Dantes Posted June 2, 2023 Share Posted June 2, 2023 (edited) Armbian/Jammy is working like a charm, thanks guys. Settings up the encryption was a bit of bitch but its working as you can see. Any chance of adding encryption to the installer? Edited June 2, 2023 by Dantes 0 Quote Link to comment Share on other sites More sharing options...
Werner Posted June 3, 2023 Share Posted June 3, 2023 7 hours ago, Dantes said: Any chance of adding encryption to the installer? Feel free to do that. Your contribution is appreciated. I suggest to start here: 0 Quote Link to comment Share on other sites More sharing options...
Dantes Posted June 3, 2023 Author Share Posted June 3, 2023 (edited) Alright here is a "proof of concept" script I can't modify the installer, I'm not that savvy. But I took your tutorial and scripted it to my needs. Its been tested (on jammy) and it works. nanopi6_fdeBasically it comes down to this 1. Download the script 2. Copy it to the jammy sdcard 3. Boot with the sdcard and fill out Armbian questionnaire 4. chmod +x nanopi6_fde 5 ./nanopi6_fde 6. In the armbian-installer choose boot from emmc filesystem is ext4 (change the script if you want something else) exit after installation 7. At the end it prompts you for a passphrase 8. Reboot #!/bin/sh -vxe WORKDIR=$(mktemp -d -p /dev/shm) #faster running from memory #WORKDIR=/mmt #slower running from storage # 1. boot from sdcard (ubuntu/jammy), then update and install: apt update && apt upgrade apt install cryptsetup-bin gdisk # 2. run armbian-install and install to emmc/ext4, when done choose: exit armbian-install || true # 3. backup data mkdir -p ${WORKDIR}/emmcdata mount /dev/mmcblk2p1 ${WORKDIR}/emmcdata rsync -a --info=progress2 ${WORKDIR}/emmcdata/. ${WORKDIR}/backup sync umount /dev/mmcblk2p1 rmdir ${WORKDIR}/emmcdata # 4. create new partition layout sgdisk -og /dev/mmcblk2 sgdisk -n 1:32768:+512M -t 0:8300 /dev/mmcblk2 sgdisk -n 0:0:0 -t 0:8300 /dev/mmcblk2 # 5. create partitions mkfs.ext4 -F -L bootfs /dev/mmcblk2p1 dd if=/dev/zero bs=$((512/8)) count=1 of=/dev/shm/keyfile cryptsetup luksFormat --batch-mode --cipher=aes-xts-plain64 --key-size=512 \ --hash=sha512 /dev/mmcblk2p2 /dev/shm/keyfile cryptsetup open /dev/mmcblk2p2 rootfs --key-file=/dev/shm/keyfile mkfs.ext4 -L rootfs /dev/mapper/rootfs # 6. mount partitions mkdir -p ${WORKDIR}/restore mount /dev/mapper/rootfs ${WORKDIR}/restore mkdir -p ${WORKDIR}/restore/boot mount /dev/mmcblk2p1 ${WORKDIR}/restore/boot # 7. restore from backup rsync -a --info=progress2 ${WORKDIR}/backup/. ${WORKDIR}/restore sync # 8. disable rootfs resize?? touch ${WORKDIR}/restore/root/.no_rootfs_resize # 9. prepare chroot environment cd ${WORKDIR}/restore mount -o rbind /dev dev mount -t proc proc proc mount -t sysfs sys sys cat /etc/resolv.conf > etc/resolv.conf cat /etc/hosts > etc/hosts cat /etc/apt/sources.list > etc/apt/sources.list cat /etc/apt/sources.list.d/armbian.list > etc/apt/sources.list.d/armbian.list #10. change armbian environment sed -i '/^bootlogo=/s,=.*,=false,;/^rootdev=/s,=.*,=/dev/mapper/rootfs,' boot/armbianEnv.txt #11. add necessary modules to initramfs lsmod | cut -d ' ' -f1 | tail -n+2 > etc/initramfs-tools/modules #12. create etc/crypttab echo "rootfs UUID=$(lsblk /dev/mmcblk2p2 --nodeps --noheadings -o UUID) none initramfs,luks" > etc/crypttab #13. create etc/fstab echo "/dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1" > etc/fstab echo "UUID=$(lsblk /dev/mmcblk2p1 --noheadings -o UUID) /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2" >> etc/fstab echo "tmpfs /tmp tmpfs defaults,nosuid 0 0" >> etc/fstab #14. chrooted environment cat << EOF > config #!/bin/sh -vx apt update echo 'force-confdef' > /root/.dpkg.cfg apt --yes install cryptsetup-initramfs rm /root/.dpkg.cfg lsinitramfs /boot/initrd.img* | grep 'usr.*cryptsetup' exit EOF chmod +x config chroot . ./config rm config #15. user input needed: new passphrase (temporary keyfile becomes obsolete) cryptsetup luksChangeKey --key-file=/dev/shm/keyfile --cipher=aes-xts-plain64 --hash=sha512 /dev/mmcblk2p2 #16. unmount everything umount | awk '/restore/{print $3}' | sort -r | xargs umount #17. poweroff, eject sdcard, power on [ -d "${WORKDIR}" ] && rmdir "${WORKDIR}" nanopi6_fde Edited June 4, 2023 by Dantes fixed some typo's 0 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.