Preliminaries - On your Raspberry

This tutorial was tested on Raspbian Pixel Lite (2017).

Remove shitty things

sudo apt-get -y purge plymouth

Create your initramfs

sudo apt-get install busybox cryptsetup ntp dropbear
dd if=/dev/zero of=/tmp/fakeroot.img bs=1M count=20
cryptsetup luksFormat /tmp/fakeroot.img
sudo cryptsetup luksOpen /tmp/fakeroot.img sdcard
sudo mkfs.ext4 /dev/mapper/sdcard
sudo mkinitramfs -o /boot/initramfs.gz

Check if cryptsetup is available

lsinitramfs /boot/initramfs.gz | grep cryptsetup

Export SSH key

sudo scp /etc/initramfs-tools/root/.ssh/id_rsa username@othercomputer:~/.ssh/id_rsa_rpi_dropbear

Configure Dropbear

Edit /etc/initramfs-tools/root/.ssh/authorized_keys and add the following line at the beginning of the file:

command="/scripts/local-top/cryptroot && kill -9 `ps | grep -m 1 'cryptroot' | cut -d ' ' -f 3`"

Edit /usr/share/initramfs-tools/scripts/init-premount/dropbear and replace configure_networking & by:

echo "Waiting 5 seconds for USB to wake"
sleep 5
configure_networking &

Rebuild the initramfs

sudo mkinitramfs -o /boot/initramfs.gz

Configure boot

Edit /boot/config.txt and add these lines at the end:

initramfs initramfs.gz followkernel

Edit /boot/cmdline.txt and replace the first line something like that:

dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 root=/dev/mapper/sdcard cryptdevice=/dev/mmcblk0p2:sdcard rootfstype=ext4 elevator=deadline rootwait

Configure mouting points

Edit /etc/fstab and change /dev/mmcblk0p2 to /dev/mapper/sdcard.

Edit /etc/crypttab add the following line (separated by tab char):

sdcard  /dev/mmcblk0p2  none    luks

Encrypt the partition - On a separate computer

Power off your Raspberry Pi and plug the SD-Card to a linux-based computer. In my case, the SD-Card is /dev/sdc.

Backup your original FS

sudo apt-get install cryptsetup
sudo dd if=/dev/sdc2 of=/tmp/raspbian-plain.img bs=4M
sudo e2fsck -f /tmp/raspbian-plain.img
sudo resize2fs -M /tmp/raspbian-plain.img

Encrypt the partition

sudo cryptsetup -v -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sdc2
sudo cryptsetup -v luksOpen /dev/sdc2 sdcard

Restore your FS

sudo dd if=/tmp/raspbian-plain.img of=/dev/mapper/sdcard bs=4M
sudo e2fsck /dev/mapper/sdcard
sudo resize2fs /dev/mapper/sdcard

Umount all

sudo umount /tmp/pi_boot /tmp/pi_root
sudo cryptsetup luksClose sdcard

Boot your raspberry

After few seconds, try to unlock your raspberry with this command and type your passphrase:

ssh -t -o UserKnownHostsFile=luks_kwown_hosts "root@192.168.x.x" -i ~/.ssh/id_rsa_rpi_dropbear "/lib/cryptsetup/askpass Pass: > /lib/cryptsetup/passfifo"