Dantes Posted June 2, 2023 (edited)

Armbian/Jammy is working like a charm, thanks guys. Setting up the encryption was a bit of a bitch but it's working as you can see. Any chance of adding encryption to the installer?

Edited June 2, 2023 by Dantes

Werner Posted June 3, 2023

> 7 hours ago, Dantes said:
> Any chance of adding encryption to the installer?

Feel free to do that. Your contribution is appreciated. I suggest starting here:

Solution: Dantes Posted June 3, 2023 (edited)

Alright, here is a "proof of concept" script. I can't modify the installer, I'm not that savvy. But I took your tutorial and scripted it to my needs. It's been tested (on jammy) and it works.

nanopi6_fde

Basically it comes down to this:

1. Download the script
2. Copy it to the jammy sdcard
3. Boot with the sdcard and fill out the Armbian questionnaire
4. chmod +x nanopi6_fde
5. ./nanopi6_fde
6. In the armbian-installer choose boot from emmc, filesystem is ext4 (change the script if you want something else), exit after installation
7. At the end it prompts you for a passphrase
8. Reboot

```sh
#!/bin/sh -vxe

WORKDIR=$(mktemp -d -p /dev/shm) #faster running from memory
#WORKDIR=/mmt #slower running from storage

# 1. boot from sdcard (ubuntu/jammy), then update and install:
apt update && apt upgrade
apt install cryptsetup-bin gdisk

# 2. run armbian-install and install to emmc/ext4, when done choose: exit
armbian-install || true

# 3. backup data
mkdir -p ${WORKDIR}/emmcdata
mount /dev/mmcblk2p1 ${WORKDIR}/emmcdata
rsync -a --info=progress2 ${WORKDIR}/emmcdata/. ${WORKDIR}/backup
sync
umount /dev/mmcblk2p1
rmdir ${WORKDIR}/emmcdata

# 4. create new partition layout
sgdisk -og /dev/mmcblk2
sgdisk -n 1:32768:+512M -t 0:8300 /dev/mmcblk2
sgdisk -n 0:0:0 -t 0:8300 /dev/mmcblk2

# 5. create partitions
mkfs.ext4 -F -L bootfs /dev/mmcblk2p1
# temporary all-zero keyfile, replaced by a passphrase in step 15
dd if=/dev/zero bs=$((512/8)) count=1 of=/dev/shm/keyfile
cryptsetup luksFormat --batch-mode --cipher=aes-xts-plain64 --key-size=512 \
  --hash=sha512 /dev/mmcblk2p2 /dev/shm/keyfile
cryptsetup open /dev/mmcblk2p2 rootfs --key-file=/dev/shm/keyfile
mkfs.ext4 -L rootfs /dev/mapper/rootfs

# 6. mount partitions
mkdir -p ${WORKDIR}/restore
mount /dev/mapper/rootfs ${WORKDIR}/restore
mkdir -p ${WORKDIR}/restore/boot
mount /dev/mmcblk2p1 ${WORKDIR}/restore/boot

# 7. restore from backup
rsync -a --info=progress2 ${WORKDIR}/backup/. ${WORKDIR}/restore
sync

# 8. disable rootfs resize??
touch ${WORKDIR}/restore/root/.no_rootfs_resize

# 9. prepare chroot environment
cd ${WORKDIR}/restore
mount -o rbind /dev dev
mount -t proc proc proc
mount -t sysfs sys sys
cat /etc/resolv.conf > etc/resolv.conf
cat /etc/hosts > etc/hosts
cat /etc/apt/sources.list > etc/apt/sources.list
cat /etc/apt/sources.list.d/armbian.list > etc/apt/sources.list.d/armbian.list

#10. change armbian environment
sed -i '/^bootlogo=/s,=.*,=false,;/^rootdev=/s,=.*,=/dev/mapper/rootfs,' boot/armbianEnv.txt

#11. add necessary modules to initramfs
lsmod | cut -d ' ' -f1 | tail -n+2 > etc/initramfs-tools/modules

#12. create etc/crypttab
echo "rootfs UUID=$(lsblk /dev/mmcblk2p2 --nodeps --noheadings -o UUID) none initramfs,luks" > etc/crypttab

#13. create etc/fstab
echo "/dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1" > etc/fstab
echo "UUID=$(lsblk /dev/mmcblk2p1 --noheadings -o UUID) /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2" >> etc/fstab
echo "tmpfs /tmp tmpfs defaults,nosuid 0 0" >> etc/fstab

#14. chrooted environment
cat << EOF > config
#!/bin/sh -vx
apt update
echo 'force-confdef' > /root/.dpkg.cfg
apt --yes install cryptsetup-initramfs
rm /root/.dpkg.cfg
lsinitramfs /boot/initrd.img* | grep 'usr.*cryptsetup'
exit
EOF
chmod +x config
chroot . ./config
rm config

#15. user input needed: new passphrase (temporary keyfile becomes obsolete)
cryptsetup luksChangeKey --key-file=/dev/shm/keyfile --cipher=aes-xts-plain64 --hash=sha512 /dev/mmcblk2p2

#16. unmount everything (mount lists the mount points; umount without arguments lists nothing)
mount | awk '/restore/{print $3}' | sort -r | xargs umount

#17. poweroff, eject sdcard, power on
[ -d "${WORKDIR}" ] && rmdir "${WORKDIR}"
```

Edited June 4, 2023 by Dantes: fixed some typos

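Added example, not part of Dantes's post or of the Armbian installer: a pre-reboot check that the files written in steps 10, 12 and 13 of the script above agree with each other, meant to be called as `check_fde_config "${WORKDIR}/restore"` before step 16 unmounts everything. The function names, the sample tree and the placeholder UUID are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pre-reboot check that the files written in steps 10, 12
# and 13 agree. Argument: the mounted new root (${WORKDIR}/restore).
check_fde_config() {
    root=$1; problems=0
    fail() { echo "FAIL: $*" >&2; problems=$((problems + 1)); }

    # Step 10: rootdev= in armbianEnv.txt must name a mapper device.
    rootdev=$(sed -n 's/^rootdev=//p' "$root/boot/armbianEnv.txt" 2>/dev/null | tail -n 1)
    case $rootdev in
        /dev/mapper/?*) name=${rootdev#/dev/mapper/} ;;
        *) fail "rootdev='$rootdev' is not /dev/mapper/<name>"; return 1 ;;
    esac

    # Step 12: crypttab needs that name, a non-empty UUID, luks + initramfs.
    entry=$(awk -v n="$name" '$1 == n { print $2, $4; exit }' "$root/etc/crypttab" 2>/dev/null)
    if [ -z "$entry" ]; then
        fail "no crypttab entry named '$name'"
    else
        src=${entry%% *}; opts=${entry#* }
        case $src in
            UUID=?*) ;;
            *) fail "crypttab source '$src' carries no UUID" ;;
        esac
        for want in luks initramfs; do
            case ",$opts," in
                *,"$want",*) ;;
                *) fail "crypttab entry lacks option '$want'" ;;
            esac
        done
    fi

    # Step 13: fstab must mount the same mapper device on /.
    fsroot=$(awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$root/etc/fstab" 2>/dev/null)
    [ "$fsroot" = "$rootdev" ] || fail "fstab root '$fsroot' != rootdev '$rootdev'"
    [ "$problems" -eq 0 ]
}

# Constructed sample tree; $2 is the UUID field (placeholder value below).
make_sample_root() {
    mkdir -p "$1/boot" "$1/etc"
    echo 'rootdev=/dev/mapper/rootfs' > "$1/boot/armbianEnv.txt"
    echo "rootfs UUID=$2 none initramfs,luks" > "$1/etc/crypttab"
    echo '/dev/mapper/rootfs / ext4 defaults,noatime 0 1' > "$1/etc/fstab"
}
demo=$(mktemp -d)
make_sample_root "$demo" 00000000-0000-0000-0000-000000000000
check_fde_config "$demo" && echo "OK: configuration is consistent"
rm -rf "$demo"
```
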
Corrie Posted Tuesday at 06:19 PM

Hi! I love your guide, this is exactly what I need. I tried it with CM3588 Plus and its 3 different Armbian images available here. The script executed fine. There was a hiccup at step 16. Some stubborn mounts did not want to unmount and also AI says that the command should be more like this: 'mount | awk '/restore/{print $3}' | sort -r | xargs -I {} umount {}'. 😁

But I cannot boot the system. I was wondering how you get the bootloader to ask for a password to open the root partition to be accessed. All I get is this: