From 4c53bac58950587c1b4ed7652a153346095b29c9 Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Thu, 8 Oct 2020 21:01:49 +0200 Subject: [PATCH] [blog] alpine linux encrypted rootfs --- .../contents.lr | 171 ++++++++++++++++++ 1 file changed, 171 insertions(+) create mode 100644 content/u/blog/encrypted-rootfs-with-alpine-linux/contents.lr diff --git a/content/u/blog/encrypted-rootfs-with-alpine-linux/contents.lr b/content/u/blog/encrypted-rootfs-with-alpine-linux/contents.lr new file mode 100644 index 0000000..af93b03 --- /dev/null +++ b/content/u/blog/encrypted-rootfs-with-alpine-linux/contents.lr 
@@ -0,0 +1,171 @@ +title: Encrypted rootfs with Alpine Linux +--- +pub_date: 2020-10-08 +--- +author: ungleich +--- +twitter_handle: ungleich +--- +_hidden: no +--- +_discoverable: yes! +--- +abstract: +How to encrypt your root filesystem with Alpine Linux +--- +body: + +## Introduction + +This is a short guide on how to encrypt your root filesystem on Alpine +Linux. This article assumes an EFI based system. + +## Booting Alpine Linux + +Use the standard Alpine Linux installer to boot. Prepare networking +and and apkrepos: + +``` +setup-interfaces +``` + +If you are in an IPv6 only network, setup a nameserver. At the moment +Alpine Linux does not start rdnssd by default. The following works for +VMs on [Data Center Light](https://datacenterlight.ch) + +``` +echo nameserver 2a0a:e5c0:2:a::a +``` + +Then setup the repos: + +``` +setup-apkrepos +``` + +Optional, if you want to continue the installation remotely from +another computer via ssh: + +``` +setup-sshd +``` + +And then add your ssh key to /root/.ssh/authorized keys. We are using +the key.wf service for staff at ungleich: + +``` +mkdir -p /root/.ssh/ +wget -O ~/.ssh/authorized_keys key.wf/nico +``` + +## Create partitions + +In this guide we assume you create 3 partitions, based on gpt: + +* /boot: a vfat partition usable for EFI boot (usually ~500MB) +* swap: the swap partition (usually ~half RAM) +* root: the partition containing the root filesystem + +In the the following sections we assume your disk is **/dev/sda**. If you +are using NVMe, your disk might also be **/dev/nvme0n1** or similar. 
+ +``` +apk add gptfdisk +gdisk /dev/sda +# create new partition table if it does not exist or you want to start clean +# create the partitions +``` + +## Format partitions + +``` +mkfs.vfat /dev/sda1 +apk add cryptsetup + +# Enter YES and your password twice +cryptsetup luksFormat /dev/sda3 + +# Create DM device +cryptsetup luksOpen /dev/sda3 rootfs + +# Create filesystem +apk add e2fsprogs +mkfs.ext4 /dev/mapper/rootfs + +# Mount filesytems +mount /dev/mapper/rootfs /mnt +mkdir /mnt/boot +mount /dev/sda1 /mnt/boot + +``` + +## Configure initramfs + +We need to enable rootfs decryption on boot. For this we need to add +cryptsetup into the feature list of /etc/mkinitfs/mkinitfs.conf: + +``` +hike:/etc# cat /etc/mkinitfs/mkinitfs.conf +features="ata base ide scsi usb virtio ext4 cryptsetup" +``` + +Regenerate the initramfs: + +``` +mkinitfs +``` + +## Configure and install the bootloader + +We will be using grub for booting: + +``` +apk add grub-efi efibootmgr +``` + +Update the /etc/default/grub to contain the cryptroot kernel +parameter in the GRUB_CMDLINE_LINUX_DEFAULT variable: + +``` +hike:/# cat /etc/default/grub +GRUB_DISTRIBUTOR="Alpine" +GRUB_TIMEOUT=2 +GRUB_DISABLE_SUBMENU=y +GRUB_DISABLE_RECOVERY=true +GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=/dev/sda3 cryptdm=root" +``` + +Regenerate the grub configuration: + +``` +grub-mkconfig -o /mnt/boot/grub/grub.cfg +``` + +Verify it has been added correctly: + +``` +hike:/# grep crypt /boot/grub/grub.cfg + linux /vmlinuz-lts root=UUID=fa67b307-e155-47d8-98a6-4930131b5cd3 ro modules=sd-mod,usb-storage,ext4 nomodeset quiet rootfstype=ext4 cryptroot=/dev/sda3 cryptdm=root +``` + +Install grub: + +``` +grub-install --efi-directory /mnt/boot +``` + +## Install to disk + +All changes so far have been done in RAM. Let's persist them: + +``` +setup-disk /mnt +``` + +## Final step + +If everything went well so far - it's time to reboot your fully +encrypted system. 
The usual steps like setting up the root password or +the hostname have been skipped for the sake brevity. + +Enjoy your full encrypted Alpine Linux!
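Review bot: the `echo nameserver 2a0a:e5c0:2:a::a` step under "Booting Alpine Linux" only prints that line to the terminal; to fix resolution on an IPv6-only network it has to be written to the resolver config, e.g. `echo nameserver 2a0a:e5c0:2:a::a > /etc/resolv.conf`. Further points on the same hunk: the swap partition (/dev/sda2) listed under "Create partitions" is never formatted or encrypted, so "fully encrypted system" overstates what the guide produces, and plain swap can leak memory contents of the encrypted root; either `luksFormat` it as well (or document a random-key swap mapping) or drop the claim, and say explicitly that /boot stays unencrypted. The mapping name is inconsistent: the root is opened as `rootfs` (`cryptsetup luksOpen /dev/sda3 rootfs`, `mkfs.ext4 /dev/mapper/rootfs`) but the kernel line says `cryptdm=root`; this only works because the generated grub.cfg finds root by filesystem UUID, so use one name throughout to avoid confusing readers. `grub-mkconfig -o /mnt/boot/grub/grub.cfg` writes to the target, but the verification step greps `/boot/grub/grub.cfg`, which is the live installer's copy, not the file just generated; likewise `grub-install --efi-directory /mnt/boot` without `--boot-directory=/mnt/boot` defaults to the running system's /boot for GRUB's modules and config prefix rather than the target disk, unless the later `setup-disk /mnt` is relied on to redo the bootloader, in which case the text should say so. `wget -O ~/.ssh/authorized_keys key.wf/nico` fetches the authorized key without a scheme, i.e. over plain HTTP, so an on-path attacker could substitute their own key; use an https:// URL and verify the key fingerprint before rebooting. Minor typos: "and and apkrepos", "filesytems", "sake brevity", "full encrypted".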