That was really hard to do. I created a note for myself and I will also publish it on my website. You can also decrypt the sd using fido2 hardware key (I have a nitrokey). If you don't need that just skip steps that are for fido2.
The note:
Download the image.
Format SD card to new DOS table:
- Boot: 512M 0c W95 FAT32 (LBA)
- Root: 83 Linux
As root:
xz -d 2023-12-11-raspios-bookworm-arm64-lite.img.xz
losetup -fP 2023-12-11-raspios-bookworm-arm64-lite.img
dd if=/dev/loop0p1 of=/dev/mmcblk0p1 bs=1M
cryptsetup luksFormat --type=luks2 --cipher=xchacha20,aes-adiantum-plain64 /dev/mmcblk0p2
systemd-cryptenroll --fido2-device=auto /dev/mmcblk0p2
cryptsetup open /dev/mmcblk0p2 root
dd if=/dev/loop0p2 of=/dev/mapper/root bs=1M
e2fsck -f /dev/mapper/root
resize2fs -f /dev/mapper/root
mount /dev/mapper/root /mnt
mount /dev/mmcblk0p1 /mnt/boot/firmware
arch-chroot /mnt
In chroot:
apt update && apt full-upgrade -y && apt autoremove -y && apt install cryptsetup-initramfs fido2-tools jq debhelper git vim -y
git clone https://github.com/bertogg/fido2luks && cd fido2luks
fakeroot debian/rules binary && sudo apt install ../fido2luks*.deb
cd .. && rm -rf fido2luks*
Edit /etc/crypttab
:
root /dev/mmcblk0p2 none luks,keyscript=/lib/fido2luks/keyscript.sh
Edit /etc/fstab
:
/dev/mmcblk0p1 /boot/firmware vfat defaults 0 2
/dev/mapper/root / ext4 defaults,noatime 0 1
Change root
to /dev/mapper/root
and add cryptdevice=/dev/mmcblk0p2:root
to /boot/firmware/cmdline.txt
.
PATH="$PATH:/sbin"
update-initramfs -u
Exit chroot and finish!
umount -R /mnt
No problem ;)