Tutorial Full root filesystem encryption on an Armbian system (NEW, replaces 2017 tutorial on this topic)

[g00d]

Hi Steven,

 

thanks for your feedback and thanks again for your suggestion that led me to the right direction. Yeah, the .next file was missing after I did the encryption stuff mentioned here, no clue why. So I wrote everything in detail, maybe the devs can look over it and tell us more and even fix it if there's something to fix. Thanks for the hint about net.ifnames=0 I will try that and report back.

 

I'm happy right now.

[pinebook]

I've just installed to a Pinebook Pro successfully. Bluetooth is not working, but that's acceptable to me. Details here

Thank you so much @MMGenfor the script.

[Felix]

I have Orange Pi Lite. After running the attached script.  But, black screen after reboot on LUKS enabled SD Card. I don't see any prompt asking for password to unlock the root partition. I use the following command to run:

 

sudo ./armbian_rootenc_setup.sh  -R -m -F /dev/sda

 

U-Boot 2020.10-armbian (Aug 08 2021 - 16:13:23 +0200) Allwinner Technology

 

CPU:   Allwinner H3 (SUN8I 1680)

Model: Xunlong Orange Pi Lite

DRAM:  512 MiB

MMC:   mmc@1c0f000: 0, mmc@1c10000: 1

Loading Environment from FAT… Unable to use mmc 0:1… In:    serial@1c28000

Out:   serial@1c28000

Err:   serial@1c28000

Net:   No ethernet found.

starting USB…

Bus usb@1c1b000: USB EHCI 1.00

Bus usb@1c1b400: USB OHCI 1.0

Bus usb@1c1c000: USB EHCI 1.00

Bus usb@1c1c400: USB OHCI 1.0

scanning bus usb@1c1b000 for devices… 1 USB Device(s) found

scanning bus usb@1c1b400 for devices… 2 USB Device(s) found

scanning bus usb@1c1c000 for devices… 2 USB Device(s) found

scanning bus usb@1c1c400 for devices… 1 USB Device(s) found

       scanning usb for storage devices… 0 Storage Device(s) found

Autoboot in 1 seconds

switch to partitions #0, OK

mmc0 is current device

Scanning mmc 0:1…

Found U-Boot script /boot/boot.scr

3964 bytes read in 2 ms (1.9 MiB/s)

## Executing script at 43100000

U-boot loaded from SD

Boot script loaded from mmc

202 bytes read in 2 ms (98.6 KiB/s)

9986940 bytes read in 476 ms (20 MiB/s)

7995296 bytes read in 382 ms (20 MiB/s)

Found mainline kernel configuration

31752 bytes read in 11 ms (2.8 MiB/s)

4185 bytes read in 7 ms (583 KiB/s)

Applying kernel provided DT fixup script (sun8i-h3-fixup.scr)

## Executing script at 45000000

## Loading init Ramdisk from Legacy Image at 43300000 …

   Image Name:   uInitrd

   Image Type:   ARM Linux RAMDisk Image (gzip compressed)

   Data Size:    9986876 Bytes = 9.5 MiB

   Load Address: 00000000

   Entry Point:  00000000

   Verifying Checksum … OK

## Flattened Device Tree blob at 43000000

   Booting using the fdt blob at 0x43000000

   Loading Ramdisk to 49679000, end 49fff33c … OK

   Loading Device Tree to 49608000, end 49678fff … OK

 

Starting kernel …

 

[MMGen]

Updated  automated script to support Bullseye and Jammy images, plus minor bugfixes.

[MMGen]

On 4/28/2022 at 4:16 AM, Felix said:

I have Orange Pi Lite. After running the attached script.  But, black screen after reboot on LUKS enabled SD Card. I don't see any prompt asking for password to unlock the root partition. I use the following command to run:

 

sudo ./armbian_rootenc_setup.sh  -R -m -F /dev/sda

 

 

Are you able to unlock the device via SSH as per the instructions? Can you ping the device at the expected address?

 

Note that the script has been updated, so you might clone or pull the new version from Github and try running it again.

[LightJolteon]

Hello, I've been trying to use the automated script on an Odriod HC4 running Ubuntu Jammy 5.17.5, but it always fails at some point after running APT with some illegal instruction errors. I pasted the output of the script below. I've never really asked for help on one of these forums before and I'm kind of a noob, so if I'm doing something wrong or if more information is needed then let me know.

 

 

             ┌───────────────────────────────────────────────────┐
             │ ⣎⣱ ⡀⣀ ⣀⣀  ⣇⡀ ⠄ ⢀⣀ ⣀⡀   ⣏⡉ ⣀⡀ ⢀⣀ ⡀⣀ ⡀⢀ ⣀⡀ ⣰⡀ ⢀⡀ ⢀⣸ │
             │ ⠇⠸ ⠏  ⠇⠇⠇ ⠧⠜ ⠇ ⠣⠼ ⠇⠸   ⠧⠤ ⠇⠸ ⠣⠤ ⠏  ⣑⡺ ⡧⠜ ⠘⠤ ⠣⠭ ⠣⠼ │
             │     ⣏⡱ ⢀⡀ ⢀⡀ ⣰⡀   ⣏⡉ ⠄ ⡇ ⢀⡀ ⢀⣀ ⡀⢀ ⢀⣀ ⣰⡀ ⢀⡀ ⣀⣀     │
             │     ⠇⠱ ⠣⠜ ⠣⠜ ⠘⠤   ⠇  ⠇ ⠣ ⠣⠭ ⠭⠕ ⣑⡺ ⠭⠕ ⠘⠤ ⠣⠭ ⠇⠇⠇    │
             │                 ⢎⡑ ⢀⡀ ⣰⡀ ⡀⢀ ⣀⡀                    │
             │                 ⠢⠜ ⠣⠭ ⠘⠤ ⠣⠼ ⡧⠜                    │
             └───────────────────────────────────────────────────┘
                      For detailed usage information,
                        invoke with the '-h' switch

get_armbian_image                OK
apt_install_host                 OK
close_loopmount                  OK
umount_target                    OK
remove_build_dir                 OK
Will write to target /dev/sda (Mass   Storage Device 59.5G)
check_sdcard_name_and_params     OK
create_build_dir                 OK

  Enter the IP address of the target machine.
  Enter 'dhcp' for a dynamic IP or 'none' for no remote SSH unlocking support
  IP address: 192.168.1.5

  Enter the netmask of the target machine,
  or hit ENTER for the default (255.255.255.0):

  Enter a boot partition label for the target machine,
  or hit ENTER for the default (ARMBIAN_BOOT):

  Enter a device name for the encrypted root filesystem,
  or hit ENTER for the default (rootfs):

  Choose a simple disk password for the installation process.
  Once your encrypted system is up and running, you can change
  the password using the 'cryptsetup' command.
  Enter password: 123

  Unlock the disk from the serial console.  WARNING: enabling this will
  make it impossible to unlock the disk using the keyboard and monitor,
  though unlocking via SSH will still work.
  Enable unlocking via serial console? (y/n): n

  Unlock the disk via SSH over USB (g_ether).  Enable this only if your board
  supports USB gadget mode, i.e. if it has a USB OTG port. WARNING: enabling this
  will make it impossible to unlock the disk over the Ethernet interface (eth0).
  Enable unlocking via SSH over USB? (y/n): n

  The following user options are in effect:
  + use local 'authorized_keys' file

  Armbian image:                Armbian_22.05.1_Odroidhc4_jammy_edge_5.17.5.img
  Target device:                /dev/sda (Mass   Storage Device 59.5G)
  Root filesystem device name:  /dev/mapper/rootfs
  Target IP address:            192.168.1.5
  Target netmask:               255.255.255.0
  Boot partition label:         ARMBIAN_BOOT
  Disk password:                123
  Serial console unlocking:     no
  SSH over USB unlocking:       no

  Are these settings correct? (Y/n) y
get_authorized_keys              OK
Copying boot loader (8192 sectors, 4M):
4+0 records in
4+0 records out
4194304 bytes (4.2 MB, 4.0 MiB) copied, 0.421957 s, 9.9 MB/s
copy_boot_loader                 OK
partition_sd_card                OK
Copying files to boot partition:
    101,080,678  99%   10.77MB/s    0:00:08 (xfr#145, to-chk=0/152)
copy_system_boot                 OK
create_bootpart_label            OK
Copying system to encrypted root partition:
  1,186,326,943  99%   16.16MB/s    0:01:09 (xfr#37888, to-chk=0/47428)
copy_system_root                 OK
mount_target                     OK
         Host                         Target
         ----                         ------
distro:  jammy                        jammy
kernel:  vmlinuz-5.17.5-meson64       vmlinuz-5.17.5-meson64
Unable to copy '/etc/apt/apt.conf.d/*proxy' to target (file does not exist)
armbian_rootenc_setup.sh:891: _copy_to_target() failed at command 'false'
Host script exiting with error (1)
armbian_rootenc_setup.sh:905: copy_etc_files() failed at command 'false'
Host script exiting with error (1)
copy_etc_files                   OK
copy_etc_files_distro_specific   OK
edit_initramfs_conf              OK
edit_initramfs_modules           OK
copy_authorized_keys             OK
create_etc_crypttab              OK
create_fstab                     OK
edit_dropbear_cfg                OK
netman_manage_usb0               OK
ifupdown_config_usb0             OK
create_cryptroot_unlock_sh       OK
edit_armbianEnv                  OK
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  bash-completion*
0 upgraded, 0 newly installed, 1 to remove and 31 not upgraded.
After this operation, 1,499 kB disk space will be freed.
(Reading database ... 41456 files and directories currently installed.)
Removing bash-completion (1:2.11-5ubuntu1) ...
Processing triggers for man-db (2.10.2-1) ...
(Reading database ... 40694 files and directories currently installed.)
Purging configuration files for bash-completion (1:2.11-5ubuntu1) ...
Generating 256 bit ecdsa key, this may take a while...
256 SHA256:kcNv1yOFs+xQjuvdzjF23A6r/Qy4BK6dKaLf7A1bK3c /etc/dropbear/initramfs/dropbear_ecdsa_host_key (ECDSA)
+---[ECDSA 256]---+
|                 |
|       . .   .   |
|        =   + .  |
|         + = =   |
|        S * * o  |
|         o * o o.|
|        . + + * +|
|      .ooO.*E* X |
|    .o.o*+B.+o*.+|
+----[SHA256]-----+
Generating Dropbear ED25519 host key.  Please wait.
Generating 256 bit ed25519 key, this may take a while...
256 SHA256:M2QMUYkhLLtOLyRZRDUfguhidpEAEp5o6i9WNmBoc1w /etc/dropbear/initramfs/dropbear_ed25519_host_key (ED25519)
+--[ED25519 256]--+
|==o+* ==..       |
|= =o.E.+.        |
|+=.oo . +        |
|=Oo+   o         |
|Bo=.    S        |
|+ ++     o       |
| *o..            |
| o+ .            |
|. .o             |
+----[SHA256]-----+
update-initramfs: deferring update (trigger activated)
Dropbear has been added to the initramfs. Don't forget to check
your "ip=" kernel bootparameter to match your desired initramfs
ip configuration.

rmdir: failed to remove '/etc/dropbear-initramfs': Directory not empty
ERROR: Couldn't remove directory /etc/dropbear-initramfs
Processing triggers for libc-bin (2.35-0ubuntu3) ...
Illegal instruction
Illegal instruction
dpkg: error processing package libc-bin (--configure):
 installed libc-bin package post-installation script subprocess returned error exit status 132
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for initramfs-tools (0.140ubuntu13) ...
update-initramfs: Generating /boot/initrd.img-5.17.5-meson64
Illegal instruction
Illegal instruction
update-initramfs: Converting to u-boot format
Errors were encountered while processing:
 libc-bin
E: Sub-process /usr/bin/dpkg returned an error code (1)
armbian_rootenc_setup.sh:1149: apt_install_target() failed at command 'apt --yes install $pkgs'
Target script exiting with error (100)
armbian_rootenc_setup.sh:1213: configure_target() failed at command 'chroot $TARGET_ROOT "./$PROGNAME" $ORIG_OPTS 'in_target''
Host script exiting with error (100)
Cleaning up, please wait...
close_loopmount                  OK
umount_target                    OK
update_config_vars_file          OK
remove_build_dir                 OK

 

[mildparanoia]

Hi, MMGen, thank you for your contribution here.

