quaSimba Posted September 9, 2025

Thanks for the reply. In the end I solved it by following also a few steps from over here. I don't know exactly what did the trick, but actually I assume it was pure coincidence: my ethernet device is actually called en0, not eth0. During my first run through this tutorial I wasn't aware of that. I think I simply forgot to change this bit in my recent try and luckily got it working that way.

About the systemd-cryptsetup: I don't know if I understand correctly, but doesn't this do some of the steps automatically which we set up manually? If so, maybe it should be adopted to this tutorial in the future …
fxkl47BF Posted September 22, 2025

Thanks for all the work you put in to this application. I've done this on most all of my systems and it was a bit tedious and fiddly. With just a few tweaks it ran through with no errors on my hc4 with bookworm.

One question: why remove bash-completion and command-not-found packages?
quaSimba Posted October 29, 2025

Quick note on what I also had to change to get it running on my Raspi: in fstab, the option "commit=600" won't work as the Armbian version for Raspis uses a FAT32 boot partition. Apparently "commit" doesn't work with that file system. To get it working, my fstab reads:

    …
    UUID=[ID] /boot vfat defaults,noatime,nodiratime 0 2
    …
MMGen (Author) Posted yesterday at 06:59 AM

@quaSimba: Thanks for your remarks and the link to the guide on Github. Hopefully I'll one day have a RPi to work with so I can support it in my script and tutorial.

@fxkl47BF: The completion packages were removed because they can be horribly laggy on low-powered SoCs and I find them annoying in general. They can be easily reinstalled if desired.
quaSimba Posted 1 hour ago (edited)

How to get this working on your Raspberry Pi (5)

Hello all. Thanks again, @MMGen, for offering this fantastic tutorial. As mentioned before, it was the foundation for me to encrypt my Raspi 5, although the tutorial wasn't intended for that. I had to make some adjustments to get it working. But first some reasoning.

What's the difference?

The Armbian image for Raspi comes with two partitions:

- FAT32 for booting
- ext4 as a root

Out of the box it already resembles the result that we try to achieve. I assume that this is due to the different booting process of a Raspi compared to other single-board computers.

Download the desired image from:

- https://www.armbian.com/rpi4b/
- https://mirrors.dotsrc.org/armbian-dl/rpi4b/archive/ → more images

(I only tested my approach with the minimal Trixie image, kernel version 6.12.41 to .58, and would be delighted to know if somebody also got it working with other derivatives.)

Changes to the original tutorial:

Basically I followed the tutorial (versions Oct 25 to Jan 26) except for the steps below where I had to make some adjustments. If the original tutorial receives major updates (e.g. in its structure) please consider that, as I might not keep this post up to date.

Step 6:

As the type of the boot partition needs to be FAT32 instead of ext4, in fdisk change the partition type (hit t) to FAT32 (0b or just b in the partition list l). I also adjusted the size of this partition to +1G, just in case, but that shouldn't make a difference. Here's the final partition table:

    Device               Boot Start   End        Sectors    Size Id Type
    /dev/<your-drive>p1       8192    2105343    2097152    1G   b  W95 FAT32
    /dev/<your-drive>p2       2105344 3907029167 3904923824 1.8T 83 Linux

I'm using an NVME drive instead of an SD card. I guess that won't make a difference. I always replaced sda with nvme0n1 when I followed the tutorial. I also increased p1's size to a whole GB, just to be sure.
Step 7:

    mkfs -t vfat /dev/<your-drive>p1
    # NOT: mkfs.ext4 /dev/<your-drive>p1
    # e2label /dev/sda1 CRYPTO_BOOT won't work on FAT32 partitions

Step 8:

Because there is no label on the FAT32 partition, just link it manually:

    BOOT_PART=/dev/<your-device>p1

In my image, the resolv.conf was already present and symlinked to /run/systemd/resolve/stub-resolv.conf. I had to rename it to etc/resolv.conf.old and only then did:

    cat /etc/resolv.conf > etc/resolv.conf

Step 9:

Now it gets a bit hairy. As already explained, the Armbian Raspi image works a bit differently. It holds the following partitions:

- P1: is the boot partition. During (or after?) the boot process it will be mounted to P2:/boot/firmware. P2 contains a cmdline.txt (content covered below) which is the config file to make the adjustments from Step 9.1 for the boot partition.
- P2: is our root partition. P1:/boot does contain an armbianEnv.txt but that is not the config file used during the initial boot process for the unlocking system.

Step 9.1:

At this point in the tutorial P2 is mounted to root/boot, so you can nano boot/cmdline.txt and change its content to:

    console=serial0,115200 console=tty1 loglevel=1 root=/dev/mapper/<custom-name-or-rootfs> rootdev=/dev/mapper/<custom-name-or-rootfs> rootfstype=ext4 fsck.repair=yes rootwait logo.nologo cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory

I was hesitant to make further changes besides the root and rootdev entries or break the line but probably that's also feasible.

Step 9.2:

Skipped.

Step 9.7:

As the boot partition is FAT32, etc/fstab has to know about it too. Also notice that commit=600 results in a failure to mount it to /boot/firmware after unlocking and rebooting (took me days before I could plug a display to my Raspi, read the boot log and figure out that line as the source of failure). Therefore I deleted the commit declaration.
    /dev/mapper/<custom-name-or-rootfs> / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1
    UUID=<BOOT_UUID> /boot/firmware vfat defaults,noatime,nodiratime,errors=remount-ro 0 2
    tmpfs /tmp tmpfs defaults,nosuid 0 0

Step 10:

Add systemd-cryptsetup (when using Trixie or higher) to the install list in the chroot (thanks to @The Tall Man for mentioning; automatic install worked for me btw).

    apt --yes install systemd cryptsetup cryptsetup-initramfs dropbear-initramfs

In principle that should be it and I just followed the rest of the tutorial. But after the initrd.img got generated I always had to make adjustments, after which I had to recreate it. update-initramfs is always suspiciously fast so I just used the approach from this tutorial:

    KERNEL_VERSION=$(ls /lib/modules/)
    echo "CONFIG_RD_ZSTD=y" > /boot/config-$KERNEL_VERSION  # to use the right decompression method
    mkinitramfs -o /boot/initrd.img $KERNEL_VERSION
    rm /boot/config-$KERNEL_VERSION  # remove the config

If you want to keep the original initrd.img as a backup you can just copy it before running the above commands but of course it won't work with our encrypted boot. You can give the .img output file a different name. Don't forget to change the line initramfs initrd.img followkernel in boot/config.txt accordingly.

Don't forget ssh-keygen -A.

That's it

Please let me know if it worked for your Raspi. Good luck.

@MMGen: If you find this sub-tutorial helpful enough, please consider linking it in your original post or feel free to incorporate it. It took me quite some days to figure out all the necessary changes and borrow from other sources. Would be nice to spare others and this thread is a top rank in search engines. As you can see I used a name other than rootfs as my device name – the ability to change that could be a nice feature for the next version of your script.

Cheers!

Edited 1 hour ago by quaSimba
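A pre-reboot check for the two pitfalls described in the post above (a commit= option on the vfat entry in fstab, and root=/rootdev= in cmdline.txt not pointing at the mapper device), as an added example that is not part of the original post or of MMGen's script. The function names, the mapper name cryptroot and the sample UUID are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the files edited in steps 9.1 and 9.7 before rebooting.

# check_fstab FILE: report vfat entries carrying commit=, which vfat does not accept.
check_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }          # skip comments and blank/short lines
        $3 == "vfat" && ("," $4 ",") ~ /,commit=[0-9]+,/ {
            printf "fstab: %s is vfat but has commit= in \"%s\"\n", $2, $4
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# check_cmdline FILE NAME: root= and rootdev= must both be /dev/mapper/NAME.
check_cmdline() {
    want="/dev/mapper/$2"
    for key in root rootdev; do
        got=$(tr ' ' '\n' < "$1" | sed -n "s/^$key=//p" | tail -n 1)
        if [ "$got" != "$want" ]; then
            echo "cmdline: $key=$got, expected $want"
            return 1
        fi
    done
}

# Demo on constructed input (cryptroot and the UUID are made-up sample values).
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '/dev/mapper/cryptroot / ext4 defaults,noatime,commit=600,errors=remount-ro 0 1' \
        'UUID=ABCD-1234 /boot/firmware vfat defaults,noatime,commit=600 0 2' > "$d/fstab"
    echo 'console=tty1 root=/dev/mapper/cryptroot rootdev=/dev/mapper/cryptroot rootfstype=ext4 rootwait' > "$d/cmdline.txt"
    check_fstab "$d/fstab" || echo "-> drop commit= from the vfat line"
    check_cmdline "$d/cmdline.txt" cryptroot && echo "cmdline OK"
    rm -rf "$d"
}

if [ $# -eq 3 ]; then
    check_fstab "$1" && check_cmdline "$2" "$3"
else
    demo
fi
```

Saved under a name of your choice (check.sh here is hypothetical), it can be run from the mounted root as `sh check.sh etc/fstab boot/cmdline.txt <custom-name-or-rootfs>`; with no arguments it runs the constructed demo.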