- Raspberry PI
- SDCard w/ Raspberry PI OS Lite installed
- Flash drive connected to the RPI (to copy data from root partition during encrypt)
- Bash scripts: https://github.com/F1LT3R/luks-encrypt-raspberry-pi/tree-save/main/README.md
-
Burn the Raspberry PI OS to the SDCard w/
Balenar Etcher
orRaspberry PI Imager
-
Copy install scripts into
/boot/install/
-
Boot into the Raspberry PI and run
sudo /boot/install/1.update.sh
-
sudo reboot
to load the updated kernel
-
Run script
/boot/install/2.disk_encrypt.sh
-
sudo reboot
to drop into the initramfs shell.
-
Mount master block device to
/tmp/boot/
mkdir /tmp/boot mount /dev/mmcblk0p1 /tmp/boot/
-
Run the encryption script, passing your flash drive descriptor:
/tmp/boot/install/3.disk_encrypt_initramfs.sh [sda|sdb|etc]
-
When LUKS encrypts the root partition it will ask you to type
YES
(in uppercase). -
Create a decryption password (you will be asked twice).
-
LUKS will ask for the decryption password again to copy the data back from the flash drive to the root partition.
-
reboot -f
to drop back into initramfs.
-
Mount master block device at
/tmp/boot/
mkdir /tmp/boot mount /dev/mmcblk0p1 /tmp/boot/
-
Open the LUKS encrypted disk:
/tmp/boot/install/4.luks_open.sh
-
Type in your decryption password again.
-
exit
to quit BusyBox and boot normally.
-
Run script:
/boot/install/5.rebuild_initram.sh
-
sudo reboot
into Raspberry PI OS. -
You should be asked for your decryption password every time you boot.
Please unlock disc sdcard: _
- Source: https://forums.raspberrypi.com/viewtopic.php?t=219867
- https://github.com/johnshearing/MyEtherWalletOffline/blob/master/Air-Gap_Setup.md#setup-luks-full-disk-encryption
- https://robpol86.com/raspberry_pi_luks.html
- https://www.howtoforge.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile