Alpine Linux - User contributions [en]

Raspberry Pi LVM on LUKS

2026-04-30T01:20:10Z

Harpia: Clarify the "Boot the Installer" instructions

Installing Alpine on an encrypted root article complements the existing installation instructions for Raspberry Pi, providing only the needed changes that enable booting from an encrypted media. Use it only as a reference, not as a complete walk-through for installation.

==Prepare the Installation Media==
Write the downloaded image or tarball to a disk. In this example, this bootable disk (referred to as ''/dev/sda'') will be used as a read-only installation media. The target root disk is referred to as ''/dev/sdb''.

==Boot the Installer==
Insert the installation disk into the pi and turn it on. To make sure it boots the right device, unplug any other storage media.

Once Alpine is initialized, log in and perform a "diskless installation" with <code>setup-alpine</code>. Next, we will setup the disk manually.

==Disk Setup==
Plug in the disk to be used as the encrypted root. A tool such as <code>lsblk</code> gives you an overview of all disks available. In this example, the new disk becomes ''/dev/sdb''.

Create a bootable FAT32 partition (''/dev/sdb1'') that will hold the unencrypted ''/boot'', and then a larger Linux partition (''/dev/sdb2'') that will hold the LVM physical volume. Important: if you plan to [[Raspberry_Pi_LVM_on_LUKS#Optional:_Decrypt_with_a_Keyfile|decrypt with a keydisk]], create the ''/boot'' partition on the keydisk instead.

Install the necessary packages:
{{cmd|apk add cryptsetup lvm2}}

Encrypt the Linux partition with one of the following:
{{cmd|cryptsetup luksFormat /dev/sdb2 # Raspberry Pi 5}}
{{cmd|cryptsetup luksFormat -c xchacha12,aes-adiantum-plain64 /dev/sdb2 # Raspberry Pi 4 and older}}

At this point you can follow the [[LVM_on_LUKS#Creating_the_Logical_Volumes_and_File_Systems|LVM on LUKS page]] to create and format the LVM volumes.

Mount the new root partition at ''/mnt'', the boot partition at ''/mnt/boot'' (after creating the directory), then run ''setup-disk'' like this:
{{cmd|setup-disk -m sys /mnt}}

==Verify the Installation==
''setup-disk'' should setup most things for us, but it's a good idea to inspect some critical files to avoid ending up with a system that won't boot.

Here's a list of files to check:
* ''/etc/mkinitfs/mkinitfs.conf'' should have the features <code>lvm</code> and <code>cryptsetup</code>.
* ''/boot/cmdline.txt'' should contain the following options: <code>root=/dev/vg0/root cryptroot=UUID=<encrypted_disk_uuid> cryptdm=root</code>
* ''/etc/fstab'' should have a line for <code>/dev/vg0/root</code> (and any other LVM volumes), and <code>/boot</code> (by UUID).

Finally, a friendly reminder: save a backup of that LUKS header (see <code>cryptsetup-luksHeaderBackup(8)</code>).

==Optional: Decrypt with a Keyfile==
The "keydisk" — a storage device used as a decryption key — is a convenient method to enable full-disk encryption, especially for a headless server. Unfortunately, ''mkinitfs'' does not yet support decryption keys on external devices, but there is a [https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/108 pending merge request] to implement it, as well as a decent workaround: move the entire ''/boot'' partition onto a separate device.

This assumes you've already booted a passphrase-encrypted Alpine installation, but you can include this as part of the installation procedure.

===Create the keyfile===

A keyfile can be created with ''dd'':
{{cmd|dd if{{=}}/dev/urandom of{{=}}/crypto_keyfile.bin bs{{=}}1M count{{=}}1}}

Make it read-only, owner only:
{{cmd|chmod 400 /crypto_keyfile.bin}}

Add the keyfile to the LUKS header:
{{cmd|cryptsetup luksAddKey /dev/sdb2 /crypto_keyfile.bin}}

===Prepare the Initramfs===

The root disk decryption takes place in the temporary environment called ''initramfs''. ''mkinitfs'' will copy your keyfile into the initramfs filesystem, and place it in the exact same path it was copied from (e.g. ''/boot/cryptkey'', ''/var/root.key'').

The default path is <code>/crypto_keyfile.bin</code>, but you can change it by editing <code>/etc/mkinitfs/features.d/cryptkey.files</code>.

The path to the keyfile must also be passed as a kernel command-line option in <code>/boot/cmdline.txt</code>:
<pre>
cryptkey=/crypto_keyfile.bin
</pre>

Enable the necessary features in <code>/etc/mkinitfs/mkinitfs.conf</code>:
<pre>
features="... cryptsetup cryptkey"
</pre>

Regenerate the [[Initramfs_init|initramfs]]:
<pre>
mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b /
</pre>

==See also==

* [[Raspberry Pi|Raspberry Pi - Installation]] ''(diskless-mode installation)''
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]] ''(sys-mode installation)''
* [[LVM_on_LUKS|LVM on LUKS]] ''(encryption and LVM, but beware not everything applies to the pi)''

[[Category:Storage]]
[[Category:Security]]
[[Category:Raspberry]]

Raspberry Pi LVM on LUKS

2026-04-29T21:37:33Z

Harpia: Fix "em dash" character

Installing Alpine on an encrypted root article complements the existing installation instructions for Raspberry Pi, providing only the needed changes that enable booting from an encrypted media. Use it only as a reference, not as a complete walk-through for installation.

==Prepare the Installation Media==
Write the downloaded image or tarball to a disk. In this example, this bootable disk (referred to as ''/dev/sda'') will be used as a read-only installation media. The target root disk is referred to as ''/dev/sdb''.

==Boot the Installer==
Insert the bootable disk we created earlier into the pi, and boot from it. Login and perform a "diskless installation" with <code>setup-alpine</code>. We will setup the disk manually.

==Disk setup==
Plug in the disk to be used as the encrypted root. A tool such as <code>lsblk</code> gives you an overview of all disks available. In this example, the new disk becomes ''/dev/sdb''.

Create a bootable FAT32 partition (''/dev/sdb1'') that will hold the unencrypted ''/boot'', and then a larger Linux partition (''/dev/sdb2'') that will hold the LVM physical volume. Important: if you plan to [[Raspberry_Pi_LVM_on_LUKS#Optional:_Decrypt_with_a_Keyfile|decrypt with a keydisk]], create the ''/boot'' partition on the keydisk instead.

Install the necessary packages:
{{cmd|apk add cryptsetup lvm2}}

Encrypt the Linux partition with one of the following:
{{cmd|cryptsetup luksFormat /dev/sdb2 # Raspberry Pi 5}}
{{cmd|cryptsetup luksFormat -c xchacha12,aes-adiantum-plain64 /dev/sdb2 # Raspberry Pi 4 and older}}

At this point you can follow the [[LVM_on_LUKS#Creating_the_Logical_Volumes_and_File_Systems|LVM on LUKS page]] to create and format the LVM volumes.

Mount the new root partition at ''/mnt'', the boot partition at ''/mnt/boot'' (after creating the directory), then run ''setup-disk'' like this:
{{cmd|setup-disk -m sys /mnt}}

==Verify the Installation==
''setup-disk'' should setup most things for us, but it's a good idea to inspect some critical files to avoid ending up with a system that won't boot.

Here's a list of files to check:
* ''/etc/mkinitfs/mkinitfs.conf'' should have the features <code>lvm</code> and <code>cryptsetup</code>.
* ''/boot/cmdline.txt'' should contain the following options: <code>root=/dev/vg0/root cryptroot=UUID=<encrypted_disk_uuid> cryptdm=root</code>
* ''/etc/fstab'' should have a line for <code>/dev/vg0/root</code> (and any other LVM volumes), and <code>/boot</code> (by UUID).

Finally, a friendly reminder: save a backup of that LUKS header (see <code>cryptsetup-luksHeaderBackup(8)</code>).

==Optional: Decrypt with a Keyfile==
The "keydisk" — a storage device used as a decryption key — is a convenient method to enable full-disk encryption, especially for a headless server. Unfortunately, ''mkinitfs'' does not yet support decryption keys on external devices, but there is a [https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/108 pending merge request] to implement it, as well as a decent workaround: move the entire ''/boot'' partition onto a separate device.

This assumes you've already booted a passphrase-encrypted Alpine installation, but you can include this as part of the installation procedure.

===Create the keyfile===

A keyfile can be created with ''dd'':
{{cmd|dd if{{=}}/dev/urandom of{{=}}/crypto_keyfile.bin bs{{=}}1M count{{=}}1}}

Make it read-only, owner only:
{{cmd|chmod 400 /crypto_keyfile.bin}}

Add the keyfile to the LUKS header:
{{cmd|cryptsetup luksAddKey /dev/sdb2 /crypto_keyfile.bin}}

===Prepare the Initramfs===

The root disk decryption takes place in the temporary environment called ''initramfs''. ''mkinitfs'' will copy your keyfile into the initramfs filesystem, and place it in the exact same path it was copied from (e.g. ''/boot/cryptkey'', ''/var/root.key'').

The default path is <code>/crypto_keyfile.bin</code>, but you can change it by editing <code>/etc/mkinitfs/features.d/cryptkey.files</code>.

The path to the keyfile must also be passed as a kernel command-line option in <code>/boot/cmdline.txt</code>:
<pre>
cryptkey=/crypto_keyfile.bin
</pre>

Enable the necessary features in <code>/etc/mkinitfs/mkinitfs.conf</code>:
<pre>
features="... cryptsetup cryptkey"
</pre>

Regenerate the [[Initramfs_init|initramfs]]:
<pre>
mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b /
</pre>

==See also==

* [[Raspberry Pi|Raspberry Pi - Installation]] ''(diskless-mode installation)''
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]] ''(sys-mode installation)''
* [[LVM_on_LUKS|LVM on LUKS]] ''(encryption and LVM, but beware not everything applies to the pi)''

[[Category:Storage]]
[[Category:Security]]
[[Category:Raspberry]]

Raspberry Pi LVM on LUKS

2026-04-29T21:31:38Z

Harpia: Add link to the section for keydisk decryption

Installing Alpine on an encrypted root article complements the existing installation instructions for Raspberry Pi, providing only the needed changes that enable booting from an encrypted media. Use it only as a reference, not as a complete walk-through for installation.

==Prepare the Installation Media==
Write the downloaded image or tarball to a disk. In this example, this bootable disk (referred to as ''/dev/sda'') will be used as a read-only installation media. The target root disk is referred to as ''/dev/sdb''.

==Boot the Installer==
Insert the bootable disk we created earlier into the pi, and boot from it. Login and perform a "diskless installation" with <code>setup-alpine</code>. We will setup the disk manually.

==Disk setup==
Plug in the disk to be used as the encrypted root. A tool such as <code>lsblk</code> gives you an overview of all disks available. In this example, the new disk becomes ''/dev/sdb''.

Create a bootable FAT32 partition (''/dev/sdb1'') that will hold the unencrypted ''/boot'', and then a larger Linux partition (''/dev/sdb2'') that will hold the LVM physical volume. Important: if you plan to [[Raspberry_Pi_LVM_on_LUKS#Optional:_Decrypt_with_a_Keyfile|decrypt with a keydisk]], create the ''/boot'' partition on the keydisk instead.

Install the necessary packages:
{{cmd|apk add cryptsetup lvm2}}

Encrypt the Linux partition with one of the following:
{{cmd|cryptsetup luksFormat /dev/sdb2 # Raspberry Pi 5}}
{{cmd|cryptsetup luksFormat -c xchacha12,aes-adiantum-plain64 /dev/sdb2 # Raspberry Pi 4 and older}}

At this point you can follow the [[LVM_on_LUKS#Creating_the_Logical_Volumes_and_File_Systems|LVM on LUKS page]] to create and format the LVM volumes.

Mount the new root partition at ''/mnt'', the boot partition at ''/mnt/boot'' (after creating the directory), then run ''setup-disk'' like this:
{{cmd|setup-disk -m sys /mnt}}

==Verify the Installation==
''setup-disk'' should setup most things for us, but it's a good idea to inspect some critical files to avoid ending up with a system that won't boot.

Here's a list of files to check:
* ''/etc/mkinitfs/mkinitfs.conf'' should have the features <code>lvm</code> and <code>cryptsetup</code>.
* ''/boot/cmdline.txt'' should contain the following options: <code>root=/dev/vg0/root cryptroot=UUID=<encrypted_disk_uuid> cryptdm=root</code>
* ''/etc/fstab'' should have a line for <code>/dev/vg0/root</code> (and any other LVM volumes), and <code>/boot</code> (by UUID).

Finally, a friendly reminder: save a backup of that LUKS header (see <code>cryptsetup-luksHeaderBackup(8)</code>).

==Optional: Decrypt with a Keyfile==
The "keydisk" - a storage device used as a decryption key — is a convenient method to enable full-disk encryption, especially for a headless server. Unfortunately, ''mkinitfs'' does not yet support decryption keys on external devices, but there is a [https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/108 pending merge request] to implement it, as well as a decent workaround: move the entire ''/boot'' partition onto a separate device.

This assumes you've already booted a passphrase-encrypted Alpine installation, but you can include this as part of the installation procedure.

===Create the keyfile===

A keyfile can be created with ''dd'':
{{cmd|dd if{{=}}/dev/urandom of{{=}}/crypto_keyfile.bin bs{{=}}1M count{{=}}1}}

Make it read-only, owner only:
{{cmd|chmod 400 /crypto_keyfile.bin}}

Add the keyfile to the LUKS header:
{{cmd|cryptsetup luksAddKey /dev/sdb2 /crypto_keyfile.bin}}

===Prepare the Initramfs===

The root disk decryption takes place in the temporary environment called ''initramfs''. ''mkinitfs'' will copy your keyfile into the initramfs filesystem, and place it in the exact same path it was copied from (e.g. ''/boot/cryptkey'', ''/var/root.key'').

The default path is <code>/crypto_keyfile.bin</code>, but you can change it by editing <code>/etc/mkinitfs/features.d/cryptkey.files</code>.

The path to the keyfile must also be passed as a kernel command-line option in <code>/boot/cmdline.txt</code>:
<pre>
cryptkey=/crypto_keyfile.bin
</pre>

Enable the necessary features in <code>/etc/mkinitfs/mkinitfs.conf</code>:
<pre>
features="... cryptsetup cryptkey"
</pre>

Regenerate the [[Initramfs_init|initramfs]]:
<pre>
mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b /
</pre>

==See also==

* [[Raspberry Pi|Raspberry Pi - Installation]] ''(diskless-mode installation)''
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]] ''(sys-mode installation)''
* [[LVM_on_LUKS|LVM on LUKS]] ''(encryption and LVM, but beware not everything applies to the pi)''

[[Category:Storage]]
[[Category:Security]]
[[Category:Raspberry]]

Raspberry Pi LVM on LUKS

2026-04-29T21:24:21Z

Harpia: Rephrase and clarify some lines regarding keydisks

Installing Alpine on an encrypted root article complements the existing installation instructions for Raspberry Pi, providing only the needed changes that enable booting from an encrypted media. Use it only as a reference, not as a complete walk-through for installation.

==Prepare the Installation Media==
Write the downloaded image or tarball to a disk. In this example, this bootable disk (referred to as ''/dev/sda'') will be used as a read-only installation media. The target root disk is referred to as ''/dev/sdb''.

==Boot the Installer==
Insert the bootable disk we created earlier into the pi, and boot from it. Login and perform a "diskless installation" with <code>setup-alpine</code>. We will setup the disk manually.

==Disk setup==
Plug in the disk to be used as the encrypted root. A tool such as <code>lsblk</code> gives you an overview of all disks available. In this example, the new disk becomes ''/dev/sdb''.

