3 3

Full root filesystem encryption on an Armbian/Orange Pi PC 2 system

Recommended Posts

Full root filesystem encryption on an Armbian/Orange Pi PC 2 system


MMGen (https://github.com/mmgen)


This tutorial provides detailed, step-by-step instructions for setting up full root filesystem encryption on an Armbian/Orange Pi PC2 system. With minor changes, it can be adapted to other Armbian-supported boards. The disk is unlocked remotely via ssh, permitting unattended bootup.



  • Linux host system
  • One Orange Pi PC 2
  • Two blank Micro-SD cards (or a working Armbian system for your board + one blank SD card)
  • USB Micro-SD card reader
  • Ability to edit text files and do simple administrative tasks on the Linux command line



Part 1 - Get, unpack and copy the latest Armbian image for the Orange Pi PC 2

$ mkdir ~/opi-build; cd ~/opi-build

# For a server image:
$ curl -L -O https://dl.armbian.com/orangepipc2/Ubuntu_bionic_next.7z
# For a desktop image:
$ curl -L -O https://dl.armbian.com/orangepipc2/Ubuntu_bionic_next_desktop.7z

# Consult the download directory for changes, as well as torrent files:
$ https://dl.armbian.com/orangepipc2/

Unpack (if the 7zr command is missing on your system, first install the 'p7zip' package):

$ 7zr x Ubuntu_*.7z

Check the PGP signature and integrity of the image (optional):

$ gpg --keyserver pgp.mit.edu --recv-key 9F0E78D5
$ gpg --verify *.img.asc

Or, alternatively, just check its integrity with a checksum:

$ sha256sum -c sha256sum.sha

Now you're ready to copy Armbian to the SD card or cards.


If you have two blank cards, the first will hold an ordinary unencrypted Armbian system used for the setup process, while the second will hold the target encrypted system.


Alternatively, if you already have a working Armbian system for your board, you can use it for the setup process. In that case, your one blank SD card will be considered the “second” card, and you can ignore all instructions hereafter pertaining to the first card.


Note that for the remainder of this section, the first SD card will be referred to as '/dev/sdX' and the second as '/dev/sdY'. You'll replace these with the SD cards' true device filenames. The device names can be discovered using the command 'dmesg' or 'lsblk'. If you remove the first card before inserting the second, it's possible (but not guaranteed) that the cards will have the same device name.


Insert the first blank SD card and copy the image to it:

$ sudo dd if=$(echo *.img) of=/dev/sdX bs=4M

After the command exits, you may remove the first card.


Now insert the second SD card, which will hold a small unencrypted boot partition plus your encrypted Armbian system. Copy the image's boot loader to it:

$ sudo dd if=$(echo *.img) of=/dev/sdY bs=512 count=4096

Now partition the card:

$ sudo fdisk /dev/sdY

Within fdisk, create a new DOS disklabel with the 'o' command. Use the 'n' command to create a primary partition of size +100M beginning at sector 4096. Type 'p' to view the partition table. Note the end sector. Now create a second primary partition beginning one sector after the first partition's end sector and filling the remainder of the card. When you're finished, your partition table will look something like this:

Device     Boot  Start      End  Sectors  Size Id Type
/dev/sdY1         4096   208895   204800  100M 83 Linux
/dev/sdY2       208896 31422463 31213568 14.9G 83 Linux

Double-check that the second partition begins one sector after the end of the first one. If you mess something up, use 'd' to delete partitions or 'q' to exit fdisk and try again.


Once everything looks correct, type 'w' to write the partition table.


Now you'll begin the process of copying the system to the second card. First you'll associate the image file with a loop device and mount the device:

$ losetup -f              # displays the name of the loop device; remember this
$ sudo losetup -Pf *.img  # associate image file with the above loop device
$ mkdir mnt boot root
$ sudo mount /dev/loopXp1 mnt  # replace '/dev/loopX' with the above loop device

Create a filesystem on the SD card's boot partition and copy the boot partition data from the image file to it:

$ sudo mkfs.ext4 /dev/sdY1
$ sudo e2label /dev/sdY1 OPI_PC2_BOOT # don't omit this step!
$ sudo mount /dev/sdY1 boot
$ sudo cp -av mnt/boot/* boot
$ (cd boot; sudo ln -s . boot)

Create the encrypted root partition (for this the 'cryptsetup' package must be installed on the host). You'll be prompted for a passphrase. It's recommended to choose an easy one like 'abc' for now. The passphrase can easily be changed later (consult the 'cryptsetup' man page for details):

$ sudo cryptsetup luksFormat /dev/sdY2

Activate the encrypted root partition, create a filesystem on it and mount it:

$ sudo cryptsetup luksOpen /dev/sdY2 foo   # enter your passphrase from above
$ sudo mkfs.ext4 /dev/mapper/foo
$ sudo mount /dev/mapper/foo root

Copy the system to the encrypted root partition:

$ (cd mnt && sudo rsync -av --exclude=boot * ../root)
$ sync # be patient, this could take a while
$ sudo mkdir root/boot
$ sudo touch root/root/.no_rootfs_resize

Unmount the mounted image and second SD card, and free the loop device and encrypted mapping:

$ sudo umount mnt boot root
$ sudo losetup -d /dev/loopX
$ sudo cryptsetup luksClose foo

From here on, all your work will be done on the Orange Pi.



Part 2 - boot into the unencrypted Armbian system


If applicable, insert the first (unencrypted) SD card into the Pi's Micro-SD card slot.


Insert a USB card reader holding the second SD card into a USB port on the Pi.


Boot the Pi.


If applicable, log in as root with password '1234', follow the password update instructions, and stay logged in as root. The following steps will be performed from a root shell.



Part 3 - set up the unencrypted Armbian system


Update the APT package index and install cryptsetup:

  # apt-get update
  # apt-get install cryptsetup



Part 4 - set up the encrypted Armbian system


 Prepare the encrypted system chroot:

 # BOOT_PART=($(lsblk -l -o NAME,LABEL | grep OPI_PC2_BOOT))

 # cryptsetup luksOpen /dev/$ROOT_PART foo
 # mkdir /mnt/enc_root
 # mount /dev/mapper/foo /mnt/enc_root
 # mount /dev/$BOOT_PART /mnt/enc_root/boot

 # cd /mnt/enc_root
 # mount -o rbind /dev dev
 # mount -t proc proc proc
 # mount -t sysfs sys sys

Copy some key files so you'll have a working Internet connection within the chroot:

# cat /etc/resolv.conf > etc/resolv.conf
# cat /etc/hosts > etc/hosts

Now chroot into the encrypted system. From this point on, all work will be done inside the chroot:

# chroot .
# apt-get update
# echo 'export CRYPTSETUP=y' > /etc/initramfs-tools/conf.d/cryptsetup
# apt-get install cryptsetup dropbear-initramfs

Check to see that the cryptsetup scripts are present in the initramfs (command should produce output):

# gunzip -c /boot/initrd.img* | cpio --quiet -t | grep cryptsetup

Edit '/etc/fstab' to look exactly like this:

/dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1
/dev/mmcblk0p1 /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2
tmpfs /tmp tmpfs defaults,nosuid 0 0

Add the following lines to '/etc/initramfs-tools/initramfs.conf'. If the Orange Pi's IP address will be statically configured, substitute the correct static IP address after 'IP='. If it will be configured via DHCP, omit the IP line entirely:


Add the following parameters to the quoted bootargs line in '/boot/boot.cmd'.  Note that the 'root' parameter replaces the existing one:

root=/dev/mapper/rootfs cryptopts=source=/dev/mmcblk0p2,target=rootfs

If you want to be able to unlock the disk from the virtual console (which you probably do) as well as via ssh, then comment out the following line:

# if test "${console}" = "serial" || test "${console}" = "both"; then setenv consoleargs "${consoleargs} console=ttyS0,115200"; fi

In case you're wondering, 'setenv console "display"' doesn't work. Don't ask me why.


Compile the boot menu:

# mkimage -C none -A arm -T script -d /boot/boot.cmd /boot/boot.scr

Copy the SSH public key from the machine you'll be unlocking the disk from to the Armbian machine:

# rsync yourusername@remote_machine:.ssh/id_*.pub /etc/dropbear-initramfs/authorized_keys

If you'll be unlocking the disk from more than one host, then edit the authorized_keys file by hand and add the additional SSH public keys.


Edit '/etc/dropbear-initramfs/config', adding the following lines:


Reconfigure dropbear:

# dpkg-reconfigure dropbear-initramfs

Make sure everything was included in the initramfs (both commands should produce output):

# gunzip -c /boot/initrd.img* | cpio --quiet -t | grep dropbear
# gunzip -c /boot/initrd.img* | cpio --quiet -t | grep authorized_keys

Your work is finished! Exit the chroot and shut down the Orange Pi:

# exit
# halt -p

Swap the SD cards and restart the Pi. Unlock the disk by executing the following command on your remote machine. Substitute the Pi's correct static or DHCP-configured IP address for the one below. If necessary, also substitute the correct disk password in place of 'abc':

$ ssh -p 2222 -x root@ 'echo -n abc > /lib/cryptsetup/passfifo'

If you choose to unlock the disk from the tty, just enter your disk password and hit ENTER.


If all went well, your root-filesystem encrypted Armbian system is now up and running!

Edited by MMGen
minor corrections

Share this post

Link to post
Share on other sites

Rechecked tutorial, fixed a non-critical error, removed a couple unnecessary commands.


Just replace the bogus device filenames with real ones and everything will work "out of the box".

Share this post

Link to post
Share on other sites

Update: commenting out the following line in 'boot.cmd' allows you to unlock the disk from the tty as well as via ssh:

# if test "${console}" = "serial" || test "${console}" = "both"; then setenv consoleargs "${consoleargs} console=ttyS0,115200"; fi


Share this post

Link to post
Share on other sites

Edited tutorial and made the following improvements:

  • only one card reader required
  • improved dropbear configuration using configured address and non-standard port
  • allow for DHCP-configured systems

The dm-crypt module has now been added to the kernel (thanks, developers!), which makes the whole setup process much easier.


Share this post

Link to post
Share on other sites

In the intro it would be nice read about potential usecases.

Do updates still work as usually.

Are you able to install new software as usually.

Simply because I don't know anything about this and I am always afraid of losing the key :unsure:

Share this post

Link to post
Share on other sites
5 hours ago, Tido said:

In the intro it would be nice read about potential usecases.

Do updates still work as usually.

Are you able to install new software as usually.

Simply because I don't know anything about this and I am always afraid of losing the key :unsure:

Everything works as usual. If you're worried about forgetting the key, start out with a simple disk password like 'abc'. The password is all you need.


Use case: if your machine ever falls into the wrong hands, any sensitive information on your disk is inaccessible to the attacker (but then you'll need a better password than 'abc').

Share this post

Link to post
Share on other sites
3 3