 

I have a Rock Pi 4A+ and am trying to install Armbian to the eMMC module, fully encrypted.

 

After running your script for /dev/mmcblk1 (the eMMC module) I am getting the following error:

 

armbian_rootenc_setup.sh:841: copy_system_root() failed at command 'cryptsetup luksOpen "/dev/$ROOT_DEVNAME" $ROOTFS_NAME'

 

I tried to unlock it manually but it doesn't work:

cryptsetup luksOpen /dev/mmcblk1p2 temp
No key available with this passphrase. 
(Yes I did use the correct key which I entered during the setup script's prompt)

Any suggestions on how to fix this?

 

Found the problem; the script isn't creating the encrypted partition correctly. If I make the luks partition manually, the script works.

 

Edited August 6, 2022 by mildparanoia
Found solution

[MMGen]

On 8/6/2022 at 7:07 AM, mildparanoia said:

Found the problem; the script isn't creating the encrypted partition correctly. If I make the luks partition manually, the script works.

 

Glad you got it to work. Instead of setting up the LUKS partition manually, erasing everything with the -z option might have solved the problem here.

Edited September 5, 2022 by MMGen

[MMGen]

On 5/30/2022 at 9:08 AM, LightJolteon said:

Hello, I've been trying to use the automated script on an Odriod HC4 running Ubuntu Jammy 5.17.5, but it always fails at some point after running APT with some illegal instruction errors. I pasted the output of the script below. I've never really asked for help on one of these forums before and I'm kind of a noob, so if I'm doing something wrong or if more information is needed then let me know.

Sorry for the extreme delay in replying to your post. Since the errors are coming from APT, this could be a distro-specific problem. Have you tried the Bullseye image?

[DIYprojectz]

Dear @MMGen,

 

Thank you for this wonderful guide!

 

Any chance you could include steps necessary to make this guide work with a non-bootable SSD i.e. sitting on a PCIe to SATA controller? Reading the guide, and @Bagel's comments on it, sadly can't figure out.

[MMGen]

@DIYprojectz: It should be possible to put the encrypted root filesystem on a different device than the boot partition, though I've never tried it with an SoC or Armbian. Thanks for the idea. I promise to look into it, but don't expect immediate results as I'm busy with other things at the moment.

[dannyboy]

Just want to say thanks!  I always intended to report back, but failed.  Script worked great for me back in 2021.Mar.02 on PineA64 that has been running perfectly to this day! 

Two important points that made me charge down this path (1) encrypt everything (2) ability to remote unlock via SSH after reboots.

 

Looking at my notes (i.e. a wrapper script that calls MMGen's script that does all hard work and is thoroughly commented).  It took me 4 attempts and what finally worked, was to rebuild all.

...

# Destination device name (e.g. SD card in USB reader)
dstDevNm=sda

export ROOTFS_NAME=somename
export IP_ADDRESS=dhcp
export BOOTPART_LABEL=somenameboot
export DISK_PASSWD=dontlook
export UNLOCKING_USERHOST=

 

# Call main script
#
# [attempt 1] -s use auth keys file, -v verbose, -z wipe all partitions
#./armbian_rootenc_setup.sh -svz $dstDevNm
#
# [attempt 2] Don't wipe all parts.
#./armbian_rootenc_setup.sh -sz $dstDevNm
#
# [attempt 3] only use auth keys
#./armbian_rootenc_setup.sh -s $dstDevNm
#
# [attempt 4] Complete rebuild [THIS WORKED!]
./armbian_rootenc_setup.sh -fFsvz $dstDevNm

...

 

 

I will be using this again to upgrade my setup, after getting the new version of MMGen's script.

Edited February 9, 2023 by dannyboy
upd

[Tim Makarios]

Thank you for the excellent tutorial!

 

Just a little simplification:  Instead of using the script in step 9.9, I put

command="/usr/bin/cryptroot-unlock"

at the start of the line in /etc/dropbear-initramfs/authorized_keys, to force that command when SSHing in using that key.

