MMGen

Fixed some errors with dropbear installation.

Tutorial revised, improved and updated for current Ubuntu Bionic images.

Everything works as usual. If you're worried about forgetting the key, start out with a simple disk password like 'abc'. The password is all you need. Use case: if your machine ever falls into the wrong hands, any sensitive information on your disk is inaccessible to the attacker (but then you'll need a better password than 'abc').

Re-tested tutorial with current server image. Minor updates and revisions.

Thanks! It's sort of like the mix-up with USB slots on computers. Some are upside-down, others right side up. And it's a constant source of annoyance. Hardware manufacturers are horrible when it comes to observing standards.

So power green, status red is OK? This is the standard for Armbian? Just wanted to clarify that.

Can confirm: ORANGE_PI-PC2-V1_2_schematic.pdf erroneously has STATUS-LED as PA15 when it's really PA20. But this is the RED led (next to the green one, which is always on). I think power led and status led might be reversed then on the PC2. On RPi/Raspbian the power led is red and status is green.

Assuming all the steps of the tutorial completed without error, this is probably an authorization problem. Make sure you installed the correct SSH public key or keys as described and are unlocking from the correct remote machine. Also make sure dropbear is running. You should see a 'dropbear started' message at boot up if you have a monitor connected.

dmesg | less Type 'F' inside less.

Revised and re-tested tutorial with current Armbian OPi PC2 images, removed unneeded kernel compilation section.

Edit: dropped the ip argument from the kernel command line because it's not necessary.

Edited tutorial and made the following improvements: only one card reader required improved dropbear configuration using configured address and non-standard port allow for DHCP-configured systems The dm-crypt module has now been added to the kernel (thanks, developers!), which makes the whole setup process much easier.

Update: commenting out the following line in 'boot.cmd' allows you to unlock the disk from the tty as well as via ssh: # if test "${console}" = "serial" || test "${console}" = "both"; then setenv consoleargs "${consoleargs} console=ttyS0,115200"; fi

Rechecked tutorial, fixed a non-critical error, removed a couple unnecessary commands. Just replace the bogus device filenames with real ones and everything will work "out of the box".

Full root filesystem encryption on an Armbian/Orange Pi PC 2 system MMGen (https://github.com/mmgen) This tutorial provides detailed, step-by-step instructions for setting up full root filesystem encryption on an Armbian/Orange Pi PC2 system. With minor changes, it can be adapted to other Armbian-supported boards. The disk is unlocked remotely via ssh, permitting unattended bootup. Requirements: Linux host system One Orange Pi PC 2 Two blank Micro-SD cards (or a working Armbian system for your board + one blank SD card) USB Micro-SD card reader Ability to edit text files and do simple administrative tasks on the Linux command line Part 1 - Get, unpack and copy the latest Armbian image for the Orange Pi PC 2 $ mkdir ~/opi-build; cd ~/opi-build # For a server image: $ curl -L -O https://dl.armbian.com/orangepipc2/Ubuntu_bionic_next.7z # For a desktop image: $ curl -L -O https://dl.armbian.com/orangepipc2/Ubuntu_bionic_next_desktop.7z # Consult the download directory for changes, as well as torrent files: $ https://dl.armbian.com/orangepipc2/ Unpack (if the 7zr command is missing on your system, first install the 'p7zip' package): $ 7zr x Ubuntu_*.7z Check the PGP signature and integrity of the image (optional): $ gpg --keyserver pgp.mit.edu --recv-key 9F0E78D5 $ gpg --verify *.img.asc Or, alternatively, just check its integrity with a checksum: $ sha256sum -c sha256sum.sha Now you're ready to copy Armbian to the SD card or cards. If you have two blank cards, the first will hold an ordinary unencrypted Armbian system used for the setup process, while the second will hold the target encrypted system. Alternatively, if you already have a working Armbian system for your board, you can use it for the setup process. In that case, your one blank SD card will be considered the “second” card, and you can ignore all instructions hereafter pertaining to the first card. Note that for the remainder of this section, the first SD card will be referred to as '/dev/sdX' and the second as '/dev/sdY'. You'll replace these with the SD cards' true device filenames. The device names can be discovered using the command 'dmesg' or 'lsblk'. If you remove the first card before inserting the second, it's possible (but not guaranteed) that the cards will have the same device name. Insert the first blank SD card and copy the image to it: $ sudo dd if=$(echo *.img) of=/dev/sdX bs=4M After the command exits, you may remove the first card. Now insert the second SD card, which will hold a small unencrypted boot partition plus your encrypted Armbian system. Copy the image's boot loader to it: $ sudo dd if=$(echo *.img) of=/dev/sdY bs=512 count=4096 Now partition the card: $ sudo fdisk /dev/sdY Within fdisk, create a new DOS disklabel with the 'o' command. Use the 'n' command to create a primary partition of size +100M beginning at sector 4096. Type 'p' to view the partition table. Note the end sector. Now create a second primary partition beginning one sector after the first partition's end sector and filling the remainder of the card. When you're finished, your partition table will look something like this: Device Boot Start End Sectors Size Id Type /dev/sdY1 4096 208895 204800 100M 83 Linux /dev/sdY2 208896 31422463 31213568 14.9G 83 Linux Double-check that the second partition begins one sector after the end of the first one. If you mess something up, use 'd' to delete partitions or 'q' to exit fdisk and try again. Once everything looks correct, type 'w' to write the partition table. Now you'll begin the process of copying the system to the second card. First you'll associate the image file with a loop device and mount the device: $ losetup -f # displays the name of the loop device; remember this $ sudo losetup -Pf *.img # associate image file with the above loop device $ mkdir mnt boot root $ sudo mount /dev/loopXp1 mnt # replace '/dev/loopX' with the above loop device Create a filesystem on the SD card's boot partition and copy the boot partition data from the image file to it: $ sudo mkfs.ext4 /dev/sdY1 $ sudo e2label /dev/sdY1 OPI_PC2_BOOT # don't omit this step! $ sudo mount /dev/sdY1 boot $ sudo cp -av mnt/boot/* boot $ (cd boot; sudo ln -s . boot) Create the encrypted root partition (for this the 'cryptsetup' package must be installed on the host). You'll be prompted for a passphrase. It's recommended to choose an easy one like 'abc' for now. The passphrase can easily be changed later (consult the 'cryptsetup' man page for details): $ sudo cryptsetup luksFormat /dev/sdY2 Activate the encrypted root partition, create a filesystem on it and mount it: $ sudo cryptsetup luksOpen /dev/sdY2 foo # enter your passphrase from above $ sudo mkfs.ext4 /dev/mapper/foo $ sudo mount /dev/mapper/foo root Copy the system to the encrypted root partition: $ (cd mnt && sudo rsync -av --exclude=boot * ../root) $ sync # be patient, this could take a while $ sudo mkdir root/boot $ sudo touch root/root/.no_rootfs_resize Unmount the mounted image and second SD card, and free the loop device and encrypted mapping: $ sudo umount mnt boot root $ sudo losetup -d /dev/loopX $ sudo cryptsetup luksClose foo From here on, all your work will be done on the Orange Pi. Part 2 - boot into the unencrypted Armbian system If applicable, insert the first (unencrypted) SD card into the Pi's Micro-SD card slot. Insert a USB card reader holding the second SD card into a USB port on the Pi. Boot the Pi. If applicable, log in as root with password '1234', follow the password update instructions, and stay logged in as root. The following steps will be performed from a root shell. Part 3 - set up the unencrypted Armbian system Update the APT package index and install cryptsetup: # apt-get update # apt-get install cryptsetup Part 4 - set up the encrypted Armbian system Prepare the encrypted system chroot: # BOOT_PART=($(lsblk -l -o NAME,LABEL | grep OPI_PC2_BOOT)) # ROOT_PART=${BOOT_PART%1}2 # cryptsetup luksOpen /dev/$ROOT_PART foo # mkdir /mnt/enc_root # mount /dev/mapper/foo /mnt/enc_root # mount /dev/$BOOT_PART /mnt/enc_root/boot # cd /mnt/enc_root # mount -o rbind /dev dev # mount -t proc proc proc # mount -t sysfs sys sys Copy some key files so you'll have a working Internet connection within the chroot: # cat /etc/resolv.conf > etc/resolv.conf # cat /etc/hosts > etc/hosts Now chroot into the encrypted system. From this point on, all work will be done inside the chroot: # chroot . # apt-get update # echo 'export CRYPTSETUP=y' > /etc/initramfs-tools/conf.d/cryptsetup # apt-get install cryptsetup dropbear-initramfs Check to see that the cryptsetup scripts are present in the initramfs (command should produce output): # gunzip -c /boot/initrd.img* | cpio --quiet -t | grep cryptsetup Edit '/etc/fstab' to look exactly like this: /dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1 /dev/mmcblk0p1 /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2 tmpfs /tmp tmpfs defaults,nosuid 0 0 Add the following lines to '/etc/initramfs-tools/initramfs.conf'. If the Orange Pi's IP address will be statically configured, substitute the correct static IP address after 'IP='. If it will be configured via DHCP, omit the IP line entirely: DEVICE=eth0 IP=192.168.0.88:::255.255.255.0::eth0:off Add the following parameters to the quoted bootargs line in '/boot/boot.cmd'. Note that the 'root' parameter replaces the existing one: root=/dev/mapper/rootfs cryptopts=source=/dev/mmcblk0p2,target=rootfs If you want to be able to unlock the disk from the virtual console (which you probably do) as well as via ssh, then comment out the following line: # if test "${console}" = "serial" || test "${console}" = "both"; then setenv consoleargs "${consoleargs} console=ttyS0,115200"; fi In case you're wondering, 'setenv console "display"' doesn't work. Don't ask me why. Compile the boot menu: # mkimage -C none -A arm -T script -d /boot/boot.cmd /boot/boot.scr Copy the SSH public key from the machine you'll be unlocking the disk from to the Armbian machine: # rsync yourusername@remote_machine:.ssh/id_*.pub /etc/dropbear-initramfs/authorized_keys If you'll be unlocking the disk from more than one host, then edit the authorized_keys file by hand and add the additional SSH public keys. Edit '/etc/dropbear-initramfs/config', adding the following lines: DROPBEAR_OPTIONS="-p 2222" DROPBEAR=y Reconfigure dropbear: # dpkg-reconfigure dropbear-initramfs Make sure everything was included in the initramfs (both commands should produce output): # gunzip -c /boot/initrd.img* | cpio --quiet -t | grep dropbear # gunzip -c /boot/initrd.img* | cpio --quiet -t | grep authorized_keys Your work is finished! Exit the chroot and shut down the Orange Pi: # exit # halt -p Swap the SD cards and restart the Pi. Unlock the disk by executing the following command on your remote machine. Substitute the Pi's correct static or DHCP-configured IP address for the one below. If necessary, also substitute the correct disk password in place of 'abc': $ ssh -p 2222 -x root@192.168.0.88 'echo -n abc > /lib/cryptsetup/passfifo' If you choose to unlock the disk from the tty, just enter your disk password and hit ENTER. If all went well, your root-filesystem encrypted Armbian system is now up and running!