Inspired by https://habet.dev/blog/raspberry-pi-encrypted-boot-with-ssh/ (archived at https://web.archive.org/web/20220821171435/https://habet.dev/blog/raspberry-pi-encrypted-boot-with-ssh/)
Download Debian for Orange Pi 5 with custom kernel from
http://www.orangepi.org/html/hardWare/computerAndMicrocontrollers/service-and-support/Orange-pi-5.html, which currently points to https://drive.google.com/drive/folders/1F2uc8v_EQnvsNrevDihwoymOJlFgM-dZ
Use 2 SD cards: one to boot from and build the final image on, and the other to write the image to.
Fix to the tutorial (the discard option was not added there): edit /etc/crypttab and add an entry with your encrypted (raw) partition’s UUID:
crypted UUID=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa none luks,initramfs,discard
Then update the boot packages/initramfs with:
update-initramfs -u
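A check to run before rebuilding the initramfs, as an added example that is not part of the original notes or the referenced tutorial: it confirms that the crypttab entry uses UUID= and carries the luks, initramfs and discard options. The function name check_crypttab and the variable REQUIRED_OPTS are hypothetical; the target name crypted comes from the entry above.

```shell
#!/bin/sh
# Added example (not from the tutorial): validate a crypttab entry.
# Usage: check_crypttab <crypttab-file> <target-name>
# Returns 0 if the entry is complete, 1 if something is missing or wrong,
# 2 if there is no entry for the target at all.
REQUIRED_OPTS="luks initramfs discard"

check_crypttab() {
    file=$1
    target=$2
    found=0
    rc=0
    # crypttab fields: <target> <source device> <key file> <options>
    # The "|| [ -n ... ]" part keeps a last line without trailing newline.
    while read -r name source keyfile opts rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$name" = "$target" ] || continue
        found=1
        # A UUID= source survives device renames (mmcblk0 vs mmcblk1, etc.).
        case $source in
            UUID=*) ;;
            *) echo "$target: source '$source' is not UUID=..." >&2; rc=1 ;;
        esac
        # Options are comma separated; wrap in commas to match whole words.
        for want in $REQUIRED_OPTS; do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "$target: missing option '$want'" >&2; rc=1 ;;
            esac
        done
    done < "$file"
    if [ "$found" -ne 1 ]; then
        echo "$target: no entry in $file" >&2
        return 2
    fi
    return "$rc"
}

# Direct use: sh check.sh /etc/crypttab crypted && update-initramfs -u
if [ "$#" -eq 2 ]; then
    check_crypttab "$1" "$2"
    exit $?
fi
```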
Remove OrangePi's default autologin:
rm /usr/lib/systemd/system/getty@.service.d/override.conf
rm /usr/lib/systemd/system/serial-getty@.service.d/override.conf