[stamatov]

i have issue with rock 5

 

rock01:armbian:% sudo ./armbian_rootenc_setup.sh  -R -m -F /dev/sda

             ┌───────────────────────────────────────────────────┐
             │ ⣎⣱ ⡀⣀ ⣀⣀  ⣇⡀ ⠄ ⢀⣀ ⣀⡀   ⣏⡉ ⣀⡀ ⢀⣀ ⡀⣀ ⡀⢀ ⣀⡀ ⣰⡀ ⢀⡀ ⢀⣸ │
             │ ⠇⠸ ⠏  ⠇⠇⠇ ⠧⠜ ⠇ ⠣⠼ ⠇⠸   ⠧⠤ ⠇⠸ ⠣⠤ ⠏  ⣑⡺ ⡧⠜ ⠘⠤ ⠣⠭ ⠣⠼ │
             │     ⣏⡱ ⢀⡀ ⢀⡀ ⣰⡀   ⣏⡉ ⠄ ⡇ ⢀⡀ ⢀⣀ ⡀⢀ ⢀⣀ ⣰⡀ ⢀⡀ ⣀⣀     │
             │     ⠇⠱ ⠣⠜ ⠣⠜ ⠘⠤   ⠇  ⠇ ⠣ ⠣⠭ ⠭⠕ ⣑⡺ ⠭⠕ ⠘⠤ ⠣⠭ ⠇⠇⠇    │
             │                 ⢎⡑ ⢀⡀ ⣰⡀ ⡀⢀ ⣀⡀                    │
             │                 ⠢⠜ ⠣⠭ ⠘⠤ ⠣⠼ ⡧⠜                    │
             └───────────────────────────────────────────────────┘
                      For detailed usage information,
                        invoke with the '-h' switch

get_armbian_image                OK
apt_install_host                 OK
close_loopmount                  OK
umount_target                    OK
remove_build_dir                 OK
  /dev/sda (KINGSTON SNVS1000G 931.5G) doesn’t appear to be an SD card
  for the following reasons:
      Device is non-removable
      Size is > 128GiB
  Are you sure this is the correct device of your blank SD card? (y/N) n
Exiting at user request
rock01:armbian:% nano armbian_rootenc_setup.sh                     
rock01:armbian:% sudo ./armbian_rootenc_setup.sh  -R -m -F /dev/sda

             ┌───────────────────────────────────────────────────┐
             │ ⣎⣱ ⡀⣀ ⣀⣀  ⣇⡀ ⠄ ⢀⣀ ⣀⡀   ⣏⡉ ⣀⡀ ⢀⣀ ⡀⣀ ⡀⢀ ⣀⡀ ⣰⡀ ⢀⡀ ⢀⣸ │
             │ ⠇⠸ ⠏  ⠇⠇⠇ ⠧⠜ ⠇ ⠣⠼ ⠇⠸   ⠧⠤ ⠇⠸ ⠣⠤ ⠏  ⣑⡺ ⡧⠜ ⠘⠤ ⠣⠭ ⠣⠼ │
             │     ⣏⡱ ⢀⡀ ⢀⡀ ⣰⡀   ⣏⡉ ⠄ ⡇ ⢀⡀ ⢀⣀ ⡀⢀ ⢀⣀ ⣰⡀ ⢀⡀ ⣀⣀     │
             │     ⠇⠱ ⠣⠜ ⠣⠜ ⠘⠤   ⠇  ⠇ ⠣ ⠣⠭ ⠭⠕ ⣑⡺ ⠭⠕ ⠘⠤ ⠣⠭ ⠇⠇⠇    │
             │                 ⢎⡑ ⢀⡀ ⣰⡀ ⡀⢀ ⣀⡀                    │
             │                 ⠢⠜ ⠣⠭ ⠘⠤ ⠣⠼ ⡧⠜                    │
             └───────────────────────────────────────────────────┘
                      For detailed usage information,
                        invoke with the '-h' switch

get_armbian_image                OK
apt_install_host                 OK
close_loopmount                  OK
umount_target                    OK
remove_build_dir                 OK
  /dev/sda (KINGSTON SNVS1000G 931.5G) doesn’t appear to be an SD card
  for the following reasons:
      Device is non-removable
      Size is > 128GiB
  Are you sure this is the correct device of your blank SD card? (y/N) y
Will write to target /dev/sda (KINGSTON SNVS1000G 931.5G)
check_sdcard_name_and_params     OK
create_build_dir                 OK