Create a bootable FAT32 partition (''/dev/sdb1'') that will hold the unencrypted ''/boot'', and then a larger Linux partition (''/dev/sdb2'') that will hold the LVM physical volume. Important: if you plan to decrypt with a keydisk, create the ''/boot'' partition on the keydisk instead.

Install the necessary packages:
{{cmd|apk add cryptsetup lvm2}}

Encrypt the Linux partition with one of the following:
{{cmd|cryptsetup luksFormat /dev/sdb2 # Raspberry Pi 5}}
{{cmd|cryptsetup luksFormat -c xchacha12,aes-adiantum-plain64 /dev/sdb2 # Raspberry Pi 4 and older}}

At this point you can follow the [[LVM_on_LUKS#Creating_the_Logical_Volumes_and_File_Systems|LVM on LUKS page]] to create and format the LVM volumes.

Mount the new root partition at ''/mnt'', the boot partition at ''/mnt/boot'' (after creating the directory), then run ''setup-disk'' like this:
{{cmd|setup-disk -m sys /mnt}}

==Verify the Installation==
''setup-disk'' should setup most things for us, but it's a good idea to inspect some critical files to avoid ending up with a system that won't boot.

Here's a list of files to check:
* ''/etc/mkinitfs/mkinitfs.conf'' should have the features <code>lvm</code> and <code>cryptsetup</code>.
* ''/boot/cmdline.txt'' should contain the following options: <code>root=/dev/vg0/root cryptroot=UUID=<encrypted_disk_uuid> cryptdm=root</code>
* ''/etc/fstab'' should have a line for <code>/dev/vg0/root</code> (and any other LVM volumes), and <code>/boot</code> (by UUID).

Finally, a friendly reminder: save a backup of that LUKS header (see <code>cryptsetup-luksHeaderBackup(8)</code>).

==Optional: Decrypt with a Keyfile==
The "keydisk" - a storage device used as a decryption key — is a convenient method to enable full-disk encryption, especially for a headless server. Unfortunately, ''mkinitfs'' does not yet support decryption keys on external devices, but there is a [https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/108 pending merge request] to implement it, as well as a decent workaround: move the entire ''/boot'' partition onto a separate device.

This assumes you've already booted a passphrase-encrypted Alpine installation, but you can include this as part of the installation procedure.

===Create the keyfile===

A keyfile can be created with ''dd'':
{{cmd|dd if{{=}}/dev/urandom of{{=}}/crypto_keyfile.bin bs{{=}}1M count{{=}}1}}

Make it read-only, owner only:
{{cmd|chmod 400 /crypto_keyfile.bin}}

Add the keyfile to the LUKS header:
{{cmd|cryptsetup luksAddKey /dev/sdb2 /crypto_keyfile.bin}}

===Prepare the Initramfs===

The root disk decryption takes place in the temporary environment called ''initramfs''. ''mkinitfs'' will copy your keyfile into the initramfs filesystem, and place it in the exact same path it was copied from (e.g. ''/boot/cryptkey'', ''/var/root.key'').

The default path is <code>/crypto_keyfile.bin</code>, but you can change it by editing <code>/etc/mkinitfs/features.d/cryptkey.files</code>.

The path to the keyfile must also be passed as a kernel command-line option in <code>/boot/cmdline.txt</code>:
<pre>
cryptkey=/crypto_keyfile.bin
</pre>

Enable the necessary features in <code>/etc/mkinitfs/mkinitfs.conf</code>:
<pre>
features="... cryptsetup cryptkey"
</pre>

Regenerate the [[Initramfs_init|initramfs]]:
<pre>
mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b /
</pre>

==See also==

* [[Raspberry Pi|Raspberry Pi - Installation]] ''(diskless-mode installation)''
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]] ''(sys-mode installation)''
* [[LVM_on_LUKS|LVM on LUKS]] ''(encryption and LVM, but beware not everything applies to the pi)''

[[Category:Storage]]
[[Category:Security]]
[[Category:Raspberry]]

Raspberry Pi LVM on LUKS

2026-04-29T19:30:13Z

Harpia: Remove detailed bootable disk creation from a tarball, as writing an .img works and is easier. Fix section header indentation in the keyfile instructions.

Installing Alpine on an encrypted root article complements the existing installation instructions for Raspberry Pi, providing only the needed changes that enable booting from an encrypted media. Use it only as a reference, not as a complete walk-through for installation.

==Prepare the Installation Media==
Write the downloaded image or tarball to a disk. In this example, this bootable disk (referred to as ''/dev/sda'') will be used as a read-only installation media. The target root disk is referred to as ''/dev/sdb''.

==Boot the Installer==
Insert the bootable disk we created earlier into the pi, and boot from it. Login and perform a "diskless installation" with <code>setup-alpine</code>. We will setup the disk manually.

==Disk setup==
Plug in the disk to be used as the encrypted root. A tool such as <code>lsblk</code> gives you an overview of all disks available. In this example, the new disk becomes ''/dev/sdb''.

Create a bootable FAT32 partition (''/dev/sdb1'') that will hold the unencrypted ''/boot'', and then a larger Linux partition (''/dev/sdb2'') that will hold the LVM physical volume.

Install the necessary packages:
{{cmd|apk add cryptsetup lvm2}}

Encrypt the Linux partition with one of the following:
{{cmd|cryptsetup luksFormat /dev/sdb2 # Raspberry Pi 5}}
{{cmd|cryptsetup luksFormat -c xchacha12,aes-adiantum-plain64 /dev/sdb2 # Raspberry Pi 4 and older}}

At this point you can follow the [[LVM_on_LUKS#Creating_the_Logical_Volumes_and_File_Systems|LVM on LUKS page]] to create and format the LVM volumes.

Mount the new root partition at ''/mnt'', the boot partition at ''/mnt/boot'' (after creating the directory), then run ''setup-disk'' like this:
{{cmd|setup-disk -m sys /mnt}}

==Verify the Installation==
''setup-disk'' should setup most things for us, but it's a good idea to inspect some critical files to avoid ending up with a system that won't boot.

Here's a list of files to check:
* ''/etc/mkinitfs/mkinitfs.conf'' should have the features <code>lvm</code> and <code>cryptsetup</code>.
* ''/boot/cmdline.txt'' should contain the following options: <code>root=/dev/vg0/root cryptroot=UUID=<encrypted_disk_uuid> cryptdm=root</code>
* ''/etc/fstab'' should have a line for <code>/dev/vg0/root</code> (and any other LVM volumes), and <code>/boot</code> (by UUID).

Finally, a friendly reminder: save a backup of that LUKS header (see <code>cryptsetup-luksHeaderBackup(8)</code>).

==Optional: Decrypt with a Keyfile==
The "keydisk" - a storage device used as a decryption key — is a convenient method to enable full-disk encryption, especially for a headless server. Unfortunately, this functionality is not yet supported, but there is a [https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/108 pending merge request] to implement it.

For now, we can achieve the same by moving the entire ''/boot'' partition to a separate device.

This assumes you've already booted a passphrase-encrypted Alpine installation, but you can include this as part of the installation procedure, and even use a keyfile alone instead of a passphrase.

===Create the keyfile===

A keyfile can be created with ''dd'':
{{cmd|dd if{{=}}/dev/urandom of{{=}}/crypto_keyfile.bin bs{{=}}1M count{{=}}1}}

Make it read-only, owner only:
{{cmd|chmod 400 /crypto_keyfile.bin}}

Add the keyfile to the LUKS header:
{{cmd|cryptsetup luksAddKey /dev/sdb2 /crypto_keyfile.bin}}

===Prepare the Initramfs===

The root disk decryption takes place in the temporary environment called ''initramfs''. ''mkinitfs'' will copy your keyfile into the initramfs filesystem, and place it in the exact same path it was copied from (e.g. ''/boot/cryptkey'', ''/var/root.key'').

The default path is <code>/crypto_keyfile.bin</code>, but you can change it by editing <code>/etc/mkinitfs/features.d/cryptkey.files</code>.

