mmgen / mmgen-geek-tools

Random scripts to make a geek’s life easier
GNU General Public License v3.0

Step 9 question #4

Closed technicalitch500 closed 3 years ago

technicalitch500 commented 3 years ago

NOTE: I would have liked to have posted this as a comment on the Armbian forum, but I have only just joined there and have a post limit


Dear MMGen,

Firstly many thanks for taking the time to create this guide, much appreciated! https://forum.armbian.com/topic/15618-full-root-filesystem%C2%A0encryption%C2%A0on-an-armbian-system-new-replaces-2017-tutorial-on-this-topic

I am a Linux and Terminal N00b, normally 75% of things I try end in some kind of error that I cannot easily overcome, but all part of the learning process I guess! With your guide I am 75% through with no problems so far which is rewarding in itself :)

I am at Step 9 and do not fully understand what I am to do next… I have a rough idea, that config files on the target system are to be edited and saved using a Text Editor. I am just not sure how to locate these files (I need to better learn how to search and navigate directories in Terminal!).

I would be extremely grateful if you could you give me some pointers on how to locate, open and edit the config files mentioned in step 9.

I have found this guide: https://vitux.com/how-to-edit-config-files-in-ubuntu/

I guess then the command I need is as follows, but I need the paths to the files: $ sudo gedit /path/to/filename

I will try and leave the system running - but secondary question would be can I resume where I left off if I need to shutdown? Or would I need to run the whole process again from the start? If so would I have created any issues by shutting down that I would need to fix before resuming?

Many thanks!

mmgen commented 3 years ago

Yes, that's correct. Or you could use nano instead of gedit. And omit sudo - it's unnecessary because you're already root user. Make sure to use the paths as indicated, without leading slashes. When finished with the editing steps, continue executing the commands exactly as indicated in the guide and everything should work. Note that the halt -p command should shut down the board, but you may need to cut the power manually afterwards.

technicalitch500 commented 3 years ago

Hey,

Many thanks for coming back to me on this.

I happen to be using Gedit, would you recommend Nano?

So using the first one as example, I only need to execute the following command to launch the first config file?

$ gedit /boot/boot.cmd

Is the above both the path and the file? I assumed the path would be more complex, perhaps referencing sda?

... I am being cautious as aware I could end up editing the config files of the host system.

Sure these are pretty basic questions so apologies for that!

mmgen commented 3 years ago

Gedit is fine, if that's what you're using. But in my previous comment I warned that you must use the exact paths indicated, without leading slashes, which you seem to have missed. Otherwise, you will be editing the host system config files, which is not what you want.

The editing steps are performed in the subdirectory root of your working directory, i.e. the root of the target system, which is where you'll be if you've performed all the steps of the tutorial in order from the beginning.

Note that this tutorial is intended for people with a basic understanding of the Unix file system and use of the command line. To avoid damaging your host system, you might wish to get up to speed with an online Linux/Unix primer before proceeding further.

technicalitch500 commented 3 years ago

Yes you are right I lack some basic understanding but this is prompting me to learn.

I’m trying to set-up a RockPro64 as an airgapped desktop machine and so full system encryption is an initial requirement. Luckily there are no issues if I were to accidentally edit the host files, as I can always start over with the host.

I have a few more questions as relate to Step 9.

Q1.

Regarding Step 9.2. When I opened ‘armbianEnv.txt’ there was no Console line to amend… is that right?

Here is what I see:

verbosity=1 bootlogo=true overlay_prefix=rockchip rootdev=UUID=34927065-13a3-4f55-a232-875368aebcaf rootfstype=ext4

Should I make the other two changes and omit the Console change? Or should I add the Console line? If so, where?

Q2.

Regarding Step 9.3. I am not sure if I need to make this change or not? As an airgapped device, once set-up I would not plan to connect to the internet.

Q3.

Regarding Step 9.5. My understanding of SSH is that this step would be for those using the system headless so they can login remotely. For my use case as an airgapped machine I will not need SSH, therefore is this step required? If it is somehow required (perhaps this allows the encryption to be unlocked?) I am just not sure what my SSH public key information is to amend the command or indeed where I would find this.

Q4.

Regarding Step 9.8. I haven’t got this far yet, but I see it refers to the directory created as part of step 9.5. If I (potentially) don’t need to set-up SSH, would this step be required?

Q5.

I have noticed you have a script that automates the process. Would this be the better way to set-up do you think? That said I am not quite sure how to run this script and feel I am now 95% there with the manual process.

Once more, thanks.

mmgen commented 3 years ago

In answer to your questions:

Q1: Go ahead and set the console variable anyway. It shouldn’t hurt.

Q2, Q3, Q4: Yes, you can omit these steps for an air-gapped device.

Q5: If you’re 95% there, I’d recommend continuing with the tutorial.

Note that the tutorial and script haven’t been tested on the RockPro64, so results are not guaranteed!

If everything works for you, please let me know and I’ll add your board to the “tested” list. If it doesn’t work, an alternative might be to build Armbian using the CRYPTROOT_ENABLE option:

https://docs.armbian.com/Developer-Guide_Build-Options/

Assuming everything works, if you have a spare SD card, you might want to try out the script and report on your success with that too. Note that the script can be configured to omit the remote unlocking feature.

Good luck!

technicalitch500 commented 3 years ago

Thanks for the encouragement!

A few steps away, fingers crossed it can work for the RockPro64.

Yes I did see someone comment on your post regarding CRYPTROOT_ENABLE - Like your script it probably opens up many more questions. I also saw this thread which makes me wonder if it works right now: https://forum.armbian.com/topic/11162-problems-with-crypt-root/

For complete clarity would you mind taking a look at the below and let me know if I am correct regarding final steps to implement versus to leave out?

Many thanks!

9.2. >>> rootdev=/dev/mapper/rootfs console=display bootlogo=false >>> Re: Console variable, does it matter where I add it? Will the bottom suffice?

9.3.1. >>> IP=192.168.0.88:::255.255.255.0::eth0:off >>> Unneeded for airgapped

9.3.2. >>> DEVICE=eth0 >>> Unneeded for airgapped

9.4. >>> # lsmod | cut -d ' ' -f1 | tail -n+2 > etc/initramfs-tools/modules >>> Unneeded as Focal

9.5.1. >>> # mkdir -p etc/dropbear-initramfs >>> Should I create this directory for later steps?

9.5.2. >>> # rsync yourusername@remotemachine:.ssh/id*.pub etc/dropbear-initramfs/authorized_keys >>> Unneeded for airgapped

9.6. >>> # echo "rootfs UUID=$ROOT_UUID none initramfs,luks" > etc/crypttab >>> Presume required

9.7.1. >>> # echo '/dev/mapper/rootfs / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1' > etc/fstab >>> Presume required

9.7.2. >>> # echo "UUID=$BOOT_UUID /boot ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 2" >> etc/fstab >>> Presume required

9.7.3. >>> # echo 'tmpfs /tmp tmpfs defaults,nosuid 0 0' >> etc/fstab >>> Presume required

9.8.1. >>> # echo 'DROPBEAR_OPTIONS="-p 2222"' > etc/dropbear-initramfs/config >>> Presume required

9.8.2. >>> # echo 'DROPBEAR=y' >> etc/dropbear-initramfs/config >>> Presume required

9.9. >>> # echo 'export CRYPTSETUP=y' > etc/initramfs-tools/conf.d/cryptsetup >>> Presume required

10.1. >>> # chroot . >>> Presume required

10.2. >>> # mkimage -C none -A arm -T script -d /boot/boot.cmd /boot/boot.scr >>> Presume required

10.3. >>> # apt update >>> Presume required

10.4. >>> # echo 'force-confdef' > /root/.dpkg.cfg >>> Presume required

10.5. >>> # apt --yes install cryptsetup-initramfs dropbear-initramfs >>> Presume required

10.6. >>> # apt --yes install cryptsetup dropbear-initramfs >>> Presume required

10.7. >>> # rm /root/.dpkg.cfg >>> Presume required

10.8. >>> # lsinitramfs /boot/initrd.img | grep 'usr.cryptsetup' >>> Presume required

10.9. >>> # lsinitramfs /boot/initrd.img* | grep dropbear >>> Presume required

10.10. >>> # lsinitramfs /boot/initrd.img* | grep authorized_keys >>> Presume required

10.11. >>> # exit >>> Presume required

10.12. >>> # halt -p >>> Presume required

10.13. >>> $ ssh -p 2222 -x root@192.168.0.88 'echo -n abc > /lib/cryptsetup/passfifo' >>> Presume required

mmgen commented 3 years ago

9.2 - No, it doesn't matter, but the vars must be on separate lines, not all on one line as you've listed them.

9.5 - Skip this step entirely

9.8 - Skip this step entirely

Otherwise OK
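The two points mmgen makes about Step 9.2 (edit the target's `boot/armbianEnv.txt` via a path relative to the working directory, never the host's own `/boot/armbianEnv.txt`, and put each variable on its own line, appending `console=` if the board's file never had one) as an added shell example. This is not code from the tutorial, the mmgen-geek-tools script or anyone in this thread; the function names `check_target_root`, `set_env_var`, `get_env_var`, `step_9_2` and `make_sample_root` are assumptions, and the sample file is constructed from the contents the asker pasted above.

```shell
#!/bin/sh
# Added example, not part of the tutorial or this thread: apply the Step 9.2
# armbianEnv.txt edits to the TARGET root (the unpacked rootfs in the working
# directory). Existing keys are replaced in place, absent keys are appended,
# one variable per line. Helper names here are assumptions.

# Refuse to operate if the given root resolves to the host's own "/".
check_target_root() {
    resolved=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    [ "$resolved" != "/" ]
}

# set_env_var ROOT KEY VALUE: replace "KEY=..." in ROOT/boot/armbianEnv.txt,
# or append "KEY=VALUE" on its own line if KEY is not present.
set_env_var() {
    root=$1 key=$2 value=$3
    f="$root/boot/armbianEnv.txt"
    check_target_root "$root" || { echo "refusing: '$root' is the host root" >&2; return 1; }
    [ -f "$f" ] || { echo "missing $f (is the target rootfs unpacked here?)" >&2; return 1; }
    awk -F= -v k="$key" -v v="$value" '
        BEGIN { OFS = "=" }
        $1 == k { print k, v; seen = 1; next }   # replace the existing line
        { print }                                # keep all other lines verbatim
        END { if (!seen) print k, v }            # append if the key was absent
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# get_env_var ROOT KEY: print KEY's value (everything after the first "=").
get_env_var() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print }' "$1/boot/armbianEnv.txt"
}

# The three Step 9.2 settings from the thread, each ending up on its own line.
step_9_2() {
    set_env_var "$1" rootdev /dev/mapper/rootfs &&
    set_env_var "$1" console display &&
    set_env_var "$1" bootlogo false
}

# Constructed sample target root with the armbianEnv.txt the asker reported
# (note: no console= line). Prints the directory it created.
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/boot" || return 1
    printf '%s\n' 'verbosity=1' 'bootlogo=true' 'overlay_prefix=rockchip' \
        'rootdev=UUID=34927065-13a3-4f55-a232-875368aebcaf' 'rootfstype=ext4' \
        > "$d/boot/armbianEnv.txt"
    echo "$d"
}
```

Run `step_9_2 .` from the working directory that holds the unpacked target rootfs; `step_9_2 /` is refused so the host's boot configuration is never touched by mistake.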

technicalitch500 commented 3 years ago

It worked!

I have not had time to play around with it, test using / adding applications but hopefully no issues.

I would like to now copy this SD card and use it as a master template. I have two Micro SD to USB adapters... in your view is the following command what I need (of course using 'lsblk' to first identify the correct references for each device on my system):

$ sudo dd if=/dev/sdc of=/dev/sdd

https://www.addictivetips.com/ubuntu-linux-tips/back-up-sd-cards-and-flash-drives-linux/

Big thanks - is there a way I can send you an email or direct mail?

mmgen commented 3 years ago

Congratulations!

Upgrading the system will work, just like an ordinary unencrypted system.

The dd command will work, assuming the destination card has equal or greater capacity than the source.

You can PM me on reddit (user mmgen-py) or email me at mmgen at tuta dot io.