In case you followed my previous posts you already know that ARM architecture should be avoided. It's in early development, things barely work. But, if you are like me: that is exactly what brought you here! So we can continue in the next episode of setting up my #PinebookPro.
But first, #opsec. You really want to fully encrypt your laptop storage, swap included. I think Pine64 is making big mistake by not having an option to do that easily. This post is all about that, if there was an option to secure system then I would happily continue using default Manjaro install.
These are the steps to install Armbian with full-disk (or in this case eMMC) encryption based on very helpful Armbian forum post. Installer does not support this, so you have to do it manually, so let's go.
1) Download Armbian for Pinebook Pro and dd
it on microSD. Boot from it using Tow-Boot. I chose Desktop version, but do use CLI option if you want something else than Cinnamon desktop environment.
2) Once in Armbian set up cache directory:
export WORKDIR=/mnt
3) Update your system and install dependencies:
apt update && apt upgrade
apt install cryptsetup-bin gdisk
4) Start installer, when asked choose booting from eMMC and ext4
filesystem (or something else, of course), then exit at the end. Ideally, all this work should be part of installer itself, and eventually it will:
armbian-install || true
5) Now, we want to move installed files and replace the disk with encrypted volume. So, we need to take a copy of data:
mkdir -p ${WORKDIR}/emmcdata
mount /dev/mmcblk2p1 ${WORKDIR}/emmcdata
rsync -a --info=progress2 ${WORKDIR}/emmcdata/. ${WORKDIR}/backup
sync
umount /dev/mmcblk2p1
rmdir ${WORKDIR}/emmcdata
6) Create partition layout. We need two partitions: unencrypted /boot
and the rest for encrypted data:
sgdisk -og /dev/mmcblk2
sgdisk -n 1:32768:+512M -t 0:8300 /dev/mmcblk2
sgdisk -n 0:0:0 -t 0:8300 /dev/mmcblk2
7) Create partitions. Simple /boot
and encrypted rootfs
volume. Notice how we use temporary key for encryption. Don't worry, we'll set up passphrase later. Again, I chose ext4
, but you don't have to:
mkfs.ext4 -F -L bootfs /dev/mmcblk2p1
dd if=/dev/zero bs=$((512/8)) count=1 of=/dev/shm/keyfile
cryptsetup luksFormat --batch-mode --cipher=aes-xts-plain64 --key-size=512 --hash=sha512 /dev/mmcblk2p2 /dev/shm/keyfile
cryptsetup open /dev/mmcblk2p2 rootfs --key-file=/dev/shm/keyfile
mkfs.ext4 -L rootfs /dev/mapper/rootfs
8) Mount partitions for sync:
mkdir -p ${WORKDIR}/restore
mount /dev/mapper/rootfs ${WORKDIR}/restore
mkdir -p ${WORKDIR}/restore/boot
mount /dev/mmcblk2p1 ${WORKDIR}/restore/boot
9) Restore installer files from backup at step 5:
rsync -a --info=progress2 ${WORKDIR}/backup/. ${WORKDIR}/restore
sync
10) Tell Armbian not to try to be smart and attempt partition resizing at the first boot, or it will mess up your encrypted volume:
touch ${WORKDIR}/restore/root/.no_rootfs_resize
11) Prepare your new environment:
cd ${WORKDIR}/restore
mount -o rbind /dev dev
mount -t proc proc proc
mount -t sysfs sys sys
cat /etc/resolv.conf > etc/resolv.conf
cat /etc/hosts > etc/hosts
cat /etc/apt/sources.list > etc/apt/sources.list
cat /etc/apt/sources.list.d/armbian.list > etc/apt/sources.list.d/armbian.list
12) Make it aware of proper root filesystem volume:
sed -i '/^bootlogo=/s,=.*,=false,;/^rootdev=/s,=.*,=/dev/mapper/rootfs,' boot/armbianEnv.txt
13) Add active modules to initramfs
:
lsmod | cut -d ' ' -f1 | tail -n+2 > etc/initramfs-tools/modules
14) Create crypttab
:
echo "rootfs UUID=$(lsblk /dev/mmcblk2p2 --nodeps --noheadings -o UUID) none initramfs,luks" > etc/crypttab
15) Create fstab
:
echo "/dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1" > etc/fstab
echo "UUID=$(lsblk /dev/mmcblk2p1 --noheadings -o UUID) /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2" >> etc/fstab
echo "tmpfs /tmp tmpfs defaults,nosuid 0 0" >> etc/fstab
16) Chroot into your new system and do what installer should be doing in the first place (don't forget, you should be in ${WORKDIR}/restore
in case you went to explore around in the meantime):
cat << EOF > config
#!/bin/sh -vx
apt update
echo 'force-confdef' > /root/.dpkg.cfg
apt --yes install cryptsetup-initramfs
rm /root/.dpkg.cfg
lsinitramfs /boot/initrd.img* | grep 'usr.*cryptsetup'
exit
EOF
chmod +x config
chroot . ./config
rm config
17) Set up your final passphrase that will make temporary key obsolete. Use something strong here:
cryptsetup luksChangeKey --key-file=/dev/shm/keyfile --cipher=aes-xts-plain64 --hash=sha512 /dev/mmcblk2p2
18) Umount all filesystems:
umount | awk '/restore/{print $3}' | sort -r | xargs umount
19) And finally, power-off and remove Armbian installer's microSD card, then start your system. Your data is now protected at rest and you can finally start properly using your Pinebook Pro.
Posts in #PinebookPro series: