MMGen

Everything works as usual. If you're worried about forgetting the key, start out with a simple disk password like 'abc'. The password is all you need. Use case: if your machine ever falls into the wrong hands, any sensitive information on your disk is inaccessible to the attacker (but then you'll need a better password than 'abc').

Re-tested tutorial with current server image. Minor updates and revisions.

Thanks! It's sort of like the mix-up with USB slots on computers. Some are upside-down, others right side up. And it's a constant source of annoyance. Hardware manufacturers are horrible when it comes to observing standards.

So power green, status red is OK? This is the standard for Armbian? Just wanted to clarify that.

Can confirm: ORANGE_PI-PC2-V1_2_schematic.pdf erroneously has STATUS-LED as PA15 when it's really PA20. But this is the RED led (next to the green one, which is always on). I think power led and status led might be reversed then on the PC2. On RPi/Raspbian the power led is red and status is green.

Assuming all the steps of the tutorial completed without error, this is probably an authorization problem. Make sure you installed the correct SSH public key or keys as described and are unlocking from the correct remote machine. Also make sure dropbear is running. You should see a 'dropbear started' message at boot up if you have a monitor connected.

dmesg | less Type 'F' inside less.

Revised and re-tested tutorial with current Armbian OPi PC2 images, removed unneeded kernel compilation section.

Edit: dropped the ip argument from the kernel command line because it's not necessary.

Edited tutorial and made the following improvements: only one card reader required improved dropbear configuration using configured address and non-standard port allow for DHCP-configured systems The dm-crypt module has now been added to the kernel (thanks, developers!), which makes the whole setup process much easier.

Update: commenting out the following line in 'boot.cmd' allows you to unlock the disk from the tty as well as via ssh: # if test "${console}" = "serial" || test "${console}" = "both"; then setenv consoleargs "${consoleargs} console=ttyS0,115200"; fi

Rechecked tutorial, fixed a non-critical error, removed a couple unnecessary commands. Just replace the bogus device filenames with real ones and everything will work "out of the box".

