This is what I have done. Note that the current system state was an encrypted filesystem on the SSD with the following format:
First, check /boot/firmware. Before going on, I started the Raspberry Pi from the SD card in order to emulate the exact same conditions needed to start up the filesystem from the SSD. The difference between the two is that the SSD filesystem needs crypto modules to handle decryption, but the rest is the same!
This looks fine. Get the currently loaded kernel and update the initramfs for that kernel:
After doing this, if you reboot with both your SD card and the SSD attached, it will boot correctly, asking for a password, and the filesystem loaded will be the one on the SSD this time, not the SD card. But if you remove your SD card, you can still notice some errors when starting up:
In fact, the current situation of the filesystem on the SSD is this:
/dev/mmcblk0p1 is not the right one for mounting /boot/firmware.
We need to update a few things. Let's reboot with the SD card only and the SSD detached, then, as always, attach the SSD, open the cryptsetup partition and mount it as already done until now.
To solve this, fstab needs to be updated with the UUIDs of the SSD partitions:
After rebooting, the errors should be gone, but there is one last caveat to solve.
Raspberry Pi searches for a partition called /boot/firmware to load modules, but /boot is just a directory, not a partition. This can lead to problems, for example when doing apt full-upgrade:
So we must recreate this scheme:
sda3 is missing, and in order to create it I used GParted on the SSD, doing the following:
Then, on the new unallocated space:
and it will finally create the expected structure. Now we need to move the firmware files into the new partition.
Now all problems should be solved. One last thing to do can be to clean up some resources: for example, after rebooting the Raspberry Pi from the SSD with the SD card completely removed, we can clean up quirks:
Code:
/dev/sda1 512Mb Boot Partition
/dev/sda2 932Gb Encrypted partition

Code:
ls -1 /boot/firmware | egrep 'kernel|vmlinuz|initrd|initramfs|initrd.img' || true
initramfs
initramfs_2712
initramfs7
initramfs7l
initramfs8
kernel_2712.img
kernel7.img
kernel7l.img
kernel8.img
kernel.img

Code:
sudo cryptsetup open /dev/sda2 cryptroot
sudo mount /dev/mapper/cryptroot /mnt/newroot
sudo mount /dev/sda1 /mnt/newroot/boot
sudo mount --bind /dev /mnt/newroot/dev
sudo mount --bind /proc /mnt/newroot/proc
sudo mount --bind /sys /mnt/newroot/sys
sudo mount --bind /run /mnt/newroot/run

# chroot ssd
sudo chroot /mnt/newroot /bin/bash -l
uname -r
# prints: 6.12.34+rpt-rpi-2712 (in my case)
KVER=6.12.34+rpt-rpi-2712
update-initramfs -c -k "$KVER"
apt install --yes cryptsetup cryptsetup-initramfs busybox
LUKS_UUID=$(blkid -s UUID -o value /dev/sda2)
echo "cryptroot UUID=${LUKS_UUID} none luks,initramfs" > /etc/crypttab

# add hooks to crypttab to let initramfs load the crypto setup requirements
cat >/etc/initramfs-tools/hooks/00-copy-crypttab <<'EOF'
#!/bin/sh
set -e
if [ -e /etc/crypttab ]; then
  mkdir -p "${DESTDIR}/cryptroot"
  cp /etc/crypttab "${DESTDIR}/cryptroot/crypttab"
fi
exit 0
EOF
chmod +x /etc/initramfs-tools/hooks/00-copy-crypttab

# make sure required kernel modules are loaded
cat >> /etc/initramfs-tools/modules <<'EOF'
dm-mod
dm-crypt
dm_crypt
cryptd
algif_skcipher
EOF

# generate cryptsetup
cat >/etc/initramfs-tools/hooks/01-include-cryptsetup <<'EOF'
#!/bin/sh
set -e
# copy cryptsetup from wherever it is installed to the initramfs
for p in /sbin/cryptsetup /usr/sbin/cryptsetup /bin/cryptsetup /usr/bin/cryptsetup; do
  if [ -x "$p" ]; then
    mkdir -p "${DESTDIR}$(dirname "$p")"
    cp "$p" "${DESTDIR}$p"
  fi
done
exit 0
EOF
chmod +x /etc/initramfs-tools/hooks/01-include-cryptsetup

# (C) Add a fallback file that will be copied into the final initramfs root
# Files placed under /etc/initramfs-tools/root are included in the initramfs at /
mkdir -p /etc/initramfs-tools/root/cryptroot
cp -v /etc/crypttab /etc/initramfs-tools/root/cryptroot/crypttab
ls -l /etc/initramfs-tools/root/cryptroot/crypttab
chmod +x /etc/initramfs-tools/hooks/* || true

# rebuild
apt update
apt install -y cryptsetup cryptsetup-initramfs busybox
update-initramfs -c -k "$KVER" || update-initramfs -u -k "$KVER"
ls -l /boot/initrd.img-"$KVER" # this should be /boot/initrd.img-6.12.34+rpt-rpi-2712

# create link name that matches the firmware naming
cp -v /boot/initramfs_2712 /boot/initramfs_2712.bak # backup
cp -v /boot/initrd.img-"$KVER" /boot/initramfs_2712
sync

# check initramfs contains crypto modules
lsinitramfs /boot/initramfs_2712 | egrep 'cryptsetup|/cryptroot/crypttab|dm-crypt|dm_crypt|dm-mod|dm_mod|dm_crypt|dm-mod.ko|dm_mod.ko' || true
# the output should include all required modules
lsinitramfs /boot/initramfs_2712 | egrep 'crypttab|cryptroot' || true
# output should include /cryptroot/crypttab

# close chroot
exit
for d in run sys proc dev; do umount /mnt/newroot/$d || true; done
sync
reboot

Code:
failed to start systemd-remount-fs.service
failed to activate swap swapfile.swap
timed out warning for device dev-dis-by\x2dpartuuid-d0c23d96\xd2d01 (which d0c23d96 is the old sd uuid)

Code:
df -T
Filesystem            Type     1K-blocks     Used Available Use% Mounted on
udev                  devtmpfs   4084144        0   4084144   0% /dev
tmpfs                 tmpfs       825264     6352    818912   1% /run
/dev/mapper/cryptroot ext4     959772408 28699540 882245444   4% /
tmpfs                 tmpfs      4126304        0   4126304   0% /dev/shm
tmpfs                 tmpfs         5120       48      5072   1% /run/lock
/dev/sda1             vfat        523244   381672    141572  73% /boot
/dev/mmcblk0p1        vfat        522230   127922    394308  25% /boot/firmware
overlay               overlay  959772408 28699540 882245444   4% /var/lib/docker/rootfs/overlayfs/19381acaaad01f3146bb531a3799919ed23a0027bb386237b4a459e49a298ba7
tmpfs                 tmpfs       825248        0    825248   0% /run/user/1000

Code:
blkid # obtain uuid needed
# /boot is ssd fat "partition" while /boot/firmware is sd boot partition, let's copy the content
rsync -avh --delete /boot/firmware/ /boot/
sync
cat > /etc/fstab.new <<'EOF'
# /etc/fstab: static file system information.
proc /proc proc defaults 0 0
# root filesystem (cryptroot) - use the filesystem UUID of /dev/mapper/cryptroot
UUID=<dev_mapper_UUID> / ext4 defaults,noatime 0 1
# boot on SSD (FAT)
UUID=<boot_uuid> /boot vfat defaults 0 2
# swapfile on root
/swapfile none swap sw 0 0
EOF
mv /etc/fstab /etc/fstab.orig.save && mv /etc/fstab.new /etc/fstab
# remount root as read/write and check swapfile perms
mount -o remount,rw /
chmod 600 /swapfile
swapon --show # show status
update-initramfs -u -k all || true
sudo apt install -y rpi-eeprom
sudo rpi-eeprom-update -a
sudo reboot

Code:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  libcamera-apps-lite libcamera0.5 rpicam-apps-lite
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
16 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up initramfs-tools (0.142+rpt4+deb12u3) ...
update-initramfs: deferring update (trigger activated)
Setting up linux-image-6.12.47+rpt-rpi-v8 (1:6.12.47-1+rpt1~bookworm) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-6.12.47+rpt-rpi-v8
raspi-firmware: missing /boot/firmware, did you forget to mount it?
run-parts: /etc/initramfs/post-update.d//z50-raspi-firmware exited with return code 1
run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
dpkg: error processing package linux-image-6.12.47+rpt-rpi-v8 (--configure):
 installed linux-image-6.12.47+rpt-rpi-v8 package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of linux-headers-6.12.47+rpt-rpi-v8:
 linux-headers-6.12.47+rpt-rpi-v8 depends on linux-image-6.12.47+rpt-rpi-v8 (= 1:6.12.47-1+rpt1~bookworm) | linux-image-6.12.47+rpt-rpi-v8-unsigned (= 1:6.12.47-1+rpt1~bookworm); however:
  Package linux-image-6.12.47+rpt-rpi-v8 is not configured yet.
  Package linux-image-6.12.47+rpt-rpi-v8-unsigned is not installed.

Code:
sda1 512 MiB → /boot
sdaX 200 MiB → /boot/firmware (new partition)
sda2 ~842 G → LUKS cryptroot (shrunk/moved)

Code:
Right click on sda2 -> resize -> Initial space (or also called left space): 200 MB -> apply resize

Code:
Right click on unallocated -> new -> file system ext4 (label firmware)

Code:
sudo mkdir -p /mnt/firmware
sudo mkdir -p /mnt/boot
sudo mount /dev/sda3 /mnt/firmware
sudo mount /dev/sda1 /mnt/boot
sudo cp -a /mnt/boot/firmware/* /mnt/firmware/

Code:
sudo umount /boot/firmware
sudo rm -rf /boot/firmware/*
sudo mount /dev/sda3 /boot/firmware

Statistics: Posted by virgula0 — Sun Nov 30, 2025 11:25 am
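
The boot-time timeout on the old SD card's PARTUUID described in the post can be caught before rebooting by comparing fstab against the devices that are actually present. This is an added example, not part of the original post; the function name `stale_fstab_entries`, the `demo` helper and all UUID values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. All sample values are constructed.

# stale_fstab_entries FSTAB BLKID_EXPORT
# Prints "<spec> <mountpoint>" for each fstab entry whose UUID= or PARTUUID=
# does not appear in a `blkid -o export` dump (a device systemd would wait for).
stale_fstab_entries() {
    awk '
        NR == FNR {                          # first file: blkid -o export
            if ($0 ~ /^(UUID|PARTUUID)=/) known[$0] = 1
            next
        }
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        { spec = $1; gsub(/"/, "", spec) }   # fstab also accepts quoted values
        spec ~ /^(UUID|PARTUUID)=/ && !(spec in known) { print spec, $2 }
    ' "$2" "$1"
}

# demo: constructed data mirroring the post's state, where / and /boot already
# live on the SSD but /boot/firmware still references the removed SD card.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/blkid.txt" <<'EOF'
DEVNAME=/dev/sda1
UUID=AAAA-0001
PARTUUID=11111111-01

DEVNAME=/dev/mapper/cryptroot
UUID=00000000-0000-4000-8000-00000000000a
EOF
    cat > "$tmp/fstab" <<'EOF'
# constructed fstab
proc /proc proc defaults 0 0
UUID=00000000-0000-4000-8000-00000000000a / ext4 defaults,noatime 0 1
UUID=AAAA-0001 /boot vfat defaults 0 2
PARTUUID=0badc0de-01 /boot/firmware vfat defaults 0 2
/swapfile none swap sw 0 0
EOF
    stale_fstab_entries "$tmp/fstab" "$tmp/blkid.txt"
    rm -rf "$tmp"
}

demo
```

On a real system, run `blkid -o export > /tmp/blkid.txt` as root with the SD card removed, then `stale_fstab_entries /etc/fstab /tmp/blkid.txt`; empty output means every UUID and PARTUUID in fstab resolves to an attached device.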
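
The `lsinitramfs ... | egrep ... || true` checks in the post always exit successfully, so a missing component only shows up as a failed unlock at the next boot. The added example below (not part of the original post) turns that inspection into a check that fails; the function name and the path patterns are assumptions, including that dm-crypt is built as a module, and the listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The sample listing is constructed.

# missing_crypto_parts LISTING_FILE
# LISTING_FILE holds `lsinitramfs` output (one path per line). Prints the name
# of each component needed to unlock a LUKS root that is absent from the
# listing and returns 1 if anything is missing, 0 otherwise.
missing_crypto_parts() {
    rc=0
    # name:pattern pairs; the patterns are assumptions about initramfs paths
    while IFS=: read -r name pattern; do
        grep -Eq "$pattern" "$1" && continue
        echo "$name"
        rc=1
    done <<'EOF'
cryptsetup binary:(^|/)s?bin/cryptsetup$
crypttab copy:(^|/)cryptroot/crypttab$
dm-crypt module:/dm-crypt\.ko(\.[a-z0-9]+)?$
EOF
    return "$rc"
}

# demo: a constructed listing that has the binary and the module but lacks the
# crypttab copy that the post's 00-copy-crypttab hook is meant to provide.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'usr/sbin/cryptsetup' \
        'usr/lib/modules/6.12.34+rpt-rpi-2712/kernel/drivers/md/dm-mod.ko.xz' \
        'usr/lib/modules/6.12.34+rpt-rpi-2712/kernel/drivers/md/dm-crypt.ko.xz' \
        > "$tmp/listing"
    if missing_crypto_parts "$tmp/listing"; then
        echo "initramfs looks complete"
    else
        echo "do not reboot yet"
    fi
    rm -rf "$tmp"
}

demo
```

Against a real image: `lsinitramfs /boot/initramfs_2712 > /tmp/listing && missing_crypto_parts /tmp/listing`.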