Jump to content

Mate-Desktop with "Full Disk Encryption"


Recommended Posts

Armbian/Jammy is working like a charm, thanks guys.


Settings up the encryption was a bit of bitch but its working as you can see.

Any chance of adding encryption to the installer?





Edited by Dantes
Link to comment
Share on other sites

Alright here is a "proof of concept" script :beer:


I can't modify the installer, I'm not that savvy.

But I took your tutorial and scripted it to my needs.

Its been tested (on jammy) and it works.


nanopi6_fdeBasically it comes down to this


1. Download the script

2. Copy it to the jammy sdcard

3. Boot with the sdcard and fill out Armbian questionnaire

4. chmod +x nanopi6_fde

5 ./nanopi6_fde

6. In the armbian-installer choose

  • boot from emmc
  • filesystem is ext4 (change the script if you want something else)
  • exit after installation

7. At the end it prompts you for a passphrase

8. Reboot


#!/bin/sh -vxe
WORKDIR=$(mktemp -d -p /dev/shm)           #faster running from memory
#WORKDIR=/mmt                           #slower running from storage

# 1. boot from sdcard (ubuntu/jammy), then update and install:
apt update && apt upgrade
apt install cryptsetup-bin gdisk

# 2. run armbian-install and install to emmc/ext4, when done choose: exit
armbian-install || true

# 3. backup data
mkdir -p ${WORKDIR}/emmcdata
mount /dev/mmcblk2p1 ${WORKDIR}/emmcdata
rsync -a --info=progress2 ${WORKDIR}/emmcdata/. ${WORKDIR}/backup
umount /dev/mmcblk2p1
rmdir ${WORKDIR}/emmcdata

# 4. create new partition layout
sgdisk -og /dev/mmcblk2
sgdisk -n 1:32768:+512M -t 0:8300 /dev/mmcblk2
sgdisk -n 0:0:0 -t 0:8300 /dev/mmcblk2

# 5. create partitions
mkfs.ext4 -F -L bootfs /dev/mmcblk2p1
dd if=/dev/zero bs=$((512/8)) count=1 of=/dev/shm/keyfile
cryptsetup luksFormat --batch-mode --cipher=aes-xts-plain64 --key-size=512 \
  --hash=sha512 /dev/mmcblk2p2 /dev/shm/keyfile
cryptsetup open /dev/mmcblk2p2 rootfs --key-file=/dev/shm/keyfile
mkfs.ext4 -L rootfs /dev/mapper/rootfs

# 6. mount partitions
mkdir -p ${WORKDIR}/restore
mount /dev/mapper/rootfs ${WORKDIR}/restore
mkdir -p ${WORKDIR}/restore/boot
mount /dev/mmcblk2p1 ${WORKDIR}/restore/boot

# 7. restore from backup
rsync -a --info=progress2 ${WORKDIR}/backup/. ${WORKDIR}/restore

# 8. disable rootfs resize??
touch ${WORKDIR}/restore/root/.no_rootfs_resize

# 9. prepare chroot environment
cd ${WORKDIR}/restore
mount -o rbind /dev dev
mount -t proc proc proc
mount -t sysfs sys sys
cat /etc/resolv.conf > etc/resolv.conf
cat /etc/hosts > etc/hosts
cat /etc/apt/sources.list > etc/apt/sources.list
cat /etc/apt/sources.list.d/armbian.list > etc/apt/sources.list.d/armbian.list

#10. change armbian environment
sed -i '/^bootlogo=/s,=.*,=false,;/^rootdev=/s,=.*,=/dev/mapper/rootfs,' boot/armbianEnv.txt

#11. add necessary modules to initramfs
lsmod | cut -d ' ' -f1 | tail -n+2 > etc/initramfs-tools/modules

#12. create etc/crypttab
echo "rootfs UUID=$(lsblk /dev/mmcblk2p2 --nodeps --noheadings -o UUID) none initramfs,luks" > etc/crypttab

#13. create etc/fstab
echo "/dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1" > etc/fstab
echo "UUID=$(lsblk /dev/mmcblk2p1 --noheadings -o UUID) /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2" >> etc/fstab
echo "tmpfs /tmp tmpfs defaults,nosuid 0 0" >> etc/fstab

#14. chrooted environment
cat << EOF > config
#!/bin/sh -vx
apt update
echo 'force-confdef' > /root/.dpkg.cfg
apt --yes install cryptsetup-initramfs
rm /root/.dpkg.cfg
lsinitramfs /boot/initrd.img* | grep 'usr.*cryptsetup'
chmod +x config
chroot . ./config
rm config

#15. user input needed: new passphrase (temporary keyfile becomes obsolete)
cryptsetup luksChangeKey --key-file=/dev/shm/keyfile --cipher=aes-xts-plain64 --hash=sha512 /dev/mmcblk2p2

#16. unmount everything
umount | awk '/restore/{print $3}' | sort -r | xargs umount 

#17. poweroff, eject sdcard, power on
[ -d "${WORKDIR}" ] && rmdir "${WORKDIR}"



Edited by Dantes
fixed some typo's
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

Terms of Use - Privacy Policy - Guidelines