Encrypting LVM on Raspberry Pi 4


For my Raspberry Pi 4 setup I decided to change the LVM configuration to use LUKS for encryption.

$ sudo apt install cryptsetup

Then I set up the LVM volume just as before:

$ sudo pvcreate /dev/sda1
$ sudo vgcreate vg_data /dev/sda1
$ sudo lvcreate -l +100%FREE vg_data -n data

Next, format the logical volume as LUKS2 with cryptsetup, open it, and create the filesystem on the mapped device:

$ sudo cryptsetup luksFormat --type luks2 /dev/mapper/vg_data-data
$ sudo cryptsetup luksOpen /dev/mapper/vg_data-data encrypted
$ sudo mkfs.ext4 /dev/mapper/encrypted

Update /etc/fstab so that it contains:

/dev/mapper/encrypted /mnt/data ext4 defaults 0 0

Create a keyfile so the volume can be unlocked during boot, and add it as a LUKS key:

$ sudo dd bs=512 count=4 if=/dev/random of=/etc/mykeyfile iflag=fullblock
$ sudo chmod 600 /etc/mykeyfile
$ sudo cryptsetup luksAddKey /dev/mapper/vg_data-data /etc/mykeyfile

Finally, add an entry to /etc/crypttab so the block device can be opened during boot:

encrypted /dev/mapper/vg_data-data /etc/mykeyfile

Reboot and verify that you aren’t prompted for a password to unlock the device.
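
The keyfile sits unencrypted on the root filesystem, so its owner and mode are what keep other local accounts from reading the key. The script below is an added example, not part of the original post: it audits every keyfile named in a crypttab file, assumes GNU stat, and uses constructed demo paths plus the hypothetical names vg_data-backup and vg_data-scratch.

```shell
#!/bin/sh
# Added example, not from the original post: audit keyfiles named in a crypttab.
# audit_crypttab [crypttab] [expected_owner_uid]   (defaults: /etc/crypttab, 0)
# Prints "<target> OK|SKIP|FAIL ..." per entry; returns 1 if any entry fails.
audit_crypttab() {
    tab=${1:-/etc/crypttab}
    want_uid=${2:-0}
    rc=0
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        case $key in
            ''|none|-) echo "$name SKIP passphrase-prompt"; continue ;;
            /dev/*)    echo "$name SKIP device-key"; continue ;;
        esac
        if [ ! -f "$key" ]; then
            echo "$name FAIL missing $key"; rc=1; continue
        fi
        # GNU stat (assumed): %a = octal mode, %u = owner uid; -L follows symlinks.
        mode=$(stat -L -c %a "$key")
        uid=$(stat -L -c %u "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then       # any group/other bit set
            echo "$name FAIL mode $mode $key"; rc=1; continue
        fi
        if [ "$uid" != "$want_uid" ]; then
            echo "$name FAIL owner $uid $key"; rc=1; continue
        fi
        echo "$name OK $key"
    done < "$tab"
    return "$rc"
}

# Constructed sample: a 0600 keyfile, a world-readable one, and a prompt entry.
# The backup and scratch volumes are hypothetical names for the demo only.
demo() {
    d=$(mktemp -d) || return 2
    ( umask 077; : > "$d/good.key" )
    : > "$d/bad.key"; chmod 644 "$d/bad.key"
    printf '%s\n' "# constructed sample" \
        "encrypted /dev/mapper/vg_data-data $d/good.key" \
        "backup /dev/mapper/vg_data-backup $d/bad.key luks" \
        "scratch /dev/mapper/vg_data-scratch none" > "$d/crypttab"
    st=0
    audit_crypttab "$d/crypttab" "$(id -u)" || st=$?
    rm -rf "$d"
    return "$st"
}

# With arguments: audit that crypttab. Without: run the constructed demo.
if [ $# -gt 0 ]; then audit_crypttab "$@"; else demo || true; fi
```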