Add LUKS partition to Orange PI 5b

Yesterday I got a brand new Orange PI 5b, and installed Ubuntu 22.04 on it. Everything went smoothly. My Orange Pi 5b has 16GB RAM, a 256GB MMC disk, and 8 CPUs. And yes, it runs quite fast.

I guess these instructions can work for other versions of Orange PI, but this was tested for Orange Pi 5b.

I plan to use it for my travel desktop, with a 14-inch LED HDMI flat screen, keyboard, and mouse.

I’m used to having my data encrypted and cannot live without it, so if the device is lost or stolen, my information will remain confidential.

But the recommended steps to install Ubuntu on my Orange PI 5b do not include a way to encrypt the /home filesystem.

When installed, it simply splits the disk into two partitions:

  • /dev/mmcblk0p1, 512MB, where the kernel and initrd image resides, and
  • /dev/mmcblk0p2, where the / filesystem is, using the rest of the disk

I prefer not to encrypt the / filesystem, for several reasons; for example, it is costly, hardware-wise, to encrypt and decrypt every time we read or write any file in the system. So I prefer to encrypt only the /home directory.

Download Ubuntu-22.04 for Orange PI 5b from

https://github.com/Joshua-Riek/ubuntu-rockchip/releases
Specifically, the one named “ubuntu-22.04.3-preinstalled-desktop-arm64-orangepi-5b.img.xz”

There is no current way to install Ubuntu directly to the MMC disk, so we use two stages:

  • using another Linux workstation we copy the image to a microSD
  • Then we boot our Orange PI 5b from that SD
  • Using the provided scripts, we install Ubuntu by transferring the contents of the SD to the MMC disk.
  • Finally, we power off the Orange PI 5b, remove the SD card, and we can start our Ubuntu from the MMC disk.

1- Copy Ubuntu to the SD

Do this from a Linux desktop computer. I guess it could be done in Windows or Mac as well, using their tools to copy images to SD cards:

fdisk -l    # find where your SD card is; in my case, it is on /dev/sdX
xz -dc ubuntu-22.04.3-preinstalled-desktop-arm64-orangepi-5b.img.xz|sudo dd of=/dev/sdX

Extract the SD card from your Linux desktop.

2- Boot from SD

Insert the SD card into your Orange PI 5b and start it.

It won’t be long until it is booted, a small configuration wizard is shown, and you are in.

3- Install Ubuntu into your MMC.

My MMC is on /dev/mmcblk0, you can find it by using:

fdisk -l 

and look for the MMC disk (checking the disk size for example)

This will install Ubuntu to your MMC. It may take some minutes, depending on the speed of your SD card, etc.

sudo u-boot-install-mtd /dev/mmcblk0
sudo ubuntu-rockchip-install /dev/mmcblk0

We will then install gparted, and reduce /dev/mmcblk0p2 to, for example, 25GB, leaving the rest of the disk free, and unused.

apt update
apt install gparted
gparted /dev/mmcblk0
# Inside gparted, reduce /dev/mmcblk0p2 to approx 25GB

4- Create the luks partition

We can then create a new partition, /dev/mmcblk0p3, format it as a LUKS container, open it, and create a filesystem on the mapped device:

fdisk /dev/mmcblk0    # create /dev/mmcblk0p3
cryptsetup luksFormat --pbkdf-memory 512000 /dev/mmcblk0p3
cryptsetup luksOpen /dev/mmcblk0p3 homefs
mkfs.ext4 /dev/mapper/homefs

NOTE: If you lose your luks password your info is lost, and there is no way to recover it easily.

Chrooting into the MMC disk

Now, we will mount everything under /mnt/chroot

mkdir /mnt/chroot
mount /dev/mmcblk0p2 /mnt/chroot
mount /dev/mmcblk0p1 /mnt/chroot/boot
mount /dev/mapper/homefs /mnt/chroot/home
mount -t proc none /mnt/chroot/proc/
mount -t sysfs none /mnt/chroot/sys/
mount -o bind /dev /mnt/chroot/dev/
mount -o bind /dev/pts /mnt/chroot/dev/pts/

We copy the contents of /home into /mnt/chroot/home. There should not be too much data, just the skeleton files of the user created during the installation above.

rsync -avPH /home/* /mnt/chroot/home/

Configuring luks

Now we take note of the UUID of the LUKS partition (/dev/mmcblk0p3), as we will need it when defining the LUKS partition in the next steps:

blkid

/dev/mmcblk0p3: UUID="571c8ca6-4332-4fda-a856-52d8dd0d6a92"

We then chroot into /mnt/chroot

LANG=C chroot /mnt/chroot/

And edit /etc/crypttab, adding just one line. Notice that the UUID is the one we found above!

homefs UUID="571c8ca6-4332-4fda-a856-52d8dd0d6a92" none luks,initramfs,discard

In /etc/fstab we add a new line requesting our system to mount the mapped filesystem (the one created when luks is opened) in /home:

/dev/mapper/homefs /home ext4 discard,errors=remount-ro 0 0

We are about to finish! We now have to tell the system that, on boot, it should ask for the LUKS password to decrypt the disk:

echo "CRYPTSETUP=y" >> /etc/cryptsetup-initramfs/conf-hook

We then create, and update our initramfs to include the new devices/modules (dm-crypt) needed when initially booting.

update-initramfs -u
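
Before rebooting, it helps to confirm that the three pieces configured above agree with each other. The script below is an added example, not part of the original post: it checks that the UUID in crypttab belongs to a crypto_LUKS device (not to the ext4 filesystem inside the mapping, an easy mix-up when reading blkid output) and that fstab mounts the mapping on /home. The function names, the temporary files and the second UUID are constructed for illustration; on the real system you would pass it /etc/crypttab, /etc/fstab and a file holding the output of blkid.

```shell
#!/bin/sh
# Added example: pre-reboot check of the crypttab -> LUKS -> fstab chain.

# Print the UUID that crypttab file $1 assigns to mapping name $2.
crypttab_uuid() {
    awk -v n="$2" '$1 == n && $2 ~ /^UUID=/ {
        sub(/^UUID=/, "", $2); gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Print the TYPE that blkid output file $1 reports for UUID $2.
blkid_type() {
    grep -F " UUID=\"$2\"" "$1" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p' | head -n 1
}

# check_home_luks CRYPTTAB FSTAB BLKID NAME: 0 when consistent, 1-3 otherwise.
check_home_luks() {
    uuid=$(crypttab_uuid "$1" "$4")
    [ -n "$uuid" ] || { echo "no UUID entry for $4 in crypttab"; return 1; }
    [ "$(blkid_type "$3" "$uuid")" = "crypto_LUKS" ] ||
        { echo "UUID $uuid is not a LUKS container"; return 2; }
    awk -v d="/dev/mapper/$4" '$1 == d && $2 == "/home" { ok = 1 }
        END { exit !ok }' "$2" ||
        { echo "fstab does not mount /dev/mapper/$4 on /home"; return 3; }
    echo "ok: $4 -> $uuid -> /home"
}

# Constructed sample files (the second UUID is made up for the demo).
demo=$(mktemp -d)
cat > "$demo/blkid" <<'EOF'
/dev/mmcblk0p3: UUID="571c8ca6-4332-4fda-a856-52d8dd0d6a92" TYPE="crypto_LUKS"
/dev/mapper/homefs: UUID="00000000-0000-4000-8000-000000000001" TYPE="ext4"
EOF
cat > "$demo/crypttab" <<'EOF'
homefs UUID="571c8ca6-4332-4fda-a856-52d8dd0d6a92" none luks,initramfs,discard
EOF
cat > "$demo/fstab" <<'EOF'
/dev/mapper/homefs /home ext4 discard,errors=remount-ro 0 0
EOF
# Mistake case: crypttab points at the ext4 filesystem inside the mapping.
echo 'homefs UUID="00000000-0000-4000-8000-000000000001" none luks' > "$demo/crypttab.bad"

check_home_luks "$demo/crypttab" "$demo/fstab" "$demo/blkid" homefs
check_home_luks "$demo/crypttab.bad" "$demo/fstab" "$demo/blkid" homefs || true
```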

Sites consulted

I used the following sites as a guide to creating this document. They were mostly for Debian and for using LUKS in Ubuntu. From them I created my own steps to reach my goal: to encrypt the /home partition in Ubuntu 22.04 for Orange Pi 5b.

https://github.com/Joshua-Riek/ubuntu-rockchip/discussions/435
https://habet.dev/blog/raspberry-pi-encrypted-boot-with-ssh/
https://askubuntu.com/questions/1287837/luks-disk-encryption-on-raspberry-pi-4-and-ubuntu-desktop-20-10
https://gist.github.com/cpainchaud/bac37abd5e3274c33f143c85c94dbed1