title: Encrypted rootfs with Alpine Linux
---
pub_date: 2020-10-08
---
author: ungleich
---
twitter_handle: ungleich
---
_hidden: no
---
_discoverable: yes
---
abstract: How to encrypt your root filesystem with Alpine Linux
---
body:

## Introduction

This is a short guide on how to encrypt your root filesystem on Alpine Linux. This article assumes an EFI based system.

## Booting Alpine Linux

Use the standard Alpine Linux installer to boot. Prepare networking and apkrepos:

```
setup-interfaces
```

If you are in an IPv6-only network, set up a nameserver. At the moment Alpine Linux does not start rdnssd by default. The following works for VMs on [Data Center Light](https://datacenterlight.ch):

```
# append the nameserver to the resolver configuration
echo nameserver 2a0a:e5c0:2:a::a >> /etc/resolv.conf
```

Then set up the repos:

```
setup-apkrepos
```

Optionally, if you want to continue the installation remotely from another computer via ssh:

```
setup-sshd
```

And then add your ssh key to /root/.ssh/authorized_keys. We are using the key.wf service for staff at ungleich:

```
mkdir -p /root/.ssh/
wget -O ~/.ssh/authorized_keys key.wf/nico
```

## Create partitions

In this guide we assume you create 3 partitions, based on GPT:

* /boot: a vfat partition usable for EFI boot (usually ~500MB)
* swap: the swap partition (usually ~half RAM)
* root: the partition containing the root filesystem

In the following sections we assume your disk is **/dev/sda**. If you are using NVMe, your disk might instead be **/dev/nvme0n1** or similar.

```
apk add gptfdisk
gdisk /dev/sda
# create new partition table if it does not exist or you want to start clean
# create the partitions
```

## Format partitions

```
mkfs.vfat /dev/sda1

apk add cryptsetup
# Enter YES and your password twice
cryptsetup luksFormat /dev/sda3
# Create DM device
cryptsetup luksOpen /dev/sda3 rootfs

# Create filesystem
apk add e2fsprogs
mkfs.ext4 /dev/mapper/rootfs

# Mount filesystems
mount /dev/mapper/rootfs /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
```

## Configure initramfs

We need to enable rootfs decryption on boot. For this we need to add cryptsetup to the feature list in /etc/mkinitfs/mkinitfs.conf:

```
hike:/etc# cat /etc/mkinitfs/mkinitfs.conf
features="ata base ide scsi usb virtio ext4 cryptsetup"
```

Regenerate the initramfs:

```
mkinitfs
```

## Configure and install the bootloader

We will be using grub for booting:

```
apk add grub-efi efibootmgr
```

Update /etc/default/grub so that the GRUB_CMDLINE_LINUX_DEFAULT variable contains the cryptroot kernel parameter:

```
hike:/# cat /etc/default/grub
GRUB_DISTRIBUTOR="Alpine"
GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=/dev/sda3 cryptdm=root"
```

Regenerate the grub configuration:

```
grub-mkconfig -o /mnt/boot/grub/grub.cfg
```

Verify it has been added correctly:

```
hike:/# grep crypt /boot/grub/grub.cfg
        linux   /vmlinuz-lts root=UUID=fa67b307-e155-47d8-98a6-4930131b5cd3 ro modules=sd-mod,usb-storage,ext4 nomodeset quiet rootfstype=ext4 cryptroot=/dev/sda3 cryptdm=root
```

Install grub:

```
grub-install --efi-directory /mnt/boot
```

## Install to disk

All changes so far have been done in RAM. Let's persist them:

```
setup-disk /mnt
```

## Final step

If everything went well so far, it is time to reboot your fully encrypted system. The usual steps like setting up the root password or the hostname have been skipped for the sake of brevity.

Enjoy your fully encrypted [Alpine Linux](https://alpinelinux.org/)!
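Before rebooting, the three files touched above (mkinitfs.conf, /etc/default/grub and the generated grub.cfg) must agree on the cryptsetup feature and the cryptroot device, otherwise the initramfs never unlocks the root. The following check is an added example, not part of the original guide; the `check_crypt_config` and `write_sample` functions and the sample files are my own construction mirroring the values shown above.

```sh
#!/bin/sh
# Added example, not from the original guide: a pre-reboot consistency check.
# The three files that must agree are mkinitfs.conf (cryptsetup feature),
# /etc/default/grub (cryptroot=/cryptdm=) and the generated grub.cfg.
# Paths are parameters so it runs against the live system, /mnt, or samples.

# check_crypt_config MKINITFS_CONF DEFAULT_GRUB GRUB_CFG [probe]
# Returns 0 when every check passes, 1 otherwise, printing each failure.
# With probe=yes it also asks cryptsetup whether the device carries a LUKS header.
check_crypt_config() {
    mkinitfs_conf=$1 default_grub=$2 grub_cfg=$3 probe=${4:-no} rc=0
    # 1. Without the cryptsetup feature the initramfs cannot unlock the root.
    grep -q '^features=".*cryptsetup' "$mkinitfs_conf" ||
        { echo "FAIL: cryptsetup not in features= of $mkinitfs_conf"; rc=1; }
    # 2. The device named by cryptroot= in GRUB_CMDLINE_LINUX_DEFAULT.
    dev=$(sed -n 's/.*cryptroot=\([^ "]*\).*/\1/p' "$default_grub" | head -n 1)
    [ -n "$dev" ] || { echo "FAIL: no cryptroot= in $default_grub"; rc=1; }
    # 3. grub-mkconfig must have carried both parameters into grub.cfg.
    if [ -n "$dev" ] && ! grep -Fq "cryptroot=$dev" "$grub_cfg"; then
        echo "FAIL: $grub_cfg does not reference cryptroot=$dev"; rc=1
    fi
    grep -q 'cryptdm=' "$grub_cfg" || { echo "FAIL: no cryptdm= in $grub_cfg"; rc=1; }
    # 4. Optional: confirm the device is really a LUKS container.
    if [ "$probe" = yes ] && [ -n "$dev" ]; then
        cryptsetup isLuks "$dev" || { echo "FAIL: $dev is not LUKS"; rc=1; }
    fi
    return $rc
}

# Constructed sample files mirroring the guide's values; $1 dir, $2 features list.
write_sample() {
    printf 'features="%s"\n' "$2" > "$1/mkinitfs.conf"
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=/dev/sda3 cryptdm=root"\n' > "$1/grub"
    printf 'linux /vmlinuz-lts root=UUID=PLACEHOLDER ro rootfstype=ext4 %s\n' \
        'cryptroot=/dev/sda3 cryptdm=root' > "$1/grub.cfg"
}

# On the installed system the call would be:
#   check_crypt_config /etc/mkinitfs/mkinitfs.conf /etc/default/grub /mnt/boot/grub/grub.cfg
good=$(mktemp -d) bad=$(mktemp -d)
write_sample "$good" "ata base ide scsi usb virtio ext4 cryptsetup"
write_sample "$bad" "ata base ide scsi usb virtio ext4"
check_crypt_config "$good/mkinitfs.conf" "$good/grub" "$good/grub.cfg" && echo "sample: OK"
check_crypt_config "$bad/mkinitfs.conf" "$bad/grub" "$bad/grub.cfg" || echo "sample: rejected"
rm -rf "$good" "$bad"
```

Run it with `probe=yes` as the fourth argument on the real system to also confirm that /dev/sda3 carries a LUKS header.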