Installing Armbian Buster on Orange Pi PC2 with full-disk encryption and sysvinit

I'm using Orange Pi PC2 here, but this should work for other sunxi boards as well.

This article is based on this awesome post, but has some additions and corrections. You will need two identical (in terms of storage size) microSD cards.

I do not cover installing dropbear to decrypt rootfs over ssh because I don't need it. It is assumed that you have a serial console over UART and will later enter password in this console.

Requirements

  • Orange Pi PC2
  • Two microSD cards
  • One USB - microSD adapter

Preparing first microSD

First of all, download and unpack the image.

$ 7z x Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.7z

Copy the unpacked image (file with .img extension) to the first microSD card.

# dd if=./Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.img of=/dev/mmcblk0 bs=2M

Preparing second microSD

Partitioning

Flash bootloader to the second microSD.

# dd if=./Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.img of=/dev/mmcblk0 bs=512 count=4096

Open fdisk.

# fdisk /dev/mmcblk0

Type p to print current partition table.

Command (m for help): p

Device         Boot Start     End Sectors  Size Id Type
/dev/mmcblk0p1       8192 2875391 2867200  1.4G 83 Linux

Note the start sector of first partition (8192 in my case).

Create new DOS disklabel by using o command.

Command (m for help): o
Created a new DOS disklabel with disk identifier 0xad9b5e1b.

Create boot partition. Use n command, primary (p) type, 8192 as first sector and +100M for size.

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p <ENTER>
Partition number (1-4, default 1): <ENTER>
First sector (2048-62333951, default 2048): 8192 <ENTER>
Last sector, +/-sectors or +/-size{K,M,G,T,P} (8192-62333951, default 62333951): +100M <ENTER>

Created a new partition 1 of type 'Linux' and of size 100 MiB.
Partition #1 contains a ext4 signature.

Do you want to remove the signature? [Y]es/[N]o: Y

Print partition table (use p) again and note the last sector of partition #1:

Device         Boot Start    End Sectors  Size Id Type
/dev/mmcblk0p1       8192 212991  204800  100M 83 Linux

Create root partition (this is the one that will be encrypted). Use end sector of the boot partition plus 1 (212992 in my case) as the first sector of new partition.

Command (m for help): n
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): <ENTER>

Using default response p.
Partition number (2-4, default 2): <ENTER>
First sector (2048-62333951, default 2048): 212992 <ENTER>
Last sector, +/-sectors or +/-size{K,M,G,T,P} (212992-62333951, default 62333951): <ENTER>

Now your partition table should look like this:

Device         Boot  Start      End  Sectors  Size Id Type
/dev/mmcblk0p1        8192   212991   204800  100M 83 Linux
/dev/mmcblk0p2      212992 62333951 62120960 29.6G 83 Linux

Type w to write partition and exit fdisk.

Creating file systems

Create ext4 fs for /boot.

# mkfs.ext4 /dev/mmcblk0p1

Create encrypted root partition.

# cryptsetup luksFormat /dev/mmcblk0p2

Then open it and create ext4 fs.

# cryptsetup luksOpen /dev/mmcblk0p2 foo
# mkfs.ext4 /dev/mapper/foo

Copying system files

Get unused loop device.

$ losetup -f
/dev/loop0

Associate image file with the loop device.

# losetup -Pf Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.img

Create temporary mountpoints and mount image.

$ mkdir mnt boot root
# mount /dev/loop0p1 mnt

Mount boot partition of SD card and copy files into it.

# mount /dev/mmcblk0p1 boot
# cp -av mnt/boot/* boot
# (cd boot; ln -s . boot)

Mount root partition and copy files.

# mount /dev/mapper/foo root
# (cd mnt && rsync -av --exclude=boot * ../root)
# sync
# mkdir root/boot
# touch root/root/.no_rootfs_resize

Unmount and close everything.

# umount mnt boot root
# losetup -d /dev/loop0
# cryptsetup luksClose foo

Configuring the system

Insert the first microSD card into Pi's microSD card slot. Plug the second one in a microSD USB adapter. Plug the adapter into the Pi and boot the board. (Default root password is 1234.)

Setup networking (it is beyond the topic).

Install cryptsetup.

# apt install cryptsetup

Now you need to determine device name of the second microSD card. In my case it's /dev/sdb, but it may be different for you. Use lsblk to list all block devices. Your unencrypted, default Armbian microSD has only one partition, while your second microSD has two partitions. So if you see sda1, sdb1 and sdb2, that means that sda if the first card and sdb is the second.

Open and mount partitions, prepare and enter chroot environment.

# cryptsetup luksOpen /dev/sdb2 rootfs
# mkdir /mnt/enc_root
# mount /dev/mapper/rootfs /mnt/enc_root
# mount /dev/sdb1 /mnt/enc_root/boot
# cd /mnt/enc_root
# mount -o rbind /dev dev
# mount -t proc proc proc
# mount -t sysfs sys sys
# cat /etc/resolv.conf > etc/resolv.conf
# chroot .

Install cryptsetup again (now on encrypted card).

# apt install cryptsetup cryptsetup-initramfs

Install sysvinit, because systemd sucks.

# apt install sysvinit-core sysvinit-utils

Open /etc/cryptsetup-initramfs/conf-hook file. Uncomment this line and set CRYPTSETUP to y:

CRYPTSETUP=y

Write /etc/fstab.

/dev/mapper/rootfs /     ext4  defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1
/dev/mmcblk0p1     /boot ext4  defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2
tmpfs              /tmp  tmpfs defaults,nosuid,noexec                                   0 0

Update initramfs.

# dpkg-reconfigure cryptsetup-initramfs

Open /etc/inittab, uncomment and edit this line (115200 is speed):

T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100

Get UUID of root device:

# blkid /dev/mmcblk0p2
/dev/sdb2: UUID="<YOURUUID>" TYPE="crypto_LUKS" PARTUUID="<YOURPARTUUID>"

Set these options in /boot/armbianEnv.txt (replace YOURUUID with real UUID from previous step):

console=serial
extraargs=root=/dev/mapper/rootfs cryptopts=source=/dev/mmcblk0p2,target=rootfs,luks
rootdev=UUID=YOURUUID

Wow, we've finished it!

Now exit chroot and power off. Put the encrypted microSD to the Pi's slot and power it on again. It should work.

If you have any comments, contact me by email.
powered by OpenBSD
© ch1p 2020