Banana-pi encrypted sata disk bootstrap

Follow some annotation how to bootstrap banana-pi with encrypted sata disk.

Update: an extended guide is available here including notes on how to configure firewall, email server, etc.

Prerequisites

• banana-pi
• power supply usb micro 5V 2A
• banana-pi dedicated sata cable
• hdd 2.5" sata
• sd card (at least 2gb)
• hdmi cable (for initial setup)
• usb keyboard (for decryption password at bootstrap)

Preamble

Pro

• entire operating system ( except boot that runs from sd card ) is encrypted

Cons

• sata write speed test shows a slow down from ~40mb/s to ~15mb/s
• dual threaded kernel worker at 90% during write operation ( this is normal then testing a 500mb continuous file writing )

Cautions

• backup all your data present in the sata disk before to proceed, encrypting whole disk with this method imply partitioning and formatting

Overview

SD card partition layout

• /dev/mmcblk0p1 (boot partition ~20mb)
• /dev/mmcblk0p2 (sd card root partition ~1.8gb)

SATA disk partition layout

• /dev/sda1 (encrypted root partition)

Bootstrap path

• /dev/mmcblk0p1 ( uImage [linux kernel] then uInitrd [initial ramdisk] )
• /dev/sda1 (root filesystem)

Steps

Install operating system in the sd card

• download bananian ( https://www.bananian.org/download ). Note : follow instructions valid for 15.04 ( Wheezy ). For the 15.08 ( Jessie ) Look at the end of the page notes.
• download win32diskimager ( for windows user ) http://sourceforge.net/projects/win32diskimager/
• unzip the bananian and store the operating system to the sd card using win32diskimager or dd command if linux user

Install needed packages

• install cryptsetup using apt-get install cryptsetup
• install initial ramdisk util with apt-get install initramfs-tools
• install Uimage tool apt-get install uboot-mkimage

Install operating system in the sata disk

• boot from sd card

Create partition

• fdisk /dev/sda and create 1 primary partition for entire disk

Encrypt partition and create filesystem

• initialize encrypted partition using cryptsetup -y -v luksFormat /dev/sda1 ( for more information see https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Simple_partition_layout_with_LUKS )
• open the encrypted partition using cryptsetup luksOpen /dev/sda1 cryptroot ( This will allow to mount the unencrypted filesystem using the /dev/mapper/cryptroot device ).
• create ext4 filesystem using mkfs -t ext4 /dev/mapper/cryptroot

Setup crypt table and create initial ramdisk

• edit /etc/crypttab inserting follow cryptroot  /dev/sda1  none  luks spacing fields using the tab key
• edit /etc/fstab inserting follow /dev/mapper/cryptroot / ext4 defaults 1 2

Mount encrypted partition and copy operating system

• mount the unencrypted filesystem using mkdir /x ; mount /dev/mapper/cryptroot /x
• copy the operating system from the sd card to the sata disk using rsync -arx --exclude="/x*" / /x

Create initial ramdisk and set uInitrd image

• mount the sd card p0 partition with mkdir /b ; mount /dev/mmcblk0p1 /b
• create initial ramdisk with mkinitramfs -o /b/initrd
• create uInitrd image with cd /b ; mkimage -A arm -O linux -T ramdisk -C gzip -a 0 -e 0 -d initrd uInitrd

Adjusting kernel parameters

• edit /b/uEnv.txt as follow

bootargs=console=ttyS0,115200 console=tty0 sunxi_g2d_mem_reserve=0 sunxi_ve_mem_reserve=0 disp.screen0_output_mode=EDID:1280x720p50 hdmi.audio=EDID:0 console=tty1 cryptdevice=/dev/sda1:cryptroot root=/dev/mapper/cryptroot rootfstype=ext4 elevator=deadline raid=noautodetect rootwait

aload_script=fatload mmc 0 0x43000000 script.bin;

aload_kernel=fatload mmc 0 0x48000000 uImage; fatload mmc 0 0x49000000 uInitrd; bootm 0x48000000 0x49000000;

uenvcmd=run aload_script aload_kernel

Reboot

• umount /b ; sync ; reboot

Notes

• the initial ramdisk is a gzipped archive ( you can see the content by follow mkdir /tmp/initrd ; cd /tmp/initrd ; gunzip -c /b/initrd| cpio -i ; ls ). This special post-kernel image contains some routines for bootstrap that will starts withing the init script ( see /tmp/initrd/init ).

Bananian 15.08 ( Jessie )

Replace above sections with follow if using 15.08 bananian.

Install needed packages

• apt-get install cryptsetup initramfs-tools u-boot-tools

Create initial ramdisk and set uInitrd image

• mount the sd card p0 partition with mkdir /b ; mount /dev/mmcblk0p1 /b
• create initial ramdisk with mkinitramfs -o /b/initrd
• create uInitrd image with cd /b ; mkimage -A arm -T ramdisk -C none -n uInitrd -d initrd uInitrd

Adjusting kernel parameters

• replace /b/boot.cmd contents with follow

setenv bootargs console=ttyS0,115200 console=tty0 console=tty1 sunxi_g2d_mem_reserve=0 sunxi_ve_mem_reserve=0 hdmi.audio=EDID:0 disp.screen0_output_mode=EDID:1680x1050p60 cryptdevice=/dev/sda1:cryptroot root=/dev/mapper/cryptroot rootfstype=ext4 elevator=deadline rootwait

setenv bootm_boot_mode sec

fatload mmc 0 0x43000000 script.bin

fatload mmc 0 0x41000000 uImage

fatload mmc 0 0x50000000 uInitrd

bootm 0x41000000 0x50000000

• compile boot.cmd to boot.scr with mkimage -C none -A arm -T script -d boot.cmd boot.scr

---

Banana-pi encrypted sata disk bootstrap by Lorenzo Delana is licensed under a Creative Commons Attribution 4.0 International License.