
Full root filesystem encryption on an Armbian/Orange Pi PC 2 system



 

MMGen (https://github.com/mmgen)

 

WARNING: This tutorial has been obsoleted by Full root filesystem encryption on an Armbian system. In addition, an automated script is available, which can be downloaded here or by cloning the following repository: git clone https://github.com/mmgen/mmgen-geek-tools

 

This tutorial provides detailed, step-by-step instructions for setting up full root filesystem encryption on an Armbian/Orange Pi PC2 system. With minor changes, it can be adapted to other Armbian-supported boards. The disk is unlocked remotely via ssh, permitting unattended bootup.

 

Requirements:

  • Linux host system
  • One Orange Pi PC 2
  • Two blank Micro-SD cards (or a working Armbian system for your board + one blank SD card)
  • USB Micro-SD card reader
  • Ability to edit text files and do simple administrative tasks on the Linux command line

 

 

Part 1 - Get, unpack and copy an Armbian image for your board

 

Create your build directory:

$ mkdir armbenc-build && cd armbenc-build

Download and unpack an Armbian image for your board and place it in this directory.

 

If you have two blank SD cards, the first will hold an ordinary unencrypted Armbian system used for the setup process, while the second will hold the target encrypted system.

 

Alternatively, if you already have a working Armbian system for your board, you can use it for the setup process. In that case, your one blank SD card will be considered the “second” card, and you can ignore all instructions hereafter pertaining to the first card.

 

Note that for the remainder of this section, the first SD card will be referred to as '/dev/sdX' and the second as '/dev/sdY'. You'll replace these with the SD cards' true device filenames. The device names can be discovered using the command 'dmesg' or 'lsblk'. If you remove the first card before inserting the second, it's possible (but not guaranteed) that the cards will have the same device name.

 

Insert the first blank SD card and copy the image to it:

$ sudo dd if=$(echo *.img) of=/dev/sdX bs=4M

After the command exits, you may remove the first card.

 

Now insert the second SD card, which will hold a small unencrypted boot partition plus your encrypted Armbian system. Copy the image's boot loader to it:

$ sudo dd if=$(echo *.img) of=/dev/sdY bs=512 count=32768

Now partition the card:

$ sudo fdisk /dev/sdY

Within fdisk, create a new DOS disklabel with the 'o' command. Use the 'n' command to create a primary partition of size +200M beginning at sector 32768. Type 'p' to view the partition table. Note the end sector. Now create a second primary partition beginning one sector after the first partition's end sector and filling the remainder of the card. When you're finished, your partition table will look something like this:

 Device     Boot  Start       End   Sectors  Size Id Type
 /dev/sdY1        32768    442367    409600  200M 83 Linux
 /dev/sdY2       442368 123596799 123154432 58.7G 83 Linux

Double-check that the second partition begins one sector after the end of the first one. If you mess something up, use 'd' to delete partitions or 'q' to exit fdisk and try again.

 

Once everything looks correct, type 'w' to write the partition table.

 

Now you'll begin the process of copying the system to the second card. First you'll associate the image file with a loop device and mount the device:

$ losetup -f              # displays the name of the loop device; remember this
$ sudo losetup -Pf *.img  # associate image file with the above loop device
$ mkdir mnt boot root
$ sudo mount /dev/loopXp1 mnt  # replace '/dev/loopX' with the above loop device

Create a filesystem on the SD card's boot partition and copy the boot partition data from the image file to it:

$ sudo mkfs.ext4 /dev/sdY1
$ sudo e2label /dev/sdY1 OPI_PC2_BOOT # don't omit this step!
$ sudo mount /dev/sdY1 boot
$ sudo cp -av mnt/boot/* boot
$ (cd boot; sudo ln -s . boot)

Create the encrypted root partition (for this the 'cryptsetup-bin' package must be installed on the host). You'll be prompted for a passphrase. It's recommended to choose an easy one like 'abc' for now. The passphrase can easily be changed later (consult the 'cryptsetup' man page for details):

$ sudo cryptsetup --pbkdf argon2i --pbkdf-memory 600000 luksFormat /dev/sdY2

Note that the --pbkdf-memory argument must be less than the available free memory in kilobytes at bootup time.  Otherwise you’ll get an out-of-memory error and your disk will fail to unlock.  600000 is a safe value for the Orange Pi PC2 with its 1GB of RAM.
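As an added example (not from the tutorial or the mmgen-geek-tools script), the following POSIX shell functions mechanise the two checks in this part: that the partition table written in fdisk has the layout described above, and that the --pbkdf-memory value fits under the board's available memory. The sample partition table is the one shown above; the /proc/meminfo figures are constructed, and using MemAvailable of the running system as a proxy for free memory at boot is an assumption.

```shell
#!/bin/sh
# Added sanity checks for the Part 1 layout; not part of the original tutorial.
# Both functions read stdin, so they can be fed a real 'fdisk -l /dev/sdY'
# or '/proc/meminfo', or the constructed samples below.

# check_partition_table: verifies that partition 1 starts at or after sector
# 32768, so it does not overlap the boot loader written with
# 'dd bs=512 count=32768', and that partition 2 starts exactly one sector
# after partition 1 ends (the check the tutorial asks you to do by eye).
check_partition_table() {
    awk '
        $1 ~ /^\/dev\// {                # partition rows, e.g. "/dev/sdY1 32768 442367 ..."
            n++
            if ($2 == "*") { start[n] = $3; end[n] = $4 }   # row carrying a Boot flag
            else           { start[n] = $2; end[n] = $3 }
        }
        END {
            if (n + 0 != 2)       { print "expected two partitions, found " n + 0; exit 1 }
            if (start[1] < 32768) { print "partition 1 overlaps the boot loader region"; exit 1 }
            if (start[2] != end[1] + 1) { print "partitions 1 and 2 are not contiguous"; exit 1 }
            print "partition layout OK"
        }'
}

# check_pbkdf_memory: succeeds if the --pbkdf-memory value (kB, first argument)
# is below the MemAvailable figure of a /proc/meminfo listing, so the argon2
# unlock should not run out of memory at boot. MemAvailable of the running
# system is used as a conservative proxy for free memory in the initramfs
# (assumption made here).
check_pbkdf_memory() {
    avail_kb=$(awk '/^MemAvailable:/ { print $2 }')
    [ -n "$avail_kb" ] || { echo "MemAvailable not found"; return 1; }
    [ "$1" -lt "$avail_kb" ]
}

# Constructed samples: the partition table is the one shown in the tutorial;
# the meminfo figures are made up for a 1 GB board.
SAMPLE_TABLE='Device     Boot  Start       End   Sectors  Size Id Type
/dev/sdY1        32768    442367    409600  200M 83 Linux
/dev/sdY2       442368 123596799 123154432 58.7G 83 Linux'
SAMPLE_MEMINFO='MemTotal:        1019000 kB
MemFree:          612340 kB
MemAvailable:     845120 kB'

printf '%s\n' "$SAMPLE_TABLE" | check_partition_table
printf '%s\n' "$SAMPLE_MEMINFO" | check_pbkdf_memory 600000 \
    && echo "pbkdf memory 600000 kB fits" || echo "pbkdf memory too large"
```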

 

Activate the encrypted root partition, create a filesystem on it and mount it:

$ sudo cryptsetup luksOpen /dev/sdY2 foo   # enter your passphrase from above
$ sudo mkfs.ext4 /dev/mapper/foo
$ sudo mount /dev/mapper/foo root

Copy the system to the encrypted root partition:

$ (cd mnt && sudo rsync -av --exclude=boot * ../root)
$ sync # be patient, this could take a while
$ sudo mkdir root/boot
$ sudo touch root/root/.no_rootfs_resize

Unmount the mounted image and second SD card, and free the loop device and encrypted mapping:

$ sudo umount mnt boot root
$ sudo losetup -d /dev/loopX
$ sudo cryptsetup luksClose foo

From here on, all your work will be done on the Orange Pi.

 

 

Part 2 - boot into the unencrypted Armbian system

 

If applicable, insert the first (unencrypted) SD card into the Pi's Micro-SD card slot.

 

Insert a USB card reader holding the second SD card into a USB port on the Pi.

 

Boot the Pi.

 

If applicable, log in as root with password '1234', follow the password update instructions, and stay logged in as root. The following steps will be performed from a root shell.

 

 

Part 3 - set up the unencrypted Armbian system

 

Update the APT package index and install cryptsetup:

  # apt-get update
  # apt-get install cryptsetup

 

 

Part 4 - set up the encrypted Armbian system

 

Prepare the encrypted system chroot:

# BOOT_PART=($(lsblk -l -o NAME,LABEL | grep OPI_PC2_BOOT))
# ROOT_PART=${BOOT_PART%1}2

# cryptsetup luksOpen /dev/$ROOT_PART foo
# mkdir /mnt/enc_root
# mount /dev/mapper/foo /mnt/enc_root
# mount /dev/$BOOT_PART /mnt/enc_root/boot

# cd /mnt/enc_root
# mount -o rbind /dev dev
# mount -t proc proc proc
# mount -t sysfs sys sys

Copy some key files so you'll have a working Internet connection within the chroot:

# cat /etc/resolv.conf > etc/resolv.conf
# cat /etc/hosts > etc/hosts

Now chroot into the encrypted system. From this point on, all work will be done inside the chroot:

# chroot .
# apt-get update
# echo 'export CRYPTSETUP=y' > /etc/initramfs-tools/conf.d/cryptsetup
# apt-get install cryptsetup-initramfs dropbear-initramfs # for focal and buster
# apt-get install cryptsetup dropbear-initramfs           # for bionic

Check to see that the cryptsetup scripts are present in the initramfs (command should produce output):

# gunzip -c /boot/initrd.img* | cpio --quiet -t | grep cryptsetup

Edit '/etc/fstab' to look exactly like this:

/dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1
/dev/mmcblk0p1 /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2
tmpfs /tmp tmpfs defaults,nosuid 0 0

Add the following lines to '/etc/initramfs-tools/initramfs.conf'. If the Orange Pi's IP address will be statically configured, substitute the correct static IP address after 'IP='. If it will be configured via DHCP, omit the IP line entirely:

DEVICE=eth0
IP=192.168.0.88:::255.255.255.0::eth0:off

Add the following parameters to the quoted bootargs line in '/boot/boot.cmd'.  Note that the 'root' parameter replaces the existing one:

root=/dev/mapper/rootfs cryptopts=source=/dev/mmcblk0p2,target=rootfs

If you want to be able to unlock the disk from the virtual console (which you probably do) as well as via ssh, then comment out the following line:

# if test "${console}" = "serial" || test "${console}" = "both"; then setenv consoleargs "${consoleargs} console=ttyS0,115200"; fi

In case you're wondering, 'setenv console "display"' doesn't work. Don't ask me why.

 

Compile the boot menu:

# mkimage -C none -A arm -T script -d /boot/boot.cmd /boot/boot.scr

Copy the SSH public key from the machine you'll be unlocking the disk from to the Armbian machine:

# rsync yourusername@remote_machine:.ssh/id_*.pub /etc/dropbear-initramfs/authorized_keys

If you'll be unlocking the disk from more than one host, then edit the authorized_keys file by hand and add the additional SSH public keys.

 

Edit '/etc/dropbear-initramfs/config', adding the following lines:

DROPBEAR_OPTIONS="-p 2222"
DROPBEAR=y

Reconfigure dropbear:

# dpkg-reconfigure dropbear-initramfs

Make sure everything was included in the initramfs (both commands should produce output):

# gunzip -c /boot/initrd.img* | cpio --quiet -t | grep dropbear
# gunzip -c /boot/initrd.img* | cpio --quiet -t | grep authorized_keys

Your work is finished! Exit the chroot and shut down the Orange Pi:

# exit
# halt -p

Swap the SD cards and restart the Pi. Unlock the disk by executing the following command on your remote machine. Substitute the Pi's correct static or DHCP-configured IP address for the one below. If necessary, also substitute the correct disk password in place of 'abc':

$ ssh -p 2222 -x root@192.168.0.88 'echo -n abc > /lib/cryptsetup/passfifo'

If you choose to unlock the disk from the tty, just enter your disk password and hit ENTER.

 

If all went well, your root-filesystem encrypted Armbian system is now up and running!


Rechecked tutorial, fixed a non-critical error, removed a couple unnecessary commands.

 

Just replace the bogus device filenames with real ones and everything will work "out of the box".


Update: commenting out the following line in 'boot.cmd' allows you to unlock the disk from the tty as well as via ssh:

# if test "${console}" = "serial" || test "${console}" = "both"; then setenv consoleargs "${consoleargs} console=ttyS0,115200"; fi

 


Edited tutorial and made the following improvements:

  • only one card reader required
  • improved dropbear configuration using configured address and non-standard port
  • allow for DHCP-configured systems

The dm-crypt module has now been added to the kernel (thanks, developers!), which makes the whole setup process much easier.

 


In the intro it would be nice to read about potential use cases.

Do updates still work as usual?

Are you able to install new software as usual?

Simply because I don't know anything about this and I am always afraid of losing the key :unsure:


5 hours ago, Tido said:

In the intro it would be nice to read about potential use cases.

Do updates still work as usual?

Are you able to install new software as usual?

Simply because I don't know anything about this and I am always afraid of losing the key :unsure:

Everything works as usual. If you're worried about forgetting the key, start out with a simple disk password like 'abc'. The password is all you need.

 

Use case: if your machine ever falls into the wrong hands, any sensitive information on your disk is inaccessible to the attacker (but then you'll need a better password than 'abc').


Can this work on the Armbian N2 release?  Also, I have EMMC and no SD CARD.

 

I got about as far as

Quote: Add the following parameters to the quoted bootargs line in '/boot/boot.cmd'. Note that the 'root' parameter replaces the existing one:

 

 

But Armbian for N2 does not have boot.cmd. Do you mean boot.ini? Further, there is no boot.scr, so this command

Quote: # mkimage -C none -A arm -T script -d /boot/boot.cmd /boot/boot.scr

doesn't appear to work. Also, I believe "-A arm" should reflect ARM64 or arm64? I'm not sure which notation is correct. But the N2 is an ARM64 board.

 

There also appears to be an error with CRYPTSETUP in /etc/initramfs-tools/initramfs.conf, as it is reported to be deprecated. 

 

Hopefully someone can assist with continuing this guide as I'd really like to get the whole EMMC encrypted.  

 

Thanks in advance. 


Fixed boot sector size, luksFormat command. Removed outdated image downloading and unpacking instructions.

 

Tested on SD and eMMC; Orange Pi PC2 and RockPi 4; Bionic legacy, Focal legacy and Buster mainline images.

 

Instead of this tutorial, users are now encouraged to use my automated script, which does things in a better, more up-to-date way:

git clone https://github.com/mmgen/mmgen-geek-tools

 
