

Posts posted by MMGen
-
-
Successfully tested on the Orange Pi 5 with Ubuntu Noble minimal mainline image. Note that this image kernel panics every now and then on bootup (something to do with power management and interrupts). Disabling networking seems to solve the issue
The automated script now supports configuring the network interface on the target using ifupdown. This is primarily useful for statically configured setups
-
Tutorial has been updated to include support for GPT-partitioned images
-
Automated script has been successfully tested on the Orange Pi 5, with the Debian bookworm minimal (kernel v6.12) image (also GPT-partitioned)
Note that there are some missing modules in the initrd in this image, resulting in a blank screen at startup. This can be fixed by booting via serial or network console, adding the modules listed by lsmod to /etc/initramfs-tools/modules and rebuilding the initrd
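One way to carry out the "add the modules listed by lsmod" step above without duplicating existing entries, as an added shell example that is not part of the original post or the author's script. The function names and the sample `lsmod` output are constructed for illustration.

```shell
# Constructed sample of `lsmod` output; the module names are illustrative only.
sample_lsmod() {
    cat <<'EOF'
Module                  Size  Used by
panfrost               73728  0
rockchipdrm           180224  0
dw_hdmi                49152  1 rockchipdrm
EOF
}

# Read `lsmod` output on stdin and append every loaded module that is not
# already listed in the given modules file. Prints the number of lines appended.
add_loaded_modules() {
    modules_file=$1
    added=0
    [ -f "$modules_file" ] || : > "$modules_file"
    while read -r name _rest; do
        # Skip the "Module  Size  Used by" header and blank lines.
        if [ -z "$name" ] || [ "$name" = "Module" ]; then
            continue
        fi
        # modprobe treats '-' and '_' in module names as interchangeable, so
        # normalise existing entries before comparing. Comment lines never match.
        if ! awk -v m="$name" '{ n = $1; gsub(/-/, "_", n); if (n == m) f = 1 }
                               END { exit !f }' "$modules_file"; then
            printf '%s\n' "$name" >> "$modules_file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Typical use on the booted board (as root), followed by an initrd rebuild:
#   lsmod | add_loaded_modules /etc/initramfs-tools/modules
#   update-initramfs -u
```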
-
The automated script has been updated to support GUID partition table (GPT) images
Tested on the Radxa Rock 5B, with the Debian trixie minimal (rolling release) image
The tutorial will be updated shortly with instructions for GPT
-
-
The tutorial and automated script have been updated for images that use extlinux.conf to configure the bootloader.
In addition, some logic has been added to select the correct network device name (eth0 on some systems, end0 on others).
The script has been successfully tested on the Banana Pi F3 with the Ubuntu Noble legacy minimal image.
-
@DIYprojectz: Thanks for the feedback and support!
First of all, make sure your Internet connection is active as you perform the steps in the tutorial. If it is, you should have a non-empty /etc/resolv.conf file, and the cat command will successfully create a copy of the file's contents in the target. If that doesn't solve the problem, then here are some things you might try:
What does `ls -l /etc/resolv.conf` on the host produce? Is the resolv.conf file on the host a symlink? If so, you might try running `systemctl restart resolvconf` and then rechecking the file. If the host is using systemd-resolved for address resolution, try restarting that instead.
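The resolv.conf checks suggested above, as an added shell example that is not part of the original post or the author's script. The function names are hypothetical, and the nameserver check goes slightly beyond the "non-empty" test described in the post.

```shell
# Classify a resolv.conf path before its contents are copied into the target.
resolv_conf_status() {
    f=$1
    if [ -L "$f" ] && [ ! -e "$f" ]; then
        echo "dangling-symlink"   # symlink whose target does not exist
    elif [ ! -e "$f" ]; then
        echo "missing"
    elif [ ! -s "$f" ]; then
        echo "empty"
    elif ! grep -Eq '^[[:space:]]*nameserver[[:space:]]+[^[:space:]]' "$f"; then
        echo "no-nameserver"      # non-empty, but no usable resolver entry
    else
        echo "ok"
    fi
}

# Copy the file's contents (not the symlink itself) into <target_root>/etc.
copy_resolv_conf() {
    host_file=$1
    target_root=$2
    st=$(resolv_conf_status "$host_file")
    if [ "$st" != "ok" ]; then
        echo "refusing to copy $host_file: $st" >&2
        return 1
    fi
    dest=$target_root/etc/resolv.conf
    # A symlinked destination with an absolute target would be resolved against
    # the host's filesystem and overwrite a host file, so stop and let the user decide.
    if [ -L "$dest" ]; then
        echo "refusing to write through symlink $dest" >&2
        return 1
    fi
    mkdir -p "$target_root/etc"
    cat "$host_file" > "$dest"
}
```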
-
The tutorial and automated script have been updated for Debian bookworm and Ubuntu noble images. Here's a summary of the changes required to make everything work:
- replace eth0 with end0
- replace cryptsetup-bin with cryptsetup
- replace lsinitramfs /boot/initrd.img* with lsinitramfs /boot/initrd.img-*
- replace etc/dropbear-initramfs with etc/dropbear/initramfs
- replace etc/dropbear-initramfs/config with etc/dropbear/initramfs/dropbear.conf
- before exiting the chroot, execute ssh-keygen -A
-
@DIYprojectz: It should be possible to put the encrypted root filesystem on a different device than the boot partition, though I've never tried it with an SoC or Armbian. Thanks for the idea. I promise to look into it, but don't expect immediate results as I'm busy with other things at the moment.
-
On 5/30/2022 at 9:08 AM, LightJolteon said:
Hello, I've been trying to use the automated script on an Odroid HC4 running Ubuntu Jammy 5.17.5, but it always fails at some point after running APT with some illegal instruction errors. I pasted the output of the script below. I've never really asked for help on one of these forums before and I'm kind of a noob, so if I'm doing something wrong or if more information is needed then let me know.
Sorry for the extreme delay in replying to your post. Since the errors are coming from APT, this could be a distro-specific problem. Have you tried the Bullseye image?
-
On 8/6/2022 at 7:07 AM, mildparanoia said:
Found the problem; the script isn't creating the encrypted partition correctly. If I make the luks partition manually, the script works.
Glad you got it to work. Instead of setting up the LUKS partition manually, erasing everything with the -z option might have solved the problem here.
-
On 4/28/2022 at 4:16 AM, Felix said:
I have Orange Pi Lite. After running the attached script. But, black screen after reboot on LUKS enabled SD Card. I don't see any prompt asking for password to unlock the root partition. I use the following command to run:
sudo ./armbian_rootenc_setup.sh -R -m -F /dev/sda
Are you able to unlock the device via SSH as per the instructions? Can you ping the device at the expected address?
Note that the script has been updated, so you might clone or pull the new version from GitHub and try running it again.
-
Updated automated script to support Bullseye and Jammy images, plus minor bugfixes.
-
13 hours ago, Werner said:
Since we have this as open issue do you want to port your tutorial to the documentation and use this thread as support thread?
Thanks for the offer/request. I'll be busy for the next several days, but when I get some free time I'll look into doing this.
-
On 7/4/2021 at 2:29 PM, Bagel said:
Whoop, it works, thanks! I've followed the (non-boot) parts in your tutorial. Thus I created a single partition on the SSD, formatted it with LUKS/ext4 and copied the rootfs over to my SSD. I've performed some steps on the original (source) OS as well, such as installing dropbear, copying the authorized keys and editing the crypttab and fstab (basically step 9) + update initramfs.
After rebooting and configuring the new rootfs such as providing new root password etc. I've added two lines to the fstab on the new or target-rootfs:
UUID=old-rootfs-uuid-here /oldfs ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2
/oldfs/boot /boot none bind 0 0
Now the new system is aware of the boot folder. When I run update-initramfs on the new rootfs, the boot folder is updated accordingly. Not sure if this is the best way to do it, suggestions and improvements are welcome.
When starting the newly copied system for the first time, I noticed that I couldn't use ssh to login for the first time (with root + password "1234"). Is this expected behaviour?
Glad everything worked! However, the bind mount wasn't necessary. Since you're still booting from the SD/eMMC, the old fstab would have worked unmodified. Can't say why you couldn't log in via SSH initially, but in any case this is a minor issue.
-
On 6/7/2021 at 3:30 PM, Bagel said:
Thank you for the comprehensive tutorial!
Instead of installing the encrypted system on an SD/eMMC I'd like to move the rootfs to my SSD and keep the boot partition on the SD-card (I'm using the Odroid HC4, unfortunately can't boot directly from SSD). Is it sufficient to edit the armbianEnv.txt-file in the SD-card's boot-partition? Do you have any suggestions on this?
Yes, this should be doable. Create a LUKS partition and ext4 fs on the SSD, copy the root fs to it, update /etc/crypttab with the new device UUID, mount, chroot and update the initramfs. I haven't tested this myself though, so other steps might be required. But first you should try the tutorial without modification to make sure it works for your board. If it does, please let me know and I'll add the HC4 to the "supported" list.
-
Add serial console disk unlocking instructions at step 9.1. Serial console disk unlocking has been added as an option to the automated script as well.
-
12 hours ago, legogris said:
I guess it should be safe to assume that if `CRYPTROOT_UNLOCK` works, so should this guide?
No, I wouldn't assume that. See the comments by @sunzone above regarding the Orange Pi Zero.
In their case, the problem may be connected with the fact that the OPi Zero requires 'flash-kernel' to set up the boot loader.
I think that boards/images that don't depend on flash-kernel should generally work with this tutorial, but I need more test data to confirm that hypothesis.
-
- Add RockPro64 to supported list
- Add automatic disk unlock prompt (Step 9.10)
-
31 minutes ago, sunzone said:
Also tried with an Opi Zero Plus I had since it is 64bit, following the steps and also using the script.
Boot hangs after
Starting kernel ...
Sorry to hear that. I'm afraid I've run out of options, since I don't have an Opi Zero for testing. If you really need root fs encryption, then you might try building Armbian with the CRYPTROOT_ENABLE option mentioned by @DevShanky in the post above.
-
4 hours ago, sunzone said:
Thanks for the post.
I test the script with Orange Pi zero with the latest Ubuntu Focal image. Armbian 20.08.1 Focal with Linux 5.8.5-sunxi
After writing to the SD, at booting phase, following error occurs....SNIP....
@MMGen anything I need to do additionally to support Orange Pi Zero?
Thanks.
This is not the kind of error I would expect to see. Are you sure you performed all the steps correctly, didn't omit anything? Is the SD card itself in working order? I'll take a look at the Focal Orange Pi Zero image to see if there's anything there that might be causing this error, but I don't have that board to test on, unfortunately.
UPDATE: I looked at your image. Some things you might want to check:
1) Make sure you're editing armbianEnv.txt correctly. After performing the edits, the file should look like this:
verbosity=1
bootlogo=false
console=display
disp_mode=1920x1080p60
overlay_prefix=sun8i-h3
overlays=usbhost2 usbhost3
rootdev=/dev/mapper/rootfs
rootfstype=ext4
2) In boot.cmd there are two lines beginning with 'setenv rootdev'. Make sure you're deleting the first one.
If that doesn't work, there are other things you might try and see whether you get the same or similar error at bootup:
1) Use the automated script instead of the tutorial.
2) Try the Buster image instead of Focal.
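A quick way to verify the two edits described in points 1) and 2) above before rebooting, as an added shell example that is not part of the original post or the author's script. The function name is hypothetical, and the check assumes a boot directory laid out as in this post (armbianEnv.txt and boot.cmd side by side).

```shell
# Check the edited boot files. Prints one line per problem found and
# returns 0 only when both files match what the post describes.
check_boot_config() {
    boot_dir=$1
    env_file=$boot_dir/armbianEnv.txt
    cmd_file=$boot_dir/boot.cmd
    rc=0
    for f in "$env_file" "$cmd_file"; do
        if [ ! -f "$f" ]; then
            echo "missing file: $f"
            return 1
        fi
    done
    # Exactly one rootdev= line, pointing at the mapped LUKS device. The value
    # is compared verbatim, so a duplicate line, trailing whitespace or a CR
    # left by a Windows editor is reported as a mismatch.
    rootdev=$(sed -n 's/^rootdev=//p' "$env_file")
    if [ "$rootdev" != "/dev/mapper/rootfs" ]; then
        echo "armbianEnv.txt: rootdev is '$rootdev', expected '/dev/mapper/rootfs'"
        rc=1
    fi
    fstype=$(sed -n 's/^rootfstype=//p' "$env_file")
    if [ "$fstype" != "ext4" ]; then
        echo "armbianEnv.txt: rootfstype is '$fstype', expected 'ext4'"
        rc=1
    fi
    # The image ships two 'setenv rootdev' lines in boot.cmd; after deleting
    # the first one, exactly one should remain.
    n=$(grep -c '^setenv rootdev' "$cmd_file" || true)
    if [ "$n" -ne 1 ]; then
        echo "boot.cmd: $n lines begin with 'setenv rootdev', expected 1 after the edit"
        rc=1
    fi
    return $rc
}

# Typical use, with the SD card's boot partition mounted at a path of your choice:
#   check_boot_config /mnt/boot && echo "boot config looks as described"
```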
-
9 hours ago, DevShanky said:
I am wondering if this script would break nand-sata-install since the base Armbian images are single partition while the new encrypted image on SD card is having a separate Boot and Root partition.
If this is the case then how can we move the image to eMMC from SD?
-R
You don't need nand-sata-install, because the tutorial (and script) create the encrypted system directly on the eMMC. This has been tested successfully on the RockPi 4. Would like to hear from users how it works on other boards.
-
Thanks for pointing that out!
As far as overlap goes, I think this tutorial (and the automated script) has a clear use case, as it creates encrypted Armbian systems without building or compiling anything, which is much easier for most users (the automated script can create a fully configured system on your SD card or eMMC in a matter of minutes).
Secondly, the tutorial can be a valuable learning experience for those interested in better understanding disk partitioning, loop devices, LUKS encryption, uBoot, the Linux bootup process, basic administrative commands, etc.
-
Full root filesystem encryption on an Armbian system (NEW, replaces 2017 tutorial on this topic)
in Reviews, Tutorials, Hardware hacks
Posted
The automated script has been updated to support the Nano Pi M6 (Noble mainline kernel IOT/minimal image and Noble Gnome desktop vendor kernel image both tested). Use the -m option to include all loaded modules in the initrd.
The boot partition size has also been increased to 400MB, which should fix out-of-space errors when upgrading via apt.
The tutorial has been updated accordingly.