Full root filesystem encryption on an Armbian/Orange Pi PC 2 system MMGen (https://github.com/mmgen) This tutorial provides detailed, step-by-step instructions for setting up full root filesystem encryption on an Armbian/Orange Pi PC2 system. With minor changes, it can be adapted to other Armbian-supported boards. The disk is unlocked remotely via ssh, permitting unattended bootup. Requirements: Linux host system One Orange Pi PC 2 Two blank Micro-SD cards USB Micro-SD card reader Ability to edit text files and do simple administrative tasks on the Linux command line Part 1 - Get, unpack and copy the latest Armbian image for the Orange Pi PC 2 $ mkdir ~/opi-build; cd ~/opi-build # For a server image: $ curl -L -O https://dl.armbian.com/orangepipc2/Ubuntu_xenial_next.7z # For a desktop image: $ curl -L -O https://dl.armbian.com/orangepipc2/Ubuntu_xenial_next_desktop.7z # Consult the download directory for changes, as well as torrent files: $ https://dl.armbian.com/orangepipc2/ Unpack (if the 7zr command is missing on your system, first install the 'p7zip' package): $ 7zr x Ubuntu_*.7z Check the PGP signature and integrity of the image (optional): $ gpg --keyserver pgp.mit.edu --recv-key 9F0E78D5 $ gpg --verify *.img.asc Or, alternatively, just check its integrity: $ sha256sum -c sha256sum.sha Now you're ready to copy Armbian to the SD cards. Note that for the remainder of this section, the first SD card will be referred to as '/dev/sdX' and the second as '/dev/sdY'. You'll replace these with the SD cards' true device filenames. The device names can be discovered using the command 'dmesg' or 'lsblk'. If you remove the first card before inserting the second, it's possible (but not guaranteed) that the cards will have the same device name. The first SD card will hold an ordinary unencrypted Armbian system used for the setup process. Insert the card and copy the image to it: $ sudo dd if=$(echo *.img) of=/dev/sdX bs=4M After the command exits, you may remove the first SD card. Now insert the second SD card, which will hold a small unencrypted boot partition plus your encrypted Armbian system. Copy the image's boot loader to it: $ sudo dd if=$(echo *.img) of=/dev/sdY bs=512 count=4096 Now partition the second SD card: $ sudo fdisk /dev/sdY Within fdisk, create a new DOS disklabel with 'o' command. Use the 'n' command to create a primary partition of size +100M beginning at sector 4096. Type 'p' to view the partition table. Note the end sector. Now create a second primary partition beginning one sector after the first partition's end sector and filling the remainder of the card. When you're finished, your partition table will look something like this: Device Boot Start End Sectors Size Id Type /dev/sdY1 4096 208895 204800 100M 83 Linux /dev/sdY2 208896 31422463 31213568 14.9G 83 Linux Double-check that the second partition begins one sector after the end of the first one. If you mess something up, use 'd' to delete partitions or 'q' to exit fdisk and try again. Once everything looks correct, type 'w' to write the partition table. Now you'll begin the process of copying the system to the second card. First you'll associate the image file with a loop device and mount the device: $ losetup -f # displays the name of the loop device; remember this $ sudo losetup -Pf *.img # associate image file with the above loop device $ mkdir mnt boot root $ sudo mount /dev/loopXp1 mnt # replace '/dev/loopX' with the above loop device Create a filesystem on the SD card's boot partition and copy the boot partition data from the image file to it: $ sudo mkfs.ext4 /dev/sdY1 $ sudo e2label /dev/sdY1 OPI_PC2_BOOT # don't omit this step! $ sudo mount /dev/sdY1 boot $ sudo cp -av mnt/boot/* boot $ (cd boot; sudo ln -s . boot) Create the encrypted root partition (for this the 'cryptsetup' package must be installed on the host). You'll be prompted for a passphrase. It's recommended to choose an easy one like 'abc' for now. The passphrase can easily be changed later (consult the 'cryptsetup' man page for details): $ sudo cryptsetup luksFormat /dev/sdY2 Activate the encrypted root partition, create a filesystem on it and mount it: $ sudo cryptsetup luksOpen /dev/sdY2 foo # enter your passphrase from above $ sudo mkfs.ext4 /dev/mapper/foo $ sudo mount /dev/mapper/foo root Copy the system to the encrypted root partition: $ (cd mnt && sudo rsync -av --exclude=boot * ../root) $ sudo mkdir root/boot $ sudo touch root/root/.no_rootfs_resize Unmount the mounted image and second SD card, and free the loop device and encrypted mapping: $ sudo umount mnt boot root $ sudo losetup -d /dev/loopX $ sudo cryptsetup luksClose foo From here on, all your work will be done on the Orange Pi. Part 2 - boot into the unencrypted Armbian system Insert the first (unencrypted) SD card into the Pi's Micro-SD card slot. Insert the USB card reader with the second SD card inserted into a USB port on the Pi. Boot the Pi, log in as root with password '1234' and follow the password update instructions. Stay logged in as root. Part 3 - set up the unencrypted Armbian system Update the package files and install the cryptsetup package: # apt-get update # echo 'export CRYPTSETUP=y' > /etc/initramfs-tools/conf.d/cryptsetup # apt-get install cryptsetup Check to see that the cryptsetup scripts are present in the initramfs (command should produce output): # gunzip -c /boot/initrd.img* | cpio --quiet -t | grep cryptsetup Part 4 - set up the encrypted Armbian system Prepare the encrypted system chroot: # BOOT_PART=($(lsblk -l -o NAME,LABEL | grep OPI_PC2_BOOT)) # ROOT_PART=${BOOT_PART%1}2 # cryptsetup luksOpen /dev/$ROOT_PART foo # mkdir /mnt/enc_root # mount /dev/mapper/foo /mnt/enc_root # mount /dev/$BOOT_PART /mnt/enc_root/boot # cd /mnt/enc_root # mount -o rbind /dev dev # mount -t proc proc proc # mount -t sysfs sys sys Copy '/etc/resolv.conf' so you'll have a working Internet connection within the chroot: # rm etc/resolv.conf # cp /etc/resolv.conf etc Now chroot into the encrypted system. From this point on, all work will be done inside the chroot: # chroot . Repeat the steps of Part 3 exactly as you did in the unencrypted system. Edit '/etc/fstab' to look exactly like this: /dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1 /dev/mmcblk0p1 /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2 tmpfs /tmp tmpfs defaults,nosuid 0 0 /var/swap none swap sw 0 0 Add the following lines to '/etc/initramfs-tools/initramfs.conf'. If the Orange Pi's IP address will be statically configured, substitute the correct static IP address after 'IP='. If it will be configured via DHCP, omit the IP line entirely: DROPBEAR_OPTIONS="-p 2222" DROPBEAR=y DEVICE=eth0 IP=192.168.0.88:::255.255.255.0::eth0:off Add the following parameters to the quoted bootargs line in '/boot/boot.cmd'. Note that the 'root' parameter replaces the existing one: root=/dev/mapper/rootfs cryptopts=source=/dev/mmcblk0p2,target=rootfs If you want to be able to unlock the disk from the virtual console (which you probably do) as well as via ssh, then comment out the following line: # if test "${console}" = "serial" || test "${console}" = "both"; then setenv consoleargs "${consoleargs} console=ttyS0,115200"; fi In case you're wondering, 'setenv console "display"' doesn't work. Don't ask me why. Compile the boot menu: # mkimage -C none -A arm -T script -d /boot/boot.cmd /boot/boot.scr Copy the SSH public key from the machine you'll be unlocking the disk from to the Armbian machine: # KEYDIR='/etc/initramfs-tools/root/.ssh' # mkdir -p $KEYDIR # rsync yourusername@remote_machine:.ssh/id_*.pub $KEYDIR/authorized_keys If you'll be unlocking the disk from more than one host, then edit the authorized_keys file by hand and add the additional SSH public keys. Install dropbear: # apt-get install dropbear-initramfs Make sure everything was included in the initramfs (both commands should produce output): # gunzip -c /boot/initrd.img* | cpio --quiet -t | grep dropbear # gunzip -c /boot/initrd.img* | cpio --quiet -t | grep authorized_keys Your work is finished! Exit the chroot and shut down the Orange Pi: # exit # halt -p Swap the SD cards and start the Pi. Unlock the disk by executing the following command on your remote machine. Substitute the Pi's correct static or DHCP-configured IP address for the one below. If necessary, also substitute the correct password in place of 'abc': $ ssh -p 2222 -x root@192.168.0.88 'echo -n abc > /lib/cryptsetup/passfifo' If you choose to unlock the disk from the tty, ignore the garbage printed by dropbear to the screen after the password prompt. Just enter your password and hit ENTER. If all went well, your root-filesystem encrypted Armbian system is now up and running!