The path to the keyfile must also be passed as a kernel command-line option in <code>/boot/cmdline.txt</code>:
<pre>
cryptkey=/crypto_keyfile.bin
</pre>

Enable the necessary features in <code>/etc/mkinitfs/mkinitfs.conf</code>:
<pre>
features="... cryptsetup cryptkey"
</pre>

Regenerate the [[Initramfs_init|initramfs]]:
<pre>
mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b /
</pre>

==See also==

* [[Raspberry Pi|Raspberry Pi - Installation]] ''(diskless-mode installation)''
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]] ''(sys-mode installation)''
* [[LVM_on_LUKS|LVM on LUKS]] ''(encryption and LVM, but beware not everything applies to the pi)''

[[Category:Storage]]
[[Category:Security]]
[[Category:Raspberry]]

User talk:Zcrayfish

2024-05-29T02:25:34Z

Harpia: /* About "undo revision 26759" */ new section

=== thanks for the help ===
thanks for the formatting help [https://wiki.alpinelinux.org/w/index.php?title=Setting_up_disks_manually&diff=prev&oldid=26562]
[[User:Alpinetony|Alpinetony]] [[User talk:Alpinetony|💬]] 22:24, 4 March 2024 (UTC)
:any time! \o/ –[[User:zcrayfish|zcrayfish]] ([[User talk:zcrayfish|talk]]•[[Special:Contributions/zcrayfish|contribs]]•[[Special:EmailUser/zcrayfish|send email]]) 08:43, 7 March 2024 (UTC)

== About "undo revision 26759" ==

:Revision comment does not match what was done with the page. Most content removed. Accident?

Yes, thanks for fixing that. Damn... I pressed the "edit section" button instead of "edit page". I thought I was editing just the section, and that the rest of the page would be untouched.

Raspberry Pi LVM on LUKS

2024-05-24T21:00:45Z

Harpia: Remove unnecessary "run as root" note

=Installing Alpine on an encrypted root=

This article complements the existing installation instructions for Raspberry Pi,
providing only the needed changes that enable booting from an encrypted media. Use it only as a reference, not as a complete walk-through for installation.

==Prepare the Installation Media==
[[Create_a_Bootable_Device#Manually_copying_Alpine_files|Create a bootable disk]]. Basically, you'll create and format a FAT32 partition in an MBR partition table, set the boot flag on it, mount it and extract the downloaded tarball into it. You may skip those bootloader steps, because the tarball already has everything you need to boot.

As a preference of the author, this bootable disk (referred to as ''/dev/sda'') is just an installer, and will not be changed during the installation. The target root disk is referred to as ''/dev/sdb''.

==Boot the Installer==
Insert the bootable disk we created earlier into the pi, and boot from it. Login and perform a diskless installation with <code>setup-alpine</code>. Next, we'll setup the disk.

==Disk setup==
Plug in the disk to be used as the encrypted root. A tool such as <code>lsblk</code> gives you an overview of all disks available. In this example, the new disk becomes ''/dev/sdb''.

Create a bootable FAT32 partition (''/dev/sdb1'') that will hold the unencrypted ''/boot'', and then a larger Linux partition (''/dev/sdb2'') that will hold the LVM physical volume.

Install the necessary packages:
{{cmd|apk add cryptsetup lvm2}}

Encrypt the Linux partition with one of the following:
{{cmd|cryptsetup luksFormat /dev/sdb2 # Raspberry Pi 5}}
{{cmd|cryptsetup luksFormat -c xchacha12,aes-adiantum-plain64 /dev/sdb2 # Raspberry Pi 4 and older}}

At this point you can follow the [[LVM_on_LUKS#Creating_the_Logical_Volumes_and_File_Systems|LVM on LUKS page]] to create and format the LVM volumes.

Mount the new root partition at ''/mnt'', the boot partition at ''/mnt/boot'' (after creating the directory), then run ''setup-disk'' like this:
{{cmd|setup-disk -m sys /mnt}}

==Verify the Installation==
''setup-disk'' should setup most things for us, but it's a good idea to inspect some critical files to avoid ending up with a system that won't boot.

