My Raspberry Pi (which is 10,000 km away from me right now) works as follows:

  • It is running Raspbian (July 2016's version)
  • The SD card contains /boot
  • An encrypted hard disk drive (using LUKS cryptsetup) contains /
  • When the Pi boots, I can unlock the HDD remotely using dropbear over SSH. It asks for the HDD's password and then the boot sequence continues normally.

For more info about how I did all of this, read http://blog.romainpellerin.eu/raspberry-pi-the-ultimate-guide.html.
TL;DR here is a shortened version:

apt-get install busybox cryptsetup rsync
echo "initramfs initramfs.gz 0x00f00000" >> /boot/config.txt
sed -e "s|root=/dev/mmcblk0p2|root=/dev/mapper/hddcrypt cryptdevice=/dev/sda1:hddcrypt|" -i /boot/cmdline.txt
sed -e "s|/dev/mmcblk0p2|/dev/mapper/hddcrypt|" -i /etc/fstab
echo -e "hddcrypt\t/dev/sda1\tnone\tluks" >> /etc/crypttab
cryptsetup --verify-passphrase -c aes-xts-plain64 -s 512 -h sha256 luksFormat /dev/sda1
mkinitramfs -o /boot/initramfs.gz $(uname -r)
aptitude install dropbear
# Configuring the SSH access here...
mkinitramfs -o /boot/initramfs.gz $(uname -r)
update-initramfs -u

Problem

Up until yesterday, everything was working fine. I could reboot it and unlock the HDD over SSH. However, yesterday I did aptitude update && aptitude upgrade. As far as I know, this does not upgrade the kernel. Anyway, I rebooted it. Now, I'm stuck at the unlocking step. Even though I type the right password, it immediately says Can't change directory to <something/a kernel version> and Cannot initialize device-mapper. Is dm_mod kernel module loaded? and keeps asking again for the password.

I cannot tell you what kernel it is running as I set it up a while ago and do not use it that much.

Sorry for the lack of details. I do not have physical access to my Raspberry and I turned it off yesterday, so I am telling this from what I remember.

Supposition

I am pretty sure I could fix it by tweaking /boot/initramfs.gz but I do not know how. Can you help me please? Thank you very much.

Romain Pellerin

1 Answer

I do not know what gave you the impression that aptitude upgrade would leave your kernel untouched; it simply doesn't. I had the same trouble after a kernel update on my encrypted pi. The problem is that your initramfs needs to be rebuilt. Here is how you do that on an external machine.

First, plug your SD card with the encrypted raspbian on it into your external computer and mount everything like so:

cryptsetup -v luksOpen /dev/mmcblk0p2 thunderdome
mount /dev/mapper/thunderdome /mnt
mount /dev/mmcblk0p1 /mnt/boot
mount -o bind /dev /mnt/dev
mount -t sysfs none /mnt/sys
mount -t proc  none /mnt/proc

Install qemu to emulate raspberry pi binaries:

apt-get install qemu qemu-user-static binfmt-support

According to this gist, it is better to remove all lines from /mnt/etc/ld.so.preload before proceeding; this is what the sed commands do in the following:

# comment out ld.so.preload
sed -i 's/^/#/g' /mnt/etc/ld.so.preload
# copy qemu binary
cp /usr/bin/qemu-arm-static /mnt/usr/bin/

# chroot to raspbian and rebuild initramfs
chroot /mnt /bin/bash
    mkinitramfs -o /boot/initramfs.gz [NEW RASPBIAN KERNEL VERSION]
    exit

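# undo damage
sed -i 's/^#//g' /mnt/etc/ld.so.preload
umount /mnt/{dev,sys,proc,boot}
# unmount the root filesystem and close the LUKS mapping before removing the card
umount /mnt
cryptsetup luksClose thunderdome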

You can find the new raspbian kernel version by checking out /lib/modules, inside the chroot.

After doing that, my raspberry pi booted just fine again.
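
A check that could be run inside the chroot after `mkinitramfs`, added here as an example and not part of the original answer: it confirms that the rebuilt image carries the device-mapper modules for the kernel version that will boot, which is what the "Is dm_mod kernel module loaded?" message points at. The function name, the sample listing and its kernel versions are constructed for illustration, and the module file names and `sbin/cryptsetup` path are assumptions about what the image should contain.

```shell
#!/bin/bash
# Added example (not from the original post): check that an initramfs
# carries what is needed to unlock a LUKS root for one kernel version.

# check_listing KVER LISTING
#   LISTING is a file list, one path per line, as printed by lsinitramfs.
#   Prints what is missing; returns 1 if anything is missing.
check_listing() {
    local kver="$1" listing="$2" missing=0 mod
    for mod in dm-mod dm-crypt; do
        # grep -F: versions such as "4.9.35-v7+" contain regex characters
        if ! printf '%s\n' "$listing" | grep -F "lib/modules/${kver}/" |
             grep -Eq "/${mod}\.ko(\.(gz|xz|zst))?\$"; then
            echo "missing: ${mod}.ko for kernel ${kver}"
            missing=1
        fi
    done
    if ! printf '%s\n' "$listing" | grep -Eq '(^|/)sbin/cryptsetup$'; then
        echo "missing: cryptsetup binary"
        missing=1
    fi
    return "$missing"
}

# Constructed sample: listing of an image built for an older kernel.
SAMPLE_LISTING='bin/busybox
sbin/cryptsetup
sbin/dropbear
lib/modules/4.4.50-v7+/kernel/drivers/md/dm-mod.ko
lib/modules/4.4.50-v7+/kernel/drivers/md/dm-crypt.ko'

# Usage: script INITRAMFS KVER   (KVER is a directory name under /lib/modules)
if [ "$#" -ge 2 ]; then
    listing=$(lsinitramfs "$1") || exit 2
    check_listing "$2" "$listing" && echo "ok: initramfs matches kernel $2"
    exit
fi
```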

  • Wow, thanks a lot for the detailed answer. I will definitely keep that somewhere, just in case it happens again. – Romain Pellerin Apr 23 '17 at 19:20
  • @RomainPellerin: Cool! Glad I could help =) – Jesko Hüttenhain Apr 24 '17 at 10:43
  • Thank you very much for these steps. Unfortunately it doesn't resolve the problem for my Pi 4 running Raspbian Buster. While making the initramfs I get shown `cryptsetup: ERROR: Couldn't resolve device /dev/mmcblk0p2`, but is this because I'm building it from a Debian PC instead of directly on the Pi? (The SD card is at `/dev/sdf*` instead of `/dev/mmcblk0p*`.) – Adambean Jan 29 '20 at 11:51
  • Dear @Adambean, if your SD card device has a different name, then yes, I would guess that replacing `/dev/mmcblk0p2` in the above description by your path to the SD card device should work. Note that all the instructions are indeed supposed to be run on a separate PC and not on the Pi, it is just that on my PC the SD card device was named `/dev/mmcblk0p2`. I hope this helps, of course it is hard for me to debug this remotely. Let me know if you get it to work. – Jesko Hüttenhain Jan 29 '20 at 22:44
  • Thanks for your reply @JeskoHüttenhain. I am indeed doing this on a Debian based PC instead of the Pi directly, which is why I'm surprised your SD card shows up at device path `/dev/mmcblk0p*`. I guess your SD card adapter is just behaving differently to mine. (I use an external USB3 based one.) -- I've popped up my modified steps at https://pastebin.com/1MVQ49X8 if you wouldn't mind taking a look to see if I've got anything wrong. – Adambean Jan 30 '20 at 09:01
  • Dear @Adambean, I went over it and it seems fine. Just to clarify though, I would advise not to run this as a script in one go, but to do it step by step in a shell and see if everything behaves as you'd expect it to. Cheers and good luck! – Jesko Hüttenhain Jan 30 '20 at 19:27
  • Yep, been doing it step by step. The Pi refuses to unlock the encrypted partition due to kernel module "dm_mod" not being loaded. I know the password is 100% correct as I'm able to mount it successfully on a Debian instance. I've put a screenshot of this here: https://imgur.com/a/E02wZZK – Adambean Jan 30 '20 at 22:04
  • Doing `sed -i 's/mmcblk0p/sdf/g' /mnt/etc/crypttab` prior to entering chroot to do `mkinitramfs` (and reversing it later) does remove the "cryptsetup: ERROR: Couldn't resolve device /dev/mmcblk0p2" error, but "Cannot initialize device-mapper. Is dm_mod kernel module loaded?" still shows. – Adambean Feb 14 '20 at 08:33
  • If you cannot make my answer work, I recommend asking a new question with all the context and what you tried. You can link back here to explain that it is not a duplicate, and also note a link to the new question here. – Jesko Hüttenhain Feb 14 '20 at 09:53
  • Fair enough, posted: https://raspberrypi.stackexchange.com/questions/108375/raspbian-dm-mod-missing-after-mkinitramfs-on-luks-encrypted-partition -- Thank you for all your time and efforts to date Jesko. :) – Adambean Feb 14 '20 at 13:38
  • @Adambean No problem, +1'ed it ;-). I would have loved to provide a satisfying solution for you, but I think I might be out of my depth. With a new post you'll get better visibility. I'll follow the post and see if I have something to add, but I am sure there are people out there who have better insights than me... – Jesko Hüttenhain Feb 14 '20 at 17:41