  Enter the IP address of the target machine.
  Enter 'dhcp' for a dynamic IP or 'none' for no remote SSH unlocking support
  IP address: none

  Enter a boot partition label for the target machine,
  or hit ENTER for the default (ARMBIAN_BOOT): 

  Enter a device name for the encrypted root filesystem,
  or hit ENTER for the default (rootfs): 

  Choose a simple disk password for the installation process.
  Once your encrypted system is up and running, you can change
  the password using the 'cryptsetup' command.
  Enter password: 123

  Unlock the disk from the serial console.  WARNING: enabling this will
  make it impossible to unlock the disk using the keyboard and monitor,
  though unlocking via SSH will still work.
  Enable unlocking via serial console? (y/n): n

  Unlock the disk via SSH over USB (g_ether).  Enable this only if your board
  supports USB gadget mode, i.e. if it has a USB OTG port. WARNING: enabling this
  will make it impossible to unlock the disk over the Ethernet interface (eth0).
  Enable unlocking via SSH over USB? (y/n): n

  The following user options are in effect:
  + force full rebuild
  + force reformat of encrypted root partition
  + add all currently loaded modules to initramfs

  Armbian image:                Armbian_22.11.2_Rock-5b_jammy_legacy_5.10.110.img
  Target device:                /dev/sda (KINGSTON SNVS1000G 931.5G)
  Root filesystem device name:  /dev/mapper/rootfs
  Target IP address:            none
  Boot partition label:         ARMBIAN_BOOT
  Disk password:                W3koslad
  Serial console unlocking:     no
  SSH over USB unlocking:       no

  Are these settings correct? (Y/n) y
setup_loopmount                  OK
check_install_state              OK
All data on /dev/sda (KINGSTON SNVS1000G 931.5G) will be destroyed!!!
Are you sure you want to continue? (y/N) y
Creating new partition label on /dev/sda
create_partition_label           OK
Copying boot loader (557056 sectors, 272M):
272+0 records in
272+0 records out
285212672 bytes (285 MB, 272 MiB) copied, 1.40963 s, 202 MB/s
copy_boot_loader                 OK
partition_sd_card                OK
Copying files to boot partition:
rsync: [sender] change_dir "/home/rock/armbian/armbian_rootenc_build/src/boot" failed: No such file or directory (2)
              0 100%    0.00kB/s    0:00:00 (xfr#0, to-chk=0/0)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1333) [sender=3.2.3]
armbian_rootenc_setup.sh:823: copy_system_boot() failed at command 'rsync $RSYNC_VERBOSITY --archive $SRC_ROOT/boot/* $BOOT_ROOT'
Host script exiting with error (23)
Cleaning up, please wait...
close_loopmount                  OK
umount_target                    OK
update_config_vars_file          OK
remove_build_dir                 OK
rock01:armbian:% ls -la
total 2095036
drwxrwxr-x 2 rock rock       4096 Mar 11 15:19 .
drwxr-x--- 7 rock rock       4096 Mar 11 15:23 ..
-rw-r--r-- 1 root root 2982150144 Mar 11 15:19 Armbian_22.11.2_Rock-5b_jammy_legacy_5.10.110.img
-rwxrwxr-x 1 rock rock      39358 Mar 11 15:15 armbian_rootenc_setup.sh

 

[Igor]

On 3/11/2023 at 6:10 PM, stamatov said:

i have issue with rock 5

Try with something that is close to standards, mainline based (older) rockchip / allwinner, x86, Rpi ... when this is confirmed working there, move on

[Vasir]

Orangepi5 installed successfully using this process. Did not work on bookworm but worked on Orangepi5_1.1.6_debian_bullseye_server_linux5.10.110 with small modifications. 

 

[Tim Makarios]

I used this tutorial as the basis of my own script, which is heavily adapted for my own needs.  It worked for me, getting a bookworm CLI image to run on a Libre Computer Renegade.

 

Although I made lots of changes, I think the only ones necessary for getting it to work on a bookworm image were replacing "etc/dropbear-initramfs" with "etc/dropbear/initramfs" twice in step 9.4, and replacing "etc/dropbear-initramfs/config" with "etc/dropbear/initramfs/dropbear.conf" twice in step 9.7.  Perhaps this was the problem @Vasir encountered?