chevy9294 ,

That was really hard to do. I created a note for myself and I will also publish it on my website. You can also decrypt the SD using a FIDO2 hardware key (I have a Nitrokey). If you don’t need that, just skip the steps that are for FIDO2.

The note:

Download the image.

Format SD card to new DOS table:

  • Boot: 512M 0c W95 FAT32 (LBA)
  • Root: 83 Linux

As root:


```sh
# Unpack the image and attach it to a loop device
# (-f picks the first free device, -P scans its partitions; /dev/loop0 is assumed below)
xz -d 2023-12-11-raspios-bookworm-arm64-lite.img.xz
losetup -fP 2023-12-11-raspios-bookworm-arm64-lite.img
# Copy the boot partition to the SD card
dd if=/dev/loop0p1 of=/dev/mmcblk0p1 bs=1M
# Create the LUKS2 container with the Adiantum cipher
cryptsetup luksFormat --type=luks2 --cipher=xchacha20,aes-adiantum-plain64 /dev/mmcblk0p2
# FIDO2 only: enroll the hardware key
systemd-cryptenroll --fido2-device=auto /dev/mmcblk0p2
# Open the container and copy the root filesystem into it
cryptsetup open /dev/mmcblk0p2 root
dd if=/dev/loop0p2 of=/dev/mapper/root bs=1M
# Check the filesystem and grow it to fill the container
e2fsck -f /dev/mapper/root
resize2fs -f /dev/mapper/root
# Mount everything and enter the new system
mount /dev/mapper/root /mnt
mount /dev/mmcblk0p1 /mnt/boot/firmware
arch-chroot /mnt
```

In chroot:


```sh
# Update the system and install the initramfs cryptsetup hooks and build tools
apt update && apt full-upgrade -y && apt autoremove -y && apt install cryptsetup-initramfs fido2-tools jq debhelper git vim -y
# FIDO2 only: build and install the fido2luks package, then clean up
git clone https://github.com/bertogg/fido2luks && cd fido2luks
fakeroot debian/rules binary && sudo apt install ../fido2luks*.deb
cd .. && rm -rf fido2luks*
```

Edit /etc/crypttab:


```
root            /dev/mmcblk0p2          none            luks,keyscript=/lib/fido2luks/keyscript.sh
```

Edit /etc/fstab:


```
/dev/mmcblk0p1    /boot/firmware  vfat    defaults          0       2
/dev/mapper/root  /               ext4    defaults,noatime  0       1
```

Change root to /dev/mapper/root and add cryptdevice=/dev/mmcblk0p2:root to /boot/firmware/cmdline.txt.


```sh
PATH="$PATH:/sbin"
update-initramfs -u
```

Exit chroot and finish!


```sh
umount -R /mnt
```
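
An added example, not part of chevy9294's note: a check that the three files edited above (`cmdline.txt`, `/etc/crypttab`, `/etc/fstab`) agree on the encrypted partition and the mapper name, meant to be run against the mounted root (for example `/mnt`) before unmounting. The function name `check_luks_boot_config` is hypothetical, the other arguments on the sample `cmdline.txt` line are made up, and the sample tree at the end is constructed from the values in the note.

```shell
#!/bin/sh
# Added example. check_luks_boot_config is a hypothetical helper name.
# Usage: check_luks_boot_config /mnt   (returns the number of mismatches found)
check_luks_boot_config() {
    root=$1; problems=0
    cmdline="$root/boot/firmware/cmdline.txt"
    # cmdline.txt is one line of space-separated arguments; take cryptdevice=<device>:<name>
    cd_arg=$(tr ' ' '\n' < "$cmdline" | sed -n 's/^cryptdevice=//p' | head -n 1)
    dev=${cd_arg%%:*}; name=${cd_arg#*:}
    if [ -z "$cd_arg" ] || [ "$dev" = "$cd_arg" ] || [ -z "$name" ]; then
        echo "cmdline.txt: no cryptdevice=<device>:<name> argument"
        return 1
    fi
    # root= has to name the opened mapping, not the raw partition or a PARTUUID
    if ! tr ' ' '\n' < "$cmdline" | grep -qxF "root=/dev/mapper/$name"; then
        echo "cmdline.txt: root= is not /dev/mapper/$name"
        problems=$((problems + 1))
    fi
    # crypttab: field 1 is the mapping name, field 2 the encrypted partition
    if ! awk -v n="$name" -v d="$dev" '$1 == n && $2 == d { ok = 1 } END { exit !ok }' "$root/etc/crypttab"; then
        echo "crypttab: no entry mapping $dev to $name"
        problems=$((problems + 1))
    fi
    # fstab: / has to be mounted from the mapping
    if ! awk -v m="/dev/mapper/$name" '$1 == m && $2 == "/" { ok = 1 } END { exit !ok }' "$root/etc/fstab"; then
        echo "fstab: / is not mounted from /dev/mapper/$name"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "ok: $dev opens as /dev/mapper/$name"
    return "$problems"
}

# Constructed sample tree using the values from the note (not a real system).
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/boot/firmware"
echo 'console=tty1 root=/dev/mapper/root cryptdevice=/dev/mmcblk0p2:root rootfstype=ext4 rootwait' \
    > "$demo/boot/firmware/cmdline.txt"
echo 'root /dev/mmcblk0p2 none luks,keyscript=/lib/fido2luks/keyscript.sh' > "$demo/etc/crypttab"
printf '%s\n' '/dev/mmcblk0p1 /boot/firmware vfat defaults 0 2' \
    '/dev/mapper/root / ext4 defaults,noatime 0 1' > "$demo/etc/fstab"
check_luks_boot_config "$demo"
```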