Encrypting rootfs for hikey960


#1

I’m trying to encrypt the filesystem used by hikey960. Could anyone help with how to approach this?


#2

System settings --> security --> advanced --> encryption.

If the option isn’t there, you might need to add “encryptable” to the userdata partition mount parameters in the fstab and rebuild the rootfs (bootimage).


#3

I want to do this for Debian. Will I have to add initramfs too ?


#4

@judepaul One way to do this is to use dm-crypt that provides a transparent disk encryption subsystem. You can read about this from [1]. Also [1] has links to tutorials which you could use to create encrypted Linux file system. I haven’t tried it with rootfs but I think it should work.

Regarding initramfs, I think yes, you need it to mount an encrypted rootfs.

[1] https://www.linux.com/learn/how-encrypt-linux-file-system-dm-crypt


#5

Thanks @sumit.garg. Will take a look at it.


#6

I’ve added an initramfs (rpb-initramfs-rootfs.cpio.gz) to my Debian image and made changes to my grub by adding initramfs /boot/rpb-initramfs-rootfs.cpio.gz. It’s stuck in the initramfs now. I don’t know what to write in the init script in the initramfs image. Is there any link which tells how to mount the rfs from initramfs?


#7

I’ve added an initramfs (rpb-initramfs-rootfs.cpio.gz) to my Debian image and made changes to my grub by adding initramfs /boot/rpb-initramfs-rootfs.cpio.gz. It’s stuck in the initramfs now. I don’t know what to write in the init script in the initramfs image. Is there any link which tells how to mount the rfs from initramfs?

You probably won’t be able to use an off-the-shelf initramfs… you
need to generate one matched to your machine. The distro provides these
tools for you and they work by copying config files from /etc (such as
crypttab and fstab) into the initramfs together with other necessary
binaries (busybox, init, kernel modules, etc).

There is an obvious chicken and egg problem. You can’t boot from your
encrypted partition until you have an initramfs and you can’t generate
your initramfs until you can boot.

Normally the Debian installer sorts all this out for you but if you are
trying to modify an existing install you need a place to stand which
means finding some other way to boot.

If you can boot an installer then its “rescue” features can be good for
this. Alternatively a useful trick for embedded systems is to use
buildroot to construct a simple rootfs packed as an initramfs. From
there you can run things like cryptsetup, mount, chroot, etc to get
enough of the distro loaded to be able to generate the initramfs.

I hope it’s obvious from the description above, but you need to make sure
that in addition to encrypting your rootfs you have also gone inside it
and updated crypttab and (maybe) fstab accordingly before generating a
new initramfs.

It is fiddly work to repair a system after a change like this. I do work
like this from time to time (usually on a workstation after an upgrade)
and I’m afraid you must expect to get it wrong several times before you
get it right! Good luck.


#8

Thanks @danielt. This is really helpful. I’ll give it a go. I cannot get a buildroot image to work for me on hikey960. My image always results in a kernel panic. I think I’ll try making the initramfs on Debian-hikey960 first. Do commands like mkinitramfs and update-initramfs make an initramfs which can be used directly?
Also if I’m stuck in initramfs how do I get into the actual rfs?


#9

I’m not 100% familiar with these tools (I mostly use dracut these days) but they should still inherit configuration from the rootfs (crypttab, fstab, etc) to decide which block devices to decrypt and mount.

You have to fill in whatever steps are missing in the initramfs configuration. For example, assuming LVM is not involved, this is probably just using cryptsetup to decrypt the block device and then using mount to mount the resulting mapped block device (probably in /dev/mapper).

It is helpful to turn on all the rescue and debug options you can find since this will make working in the initramfs more comfortable. For initramfs-tools it looks like making sure it includes busybox is the most important step to ensuring recovery tools are included in the initramfs by default.
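What the init script asked about in #6 has to do, following the steps described in #9, as a worked shell example added here (not from the thread, not from initramfs-tools or dracut): it reads the crypttab and fstab copied from the rootfs, opens the LUKS device with cryptsetup, mounts the mapped device and switches root. A busybox-based initramfs and the device names in the comments are assumptions.

```shell
#!/bin/sh
# Minimal /init for a hand-built busybox initramfs: decrypt the LUKS root with
# cryptsetup, mount the mapped device, then hand over to the real rootfs.
# Added example (not from the thread); device names below are constructed.

# Build the cryptsetup command for one crypttab line: "name device keyfile options".
# A keyfile of "none" (or "-") means cryptsetup prompts for the passphrase.
crypttab_open_cmd() {
    set -- $1
    name=$1 dev=$2 key=$3
    case "$key" in
        none|-|'') echo "cryptsetup open $dev $name" ;;
        *)         echo "cryptsetup open --key-file $key $dev $name" ;;
    esac
}

# Pick the root device from fstab text on stdin: the entry whose mount point is "/".
fstab_root_dev() {
    while read -r dev mnt rest; do
        case "$dev" in ''|\#*) continue ;; esac
        [ "$mnt" = "/" ] && { echo "$dev"; return 0; }
    done
    return 1
}

main() {
    mount -t proc none /proc
    mount -t sysfs none /sys
    mount -t devtmpfs none /dev
    # /etc/crypttab was copied from the rootfs, e.g. "root /dev/sdd10 none luks" (constructed).
    line=$(grep -v '^#' /etc/crypttab | head -n 1)
    eval "$(crypttab_open_cmd "$line")" || exec sh      # decryption failed: drop to a rescue shell
    # /etc/fstab was copied too; it names the mapped device, e.g. /dev/mapper/root.
    rootdev=$(fstab_root_dev < /etc/fstab) || rootdev=/dev/mapper/root
    mkdir -p /newroot
    mount -o ro "$rootdev" /newroot || exec sh           # mount failed: rescue shell again
    umount /proc /sys /dev
    exec switch_root /newroot /sbin/init
}

# Only act as PID 1's init when actually installed as /init.
[ "$0" = /init ] && main
```

Once the system boots this way, regenerate the distro's own initramfs from inside the mounted rootfs (as #7 describes) and replace this hand-written one.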


#10

Thank you so much. It’s really helpful. This gives a great start to try to achieve. Will let you know how it goes.