
Mate-Desktop with "Full Disk Encryption"



Posted (edited)

Armbian/Jammy is working like a charm, thanks guys.

 

Setting up the encryption was a bit of a bitch but it's working as you can see.

Any chance of adding encryption to the installer?

 

:love:

 

mate.png

Edited by Dantes
Posted
7 hours ago, Dantes said:

Any chance of adding encryption to the installer?

Feel free to do that. Your contribution is appreciated. I suggest to start here:

 

  • Solution
Posted (edited)

Alright, here is a "proof of concept" script :beer:

 

I can't modify the installer, I'm not that savvy.

But I took your tutorial and scripted it to my needs.

It's been tested (on jammy) and it works.

 

Basically it comes down to this:

 

1. Download the script

2. Copy it to the jammy sdcard

3. Boot with the sdcard and fill out Armbian questionnaire

4. chmod +x nanopi6_fde

5. ./nanopi6_fde

6. In the armbian-installer choose

  • boot from emmc
  • filesystem is ext4 (change the script if you want something else)
  • exit after installation

7. At the end it prompts you for a passphrase

8. Reboot

 

#!/bin/sh -vxe
WORKDIR=$(mktemp -d -p /dev/shm)           # faster running from memory
#WORKDIR=/mnt                           # slower running from storage

# 1. boot from sdcard (ubuntu/jammy), then update and install:
apt update && apt upgrade
apt install cryptsetup-bin gdisk

# 2. run armbian-install and install to emmc/ext4, when done choose: exit
armbian-install || true

# 3. backup data (the copy lives in ${WORKDIR}, i.e. in memory)
mkdir -p ${WORKDIR}/emmcdata
mount /dev/mmcblk2p1 ${WORKDIR}/emmcdata
rsync -a --info=progress2 ${WORKDIR}/emmcdata/. ${WORKDIR}/backup
sync
umount /dev/mmcblk2p1
rmdir ${WORKDIR}/emmcdata

# 4. create new partition layout: 512M plain /boot, rest becomes the LUKS container
sgdisk -og /dev/mmcblk2
sgdisk -n 1:32768:+512M -t 0:8300 /dev/mmcblk2
sgdisk -n 0:0:0 -t 0:8300 /dev/mmcblk2

# 5. create partitions
mkfs.ext4 -F -L bootfs /dev/mmcblk2p1
# temporary 64-byte random keyfile; it only unlocks the slot until the
# passphrase replaces it in step 15, then it is deleted
dd if=/dev/urandom bs=$((512/8)) count=1 of=/dev/shm/keyfile
chmod 600 /dev/shm/keyfile
cryptsetup luksFormat --batch-mode --cipher=aes-xts-plain64 --key-size=512 \
  --hash=sha512 /dev/mmcblk2p2 /dev/shm/keyfile
cryptsetup open /dev/mmcblk2p2 rootfs --key-file=/dev/shm/keyfile
mkfs.ext4 -L rootfs /dev/mapper/rootfs

# 6. mount partitions
mkdir -p ${WORKDIR}/restore
mount /dev/mapper/rootfs ${WORKDIR}/restore
mkdir -p ${WORKDIR}/restore/boot
mount /dev/mmcblk2p1 ${WORKDIR}/restore/boot

# 7. restore from backup
rsync -a --info=progress2 ${WORKDIR}/backup/. ${WORKDIR}/restore
sync

# 8. disable rootfs resize (armbian's first-boot resize would not understand the mapper device)
touch ${WORKDIR}/restore/root/.no_rootfs_resize

# 9. prepare chroot environment (all paths below are relative to the new root)
cd ${WORKDIR}/restore
mount -o rbind /dev dev
mount -t proc proc proc
mount -t sysfs sys sys
cat /etc/resolv.conf > etc/resolv.conf
cat /etc/hosts > etc/hosts
cat /etc/apt/sources.list > etc/apt/sources.list
cat /etc/apt/sources.list.d/armbian.list > etc/apt/sources.list.d/armbian.list

#10. change armbian environment: boot from the mapper device instead of the raw partition
sed -i '/^bootlogo=/s,=.*,=false,;/^rootdev=/s,=.*,=/dev/mapper/rootfs,' boot/armbianEnv.txt

#11. add necessary modules to initramfs (everything currently loaded)
lsmod | cut -d ' ' -f1 | tail -n+2 > etc/initramfs-tools/modules

#12. create etc/crypttab (UUID of the LUKS container, unlocked from the initramfs)
echo "rootfs UUID=$(lsblk /dev/mmcblk2p2 --nodeps --noheadings -o UUID) none initramfs,luks" > etc/crypttab

#13. create etc/fstab
echo "/dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1" > etc/fstab
echo "UUID=$(lsblk /dev/mmcblk2p1 --nodeps --noheadings -o UUID) /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2" >> etc/fstab
echo "tmpfs /tmp tmpfs defaults,nosuid 0 0" >> etc/fstab

#14. chrooted environment: install cryptsetup-initramfs and verify it landed in the initrd
#    (the grep fails, and so does the script, if cryptsetup is missing from the ramdisk)
cat << EOF > config
#!/bin/sh -vx
apt update
echo 'force-confdef' > /root/.dpkg.cfg
apt --yes install cryptsetup-initramfs
rm /root/.dpkg.cfg
lsinitramfs /boot/initrd.img* | grep 'usr.*cryptsetup'
exit
EOF
chmod +x config
chroot . ./config
rm config

#15. user input needed: new passphrase (temporary keyfile becomes obsolete)
cryptsetup luksChangeKey --key-file=/dev/shm/keyfile --cipher=aes-xts-plain64 --hash=sha512 /dev/mmcblk2p2
rm -f /dev/shm/keyfile

#16. unmount everything, deepest mount first; leave the tree first or it stays busy
cd /
mount | awk '/restore/{print $3}' | sort -r | xargs umount
cryptsetup close rootfs

#17. poweroff, eject sdcard, power on (the in-memory backup goes with the workdir)
[ -d "${WORKDIR}" ] && rm -rf "${WORKDIR}"

 

nanopi6_fde

Edited by Dantes
fixed some typos
Posted

Hi!

I love your guide, this is exactly what I need. I tried it with the CM3588 Plus and its 3 different Armbian images available here.

 

The script executed fine. There was a hiccup at step 16: some stubborn mounts did not want to unmount, and also AI says that the command should be more like this: 'mount | awk '/restore/{print $3}' | sort -r | xargs -I {} umount {}'. 😁

 

But I cannot boot the system. I was wondering how you get the bootloader to ask for a password so the root partition can be opened.

All I get is this:

IMG_20241029_175234_1.jpg

IMG_20241029_175254_1.jpg

IMG_20241029_175311_1.jpg

Posted (edited)

This has been a while :lol:, so I'm going from memory here:

 

Cryptsetup-initramfs should be installed into the ramdisk (initrd), that's why it fails. So something goes wrong in step 14. Try executing the steps manually (1-16) and check if you have internet in your chroot. It asks for /dev/mapper/rootfs but that device is not there, which indicates the cryptsetup module is not loaded. That's why you did not get the password prompt and thus the disk is still encrypted.

 

## Something goes wrong here, try executing all the steps manually (1-16). Step by step.
## If the cryptsetup module is not inserted/loaded, you will get that error.

#14. chrooted environment
cat << EOF > config
#!/bin/sh -vx
apt update
echo 'force-confdef' > /root/.dpkg.cfg
apt --yes install cryptsetup-initramfs
rm /root/.dpkg.cfg
lsinitramfs /boot/initrd.img* | grep 'usr.*cryptsetup'
exit
EOF
chmod +x config
chroot . ./config
rm config

 

Good luck.

 

Edited by Dantes
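A pre-reboot check for the layout the script above builds, written as an added example for this thread (it is not Dantes's script and not part of Armbian). The failure reported in the thread, no passphrase prompt because the initrd never got cryptsetup, is only visible after the reboot; this checker looks at the still-mounted target before step 16 and flags it. It assumes the mapper name "rootfs" and the file locations the script uses (boot/armbianEnv.txt, etc/crypttab, etc/fstab) and that you saved the output of "lsinitramfs /boot/initrd.img*" from the chroot to a file; the UUIDs and initrd listings in make_sample are constructed for the demo.

```shell
#!/bin/sh
# fde_check.sh: pre-reboot sanity check for the LUKS root layout that the
# nanopi6_fde script builds. Usage: fde_check.sh RESTORE_DIR LSINITRAMFS_LISTING
# (RESTORE_DIR is the script's ${WORKDIR}/restore while it is still mounted).
# With no arguments it runs on two constructed sample trees, one good, one
# reproducing the failure discussed in the thread. Mapper name "rootfs" and the
# file locations are the script's; sample UUIDs and listings are made up.

check_rootdev() {        # $1 = boot/armbianEnv.txt: kernel must be told to use the mapper device
    grep -q '^rootdev=/dev/mapper/rootfs$' "$1"
}

check_crypttab() {       # $1 = etc/crypttab: rootfs mapped by UUID, unlocked from the initramfs
    grep -Eq '^rootfs[[:space:]]+UUID=[0-9a-f-]{36}[[:space:]]+none[[:space:]]+(.*,)?initramfs(,.*)?$' "$1"
}

check_fstab() {          # $1 = etc/fstab: / from the mapper device, /boot by UUID
    grep -Eq '^/dev/mapper/rootfs[[:space:]]+/[[:space:]]+ext4' "$1" &&
        grep -Eq '^UUID=[0-9a-f-]{36}[[:space:]]+/boot[[:space:]]+ext4' "$1"
}

check_initramfs() {      # $1 = saved lsinitramfs listing: cryptsetup binary and cryptroot hook present
    grep -q 'usr.*cryptsetup' "$1" && grep -q 'local-top/cryptroot' "$1"
}

# check_target DIR LISTING: run every check, print one line per check and
# return the number of failures (0 means it is safe to unmount and reboot).
check_target() {
    fails=0
    for c in rootdev:boot/armbianEnv.txt crypttab:etc/crypttab fstab:etc/fstab; do
        name=${c%%:*}
        file=$1/${c#*:}
        if [ -f "$file" ] && "check_$name" "$file"; then
            echo "ok   $name"
        else
            echo "FAIL $name ($file)"
            fails=$((fails + 1))
        fi
    done
    if check_initramfs "$2"; then
        echo "ok   initramfs"
    else
        echo "FAIL initramfs (no cryptsetup in $2, so no passphrase prompt at boot)"
        fails=$((fails + 1))
    fi
    return $fails
}

# make_sample good|bad: build a constructed target tree in a temp dir (made-up
# UUIDs, fake initrd listing) so the checker can be exercised without hardware.
# The "bad" tree has armbianEnv.txt still naming the raw partition and an
# initrd without cryptsetup, i.e. step 10 and step 14 did not take effect.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/boot" "$d/etc"
    if [ "$1" = good ]; then
        echo 'rootdev=/dev/mapper/rootfs' > "$d/boot/armbianEnv.txt"
        printf 'usr/sbin/cryptsetup\nscripts/local-top/cryptroot\n' > "$d/initrd.lst"
    else
        echo 'rootdev=/dev/mmcblk2p1' > "$d/boot/armbianEnv.txt"
        printf 'usr/sbin/fsck\n' > "$d/initrd.lst"
    fi
    echo 'rootfs UUID=11111111-2222-3333-4444-555555555555 none initramfs,luks' > "$d/etc/crypttab"
    printf '/dev/mapper/rootfs / ext4 defaults 0 1\nUUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /boot ext4 defaults 0 2\n' > "$d/etc/fstab"
    echo "$d"
}

# Two arguments: check a real target. Otherwise: demo on both constructed samples.
if [ "$#" -eq 2 ] && [ -d "$1" ]; then
    check_target "$1" "$2"
else
    for kind in good bad; do
        d=$(make_sample "$kind")
        echo "== constructed $kind sample"
        check_target "$d" "$d/initrd.lst" || true
        rm -rf "$d"
    done
fi
```

On the real board, run it from the chroot's parent shell after step 14 and before step 16, with the listing saved from inside the chroot; a FAIL on initramfs is the condition that produced the "cannot boot" reports above, and it is far cheaper to fix while the target is still mounted than after the eMMC has been booted.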
