Feature: Optional LUKS encryption of rootfs #948
Replaced all (5) occurrences of `${LOOP}p${rootpart}` with `$rootdevice`. This minor refactoring makes further additions easier to merge. For example using a LUKS mapper device `/dev/mapper/cryptroot` instead of `/dev/loop0p2` as the actual root device can now be handled by just re-assigning the `$rootdevice` variable, while all other related code lines (mkfs, mount, ...) won't need to change.
This set of changes allows optional encryption of the root filesystem using LUKS when building the Armbian image.

The following 4 advanced build options were added:

- CRYPTROOT_ENABLE=yes # encrypt the root file system
- CRYPTROOT_PASSPHRASE="1234" # passphrase to unlock root file system on boot
- CRYPTROOT_SSH_UNLOCK=yes # enable ssh (dropbear) during boot to unlock root file system
- CRYPTROOT_SSH_PORT=2222 # change the ssh port of the root system to avoid host key changed conflicts

Implementation details:

lib/configuration.sh
--------------------
Add the packages `cryptsetup` and `dropbear-initramfs` if the respective build options are set.

packages/bsp/common/etc/init.d/resize2fs
----------------------------------------
Added logic to handle partitions of type `crypt` (LUKS container) and automatic resizing of the LUKS container before the root filesystem can be expanded.

/lib/debootstrap-ng.sh
----------------------
This file needed the most changes (mostly additions).

1. We need a 2-partition layout when using LUKS encryption (`CRYPTROOT_ENABLE=yes`)
2. We need to create the LUKS container before the filesystem can be created (mkfs)
3. We need to add the file `/etc/crypttab` with the respective partition mapping
4. `/etc/fstab` needs to mount the root filesystem from the LUKS container (crypttab)
5. `/boot/armbian.txt` and `/boot/boot.ini` need to be modified accordingly to be able to boot from a `cryptroot`
6. `update-initramfs` needs to be called, so `cryptsetup` and `dropbear` get included in the initramfs
7. If the build options enable early boot SSH access (`CRYPTROOT_SSH_UNLOCK=yes`) a SSH keypair needs to be generated for the `dropbear` SSH daemon. This is needed for boards without a display connector.
8. If the build options specify a non-default SSH port for the root system (OpenSSH) via `CRYPTROOT_SSH_PORT=<PORT>`, we need to modify `/etc/sshd_config` accordingly.
9. The crypt device (LUKS container) needs to be closed after unmounting root when image creation is complete.
|
The idea and implementation look good to me, thanks for the work and prior tests, but I think it can (and should be) simplified. Since I'm not sure that we want to build and distribute cryptroot-enabled images by default, some things are not needed IMO. My current thoughts:
I would make this option mandatory if
I would adjust the dropbear port instead and leave changing
I believe we also need to add "ip=dhcp" (or the static network config) to the kernel command line in case we want to use the SSH unlock option
I looked at the And I would not dump the contents of |
|
Please note that you can amend and force-push any changes to your branch so you don't need to close this PR. |
|
As I said in the other post, it could be made as a post-install script. Like nand-sata-install, it could be nand-sata-encryptedroot-install. Something like that is working manually for me with the kernel 4.9 but not for the 4.14 directly on the running odroid.
|
The working script on the Armbian_5.44.180510_Odroidxu4_Debian_stretch_dev_4.14.40 image:

```bash
apt update
apt install lvm2 cryptsetup dropbear-initramfs
cryptsetup luksFormat /dev/sda
pvcreate --dataalignmentoffset 1s /dev/mapper/sdc
mkfs.ext4 /dev/sdg/root -E discard

# Copy the root partition to SSD
mount /dev/sdg/root /mnt
sudo rsync -ahPHAXx --delete --exclude={/boot/,/dev/,/proc/,/sys/,/tmp/,/run/,/mnt/,/media/,/lost+found} / /mnt

# CRYPTTAB
echo 'sdc /dev/sda none luks,initramfs,discard' >> /mnt/etc/crypttab

# FSTAB
echo '/dev/sdg/root / ext4 defaults,noatime,nodiratime,commit=600,errors=remount-ro 0 1' >> /mnt/etc/fstab

# BOOTINI
cp /boot/boot.ini /boot/boot.ori
sed -e 's/root=.*"/root=/dev/sdg/root cryptopts=source=/dev/sda,target=sdc,lvm=sdg"/' -i /media/boot/boot.ini.default
update-initramfs -u
mkimage -C none -A arm -T script -d /boot/boot.ini /boot/boot.s
```
It's not the |
|
OK. I'll fix that.
OK. I'll check if the dropbear port can be configured and fix that. |
|
Using a Question: If I read your script correctly, you are using the SD card only for the |
It is not the default option, but I looked through dropbear-initramfs scripts after my comment and the init-premount script tries to configure networking explicitly even if the kernel parameter is missing. Though dropbear-initramfs postinstall script still outputs this
No, don't think that is necessary for now, but it will require documentation for manual network configuration (w/o DHCP, yes, some people may want this for some reason) and a clarification that wireless network is not supported in this scenario.
I see. I expected
Something like should work |
According to upstream feedback: armbian#948 (comment) Removed default passphrase when LUKS encryption is enabled and the related warnings. Also made `CRYPTROOT_PASSPHRASE` mandatory along with `CRYPTROOT_ENABLE=YES` and abort if missing.
According to upstream feedback: armbian#948 (comment) Allow configuration of the dropbear SSH port instead of the sshd port of the root system. This leaves `/etc/ssh/sshd_config` unchanged. Renamed the configuration variable to `CRYPTROOT_SSH_UNLOCK_PORT`.
According to upstream feedback: armbian#948 (comment) Don't dump the contents of armbianEnv.txt or boot.ini to the terminal.
I pushed all requested changes to my development branch. However, I did a regular push and don't know what you mean by |
OK. I only tested with Ethernet (LAN) of the Odroid HC1 and there it works with DHCP without adding the Where should the documentation for this be done? Do you want me to take care of that and mention the limitations as of now? |
|
@zciendor
|
[WIP] Feature: Optional LUKS encryption of rootfs
This was already implemented with armbian#948 before, but never made it into the master branch yet. Probably because the development branch has been abandoned in the meantime and it is too much effort now to merge it into master. It includes all the cleanup changes from commit 08743d3 and has been successfully tested on an Odroid HC1.

In addition to what is currently in the `luks` branch the following improvements were done/added:

1. update_initramfs() function in debootstrap-ng.sh, which needs to be invoked after the partition layout and /etc/crypttab was created. Else `cryptroot-unlock` won't work and you'll run into: https://serverfault.com/questions/907254/cryproot-unlock-with-dropbear-timeout-while-waiting-for-askpass Apart from that it might be useful to always run `update-initramfs` at the end of the build process anyway, in case customize_image (userpatches) made some changes to the initramfs tools configs.
2. CRYPTROOT_SSH_UNLOCK=yes/no config option. It's by default set to yes, but it might be desired by some users to disable SSH/dropbear access while still having LUKS support. E.g. if they have a device that has a display and keyboard.
3. If no `authorized_keys` file is provided via userpatches, a new SSH key pair is generated and for convenience copied to the output directory along with the final image.
I had an issue with that command, so I changed it with some help to this one: `sed -e 's!root=.*"!root=/dev/sdg/root cryptopts=source=/dev/sda,target=sdc,lvm=sdg"!' -i /media/boot/boot.ini.default` Which is working but could not find the file - so there is still work for me to search this file. Okay, I crashed my System with this (No init found. Try passing init= bootarg.). Thankfully I did an SD Card Backup so I could revert. Is anyone still here to tell me what I am doing wrong? I changed the init.d file on the standard root partition. Maybe it was the wrong one?
Initial implementation for feature request #947
This set of changes allows optional encryption of the root filesystem using LUKS when building the Armbian image.
The following 4 advanced build options were added:
CRYPTROOT_ENABLE=yes # encrypt the root file system
CRYPTROOT_PASSPHRASE="1234" # mandatory passphrase to unlock root file system on boot
CRYPTROOT_SSH_UNLOCK=yes # enable ssh (dropbear) during boot to unlock root file system
CRYPTROOT_SSH_UNLOCK_PORT=2222 # change the ssh port of the boot system to avoid host key changed conflicts

Implementation details:
lib/configuration.sh
Add the packages `cryptsetup` and `dropbear-initramfs` if the respective build options are set.

packages/bsp/common/etc/init.d/resize2fs
Added logic to handle partitions of type `crypt` (LUKS container) and automatic resizing of the LUKS container before the root filesystem can be expanded.
/lib/debootstrap-ng.sh
This file needed the most changes (mostly additions).
- `CRYPTROOT_ENABLE=yes`)
- `/etc/crypttab` with the respective partition mapping
- `/etc/fstab` needs to mount the root filesystem from the LUKS container (crypttab)
- `/boot/armbian.txt` and `/boot/boot.ini` need to be modified accordingly to be able to boot from a `cryptroot`
- `update-initramfs` needs to be called, so `cryptsetup` and `dropbear` get included in the initramfs
- `CRYPTROOT_SSH_UNLOCK=yes`) a SSH keypair needs to be generated for the `dropbear` SSH daemon. This is needed for boards without a display connector.
- `CRYPTROOT_SSH_UNLOCK_PORT=<PORT>`, we need to modify `/etc/dropbear-initramfs/config` accordingly.
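The option handling described in this thread (passphrase mandatory when `CRYPTROOT_ENABLE=yes`, unlock port applied to dropbear rather than sshd) can be sketched as follows. This is an added example, not code from the pull request or from Armbian: the function names, the assumed port default of 2222, the `ext4` fstab line and the constructed UUID are assumptions.

```shell
#!/bin/bash
# Added illustration (not Armbian code); helper names are hypothetical.

# Return 1 with a reason on stderr if the CRYPTROOT_* options are unusable.
cryptroot_check_options() {
    [ "${CRYPTROOT_ENABLE:-no}" = yes ] || return 0    # feature off: nothing to check
    if [ -z "${CRYPTROOT_PASSPHRASE:-}" ]; then
        echo "CRYPTROOT_ENABLE=yes requires CRYPTROOT_PASSPHRASE" >&2
        return 1
    fi
    [ "${CRYPTROOT_SSH_UNLOCK:-yes}" = yes ] || return 0
    # Assumed default 2222; reject empty, non-digit or over-long values
    # before the numeric comparison so the shell never sees a bad integer.
    case "${CRYPTROOT_SSH_UNLOCK_PORT:-2222}" in
        ''|*[!0-9]*|??????*)
            echo "CRYPTROOT_SSH_UNLOCK_PORT must be a port number" >&2
            return 1 ;;
    esac
    if [ "${CRYPTROOT_SSH_UNLOCK_PORT:-2222}" -lt 1 ] ||
       [ "${CRYPTROOT_SSH_UNLOCK_PORT:-2222}" -gt 65535 ]; then
        echo "CRYPTROOT_SSH_UNLOCK_PORT out of range" >&2
        return 1
    fi
}

# Print "path|line" pairs for a LUKS partition with UUID $1.
# crypttab fields: mapper name, source device, key file (none = prompt), options.
cryptroot_render_config() {
    echo "/etc/crypttab|cryptroot UUID=$1 none luks"
    echo "/etc/fstab|/dev/mapper/cryptroot / ext4 defaults,noatime 0 1"
    if [ "${CRYPTROOT_SSH_UNLOCK:-yes}" = yes ]; then
        # dropbear in the initramfs gets its own port; sshd_config stays untouched.
        echo "/etc/dropbear-initramfs/config|DROPBEAR_OPTIONS=\"-p ${CRYPTROOT_SSH_UNLOCK_PORT:-2222}\""
    fi
}

# Stand-alone run with constructed values, in a subshell so nothing leaks out.
(
    CRYPTROOT_ENABLE=yes
    CRYPTROOT_PASSPHRASE="constructed-example"
    CRYPTROOT_SSH_UNLOCK=yes
    CRYPTROOT_SSH_UNLOCK_PORT=2222
    cryptroot_check_options &&
        cryptroot_render_config "00000000-0000-0000-0000-000000000000"
)
```

In a real build the rendered lines only take effect once `update-initramfs` has run after they are written, as the commit message above notes.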