-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: Full root encryption via LUKS (cryptsetup) #947
Comments
Initial implementationDevelopment branch: https://github.com/zhiverbox/armbian-build/tree/development The above pull request solves all these challenges by introducing 4 additional and optional build options:
The implementation has been tested on the Looking forward for testing, feedback and hopefully upstream acceptance |
I aprove
I would to run that process with a 4.14 linux kernel but it doesn't work and i dont know why. thanks for all your jobs |
This was already implemented with armbian#948, before but never made it into the master branch yet. Probably because the development branch has been abandoned in the meantime and it is to much effort now to merge it into master. It includes all the cleanup changes from commit 08743d3 and has been successfully tested on an Odroid HC1. In addition to what is currently in the `luks` branch the following improvments where done/added: 1. update_initramfs() function in debbootstrap-ng.sh, which needs to be invoked after the partition layout and /etc/crypttab was created. Else `cryptroot-unlock` won't work and you'll run into: https://serverfault.com/questions/907254/cryproot-unlock-with-dropbear-timeout-while-waiting-for-askpass Apart from that it might be useful to always run `update-initramfs` at the end of the build process anyway, in case customize_image (userpatches) made some changes to the initramfs tools configs. 2. CRYPTROOT_SSH_UNLOCK=yes/no config option. It's by default set to yes, but it might be desired by some users to disable enable SSH/dropbear access while still having LUKS support. E.g. if they have a device that has a display and keyboard. 3. If no `authorized_keys` file is provided via userpatches, a new SSH key pair is generated and for convenience copied to the output directory along with the final image.
Redo of implementation for feature request #947 on current master
When using Armbian for development boards only, the lack of root encryption isn't probably a big deal. However, when using Armbian on more "consumer friendly" / "production ready" boards like the
Odroid HC1/HC2
for live/production use cases, root-encryption is a MUST.Problem:
Adding a LUKS container after the Armbian image has been built or even flashed is almost impossible.
Solution:
The best way is to adjust the Armbian build script to prepare a flashable image with a 2-partition layout:
cryptsetup
in the initramfs to unlock the root partitionChallenges:
~/.ssh/known_hosts
. This can be solved by running dropbear (boot) and OpenSSH (root) on different ports. From a security (obscurity) perspective, it's slightly better to run OpenSSH on a different port than the default one (22). This protects against lazy port scans.LUKS volume key
and thepassphrase
to unlock that key. If the resulting image is re-distributed to other users than the person who built the image, those users still have to generate a new volume key and re-encrypt the root partition before flashing.The text was updated successfully, but these errors were encountered: