The default Armbian images do not offer an encrypted root partition. Unfortunately you have to build the image yourself in order to use LUKS on your root partition.
In order to build an Armbian image you need to set up a VM or Docker container first. After that you can build the Armbian image for a supported board of your choice. A good guide for this is found in the official docs: Building Armbian
A quick overview of the process is the following:
- Set up a VM and log in as
- Set up the tools you need for compiling
git clone --depth 1 https://github.com/armbian/build
We will first use a dummy password for the LUKS container, as you probably do not want to expose your real password to the
compile.sh script. Note that it is technically possible for the Armbian build script to obtain a copy of the unencrypted master key of your LUKS container. This is a matter of trust, as with any installation tool you run to encrypt your system.
So you need to compile with the following flags, which are documented in the Build Options documentation:
./compile.sh CRYPTROOT_ENABLE=yes CRYPTROOT_PASSPHRASE=123456 CRYPTROOT_SSH_UNLOCK=yes CRYPTROOT_SSH_UNLOCK_PORT=2222
This sets up full-disk encryption and an SSH server that runs before your root partition is unlocked and mounted. You should run it on a port other than 22, because the SSH server in the initramfs and the one in the root filesystem use different host keys (your SSH client would otherwise warn about a changed host key).
A menu should open which allows you to choose the board, kernel version and other options. Choose to build an image if the setup asks you. After approximately 30 minutes you should have an
`Armbian_*.key` file in
Changing the password of the LUKS container
After generating the image and copying it to a host system you trust, you can change the password by mapping the partitions of the
`Armbian_*.img` file to loopback devices:
kpartx -v -a Armbian_*.img
cryptsetup luksAddKey /dev/mapper/loop0p2
cryptsetup luksRemoveKey /dev/mapper/loop0p2
cryptsetup luksDump /dev/mapper/loop0p2
kpartx -d Armbian_*.img
You have now added a new key slot and removed the previous one (the dummy passphrase); the luksDump output lets you check that only the new slot is enabled.
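As an added example that is not part of the original post or the Armbian project, the re-keying above as a script that checks the new key opens the container before the dummy slot is removed and then counts the enabled slots in the luksDump output. It assumes root on the trusted host, kpartx and cryptsetup installed, and the root filesystem on the image's second partition as above; the function names are my own.

```bash
#!/bin/bash
# Added example, not the Armbian project's code: replace the dummy passphrase given
# to compile.sh with a real key file and confirm exactly one key slot remains.
# Assumes: run as root on the trusted host; kpartx and cryptsetup installed; the
# root filesystem is the image's second partition (loopNp2, as in the text above).
set -eu

# Count enabled key slots in `cryptsetup luksDump` output (LUKS1 and LUKS2 layouts).
count_enabled_keyslots() {
  awk '
    /^Key Slot [0-9]+: ENABLED/ { n++ }         # LUKS1: one "Key Slot N:" line per slot
    /^Keyslots:/ { in_ks = 1; next }            # LUKS2: slots listed under this header
    in_ks && /^[A-Za-z ]+:$/ { in_ks = 0 }      # next section header (Tokens:, Digests:)
    in_ks && /^  [0-9]+: luks2/ { n++ }
    END { print n + 0 }'
}

# rekey_image IMAGE NEW_KEY_FILE DUMMY_PASSPHRASE (dummy exactly as passed to compile.sh)
rekey_image() {
  image=$1; keyfile=$2; dummy=$3
  # kpartx -v prints "add map loop0p1 ...", then "add map loop0p2 ..."; take the second
  part="/dev/mapper/$(kpartx -v -a "$image" | awk 'NR == 2 { print $3 }')"
  # Add the new key; the existing (dummy) passphrase is read from stdin via --key-file=-
  printf '%s' "$dummy" | cryptsetup luksAddKey --key-file=- "$part" "$keyfile"
  # Prove the new key opens the container before the dummy slot is removed
  cryptsetup open --test-passphrase --key-file "$keyfile" "$part"
  printf '%s' "$dummy" | cryptsetup luksRemoveKey --key-file=- "$part"
  slots=$(cryptsetup luksDump "$part" | count_enabled_keyslots)
  kpartx -d "$image"
  [ "$slots" -eq 1 ] || { echo "expected exactly 1 key slot, found $slots" >&2; return 1; }
}

# Constructed LUKS2 luksDump excerpt: two slots, i.e. the state before luksRemoveKey
sample_luks2_dump() {
  cat <<'EOF'
LUKS header information
Version:        2

Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2
EOF
}

if [ $# -eq 3 ]; then rekey_image "$@"; fi
```

Adding and removing a key slot only re-wraps the existing volume master key and does not rotate it, which is why the trust consideration about compile.sh above still applies after re-keying.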
Booting the encrypted system
When you boot up your embedded system, a dropbear SSH server is started on port 2222. You can use the
`Armbian_*.key` to log in as root (replace `<board-ip>` with the address of your board):
ssh root@<board-ip> -p2222 -i Armbian_*.key
Run cryptroot-unlock in the SSH session to unlock the root partition and continue booting.
Finally you can log in to your embedded system as usual (default credentials are root:1234):
Add an authorized key
To unlock your root partition with a different SSH key, add your public key to
/etc/dropbear-initramfs/authorized_keys. After that you need to update your initramfs:
After a reboot you should be able to log in with your SSH key instead of the previous