Installing Armbian Buster on Orange Pi PC2 with full-disk encryption and sysvinit

I'm using Orange Pi PC2 here, but this should work for other sunxi boards as well.

This article is based on this awesome post, but has some additions and corrections. You will need two identical (in terms of storage size) microSD cards.

I do not cover installing dropbear to decrypt the rootfs over ssh because I don't need it. It is assumed that you have a serial console over UART and will later enter the password in this console.

Requirements

  • Orange Pi PC2
  • Two microSD cards
  • One USB - microSD adapter

Preparing first microSD

First of all, download and unpack the image.

$ 7z x Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.7z

Copy the unpacked image (file with .img extension) to the first microSD card.

# dd if=./Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.img of=/dev/mmcblk0 bs=2M

Preparing second microSD

Partitioning

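Flash the bootloader to the second microSD. This copies only the first 2 MiB of the image (4096 sectors of 512 bytes), which also carries the image's partition table.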

# dd if=./Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.img of=/dev/mmcblk0 bs=512 count=4096

Open fdisk.

# fdisk /dev/mmcblk0

Type p to print the current partition table.

Command (m for help): p

Device         Boot Start     End Sectors  Size Id Type
/dev/mmcblk0p1       8192 2875391 2867200  1.4G 83 Linux

Note the start sector of the first partition (8192 in my case); it is reused below as the first sector of the boot partition.

Create a new DOS disklabel with the o command.

Command (m for help): o
Created a new DOS disklabel with disk identifier 0xad9b5e1b.

Create the boot partition. Use the n command, primary (p) type, 8192 as the first sector and +100M for the size.

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p <ENTER>
Partition number (1-4, default 1): <ENTER>
First sector (2048-62333951, default 2048): 8192 <ENTER>
Last sector, +/-sectors or +/-size{K,M,G,T,P} (8192-62333951, default 62333951): +100M <ENTER>

Created a new partition 1 of type 'Linux' and of size 100 MiB.
Partition #1 contains a ext4 signature.

Do you want to remove the signature? [Y]es/[N]o: Y

Print the partition table (use p) again and note the last sector of partition #1:

Device         Boot Start    End Sectors  Size Id Type
/dev/mmcblk0p1       8192 212991  204800  100M 83 Linux

Create the root partition (this is the one that will be encrypted). Use the end sector of the boot partition plus 1 (212992 in my case) as the first sector of the new partition.

Command (m for help): n
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): <ENTER>

Using default response p.
Partition number (2-4, default 2): <ENTER>
First sector (2048-62333951, default 2048): 212992 <ENTER>
Last sector, +/-sectors or +/-size{K,M,G,T,P} (212992-62333951, default 62333951): <ENTER>

Now your partition table should look like this:

Device         Boot  Start      End  Sectors  Size Id Type
/dev/mmcblk0p1        8192   212991   204800  100M 83 Linux
/dev/mmcblk0p2      212992 62333951 62120960 29.6G 83 Linux

Type w to write the partition table and exit fdisk.

Creating file systems

Create ext4 fs for /boot.

# mkfs.ext4 /dev/mmcblk0p1

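Create the encrypted root partition. cryptsetup asks for confirmation and then for the passphrase, which is the one you will later type on the serial console at boot.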

# cryptsetup luksFormat /dev/mmcblk0p2

Then open it and create ext4 fs.

# cryptsetup luksOpen /dev/mmcblk0p2 foo
# mkfs.ext4 /dev/mapper/foo

Copying system files

Get an unused loop device.

$ losetup -f
/dev/loop0

Associate the image file with the loop device.

# losetup -Pf Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.img

Create temporary mountpoints and mount the image.

$ mkdir mnt boot root
# mount /dev/loop0p1 mnt

Mount the boot partition of the SD card and copy files into it.

# mount /dev/mmcblk0p1 boot
# cp -av mnt/boot/* boot
# (cd boot; ln -s . boot)

Mount the root partition and copy files.

# mount /dev/mapper/foo root
# (cd mnt && rsync -av --exclude=boot * ../root)
# sync
# mkdir root/boot
# touch root/root/.no_rootfs_resize

Unmount and close everything.

# umount mnt boot root
# losetup -d /dev/loop0
# cryptsetup luksClose foo

Configuring the system

Insert the first microSD card into the Pi's microSD card slot. Plug the second one into a microSD USB adapter. Plug the adapter into the Pi and boot the board. (Default root password is 1234.)

Set up networking (this is beyond the scope of this article).

Install cryptsetup.

# apt install cryptsetup

Now you need to determine the device name of the second microSD card. In my case it's /dev/sdb, but it may be different for you. Use lsblk to list all block devices. Your unencrypted, default Armbian microSD has only one partition, while your second microSD has two partitions. So if you see sda1, sdb1 and sdb2, that means that sda is the first card and sdb is the second.

Open and mount the partitions, then prepare and enter the chroot environment.

# cryptsetup luksOpen /dev/sdb2 rootfs
# mkdir /mnt/enc_root
# mount /dev/mapper/rootfs /mnt/enc_root
# mount /dev/sdb1 /mnt/enc_root/boot
# cd /mnt/enc_root
# mount -o rbind /dev dev
# mount -t proc proc proc
# mount -t sysfs sys sys
# cat /etc/resolv.conf > etc/resolv.conf
# chroot .

Install cryptsetup again (now on the encrypted card).

# apt install cryptsetup cryptsetup-initramfs

Install sysvinit, because systemd sucks.

# apt install sysvinit-core sysvinit-utils

Open the /etc/cryptsetup-initramfs/conf-hook file. Uncomment this line and set CRYPTSETUP to y:

CRYPTSETUP=y

Write /etc/fstab.

/dev/mapper/rootfs /     ext4  defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1
/dev/mmcblk0p1     /boot ext4  defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2
tmpfs              /tmp  tmpfs defaults,nosuid,noexec                                   0 0

Update initramfs.

# dpkg-reconfigure cryptsetup-initramfs

Open /etc/inittab, uncomment and edit this line (115200 is the speed):

T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100

Get the UUID of the root device (inside the chroot the second card is still the USB device, /dev/sdb2 in my case):

# blkid /dev/sdb2
/dev/sdb2: UUID="<YOURUUID>" TYPE="crypto_LUKS" PARTUUID="<YOURPARTUUID>"

Set these options in /boot/armbianEnv.txt (replace YOURUUID with the real UUID from the previous step):

console=serial
extraargs=root=/dev/mapper/rootfs cryptopts=source=/dev/mmcblk0p2,target=rootfs,luks
rootdev=UUID=YOURUUID
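
A pre-reboot consistency check for the files edited above, given here as an added example that is not part of the original article. The function name check_fde_config is hypothetical; it verifies that CRYPTSETUP=y is set, that the mapping name agrees between cryptopts, root= and /etc/fstab, and that the UUID placeholder was replaced. Run it inside the chroot with / as the argument.

```shell
#!/bin/sh
# Added example (not from the original article). check_fde_config is a
# hypothetical helper; pass it the root of the encrypted system, e.g. "/" in
# the chroot or /mnt/enc_root from outside it.
check_fde_config() {
    r=${1%/}; rc=0
    envf="$r/boot/armbianEnv.txt"
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # 1. The initramfs hook must be forced on with an uncommented CRYPTSETUP=y.
    grep -Eq '^[[:space:]]*CRYPTSETUP=y[[:space:]]*$' \
        "$r/etc/cryptsetup-initramfs/conf-hook" || fail "CRYPTSETUP=y not set in conf-hook"

    # 2. Split the extraargs line into root= and the cryptopts= fields.
    extra=$(sed -n 's/^extraargs=//p' "$envf" | tr ' ' '\n')
    root=$(printf '%s\n' "$extra" | sed -n 's/^root=//p')
    copts=$(printf '%s\n' "$extra" | sed -n 's/^cryptopts=//p' | tr ',' '\n')
    src=$(printf '%s\n' "$copts" | sed -n 's/^source=//p')
    target=$(printf '%s\n' "$copts" | sed -n 's/^target=//p')
    [ -n "$src" ] || fail "cryptopts has no source="
    [ -n "$target" ] || fail "cryptopts has no target="
    printf '%s\n' "$copts" | grep -qx luks || fail "cryptopts lacks the luks flag"

    # 3. The mapping name must agree between cryptopts, root= and /etc/fstab.
    [ "$root" = "/dev/mapper/$target" ] || fail "root=$root does not match target=$target"
    awk -v d="/dev/mapper/$target" '$1 == d && $2 == "/" { ok = 1 } END { exit !ok }' \
        "$r/etc/fstab" || fail "fstab has no / entry on /dev/mapper/$target"

    # 4. The YOURUUID placeholder must have been replaced with a real value.
    uuid=$(sed -n 's/^rootdev=UUID=//p' "$envf")
    case "$uuid" in
        ''|*YOURUUID*) fail "rootdev UUID is missing or still the placeholder" ;;
    esac

    # 5. In this setup the passphrase is typed on the serial console.
    grep -qx 'console=serial' "$envf" || fail "console=serial not set"
    return "$rc"
}

# Run the check when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then check_fde_config "$1"; fi
```
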

Wow, we've finished it!

Now exit the chroot and power off. Put the encrypted microSD into the Pi's slot and power it on again. It should work.

If you have any comments, contact me by email.