ungleich-staticcms/content/u/blog/encrypted-rootfs-with-alpin.../contents.lr


title: Encrypted rootfs with Alpine Linux
---
pub_date: 2020-10-08
---
author: ungleich
---
twitter_handle: ungleich
---
_hidden: no
---
_discoverable: yes
---
abstract:
How to encrypt your root filesystem with Alpine Linux
---
body:
## Introduction
This is a short guide on how to encrypt your root filesystem on Alpine
Linux. This article assumes an EFI based system.
## Booting Alpine Linux
Boot the standard Alpine Linux installer image. Prepare networking
and the apk repositories:
```
setup-interfaces
```
If you are in an IPv6-only network, set up a nameserver by hand; at the
moment Alpine Linux does not start rdnssd by default. The following
works for VMs on [Data Center Light](https://datacenterlight.ch):
```
echo nameserver 2a0a:e5c0:2:a::a > /etc/resolv.conf
```
Then setup the repos:
```
setup-apkrepos
```
Optional, if you want to continue the installation remotely from
another computer via ssh:
```
setup-sshd
```
And then add your ssh key to /root/.ssh/authorized_keys. We are using
the key.wf service for staff at ungleich. Whatever you fetch here decides
who may log in to the installer, so fetch it over HTTPS and compare the
fingerprints with a copy you trust:
```
mkdir -p /root/.ssh/
wget -O ~/.ssh/authorized_keys https://key.wf/nico
# compare these fingerprints against a trusted copy before relying on them
ssh-keygen -lf ~/.ssh/authorized_keys
```
## Create partitions
In this guide we assume you create 3 partitions, based on gpt:
* /boot: a vfat partition usable for EFI boot (usually ~500MB)
* swap: the swap partition (usually ~half RAM)
* root: the partition containing the root filesystem
In the following sections we assume your disk is **/dev/sda**, so the
partitions are /dev/sda1 (EFI), /dev/sda2 (swap) and /dev/sda3 (root). If
you are using NVMe, your disk might also be **/dev/nvme0n1** or similar,
with partitions named /dev/nvme0n1p1 and so on.
Note that this guide does not encrypt the swap partition. Pages swapped
out of the encrypted root end up on it in the clear, so either leave swap
out entirely or encrypt it as well (for example with a random key at boot
via the dmcrypt OpenRC service from the cryptsetup-openrc package) before
adding it to /etc/fstab.
```
apk add gptfdisk
gdisk /dev/sda
# create new partition table if it does not exist or you want to start clean
# create the partitions; gdisk type codes: ef00 for the EFI system
# partition, 8200 for Linux swap, 8300 for the Linux root partition
```
## Format partitions
```
apk add dosfstools cryptsetup e2fsprogs
# EFI system partition: FAT32
mkfs.vfat -F 32 /dev/sda1
# Type YES (uppercase) to confirm, then enter the passphrase twice
cryptsetup luksFormat /dev/sda3
# Open the container as the DM device /dev/mapper/root; the name chosen
# here must match the cryptdm= kernel parameter configured later
cryptsetup luksOpen /dev/sda3 root
# Create the filesystem inside the container
mkfs.ext4 /dev/mapper/root
# Mount filesystems
mount /dev/mapper/root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
```
## Configure initramfs
To decrypt the root filesystem at boot, the initramfs needs the
cryptsetup feature (the ext4 feature is needed as well). Add it to the
feature list in /etc/mkinitfs/mkinitfs.conf:
```
hike:/etc# cat /etc/mkinitfs/mkinitfs.conf
features="ata base ide scsi usb virtio ext4 cryptsetup"
```
Regenerate the initramfs:
```
mkinitfs
```
## Configure and install the bootloader
We will be using grub for booting:
```
apk add grub-efi efibootmgr
```
Update /etc/default/grub so that the GRUB_CMDLINE_LINUX_DEFAULT variable
carries the cryptroot and cryptdm kernel parameters: cryptroot names the
LUKS container and cryptdm the name under which the initramfs opens it
as /dev/mapper/<cryptdm>. Keep that name consistent with the one you
used with luksOpen, so that /dev/mapper paths mean the same thing in the
installer and in the booted system:
```
hike:/# cat /etc/default/grub
GRUB_DISTRIBUTOR="Alpine"
GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=/dev/sda3 cryptdm=root"
```
Regenerate the grub configuration:
```
grub-mkconfig -o /mnt/boot/grub/grub.cfg
```
Verify that the parameters made it into the generated configuration.
Note that root= refers to the UUID of the ext4 filesystem inside the
container, while cryptroot= is the raw device path of the container;
device names can change between boots, so double-check the path on
machines with several disks:
```
hike:/# grep crypt /mnt/boot/grub/grub.cfg
linux /vmlinuz-lts root=UUID=fa67b307-e155-47d8-98a6-4930131b5cd3 ro modules=sd-mod,usb-storage,ext4 nomodeset quiet rootfstype=ext4 cryptroot=/dev/sda3 cryptdm=root
```
Install grub, pointing both the EFI directory and the boot directory at
the new system's /boot so that the EFI binary, the grub modules and
grub.cfg all land on the disk rather than in the live system's /boot:
```
grub-install --efi-directory /mnt/boot --boot-directory /mnt/boot
```
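Before persisting anything and rebooting, it is worth checking that the pieces configured above agree with each other: the initramfs feature list, the kernel command line in the generated grub.cfg, the open LUKS mapping and the filesystem UUID. The script below is an added example for this guide, not a script from the original post or from Alpine. It assumes the layout used above (LUKS container on /dev/sda3, opened as /dev/mapper/root with ext4 inside, mkinitfs features in /etc/mkinitfs/mkinitfs.conf, the new system's grub.cfg at /mnt/boot/grub/grub.cfg) and that blkid prints `UUID="..."` as both the busybox and util-linux versions do. The parsing functions take their input as arguments so they can be exercised with constructed lines; the live checks run only when the script is started with the argument `live`.

```shell
#!/bin/sh
# Pre-reboot sanity check for the encrypted-rootfs setup in this guide.
# Added example, not part of the original post. Assumptions: LUKS container
# on /dev/sda3 opened as /dev/mapper/root, ext4 inside it, features in
# /etc/mkinitfs/mkinitfs.conf, the new grub.cfg at /mnt/boot/grub/grub.cfg.

# Print the value of KEY=VALUE from a kernel command line ($1); return 1 if
# KEY ($2) is absent. Matching is anchored at the token start, so "root="
# does not match "cryptroot=".
cmdline_opt() {
    for tok in $1; do
        case "$tok" in
            "$2="*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 if the features="..." line of mkinitfs.conf ($1 = file contents)
# lists the cryptsetup feature as a whole word.
features_have_cryptsetup() {
    feats=$(printf '%s\n' "$1" | sed -n 's/^features="\(.*\)"$/\1/p')
    for f in $feats; do
        [ "$f" = cryptsetup ] && return 0
    done
    return 1
}

# Check one "linux ..." line from grub.cfg (or /proc/cmdline after reboot):
# cryptroot= and cryptdm= must be present, cryptdm= must equal the mapping
# name used with luksOpen ($2), and root= should be UUID based so the kernel
# finds the filesystem no matter how the mapping is named.
check_cmdline() {
    cr=$(cmdline_opt "$1" cryptroot) || { echo "missing cryptroot="; return 1; }
    dm=$(cmdline_opt "$1" cryptdm)   || { echo "missing cryptdm="; return 1; }
    rt=$(cmdline_opt "$1" root)      || { echo "missing root="; return 1; }
    [ "$dm" = "$2" ] || { echo "cryptdm=$dm does not match mapping name $2"; return 1; }
    case "$rt" in
        UUID=*) ;;
        *) echo "root=$rt is not UUID based"; return 1 ;;
    esac
    echo "ok: $cr opened as /dev/mapper/$dm, root=$rt"
}

# Run the live checks with: sh check-cryptroot.sh live
if [ "${1:-}" = live ]; then
    features_have_cryptsetup "$(cat /etc/mkinitfs/mkinitfs.conf)" \
        || { echo "mkinitfs.conf does not list the cryptsetup feature"; exit 1; }
    grep '^[[:space:]]*linux[[:space:]]' /mnt/boot/grub/grub.cfg \
        | while read -r line; do check_cmdline "$line" root || exit 1; done \
        || exit 1
    # The container really is LUKS and the mapping is currently open
    cryptsetup isLuks /dev/sda3 || { echo "/dev/sda3 is not a LUKS device"; exit 1; }
    cryptsetup status root >/dev/null || { echo "mapping root is not open"; exit 1; }
    # root=UUID on the command line must be the filesystem inside the mapping
    # (this parsing works with both busybox and util-linux blkid output)
    uuid=$(blkid /dev/mapper/root | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
    grep -q "root=UUID=$uuid" /mnt/boot/grub/grub.cfg \
        || { echo "root=UUID in grub.cfg does not match /dev/mapper/root"; exit 1; }
    echo "all checks passed"
fi
```

After a successful reboot the same `check_cmdline` function can be run against `/proc/cmdline` to confirm the system actually booted with the parameters you configured.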
## Install to disk
All changes so far have been done in RAM. Let's persist them:
```
setup-disk /mnt
```
## Final step
If everything went well so far, it is time to reboot into your system
with an encrypted root filesystem; the initramfs will ask for the LUKS
passphrase at boot. The usual steps like setting the root password or
the hostname have been skipped for the sake of brevity.
Keep in mind what this setup does not cover: /boot, with the kernel and
the initramfs, stays on the unencrypted EFI partition and can be altered
by anyone with physical access to the disk, and the swap partition is not
encrypted either.
Enjoy your encrypted [Alpine Linux](https://alpinelinux.org/)!