Dantes Posted June 2, 2023 (edited) Armbian/Jammy is working like a charm, thanks guys. Setting up the encryption was a bit of a bitch but it's working, as you can see. Any chance of adding encryption to the installer? Edited June 2, 2023 by Dantes
Werner Posted June 3, 2023 7 hours ago, Dantes said: "Any chance of adding encryption to the installer?" Feel free to do that. Your contribution is appreciated. I suggest starting here:
Solution Dantes Posted June 3, 2023 (edited) Alright, here is a "proof of concept" script. I can't modify the installer, I'm not that savvy. But I took your tutorial and scripted it to my needs. It's been tested (on jammy) and it works.

nanopi6_fde (attached script)

Basically it comes down to this:

1. Download the script
2. Copy it to the jammy sdcard
3. Boot with the sdcard and fill out the Armbian questionnaire
4. chmod +x nanopi6_fde
5. ./nanopi6_fde
6. In the armbian-installer choose boot from eMMC, filesystem ext4 (change the script if you want something else), exit after installation
7. At the end it prompts you for a passphrase
8. Reboot

```sh
#!/bin/sh -vxe
# nanopi6_fde: move a freshly installed Armbian (Jammy) eMMC root onto LUKS, run from the SD card.
# Runs with -e, so any failing step aborts before the passphrase is set.

WORKDIR=$(mktemp -d -p /dev/shm)   # faster: run from memory
#WORKDIR=/mnt                       # slower: run from storage

# 1. boot from sdcard (ubuntu/jammy), then update and install the tools
apt update && apt --yes upgrade
apt --yes install cryptsetup-bin gdisk rsync

# 2. run armbian-install and install to emmc/ext4; when done choose: exit
armbian-install || true

# 3. backup data (-H/-A/-X keep hard links, ACLs and xattrs such as file capabilities)
mkdir -p ${WORKDIR}/emmcdata
mount /dev/mmcblk2p1 ${WORKDIR}/emmcdata
rsync -aHAX --numeric-ids --info=progress2 ${WORKDIR}/emmcdata/. ${WORKDIR}/backup
sync
umount /dev/mmcblk2p1
rmdir ${WORKDIR}/emmcdata

# 4. create new partition layout: GPT, a 512M boot partition starting at sector 32768
#    (leaves the first 16 MiB alone for the bootloader), the rest for the LUKS container
sgdisk -og /dev/mmcblk2
sgdisk -n 1:32768:+512M -t 0:8300 /dev/mmcblk2
sgdisk -n 0:0:0 -t 0:8300 /dev/mmcblk2
partprobe /dev/mmcblk2 || true   # make sure the kernel sees the new partitions before mkfs
udevadm settle

# 5. create filesystems; LUKS is formatted with a random temporary keyfile which
#    step 15 replaces with your passphrase
mkfs.ext4 -F -L bootfs /dev/mmcblk2p1
KEYFILE=${WORKDIR}/keyfile
head -c 64 /dev/urandom > ${KEYFILE}
chmod 600 ${KEYFILE}
cryptsetup luksFormat --batch-mode --cipher=aes-xts-plain64 --key-size=512 \
    --hash=sha512 /dev/mmcblk2p2 ${KEYFILE}
cryptsetup open /dev/mmcblk2p2 rootfs --key-file=${KEYFILE}
mkfs.ext4 -F -L rootfs /dev/mapper/rootfs

# 6. mount partitions
mkdir -p ${WORKDIR}/restore
mount /dev/mapper/rootfs ${WORKDIR}/restore
mkdir -p ${WORKDIR}/restore/boot
mount /dev/mmcblk2p1 ${WORKDIR}/restore/boot

# 7. restore from backup
rsync -aHAX --numeric-ids --info=progress2 ${WORKDIR}/backup/. ${WORKDIR}/restore
sync

# 8. disable armbian's first-boot rootfs resize (it must not touch the LUKS container)
touch ${WORKDIR}/restore/root/.no_rootfs_resize

# 9. prepare chroot environment; /run is bound too so the chroot's /etc/resolv.conf
#    symlink (-> /run/systemd/resolve/...) resolves and apt has DNS
cd ${WORKDIR}/restore
mount -o rbind /dev dev
mount -t proc proc proc
mount -t sysfs sys sys
mount -o rbind /run run
cat /etc/hosts > etc/hosts
cat /etc/apt/sources.list > etc/apt/sources.list
cat /etc/apt/sources.list.d/armbian.list > etc/apt/sources.list.d/armbian.list

#10. change armbian environment: no boot logo, root on the mapper device
sed -i '/^bootlogo=/s,=.*,=false,;/^rootdev=/s,=.*,=/dev/mapper/rootfs,' boot/armbianEnv.txt

#11. add all currently loaded modules (incl. dm_crypt, loaded by step 5) to the initramfs
lsmod | cut -d ' ' -f1 | tail -n+2 > etc/initramfs-tools/modules

#12. create etc/crypttab (LUKS header UUID, opened from the initramfs)
echo "rootfs UUID=$(lsblk /dev/mmcblk2p2 --nodeps --noheadings -o UUID) none initramfs,luks" > etc/crypttab

#13. create etc/fstab
echo "/dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1" > etc/fstab
echo "UUID=$(lsblk /dev/mmcblk2p1 --nodeps --noheadings -o UUID) /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2" >> etc/fstab
echo "tmpfs /tmp tmpfs defaults,nosuid 0 0" >> etc/fstab

#14. chrooted environment: install cryptsetup-initramfs, rebuild the initramfs and
#    refuse to go on unless cryptsetup actually ended up inside it
cat << 'EOF' > config
#!/bin/sh -vxe
export DEBIAN_FRONTEND=noninteractive
apt update
echo 'force-confdef' > /root/.dpkg.cfg
apt --yes install cryptsetup-initramfs
rm /root/.dpkg.cfg
update-initramfs -u -k all
lsinitramfs /boot/initrd.img* | grep -q 'usr.*cryptsetup' || { echo "cryptsetup missing from initramfs" >&2; exit 1; }
EOF
chmod +x config
chroot . ./config
rm config

#15. user input needed: new passphrase (replaces the temporary keyfile's key slot)
cryptsetup luksChangeKey --key-file=${KEYFILE} /dev/mmcblk2p2
rm -f ${KEYFILE}

#16. unmount everything (recursively, which also covers the rbind'ed /dev and /run) and close the container
cd /
umount -R ${WORKDIR}/restore
cryptsetup close rootfs

#17. clean up the in-memory backup, then poweroff, eject sdcard, power on
rm -rf "${WORKDIR}"
```

Edited June 4, 2023 by Dantes: fixed some typos
Corrie Posted October 29 Hi! I love your guide, this is exactly what I need. I tried it with the CM3588 Plus and its 3 different Armbian images available here. The script executed fine. There was a hiccup at step 16: some stubborn mounts did not want to unmount, and also AI says that the command should be more like this: 'mount | awk '/restore/{print $3}' | sort -r | xargs -I {} umount {}'. 😁 But I cannot boot the system. I was wondering how you get the bootloader to ask for a password so the root partition can be opened. All I get is this:
Dantes Posted Tuesday at 03:28 AM Author (edited) This has been a while, so I'm going from memory here: cryptsetup-initramfs should be installed into the ramdisk (initrd), that's why it fails. So something goes wrong in step 14. Try executing the steps manually (1-16) and check if you have internet in your chroot. It asks for /dev/mapper/rootfs but that device is not there, which indicates the cryptsetup module is not loaded. That's why you did not get the password prompt and thus the disk is still encrypted.

```sh
## Something goes wrong here, try executing all the steps manually (1-16). Step by step.
## If the cryptsetup module is not inserted/loaded, you will get that error.
#14. chrooted environment
cat << 'EOF' > config
#!/bin/sh -vxe
apt update
echo 'force-confdef' > /root/.dpkg.cfg
apt --yes install cryptsetup-initramfs
rm /root/.dpkg.cfg
# the check must fail loudly: without cryptsetup in the initrd there is no passphrase prompt
lsinitramfs /boot/initrd.img* | grep -q 'usr.*cryptsetup' || { echo "cryptsetup missing from initramfs" >&2; exit 1; }
EOF
chmod +x config
chroot . ./config
rm config
```

Good luck. Edited Tuesday at 03:33 AM by Dantes
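The boot failure diagnosed above (initramfs without cryptsetup, so /dev/mapper/rootfs never appears) is cheap to catch from the SD card before the first reboot. The following pre-flight checker is an added example, not part of the forum post, of the nanopi6_fde script or of Armbian. It assumes the layout that script produces: the decrypted root tree still mounted somewhere (the script's ${WORKDIR}/restore), /boot inside it, the LUKS container on /dev/mmcblk2p2 and the mapper name "rootfs"; the expectation that U-Boot loads /boot/uInitrd, rebuilt from initrd.img by Armbian's post-update hook, is likewise an assumption stated in the comments. Each check takes files and strings as arguments, so it can be exercised on constructed test data as well as on the real install.

```shell
#!/bin/sh
# fde_precheck.sh: sanity checks for a LUKS-on-eMMC Armbian install, run from
# the SD card after the passphrase has been set and before rebooting.
# Added example (not from the forum post, nanopi6_fde or Armbian). Assumed layout:
# decrypted root tree mounted at ROOT, /boot inside it, LUKS on DEV, mapper "rootfs".

MAPPER=rootfs

# 1. The initramfs must carry the cryptsetup binary and initramfs-tools' cryptroot
#    script; without them nothing prompts for a passphrase and the boot stalls
#    waiting for /dev/mapper/rootfs.  $1 = file holding `lsinitramfs <initrd>` output.
initrd_has_cryptsetup() {
    grep -Eq '(^|/)cryptsetup$' "$1" &&
    grep -Eq '(^|/)scripts/local-top/cryptroot$' "$1"
}

# 2. crypttab needs "<MAPPER> UUID=<luks uuid> none <opts>" with "initramfs" among the
#    options.  $1 = crypttab file, $2 = UUID from `cryptsetup luksUUID <DEV>`.
crypttab_matches() {
    awk -v name="$MAPPER" -v want="UUID=$2" \
        '$1 == name && $2 == want && $4 ~ /(^|,)initramfs(,|$)/ { ok = 1 }
         END { exit !ok }' "$1"
}

# 3. armbianEnv.txt must hand the mapper device to the kernel as root=.  $1 = armbianEnv.txt
armbianenv_rootdev_ok() {
    grep -qx "rootdev=/dev/mapper/$MAPPER" "$1"
}

# 4. fstab must mount the same mapper device on /.  $1 = fstab
fstab_root_ok() {
    awk -v dev="/dev/mapper/$MAPPER" \
        '$1 == dev && $2 == "/" { ok = 1 } END { exit !ok }' "$1"
}

# 5. Assumption: U-Boot loads /boot/uInitrd, which Armbian's initramfs post-update hook
#    rebuilds from initrd.img.  A uInitrd older than initrd.img means the initramfs that
#    will actually boot is the one without cryptsetup.  $1 = initrd.img, $2 = uInitrd.
uinitrd_is_current() {
    [ -f "$2" ] && [ ! "$1" -nt "$2" ]
}

# Run all checks against a live install: ROOT = mounted root tree, DEV = LUKS partition,
# INITRD = initrd.img inside ROOT/boot.  Returns 0 only when every check passes.
precheck_all() {
    root=$1; dev=$2; initrd=$3
    uuid=$(cryptsetup luksUUID "$dev") || return 1
    listing=$(mktemp)
    lsinitramfs "$initrd" > "$listing" || { rm -f "$listing"; return 1; }
    rc=0
    initrd_has_cryptsetup "$listing" \
        || { echo "FAIL: cryptsetup/cryptroot missing from $initrd"; rc=1; }
    crypttab_matches "$root/etc/crypttab" "$uuid" \
        || { echo "FAIL: $root/etc/crypttab does not name $MAPPER UUID=$uuid with initramfs"; rc=1; }
    armbianenv_rootdev_ok "$root/boot/armbianEnv.txt" \
        || { echo "FAIL: rootdev in armbianEnv.txt is not /dev/mapper/$MAPPER"; rc=1; }
    fstab_root_ok "$root/etc/fstab" \
        || { echo "FAIL: / in fstab is not /dev/mapper/$MAPPER"; rc=1; }
    uinitrd_is_current "$initrd" "$root/boot/uInitrd" \
        || { echo "FAIL: $root/boot/uInitrd is missing or older than $initrd"; rc=1; }
    rm -f "$listing"
    [ "$rc" -eq 0 ] && echo "OK: initramfs, crypttab, armbianEnv.txt, fstab and uInitrd agree"
    return "$rc"
}

# Only runs the live check when invoked with arguments, e.g.
#   sh fde_precheck.sh /dev/shm/tmp.XXXX/restore /dev/mmcblk2p2 \
#       /dev/shm/tmp.XXXX/restore/boot/initrd.img-<version>
case "${1:-}" in
    "") ;;
    *)  precheck_all "$1" "$2" "$3" ;;
esac
```

Run it while the script's chroot mounts are still in place (between steps 15 and 16); a non-zero exit tells you which of the five pieces disagrees, which is more useful than the "device not found" stall at the next boot.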