diff --git a/lib/build-all.sh b/lib/build-all.sh
index 770bc2a1b..ebcd43028 100644
--- a/lib/build-all.sh
+++ b/lib/build-all.sh
@@ -207,9 +207,10 @@ for line in "${buildlist[@]}"; do
 CPUMIN CPUMAX UBOOT_VER KERNEL_VER GOVERNOR BOOTSIZE BOOTFS_TYPE UBOOT_TOOLCHAIN KERNEL_TOOLCHAIN PACKAGE_LIST_EXCLUDE KERNEL_IMAGE_TYPE \
 write_uboot_platform family_tweaks family_tweaks_bsp setup_write_uboot_platform uboot_custom_postprocess atf_custom_postprocess family_tweaks_s \
 BOOTSCRIPT UBOOT_TARGET_MAP LOCALVERSION UBOOT_COMPILER KERNEL_COMPILER BOOTCONFIG BOOTCONFIG_VAR_NAME BOOTCONFIG_DEFAULT BOOTCONFIG_NEXT BOOTCONFIG_DEV \
- MODULES MODULES_NEXT MODULES_DEV INITRD_ARCH BOOTENV_FILE BOOTDELAY MODULES_BLACKLIST MODULES_BLACKLIST_NEXT \
- MODULES_BLACKLIST_DEV MOUNT SDCARD BOOTPATCHDIR KERNELPATCHDIR buildtext RELEASE IMAGE_TYPE OVERLAY_PREFIX ASOUND_STATE \
- ATF_COMPILER ATF_USE_GCC ATFSOURCE ATFDIR ATFBRANCH ATFSOURCEDIR PACKAGE_LIST_RM NM_IGNORE_DEVICES DISPLAY_MANAGER family_tweaks_bsp_s
+ MODULES MODULES_NEXT MODULES_DEV INITRD_ARCH BOOTENV_FILE BOOTDELAY MODULES_BLACKLIST MODULES_BLACKLIST_NEXT CRYPTROOT_ENABLE \
+ MODULES_BLACKLIST_DEV MOUNT SDCARD BOOTPATCHDIR KERNELPATCHDIR buildtext RELEASE IMAGE_TYPE OVERLAY_PREFIX ASOUND_STATE CRYPTROOT_PASSPHRASE \
+ ATF_COMPILER ATF_USE_GCC ATFSOURCE ATFDIR ATFBRANCH ATFSOURCEDIR PACKAGE_LIST_RM NM_IGNORE_DEVICES DISPLAY_MANAGER family_tweaks_bsp_s ROOT_MAPPER
+
 read BOARD BRANCH RELEASE BUILD_DESKTOP <<< $line
 n=$[$n+1]
diff --git a/lib/configuration.sh b/lib/configuration.sh
index 809886732..599dc0f5b 100644
--- a/lib/configuration.sh
+++ b/lib/configuration.sh
@@ -23,6 +23,9 @@ CHROOT_CACHE_VERSION=6
 [[ -z $DISPLAY_MANAGER ]] && DISPLAY_MANAGER=nodm
 ROOTFS_CACHE_MAX=16 # max number of rootfs cache, older ones will be cleaned up
+# TODO: fixed name can't be used for parallel image building
+ROOT_MAPPER="armbian-root"
+
 [[ -z $ROOTFS_TYPE ]] && ROOTFS_TYPE=ext4 # default rootfs type is ext4
 [[ "ext4 f2fs btrfs nfs fel" != *$ROOTFS_TYPE* ]] && exit_with_error "Unknown rootfs type" "$ROOTFS_TYPE"
@@ -31,6 +34,11 @@ ROOTFS_CACHE_MAX=16 # max number of rootfs cache, older ones will be cleaned up
 # echo $(( $(blockdev --getsize64 /dev/sdX) / 1024 / 1024 ))
 [[ "f2fs" == *$ROOTFS_TYPE* && -z $FIXED_IMAGE_SIZE ]] && exit_with_error "Please define FIXED_IMAGE_SIZE"
+# a passphrase is mandatory if rootfs encryption is enabled
+if [[ $CRYPTROOT_ENABLE == yes && -z $CRYPTROOT_PASSPHRASE ]]; then
+ exit_with_error "Root encryption is enabled but CRYPTROOT_PASSPHRASE is not set"
+fi
+
 # small SD card with kernel, boot script and .dtb/.bin files
 [[ $ROOTFS_TYPE == nfs ]] && FIXED_IMAGE_SIZE=64
@@ -55,6 +63,7 @@ ARCH=armhf
 KERNEL_IMAGE_TYPE=zImage
 SERIALCON=ttyS0
 CAN_BUILD_STRETCH=yes
+CRYPTROOT_SSH_PORT=2022
 # single ext4 partition is the default and preferred configuration
 #BOOTFS_TYPE=''
@@ -139,6 +148,10 @@ PACKAGE_LIST_DESKTOP="xserver-xorg xserver-xorg-video-fbdev gvfs-backends gvfs-f
 PACKAGE_LIST_DESKTOP_RECOMMENDS="mirage galculator hexchat xfce4-screenshooter network-manager-openvpn-gnome mpv fbi cups-pk-helper \
 cups geany atril xarchiver leafpad"
+# rootfs encryption related packages
+if [[ $CRYPTROOT_ENABLE == yes ]]; then
+ PACKAGE_LIST="$PACKAGE_LIST cryptsetup dropbear-initramfs"
+fi
 case $DISPLAY_MANAGER in
 nodm)
diff --git a/lib/debootstrap-ng.sh b/lib/debootstrap-ng.sh
index 4cfbbbbe6..a3aaaa633 100644
--- a/lib/debootstrap-ng.sh
+++ b/lib/debootstrap-ng.sh
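Review bot: Nothing checks at configuration time that the fixed mapper name `ROOT_MAPPER="armbian-root"` is free on the build host, so a mapping left behind by an interrupted or failed build (the TODO on that line already notes the name is fixed) is only discovered when `cryptsetup luksOpen` runs in prepare_partitions, after the image has already been partitioned and the root partition LUKS-formatted. A cheap guard next to the passphrase check in the following hunk would fail early and cleanly: `[[ $CRYPTROOT_ENABLE == yes && -e /dev/mapper/$ROOT_MAPPER ]] && exit_with_error "LUKS mapping already active on the build host" "$ROOT_MAPPER"`. That luksOpen refuses an already-active name rather than reusing it is inferred from cryptsetup's behaviour, not from these lines.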
@@ -312,6 +312,12 @@ prepare_partitions()
 local bootfs=ext4
 local bootpart=1
 [[ -z $BOOTSIZE || $BOOTSIZE -le 8 ]] && BOOTSIZE=64 # MiB, For cleanup processing only
+ elif [[ $CRYPTROOT_ENABLE == yes ]]; then
+ # 2 partition setup for encrypted /root and non-encrypted /boot
+ local bootfs=ext4
+ local bootpart=1
+ local rootpart=2
+ [[ -z $BOOTSIZE || $BOOTSIZE -le 8 ]] && BOOTSIZE=64 # MiB
 else
 # single partition ext4 root
 local rootpart=1
@@ -395,13 +401,29 @@ prepare_partitions()
 rm -f $SDCARD/etc/fstab
 if [[ -n $rootpart ]]; then
 local rootdevice="${LOOP}p${rootpart}"
- display_alert "Creating rootfs" "$ROOTFS_TYPE"
+
+ if [[ $CRYPTROOT_ENABLE == yes ]]; then
+ display_alert "Encrypting partition with LUKS" "" "ext"
+ echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksFormat $rootdevice -
+ echo -n $CRYPTROOT_PASSPHRASE | cryptsetup luksOpen $rootdevice $ROOT_MAPPER -
+ # TODO: pass /dev/mapper to Docker
+ rootdevice=/dev/mapper/$ROOT_MAPPER # used by `mkfs` and `mount` commands
+ fi
+
 check_loop_device "$rootdevice"
 display_alert "Creating rootfs" "$ROOTFS_TYPE on $rootdevice"
 mkfs.${mkfs[$ROOTFS_TYPE]} ${mkopts[$ROOTFS_TYPE]} $rootdevice
 [[ $ROOTFS_TYPE == ext4 ]] && tune2fs -o journal_data_writeback $rootdevice > /dev/null
 [[ $ROOTFS_TYPE == btrfs ]] && local fscreateopt="-o compress-force=zlib"
 mount ${fscreateopt} $rootdevice $MOUNT/
- local rootfs="UUID=$(blkid -s UUID -o value $rootdevice)"
+ # create fstab (and crypttab) entry
+ if [[ $CRYPTROOT_ENABLE == yes ]]; then
+ # map the LUKS container partition via its UUID to be the 'cryptroot' device
+ echo "$ROOT_MAPPER UUID=$(blkid -s UUID -o value ${LOOP}p${rootpart}) none luks" >> $SDCARD/etc/crypttab
+ local rootfs=$rootdevice # used in fstab
+ else
+ local rootfs="UUID=$(blkid -s UUID -o value $rootdevice)"
+ fi
 echo "$rootfs / ${mkfs[$ROOTFS_TYPE]} defaults,noatime,nodiratime${mountopts[$ROOTFS_TYPE]} 0 1" >> $SDCARD/etc/fstab
 fi
 if [[ -n $bootpart ]]; then
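Review bot: The new `elif [[ $CRYPTROOT_ENABLE == yes ]]` branch only selects the two-partition layout when none of the earlier conditions of this if-chain matched, yet every later LUKS step in the function (luksFormat, crypttab, armbianEnv/boot.ini) keys off `CRYPTROOT_ENABLE` alone, so a configuration that satisfies an earlier branch together with `CRYPTROOT_ENABLE=yes` would encrypt whichever partition that branch chose as root, or skip encryption silently if it set no `rootpart`. The start of the if-chain is outside this hunk, so whether the earlier branches are mutually exclusive with encryption cannot be confirmed from here. If they are not, either an explicit `exit_with_error` for the unsupported combinations or a comment on this branch, `# NOTE: the LUKS steps below are driven by CRYPTROOT_ENABLE, not by this layout`, would make the contract visible.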
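Review bot: `echo -n $CRYPTROOT_PASSPHRASE` in both cryptsetup lines leaves the passphrase unquoted, so a passphrase containing runs of spaces or tabs, or glob characters (`*`, `?`, `[`), is word-split and pathname-expanded before it reaches cryptsetup, and one beginning with `-e` or `-n` is consumed as an echo option; the LUKS key slot is then derived from an altered string and the user's real passphrase will not unlock the image at boot. Use `printf '%s' "$CRYPTROOT_PASSPHRASE" | cryptsetup luksFormat $rootdevice -` and the same form for the `luksOpen` line. No `--type`, cipher or PBKDF options are passed, so the header format appears to follow the build host's cryptsetup defaults (the host gets cryptsetup via the general.sh hunk); that makes images depend on the host version and can produce a header the target initramfs cannot open, so pinning those options explicitly would make the output reproducible. The passphrase also lives in a plain shell variable for the whole build, so any `set -x` tracing or verbose logging around these lines will print it.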
@@ -417,7 +439,11 @@ prepare_partitions()
 # stage: adjust boot script or boot environment
 if [[ -f $SDCARD/boot/armbianEnv.txt ]]; then
- echo "rootdev=$rootfs" >> $SDCARD/boot/armbianEnv.txt
+ if [[ $CRYPTROOT_ENABLE == yes ]]; then
+ echo "rootdev=$rootdevice cryptdevice=UUID=$(blkid -s UUID -o value ${LOOP}p${rootpart}):$ROOT_MAPPER" >> $SDCARD/boot/armbianEnv.txt
+ else
+ echo "rootdev=$rootfs" >> $SDCARD/boot/armbianEnv.txt
+ fi
 echo "rootfstype=$ROOTFS_TYPE" >> $SDCARD/boot/armbianEnv.txt
 elif [[ $rootpart != 1 ]]; then
 local bootscript_dst=${BOOTSCRIPT##*:}
@@ -428,8 +454,12 @@ prepare_partitions()
 # if we have boot.ini = remove armbianEnv.txt and add UUID there if enabled
 if [[ -f $SDCARD/boot/boot.ini ]]; then
- sed -i -e "s/rootfstype \"ext4\"/rootfstype \"$ROOTFS_TYPE\"/" $SDCARD/boot/boot.ini
- sed -i 's/^setenv rootdev .*/setenv rootdev "'$rootfs'"/' $SDCARD/boot/boot.ini
+ if [[ $CRYPTROOT_ENABLE == yes ]]; then
+ local rootpart="UUID=$(blkid -s UUID -o value ${LOOP}p${rootpart})"
+ sed -i 's/^setenv rootdev .*/setenv rootdev "\/dev\/mapper\/'$ROOT_MAPPER' cryptdevice='UUID="$(blkid -s UUID -o value ${LOOP}p${rootpart})"':'$ROOT_MAPPER'"/' $SDCARD/boot/boot.ini
+ else
+ sed -i 's/^setenv rootdev .*/setenv rootdev "'$rootfs'"/' $SDCARD/boot/boot.ini
+ fi
 [[ -f $SDCARD/boot/armbianEnv.txt ]] && rm $SDCARD/boot/armbianEnv.txt
 fi
@@ -481,6 +511,8 @@ create_image()
 sync
 [[ $BOOTSIZE != 0 ]] && umount -l $MOUNT/boot
 [[ $ROOTFS_TYPE != nfs ]] && umount -l $MOUNT
+ [[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose $ROOT_MAPPER
+
 losetup -d $LOOP
 rm -rf --one-file-system $DESTIMG $MOUNT
 mkdir -p $DESTIMG
diff --git a/lib/distributions.sh b/lib/distributions.sh
index 34b6ef421..62148a469 100644
--- a/lib/distributions.sh
+++ b/lib/distributions.sh
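Review bot: The boot.ini branch reassigns `rootpart` to the string `UUID=<uuid>` on its first added line and then, on the very next line, evaluates `${LOOP}p${rootpart}` again inside the sed expression, which now names a non-existent device of the form `/dev/loopNpUUID=…`; blkid prints nothing for it, so the written `cryptdevice=` value carries an empty UUID and the initramfs has no way to locate the LUKS container. Keep the one lookup and reuse it: `local cryptuuid="UUID=$(blkid -s UUID -o value ${LOOP}p${rootpart})"` and in the sed `... cryptdevice='"$cryptuuid"':'$ROOT_MAPPER'"/' ...`, leaving `rootpart` untouched since it is still the partition number elsewhere in the function. Separately, the removed `sed -i -e "s/rootfstype \"ext4\"/rootfstype \"$ROOTFS_TYPE\"/"` line is not re-added in either branch, so boot.ini keeps `rootfstype "ext4"` for non-ext4 roots; whether that drop is intentional cannot be told from the hunk.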
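Review bot: `cryptsetup luksClose $ROOT_MAPPER` in create_image runs straight after `umount -l $MOUNT`, and a lazy unmount returns before the filesystem is actually released, so the device-mapper device can still be busy and luksClose can fail; because the call sits behind `&&` its non-zero status is ignored, and an open mapping under the fixed name `$ROOT_MAPPER` is left on the host for the next build's luksOpen to collide with. This is inferred from how `umount -l` behaves rather than from these lines, but the fixed name makes the failure mode worth surfacing: `[[ $CRYPTROOT_ENABLE == yes ]] && { cryptsetup luksClose $ROOT_MAPPER || display_alert "luksClose failed, mapping left active" "$ROOT_MAPPER" "wrn"; }`, or use a non-lazy `umount` for the encrypted case. The same ordering appears in the image-helpers.sh hunk (unmount_on_exit).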
@@ -212,6 +212,19 @@ install_common()
 unmanaged-devices=$NM_IGNORE_DEVICES
 EOF
 fi
+
+ # Set the port of the dropbear ssh deamon in the initramfs to a different one if configured
+ # this avoids the typical 'host key changed warning' - `WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!`
+ [[ -f $SDCARD/etc/dropbear-initramfs/config ]] && sed -i 's/^#DROPBEAR_OPTIONS=/DROPBEAR_OPTIONS="-p '$CRYPTROOT_SSH_PORT'"/' $SDCARD/etc/dropbear-initramfs/config
+ if [[ $CRYPTROOT_ENABLE == yes ]]; then
+ if [[ -f $SRC/userpatches/dropbear_authorized_keys ]]; then
+ # TODO: check for supported key types in Dropbear
+ mkdir -p $SDCARD/etc/dropbear-initramfs/
+ cp $SRC/userpatches/dropbear_authorized_keys $SDCARD/etc/dropbear-initramfs/authorized_keys
+ else
+ display_alert "Authorized keys file not found in userpatches, cryptsetup SSH unlock will be disabled" "" "wrn"
+ fi
+ fi
 }
 install_distribution_specific()
diff --git a/lib/general.sh b/lib/general.sh
index 6c46b0568..95a7a2bfe 100644
--- a/lib/general.sh
+++ b/lib/general.sh
@@ -530,7 +530,7 @@ prepare_host()
 nfs-kernel-server btrfs-tools ncurses-term p7zip-full kmod dosfstools libc6-dev-armhf-cross \
 curl patchutils python liblz4-tool libpython2.7-dev linux-base swig libpython-dev aptly acl \
 locales ncurses-base pixz dialog systemd-container udev lib32stdc++6 libc6-i386 lib32ncurses5 lib32tinfo5 \
- bison libbison-dev flex libfl-dev"
+ bison libbison-dev flex libfl-dev cryptsetup"
 local codename=$(lsb_release -sc)
 display_alert "Build host OS release" "${codename:-(unknown)}" "info"
diff --git a/lib/image-helpers.sh b/lib/image-helpers.sh
index 86629631d..47b06c28b 100644
--- a/lib/image-helpers.sh
+++ b/lib/image-helpers.sh
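Review bot: When `CRYPTROOT_ENABLE=yes` and no `userpatches/dropbear_authorized_keys` exists, the else branch only prints a warning, while `dropbear-initramfs` is still added to `PACKAGE_LIST` by the configuration.sh hunk and its port is still set by the `sed` above the guard, so the image most likely still starts an SSH daemon in the initramfs with no key that can authenticate — an exposed listener with no operational value, and the text "will be disabled" promises something these lines do not do. Either skip `dropbear-initramfs` in configuration.sh when the key file is absent, or change the warning to say the unlock is "not configured". The `DROPBEAR_OPTIONS` sed also runs outside the `CRYPTROOT_ENABLE` check and `CRYPTROOT_SSH_PORT` always carries the default 2022 from configuration.sh, so the comment "to a different one if configured" overstates it; moving the sed inside the `if` matches the stated intent. Minor: "deamon" in the added comment should read "daemon", and `$CRYPTROOT_SSH_PORT` is spliced unvalidated into the sed program, so a non-numeric value corrupts the config rather than failing the build.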
@@ -54,6 +54,7 @@ unmount_on_exit()
 umount -l $SDCARD >/dev/null 2>&1
 umount -l $MOUNT/boot >/dev/null 2>&1
 umount -l $MOUNT >/dev/null 2>&1
+ [[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose $ROOT_MAPPER
 losetup -d $LOOP >/dev/null 2>&1
 rm -rf --one-file-system $SDCARD
 exit_with_error "debootstrap-ng was interrupted"
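Review bot: The sibling lines in unmount_on_exit all silence their output with `>/dev/null 2>&1` because this handler runs on every interrupted build regardless of how far it got, while the added `cryptsetup luksClose $ROOT_MAPPER` does not, so a build interrupted before luksOpen presumably prints a cryptsetup error about an inactive device on top of the real failure message. For consistency with the neighbours: `[[ $CRYPTROOT_ENABLE == yes ]] && cryptsetup luksClose $ROOT_MAPPER >/dev/null 2>&1`. If the close fails for a real reason (device still held after the lazy unmount above), a `display_alert ... "wrn"` naming `$ROOT_MAPPER` would be more useful than silence, since the fixed mapper name blocks the next build.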