Installing Armbian Buster on Orange Pi PC2 with full-disk encryption and sysvinit
I'm using Orange Pi PC2 here, but this should work for other sunxi boards as well.
This article is based on this awesome post, but has some additions and corrections. You will need two identical (in terms of storage size) microSD cards.
I do not cover installing dropbear to decrypt rootfs over ssh because I don't need it. It is assumed that you have a serial console over UART and will later enter the password in this console.
Requirements
- Orange Pi PC2
- Two microSD cards
- One USB - microSD adapter
Preparing first microSD
First of all, download and unpack the image.
$ 7z x Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.7z
Copy the unpacked image (file with .img extension) to the first microSD card.
# dd if=./Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.img of=/dev/mmcblk0 bs=2M
Preparing second microSD
Partitioning
Flash bootloader to the second microSD.
# dd if=./Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.img of=/dev/mmcblk0 bs=512 count=4096
Open fdisk.
# fdisk /dev/mmcblk0
Type p to print current partition table.
Command (m for help): p
Device Boot Start End Sectors Size Id Type
/dev/mmcblk0p1 8192 2875391 2867200 1.4G 83 Linux
Note the start sector of the first partition (8192 in my case).
Create a new DOS disklabel with the o command.
Command (m for help): o
Created a new DOS disklabel with disk identifier 0xad9b5e1b.
Create the boot partition. Use the n command, primary (p) type, 8192 as the first sector and +100M for size.
Command (m for help): n
Partition type
p primary (0 primary, 0 extended, 4 free)
e extended (container for logical partitions)
Select (default p): p <ENTER>
Partition number (1-4, default 1): <ENTER>
First sector (2048-62333951, default 2048): 8192 <ENTER>
Last sector, +/-sectors or +/-size{K,M,G,T,P} (8192-62333951, default 62333951): +100M <ENTER>
Created a new partition 1 of type 'Linux' and of size 100 MiB.
Partition #1 contains a ext4 signature.
Do you want to remove the signature? [Y]es/[N]o: Y
Print partition table (use p) again and note the last sector of partition #1:
Device Boot Start End Sectors Size Id Type
/dev/mmcblk0p1 8192 212991 204800 100M 83 Linux
Create the root partition (this is the one that will be encrypted). Use the end sector of the boot partition plus 1 (212992 in my case) as the first sector of the new partition.
Command (m for help): n
Partition type
p primary (1 primary, 0 extended, 3 free)
e extended (container for logical partitions)
Select (default p): <ENTER>
Using default response p.
Partition number (2-4, default 2): <ENTER>
First sector (2048-62333951, default 2048): 212992 <ENTER>
Last sector, +/-sectors or +/-size{K,M,G,T,P} (212992-62333951, default 62333951): <ENTER>
Now your partition table should look like this:
Device Boot Start End Sectors Size Id Type
/dev/mmcblk0p1 8192 212991 204800 100M 83 Linux
/dev/mmcblk0p2 212992 62333951 62120960 29.6G 83 Linux
Type w to write the partition table and exit fdisk.
Creating file systems
Create ext4 fs for /boot.
# mkfs.ext4 /dev/mmcblk0p1
Create encrypted root partition.
# cryptsetup luksFormat /dev/mmcblk0p2
Then open it and create ext4 fs.
# cryptsetup luksOpen /dev/mmcblk0p2 foo
# mkfs.ext4 /dev/mapper/foo
Copying system files
Get unused loop device.
$ losetup -f
/dev/loop0
Associate image file with the loop device.
# losetup -Pf Armbian_19.11.3_Orangepipc2_buster_current_5.3.9.img
Create temporary mountpoints and mount image.
$ mkdir mnt boot root
# mount /dev/loop0p1 mnt
Mount boot partition of SD card and copy files into it.
# mount /dev/mmcblk0p1 boot
# cp -av mnt/boot/* boot
# (cd boot && ln -s . boot)
Mount root partition and copy files.
# mount /dev/mapper/foo root
# (cd mnt && rsync -av --exclude=boot * ../root)
# sync
# mkdir root/boot
# touch root/root/.no_rootfs_resize
Unmount and close everything.
# umount mnt boot root
# losetup -d /dev/loop0
# cryptsetup luksClose foo
Configuring the system
Insert the first microSD card into the Pi's microSD card slot. Plug the second one into a microSD USB adapter. Plug the adapter into the Pi and boot the board. (Default root password is 1234.)
Set up networking (this is beyond the scope of this article).
Install cryptsetup.
# apt install cryptsetup
Now you need to determine the device name of the second microSD card. In my case it's /dev/sdb, but it may be different for you. Use lsblk to list all block devices. Your unencrypted, default Armbian microSD has only one partition, while your second microSD has two partitions. So if you see sda1, sdb1 and sdb2, that means that sda is the first card and sdb is the second.
Open and mount partitions, prepare and enter chroot environment.
# cryptsetup luksOpen /dev/sdb2 rootfs
# mkdir /mnt/enc_root
# mount /dev/mapper/rootfs /mnt/enc_root
# mount /dev/sdb1 /mnt/enc_root/boot
# cd /mnt/enc_root
# mount -o rbind /dev dev
# mount -t proc proc proc
# mount -t sysfs sys sys
# cat /etc/resolv.conf > etc/resolv.conf
# chroot .
Install cryptsetup again (now on encrypted card).
# apt install cryptsetup cryptsetup-initramfs
Install sysvinit, because systemd sucks.
# apt install sysvinit-core sysvinit-utils
Open /etc/cryptsetup-initramfs/conf-hook file. Uncomment this line and set CRYPTSETUP to y:
CRYPTSETUP=y
Write /etc/fstab.
/dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1
/dev/mmcblk0p1 /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2
tmpfs /tmp tmpfs defaults,nosuid,noexec 0 0
Update initramfs.
# dpkg-reconfigure cryptsetup-initramfs
Open /etc/inittab, uncomment and edit this line (115200 is speed):
T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100
Get UUID of root device:
# blkid /dev/sdb2
/dev/sdb2: UUID="<YOURUUID>" TYPE="crypto_LUKS" PARTUUID="<YOURPARTUUID>"
Set these options in /boot/armbianEnv.txt (replace YOURUUID with the real UUID from the previous step):
console=serial
extraargs=root=/dev/mapper/rootfs cryptopts=source=/dev/mmcblk0p2,target=rootfs,luks
rootdev=UUID=YOURUUID
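A mismatch between the mapper name in /etc/fstab, the root= and cryptopts target in /boot/armbianEnv.txt, or a still-commented CRYPTSETUP line leaves the card unable to unlock its rootfs, so the three files can be cross-checked before leaving the chroot. The shell function below is an added example, not part of the original article; check_crypt_boot and its root-directory argument are hypothetical names.

```shell
#!/bin/sh
# Added example: cross-check the files edited in this guide before rebooting.
# check_crypt_boot is a hypothetical helper; $1 is the root directory to
# inspect ("/" inside the chroot, or /mnt/enc_root from outside it).
check_crypt_boot() {
    root=${1:-/}
    env="$root/boot/armbianEnv.txt"
    fstab="$root/etc/fstab"
    hook="$root/etc/cryptsetup-initramfs/conf-hook"
    rc=0

    # conf-hook: the CRYPTSETUP=y line must be uncommented
    grep -Eq '^[[:space:]]*CRYPTSETUP=y' "$hook" ||
        { echo "conf-hook: CRYPTSETUP=y is not set"; rc=1; }

    # armbianEnv.txt: pull root= and the cryptopts target= out of extraargs
    extra=$(sed -n 's/^extraargs=//p' "$env")
    kroot=$(printf '%s\n' "$extra" | tr ' ' '\n' | sed -n 's/^root=//p')
    target=$(printf '%s\n' "$extra" | tr ' ' '\n' |
        sed -n 's/^cryptopts=//p' | tr ',' '\n' | sed -n 's/^target=//p')
    [ -n "$target" ] || { echo "armbianEnv.txt: no cryptopts target="; rc=1; }
    [ "$kroot" = "/dev/mapper/$target" ] ||
        { echo "armbianEnv.txt: root=$kroot does not match target=$target"; rc=1; }

    # rootdev must carry a real UUID, not the YOURUUID placeholder
    rootdev=$(sed -n 's/^rootdev=UUID=//p' "$env")
    case "$rootdev" in
        ''|*YOURUUID*) echo "armbianEnv.txt: rootdev UUID not filled in"; rc=1 ;;
    esac

    # fstab: the device mounted on / must use the same mapper name
    fsroot=$(awk '$1 !~ /^#/ && $2 == "/" {print $1}' "$fstab")
    [ "$fsroot" = "/dev/mapper/$target" ] ||
        { echo "fstab: / is on $fsroot, expected /dev/mapper/$target"; rc=1; }

    return $rc
}
```

Inside the chroot, call it as check_crypt_boot /; it prints each mismatch it finds and returns non-zero if there is at least one.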
Wow, we've finished it!
Now exit the chroot and power off. Put the encrypted microSD into the Pi's slot and power it on again. It should work.