" ]; then
-            echo_debug "Attempting to regenerate and configure a new luks uuid for deployment ..."
-            __NEWLUKSUUID=$(cat /proc/sys/kernel/random/uuid)
-            echo "__NEWLUKSUUID=${__NEWLUKSUUID}" > ${_BUILDDIR}/root/boot/newluksuuid.txt
-            echo "crypt    UUID=${__NEWLUKSUUID}    none    luks" > ${_BUILDDIR}/root/etc/crypttab
-            __LUKSUUID="${__NEWLUKSUUID}"
-        fi
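
Review bot: Without this block ${_BUILDDIR}/root/etc/crypttab is never rewritten with a fresh UUID, so every card written from the same build carries the same LUKS UUID. That is harmless for a single device, but say so next to the matching _NEWLUKSUUID removal in cryptmypi.conf so the two stay in sync.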

cryptmypi.sh:

-export _VER="4.10-beta"
+export _VER="4.8-beta"
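
Review bot: _VER goes backwards here, from "4.10-beta" to "4.8-beta", which suggests the "-" lines throughout this diff are 4.10-beta changes that are absent from the sandbox rather than deliberate removals. State the diff direction at the top so nobody applies it to a 4.10-beta tree as if it were a fix.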

donyshmony commented on July 28, 2024

Hi @gemesa, thanks for the answer. I will take my RPi 4 and work hard tomorrow, and give you some feedback afterwards!
Have a nice day

hwied commented on July 28, 2024

Hi, thanks for this awesome project.

Unfortunately, I have the same issue.
I'm using a freshly flashed kali-encrypted-basic from master (52227df) on an RPi Zero 2 W.

This is my only diff in examples/kali-encrypted-basic/cryptmypi.conf:

 # LINUX IMAGE FILE ------------------------------------------------------------
-export _IMAGEURL=https://kali.download/arm-images/kali-2022.4/kali-linux-2022.4-raspberry-pi-arm64.img.xz
-export _IMAGESHA="60e33582746bb25d87092e842398e1f946ff3cd3678743856f01d8bd3b43946a"
+export _IMAGEURL=https://kali.download/arm-images/current/kali-linux-2023.4-raspberry-pi-zero-2-w-armhf.img.xz
+export _IMAGESHA="41f88cbecd97a3731768b88a396265f5cf51455c81452618f18cc53cbcc0ff9a"
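
Review bot: The new _IMAGEURL points at the moving "current/" directory while _IMAGESHA pins one specific file, unlike the old line, which used the versioned "kali-2022.4/" path. Once "current/" moves to the next release, this URL and the pinned hash go stale together; use the versioned directory for 2023.4 instead. The image also changes from arm64 to armhf, so the kernel flavour setting has to change with it.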

Also, even with the changes from @gemesa above I still run into the issue that I directly get prompted with:

Cannot initialize device-mapper. Is dm_mod kernel module loaded?
Cannot use device crypt, name is invalid or still in use.

(I made attempts with several Kali configs and also tried adding another chroot_mkinitramfs in hooks/7500-stage2-chroot-final.hook. All attempts had the same result. Those where I tried unlocking via Wi-Fi even failed because the firmware of wlan0 seemed not to be available.)

I'm really looking forward to your help. Thanks in advance!

EDIT: [SOLVED] I had the wrong Re4son Kernel Version. For the given Kali RPi02w distribution v7+ is required (instead of v8+)

from cryptmypi.
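
A pre-reboot check for the two failures discussed in this thread (an initramfs not rebuilt after a kernel update, and a kernel flavour that does not match the board), as an added example that is not part of any comment above and is not cryptmypi code. The function names are hypothetical; it assumes dm-mod and dm-crypt are built as modules, that the newest kernel of the chosen flavour is the one that will boot, and that etc/unlock.sh (taken from the error message above) is expected inside the initramfs.

```shell
#!/bin/sh
# Added example (not cryptmypi code): check an initramfs listing before reboot.

# pick_kernel MODULES_DIR FLAVOUR
# Print the highest version in MODULES_DIR whose name ends in -FLAVOUR
# (e.g. v7l+). Sorts by version number instead of mtime (`ls -t`).
pick_kernel() {
    kver=$(for d in "$1"/*-"$2"; do
               [ -d "$d" ] && basename "$d"
           done | sort -V | tail -n 1)
    [ -n "$kver" ] && printf '%s\n' "$kver"
}

# check_initramfs KVER [EXTRA_PATH...] < listing
# listing is what `lsinitramfs /boot/initramfs.gz` prints. Real use:
#   lsinitramfs /boot/initramfs.gz |
#       check_initramfs "$(pick_kernel /lib/modules v7l+)" etc/unlock.sh
# Prints one line per missing item; returns 1 if anything is missing.
check_initramfs() {
    kver=$1; shift
    listing=$(cat); rc=0
    for mod in dm-mod dm-crypt; do
        # grep -F for the version: "." and "+" are regex metacharacters.
        printf '%s\n' "$listing" | grep -F "lib/modules/$kver/" |
            grep -Eq "/$mod\.ko(\.[a-z0-9]+)?\$" ||
            { echo "missing module $mod for $kver"; rc=1; }
    done
    for path in sbin/cryptsetup "$@"; do
        # Accept both plain and usr-merged layouts.
        printf '%s\n' "$listing" | grep -Fxq -e "$path" -e "usr/$path" ||
            { echo "missing file $path"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: an initramfs still built for the previous kernel.
sample_listing() {
    cat <<'EOF'
usr/sbin/cryptsetup
usr/lib/modules/5.10.52-v7l+/kernel/drivers/md/dm-mod.ko
usr/lib/modules/5.10.52-v7l+/kernel/drivers/md/dm-crypt.ko
etc/unlock.sh
EOF
}

# After the update 5.10.63-v7l+ is installed, but the image was not rebuilt.
sample_listing | check_initramfs '5.10.63-v7l+' etc/unlock.sh ||
    echo "initramfs does not match the new kernel: rebuild before reboot"
```

Run the check after every kernel upgrade and before the reboot; inside a chroot recovery session, point pick_kernel at the chroot's /lib/modules.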
