[blog] alpine linux encrypted rootfs

Nico Schottelius 2020-10-08 21:01:49 +02:00
parent fb06ad92d0
commit 4c53bac589


@ -0,0 +1,171 @@
title: Encrypted rootfs with Alpine Linux
---
pub_date: 2020-10-08
---
author: ungleich
---
twitter_handle: ungleich
---
_hidden: no
---
_discoverable: yes!
---
abstract:
How to encrypt your root filesystem with Alpine Linux
---
body:
## Introduction
This is a short guide on how to encrypt your root filesystem on Alpine
Linux. This article assumes an EFI based system.
## Booting Alpine Linux
Use the standard Alpine Linux installer to boot. Prepare networking
and and apkrepos:
```
setup-interfaces
```
If you are in an IPv6 only network, setup a nameserver. At the moment
Alpine Linux does not start rdnssd by default. The following works for
VMs on [Data Center Light](https://datacenterlight.ch)
```
echo nameserver 2a0a:e5c0:2:a::a
```
Then setup the repos:
```
setup-apkrepos
```
Optional, if you want to continue the installation remotely from
another computer via ssh:
```
setup-sshd
```
And then add your ssh key to /root/.ssh/authorized keys. We are using
the key.wf service for staff at ungleich:
```
mkdir -p /root/.ssh/
wget -O ~/.ssh/authorized_keys key.wf/nico
```
## Create partitions
In this guide we assume you create 3 partitions, based on gpt:
* /boot: a vfat partition usable for EFI boot (usually ~500MB)
* swap: the swap partition (usually ~half RAM)
* root: the partition containing the root filesystem
In the the following sections we assume your disk is **/dev/sda**. If you
are using NVMe, your disk might also be **/dev/nvme0n1** or similar.
```
apk add gptfdisk
gdisk /dev/sda
# create new partition table if it does not exist or you want to start clean
# create the partitions
```
## Format partitions
```
mkfs.vfat /dev/sda1
apk add cryptsetup
# Enter YES and your password twice
cryptsetup luksFormat /dev/sda3
# Create DM device
cryptsetup luksOpen /dev/sda3 rootfs
# Create filesystem
apk add e2fsprogs
mkfs.ext4 /dev/mapper/rootfs
# Mount filesytems
mount /dev/mapper/rootfs /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
```
## Configure initramfs
We need to enable rootfs decryption on boot. For this we need to add
cryptsetup into the feature list of /etc/mkinitfs/mkinitfs.conf:
```
hike:/etc# cat /etc/mkinitfs/mkinitfs.conf
features="ata base ide scsi usb virtio ext4 cryptsetup"
```
Regenerate the initramfs:
```
mkinitfs
```
## Configure and install the bootloader
We will be using grub for booting:
```
apk add grub-efi efibootmgr
```
Update the /etc/default/grub to contain the cryptroot kernel
parameter in the GRUB_CMDLINE_LINUX_DEFAULT variable:
```
hike:/# cat /etc/default/grub
GRUB_DISTRIBUTOR="Alpine"
GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=/dev/sda3 cryptdm=root"
```
Regenerate the grub configuration:
```
grub-mkconfig -o /mnt/boot/grub/grub.cfg
```
Verify it has been added correctly:
```
hike:/# grep crypt /boot/grub/grub.cfg
linux /vmlinuz-lts root=UUID=fa67b307-e155-47d8-98a6-4930131b5cd3 ro modules=sd-mod,usb-storage,ext4 nomodeset quiet rootfstype=ext4 cryptroot=/dev/sda3 cryptdm=root
```
Install grub:
```
grub-install --efi-directory /mnt/boot
```
## Install to disk
All changes so far have been done in RAM. Let's persist them:
```
setup-disk /mnt
```
## Final step
If everything went well so far - it's time to reboot your fully
encrypted system. The usual steps like setting up the root password or
the hostname have been skipped for the sake brevity.
Enjoy your full encrypted Alpine Linux!
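Review bot: the device-mapper name is inconsistent between the format step and the kernel command line: `cryptsetup luksOpen /dev/sda3 rootfs` creates `/dev/mapper/rootfs`, while `GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=/dev/sda3 cryptdm=root"` tells the initramfs to open the same partition as `/dev/mapper/root`. The boot only works here because the generated grub.cfg passes `root=UUID=...`, which is resolved by filesystem UUID regardless of the mapper name; use one name in both places (for example `cryptdm=rootfs`) so the guide does not silently depend on that. Three smaller points in the same hunk: `echo nameserver 2a0a:e5c0:2:a::a` only prints to the terminal and needs a redirect into `/etc/resolv.conf` to actually configure the resolver; the verification step greps `/boot/grub/grub.cfg` although the configuration was just written to `/mnt/boot/grub/grub.cfg`, so either grep that path or state that the command is run inside the installed system; and the swap partition from the partition list is never formatted or referenced again, so if it is meant to be used it needs `mkswap`, and to keep the "fully encrypted system" claim in the final section it should be encrypted as well rather than left as plain swap, which would otherwise hold pages of memory in the clear.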