LUKS Disk Encryption on Raspberry Pi 4 and Ubuntu Desktop 20.10

Solution 1:

EDIT: I misread the original question, but everything still applies. Using /dev/mmcblk0p2 below is for installing to the microSD card. To install to an external SSD/HD the device will likely be /dev/sda2. Use the appropriate device when editing cmdline.txt, crypttab, and booting for the first time via (initramfs).


The latest Ubuntu image includes cryptsetup, so you can convert the "writeable" (root) partition to LUKS using your desktop PC. I began with the 20.10 64-bit Server image.

Prepare your SD card but do not install into the RPi. Keep it on your desktop PC.

Unmount the SD card (/dev/sdc2 is my "writeable" (root) partition - yours may be different).

sudo umount /dev/sdc2

Check the partition...   sudo e2fsck -f /dev/sdc2

Shrink the partition...   sudo resize2fs -M /dev/sdc2

Encrypt the partition (RPi does not have hardware AES support, Adiantum seems to perform better)...

sudo cryptsetup-reencrypt --new --reduce-device-size=16M --type=luks2 -c xchacha12,aes-adiantum-plain64 -s 256 -h sha512 --use-urandom /dev/sdc2

Decrypt the LUKS partition...   sudo cryptsetup luksOpen /dev/sdc2 rootfs

Expand the partition...   sudo resize2fs /dev/mapper/rootfs

Mount the partition...   sudo mkdir mnt; sudo mount /dev/mapper/rootfs mnt;

Edit etc/crypttab... sudo vim mnt/etc/crypttab

  • Add rootfs /dev/mmcblk0p2 none luks

Edit etc/fstab... sudo vim mnt/etc/fstab

  • Change the first line to /dev/mapper/rootfs / ext4 defaults,noatime 0 0

On the system-boot partition, edit cmdline.txt...

  • change root=LABEL=writable to root=/dev/mapper/rootfs
  • remove splash (so it prompts for the passphrase on boot)
  • add cryptdevice=/dev/mmcblk0p2:sdcard to the end of the line

It should look like this... dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mapper/rootfs rootfstype=ext4 elevator=deadline rootwait fixrtc quiet cryptdevice=/dev/mmcblk0p2:sdcard

Unmount the microSD card and install into the Raspberry Pi. It will fail to boot and enter (initramfs) because initramfs hasn't been updated yet.

Manually decrypt from initramfs...   (initramfs) cryptsetup luksOpen /dev/mmcblk0p2 rootfs

Continue booting...   (initramfs) exit

Login (ubuntu/ubuntu) and update initramfs...   sudo update-initramfs -u

Reboot...   sudo reboot

It should reboot, prompt for the passphrase, then start the OS.

Solution 2:

Just adding to Cameron's answer, the Ubuntu 20.10 Desktop image for Pi 4 does not include cryptsetup in the initramfs. The easiest solution is to boot into unencrypted Ubuntu after writing it to SD card, connect to network, and then apt install cryptsetup-initramfs

After doing that, Cameron's steps worked perfectly for me. It also works for USB boot (after you have followed Ubuntu's instructions to update the eeprom and change the boot order) by replacing /dev/mmcblk0p2 with /dev/sda2

I thought it wasn't working at first and nearly gave up because the display was showing a single blinking underscore and not failing into the initramfs prompt. All I had to do was wait 7 minutes. I also had USB device read errors when trying to boot from USB, using an unpowered hub resolved that for some reason. I tried doing this on a Debian laptop first but it doesn't have Adiantum in cryptsetup. Then I tried a laptop booting Ubuntu from live USB and it failed to mount the Pi encrypted partition, I don't know why. I only had success after I installed Ubuntu 20.10 onto a laptop.