cryptmypi
Can't unlock the disk
After updating my Pi the LUKS unlock broke
Whenever I try to unlock the disk I get this error:
Enter passphrase for /dev/disk/by-uuid/----: Cannot initialize device-mapper. Is dm_mod kernel module loaded?
Cannot use device crypt, name is invalid or still in use.
Enter passphrase for /dev/disk/by-uuid/----:
Greetings,
Which example are you using and what hardware? Also please know I only test pristine runs, but I can take a look next time I am updating images.
I am using the pios-encrypted-basic-dropbear config on a Raspberry Pi 3
I just updated image links and nothing obvious showed up for me. The only thing I can offer is testing that you can unlock and mount the sdcard. If that works then luks is ok and something else broke. I would put new build on and move forward. Will leave open for a few days.
So one thing I did notice while testing the ubuntu-encrypted-basic image was that I could not unlock on pi 3b, but could unlock the same image on pi 4. So if you had a pi 4 you could try that also.
I currently can't test the new image, but every time after a kernel update on the old image I always got the error from the issue
I have encountered this problem before; you have to rebuild the initramfs after the kernel update and before reboot:
sudo apt update && sudo apt upgrade -y
# check kernel version
ls /lib/modules
sudo update-initramfs -u
# replace "5.10.63-v7l+" with the proper version, refer to the output of the previous ls command
sudo mkinitramfs -o /boot/initramfs.gz 5.10.63-v7l+
sudo reboot
Hi @gemesa, can you help me? I have the same error. I published it here: https://github.com/unixabg/cryptmypi/issues/49 I tried different methods, but I don't understand when I must use this:
sudo apt update && sudo apt upgrade -y
# check kernel version
ls /lib/modules
sudo update-initramfs -u
# replace "5.10.63-v7l+" with the proper version, refer to the output of the previous ls command
sudo mkinitramfs -o /boot/initramfs.gz 5.10.63-v7l+
sudo reboot
Must I use this code when my custom image is built with chroot?
The easy way would be running these commands while you are still logged in. But if you see this error message it means of course you have already rebooted and are locked out currently so yes, you have to use chroot now. Refer to these links for more info:
Raspbian: dm_mod missing after mkinitramfs on luks encrypted partition
initramfs, LUKS and dm_mod can't boot after upgrade
Or you could also just create a clean image and download it to the SD card and keep in mind from now on that you have to rebuild the initramfs after each kernel update.
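The rebuild-before-reboot advice above can be checked mechanically. The following is an added example, not code from this thread or from cryptmypi: it picks the kernel version by flavour suffix and reports which LUKS prerequisites are missing from `lsinitramfs` output. The function names, the highest-version rule and the sample listing are assumptions made for illustration.

```bash
#!/bin/bash
# Added example (not from the thread): confirm before rebooting that the rebuilt
# initramfs holds what the LUKS unlock needs, for the kernel the board will boot.

# pick_kernel MODULES_DIR FILTER
# Print the highest version under MODULES_DIR whose name ends in "-FILTER"
# (e.g. v7+, v7l+, v8+). Exact suffix match, so v7+ never selects v7l+.
# Assumption: the highest matching version is the one that will be booted.
pick_kernel() {
    local v best=""
    for v in $(ls "$1" | sort -V); do
        case $v in *-"$2") best=$v ;; esac
    done
    if [ -n "$best" ]; then printf '%s\n' "$best"; else return 1; fi
}

# missing_for_luks KVER   (reads `lsinitramfs` output on stdin)
# Print the names of required pieces that are absent for kernel KVER.
# Assumes dm-mod and dm-crypt are loadable modules, not built into the kernel.
missing_for_luks() {
    local kver=$1 listing missing="" m
    listing=$(cat)
    for m in dm-mod dm-crypt; do
        printf '%s\n' "$listing" | grep -F "lib/modules/$kver/" \
            | grep -Eq "/$m\.ko(\.(gz|xz|zst))?\$" || missing="$missing $m"
    done
    printf '%s\n' "$listing" | grep -Eq '(^|/)sbin/cryptsetup$' \
        || missing="$missing cryptsetup"
    printf '%s\n' "${missing# }"
}

# Constructed sample: an initramfs built for v7+ on a card that boots v7l+.
sample_listing() {
    cat <<'EOF'
usr/sbin/cryptsetup
usr/lib/modules/5.10.63-v7+/kernel/drivers/md/dm-mod.ko
usr/lib/modules/5.10.63-v7+/kernel/drivers/md/dm-crypt.ko
EOF
}

# On a real system (run as root, before `reboot`):
#   kver=$(pick_kernel /lib/modules v7l+)
#   lsinitramfs /boot/initramfs.gz | missing_for_luks "$kver"
echo "missing for 5.10.63-v7l+: $(sample_listing | missing_for_luks '5.10.63-v7l+')"
echo "missing for 5.10.63-v7+:  $(sample_listing | missing_for_luks '5.10.63-v7+')"
```

An empty result means the listing contains both modules for that exact kernel version plus the cryptsetup binary; any name printed is a reason not to reboot yet.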
@gemesa Thx for the fast answer, I am going to work with this!
@gemesa Can you help me? When I begin to modify my .img file I use the next few commands:
# Replace /dev/sdg with your SD card block device.
# Use `lsblk` to help you find where this is.
# Link "mmcblk" block device so chroot later sees the expected device block names.
test -L /dev/mmcblk0p1 || ln -s /dev/sdg1 /dev/mmcblk0p1
test -L /dev/mmcblk0p2 || ln -s /dev/sdg2 /dev/mmcblk0p2
# Mount SD card.
cryptsetup -v luksOpen /dev/mmcblk0p2 sdcard
mount /dev/mapper/sdcard /mnt; mount /dev/mmcblk0p1 /mnt/boot; mount -o bind /dev /mnt/dev; mount -o bind /dev/pts /mnt/dev/pts; mount -t sysfs none /mnt/sys; mount -t proc none /mnt/proc
# Comment out ld.so.preload.
sed -i 's/^/#/g' /mnt/etc/ld.so.preload
# Copy qemu binary.
cp /usr/bin/qemu-arm-static /mnt/usr/bin/
# chroot to Raspbian to update and rebuild initramfs.
chroot /mnt /bin/bash
rm -rf /var/tmp/mkinitramfs*
apt update && apt upgrade && apt dist-upgrade && apt autoremove
apt install --reinstall raspberrypi-bootloader raspberrypi-kernel
test -L /sbin/fsck.luks || ln -s /sbin/e2fsck /sbin/fsck.luks
update-initramfs -u
# IMPORTANT: Replace "5.10.52-v7l+" with the correct kernel from "/lib/modules".
# Doing `$(ls -t /lib/modules | tail -1)` here doesn't always give you the right one!!!
mkinitramfs -o /boot/initramfs.gz 5.10.52-v7l+
exit
# Undo damage to our local recovery system.
sed -i 's/^#//g' /mnt/etc/ld.so.preload
# Force flushing write buffers and unmount SD card.
sync
umount /mnt/{dev/pts,dev,sys,proc,boot} /mnt
cryptsetup -v luksClose sdcard
# Unlink "mmcblk" block device.
test ! -L /dev/mmcblk0p1 || rm /dev/mmcblk0p1
test ! -L /dev/mmcblk0p2 || rm /dev/mmcblk0p2
# All done. Eject the SD card and attempt boot in your Pi.
Then I plug my SD card into the Raspberry Pi and get an error:
sh: not found /etc/unlock.sh
I found this script here: https://github.com/unixabg/cryptmypi/blob/07669f8c3b25aa4da8a8f61b7daa1258ca46079b/hooks/2700-stage1-dropbear.hook How can I complete the step with an upgrade with an already done image file? How must I prepare all the scripts for this?
It's hard to tell what went wrong/is missing to be honest as cryptmypi contains a lot of hooks and I don't know their prerequisites and dependencies. Edit: I have checked quickly though and to me it looks like the initramfs has not been rebuilt properly. Has your script raised any errors?
Do you have some important files on your SD card you want to save? In that case you can just plug the card into your workstation, unlock and mount it:
lsblk
# replace /dev/sda2 with the correct device
cryptsetup luksOpen /dev/sda2 sdcard
# create the mount point if it does not exist yet
mkdir -p /mnt/sdcard
mount /dev/mapper/sdcard /mnt/sdcard
Then the files on your encrypted partition will be visible to you, you can back them up and do a clean cryptmypi install.
I also got the sh: not found /etc/unlock.sh error
I guess after updating the kernel something broke with the unlocking script
For me rebuilding the initramfs after an update is working properly. I have not integrated every change into my sandbox though from the latest release (4.10-beta). I am using example pios-encrypted-basic-dropbear with a RPi 4 4GB and I am building the cryptmypi image with another RPi also to avoid any cross platform, cross compilation problem whatsoever.
Here is my config for reference (all of the changes compared to v4.10-beta, some of them might be unrelated/irrelevant):
cryptmypi.conf:
-export _KERNEL_VERSION_FILTER="v7+"
+export _KERNEL_VERSION_FILTER="v7l+"
-## Stage2 regenerate luks uuid
-# A value of yes generates a new luks uuid for deployment
-export _NEWLUKSUUID="yes"
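Review bot: `_KERNEL_VERSION_FILTER` on the + line is hardcoded to `v7l+`, a value specific to the kernel flavour of the RPi 4 this build targets, with nothing in the file saying so; the last comment in this thread traces the same dm_mod error to a flavour mismatch (v8+ chosen where v7+ was required). Add a comment beside the variable stating which board each value is for, so the setting is not copied unchanged to a different board.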
chroot.fns:
-#chroot_execute update-initramfs -u # -k ${_KERNEL_VERSION} # TODO Test this + test without it completely
+chroot_execute update-initramfs -u # -k ${_KERNEL_VERSION} # TODO Test this + test without it completely
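Review bot: the re-enabled `update-initramfs -u` still has `-k ${_KERNEL_VERSION}` commented out, so the kernel the initramfs is generated for is left to the tool's default instead of the version the build selected, and the TODO on the same line says neither variant has been tested. Pass `-k ${_KERNEL_VERSION}` explicitly, or remove the dead option and the TODO once the default has been tested, so the image cannot ship an initramfs for a kernel other than the one it boots.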
0000-experimental-initramfs-iodine.hook:
- chroot_pkginstall iodine
+ chroot_pkginstall install iodine
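Review bot: the + line calls `chroot_pkginstall install iodine`, while the + line in 3000-stage1-setup-encryption.hook calls `chroot_pkginstall cryptsetup busybox` with package names only, so one of the two does not match the function's argument convention. Either `install` is being passed as a package name here or the 3000 call is missing its verb; make both call sites use the same form.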
0000-experimental-sys-iodine.hook:
- chroot_pkginstall iodine cron
+ chroot_pkginstall install iodine
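Review bot: `cron` is dropped from the package list on the + line with no visible replacement; if this hook relies on a cron job, that job would land on an image without a cron daemon. Keep `cron` in the list or state in the hook why it is no longer needed.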
2600-stage1-ssh.hook:
-# Make sure ssh is enabled
-chroot_execute systemctl enable ssh
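Review bot: with `chroot_execute systemctl enable ssh` removed, nothing in this hook ensures that sshd starts after the disk is unlocked, and dropbear only covers the initramfs stage, so a headless unit whose base image ships ssh disabled becomes unreachable once boot continues. Keep the enable call, or add a comment that the base image is expected to enable ssh itself.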
2700-stage1-dropbear.hook:
-# Backwards compatibility on dropbear-initramfs
-echo_debug "Attempting dropbear compatibility sanity check with newer versions ..."
-chroot_execute /bin/bash << "EOF"
-if [ -d "/etc/dropbear/initramfs" ]; then
- # New path location for drobbear initramfs exists.
- echo "Found /etc/dropbear/initramfs directory."
- cd /etc
- echo "Linking /etc/dropbear/initramfs to /etc/dropbear-initramfs directory."
- ln -s dropbear/initramfs dropbear-initramfs
- echo "Linking /etc/dropbear/initramfs/config to /etc/dropbear/initramfs/dropbear.conf."
- cd /etc/dropbear/initramfs
- if [ -f "dropbear.conf" ]; then
- mv dropbear.conf config
- else
- echo '#DROPBEAR_OPTIONS=' >> config
- fi
- ln -s config dropbear.conf
- echo $$
-fi
-EOF
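Review bot: the removed block is guarded by `if [ -d "/etc/dropbear/initramfs" ]`, so it does nothing on images that still use /etc/dropbear-initramfs, and dropping it only removes support for images that ship the newer path. This is also the hook that an earlier comment links to for the missing /etc/unlock.sh, so a regression here shows up as a failed remote unlock. Keep the block; if it is edited, `ln -sfn` instead of `ln -s` lets a rerun succeed when the link already exists.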
3000-stage1-setup-encryption.hook:
-chroot_pkginstall cryptsetup cryptsetup-initramfs busybox
+chroot_pkginstall cryptsetup busybox
echo 'dm_crypt' >> ${_BUILDDIR}/root/etc/initramfs-tools/modules
+# Disable autoresize
+chroot_execute systemctl disable rpiwiggle
+rm ${_BUILDDIR}/root/root/scripts/rpi-wiggle.sh
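Review bot: the first + line drops `cryptsetup-initramfs` from `chroot_pkginstall`; on releases where the initramfs integration is shipped in that separate package, the generated initramfs would then be built without the cryptsetup hooks, which is the kind of breakage this issue is about. Keep `cryptsetup-initramfs` in the list wherever the package exists. The added `rm` would also be safer as `rm -f` with the path quoted, since it reports an error when rpi-wiggle.sh is absent.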
5200-stage2-setup-luks-create.hook:
- ## Test to generate new luks uuid
- if [ "${_NEWLUKSUUID}" = "yes" ]; then
- echo_debug "Attempting to regenerate and configure a new luks uuid for deployment ..."
- __NEWLUKSUUID=$(cat /proc/sys/kernel/random/uuid)
- echo "__NEWLUKSUUID=${__NEWLUKSUUID}" > ${_BUILDDIR}/root/boot/newluksuuid.txt
- echo "crypt UUID=${__NEWLUKSUUID} none luks" > ${_BUILDDIR}/root/etc/crypttab
- __LUKSUUID="${__NEWLUKSUUID}"
- fi
cryptmypi.sh:
-export _VER="4.10-beta"
+export _VER="4.8-beta"
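Review bot: `_VER` goes from `4.10-beta` to `4.8-beta` on the + line, so the + side of this whole diff is the older tree, and most of the removals above are code that 4.10-beta added, not deliberate fixes. Anyone reusing these hunks should apply only the ones they need and leave `_VER` at the release they actually start from.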
Hi @gemesa thx for the answer, I will take my RPi 4 and hard work tomorrow, after giving you some feedback! Have a nice day
Hi thanks for this awesome project.
Unfortunately, I have the same issue, I'm using a freshly flashed kali-encrypted-basic from master(52227df) on a RPi Zero 2 W.
This is my only diff in examples/kali-encrypted-basic/cryptmypi.conf:
# LINUX IMAGE FILE ------------------------------------------------------------
-export _IMAGEURL=https://kali.download/arm-images/kali-2022.4/kali-linux-2022.4-raspberry-pi-arm64.img.xz
-export _IMAGESHA="60e33582746bb25d87092e842398e1f946ff3cd3678743856f01d8bd3b43946a"
+export _IMAGEURL=https://kali.download/arm-images/current/kali-linux-2023.4-raspberry-pi-zero-2-w-armhf.img.xz
+export _IMAGESHA="41f88cbecd97a3731768b88a396265f5cf51455c81452618f18cc53cbcc0ff9a"
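Review bot: the + lines switch the image from `raspberry-pi-arm64` to `raspberry-pi-zero-2-w-armhf` without touching the kernel version setting in the same file, so the kernel the build selects can disagree with the image; the EDIT at the end of this comment confirms that was the cause (v7+ required instead of v8+). Change the kernel version setting in the same edit as `_IMAGEURL`. The new URL also goes through `current/` while the file name and `_IMAGESHA` pin 2023.4; the versioned directory form used on the - line does not depend on where `current` points.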
Also, even with the changes from @gemesa above I still run into the issue that I directly get prompted with:
Cannot initialize device-mapper. Is dm_mod kernel module loaded?
Cannot use device crypt, name is invalid or still in use.
(I tried several Kali configs and also tried to add another chroot_mkinitramfs in hooks/7500-stage2-chroot-final.hook. All tries had the same result. Those where I tried unlocking via wifi even failed because the firmware of wlan0 seemed not to be available.)
I'm really looking forward to your help. Thanks in advance!
EDIT: [SOLVED] I had the wrong Re4son Kernel Version. For the given Kali RPi02w distribution v7+ is required (instead of v8+)