Here's a list of files to check:
* ''/etc/mkinitfs/mkinitfs.conf'' should have the features <code>lvm</code> and <code>cryptsetup</code>.
* ''/boot/cmdline.txt'' should contain the following options: <code>root=/dev/vg0/root cryptroot=UUID=<encrypted_disk_uuid> cryptdm=root</code>
* ''/etc/fstab'' should have a line for <code>/dev/vg0/root</code> (and any other LVM volumes), and <code>/boot</code> (by UUID).

Finally, a friendly reminder: save a backup of that LUKS header (see <code>cryptsetup-luksHeaderBackup(8)</code>).

=Decrypt with a Keyfile=
The "keydisk" - a storage device used as a decryption key — is a convenient method to enable full-disk encryption, especially for a headless server. Unfortunately, this functionality is not yet supported, but there is a [https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/108 pending merge request] to implement it.

For now, we can achieve the same by moving the entire ''/boot'' partition to a separate device.

This assumes you've already booted a passphrase-encrypted Alpine installation, but you can include this as part of the installation procedure, and even use a keyfile alone instead of a passphrase.

==Create the keyfile==

A keyfile can be created with ''dd'':
{{cmd|dd if{{=}}/dev/urandom of{{=}}/crypto_keyfile.bin bs{{=}}1M count{{=}}1}}

Make it read-only, owner only:
{{cmd|chmod 400 /crypto_keyfile.bin}}

Add the keyfile to the LUKS header:
{{cmd|cryptsetup luksAddKey /dev/sdb2 /crypto_keyfile.bin}}

==Prepare the Initramfs==

The root disk decryption takes place in the temporary environment called ''initramfs''. ''mkinitfs'' will copy your keyfile into the initramfs filesystem, and place it in the exact same path it was copied from (e.g. ''/boot/cryptkey'', ''/var/root.key'').

The default path is <code>/crypto_keyfile.bin</code>, but you can change it by editing <code>/etc/mkinitfs/features.d/cryptkey.files</code>.

The path to the keyfile must also be passed as a kernel command-line option in <code>/boot/cmdline.txt</code>:
<pre>
cryptkey=/crypto_keyfile.bin
</pre>

Enable the necessary features in <code>/etc/mkinitfs/mkinitfs.conf</code>:
<pre>
features="... cryptsetup cryptkey"
</pre>

Regenerate the [[Initramfs_init|initramfs]]:
<pre>
mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b /
</pre>

=See Also=
* [[Raspberry Pi|Raspberry Pi - Installation]] ''(diskless-mode installation)''
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]] ''(sys-mode installation)''
* [[LVM_on_LUKS|LVM on LUKS]] ''(encryption and LVM, but beware not everything applies to the pi)''

Raspberry Pi LVM on LUKS

2024-05-24T20:55:12Z

Harpia:

=Installing Alpine on an encrypted root=

This article complements the existing installation instructions for Raspberry Pi,
providing only the needed changes that enable booting from an encrypted media. Use it only as a reference, not as a complete walk-through for installation.

==Prepare the Installation Media==
[[Create_a_Bootable_Device#Manually_copying_Alpine_files|Create a bootable disk]]. Basically, you'll create and format a FAT32 partition in an MBR partition table, set the boot flag on it, mount it and extract the downloaded tarball into it. You may skip those bootloader steps, because the tarball already has everything you need to boot.

As a preference of the author, this bootable disk (referred to as ''/dev/sda'') is just an installer, and will not be changed during the installation. The target root disk is referred to as ''/dev/sdb''.

Most commands here — if not all — must be run as root.

==Boot the Installer==
Insert the bootable disk we created earlier into the pi, and boot from it. Login and perform a diskless installation with <code>setup-alpine</code>. Next, we'll setup the disk.

==Disk setup==
Plug in the disk to be used as the encrypted root. A tool such as <code>lsblk</code> gives you an overview of all disks available. In this example, the new disk becomes ''/dev/sdb''.

Create a bootable FAT32 partition (''/dev/sdb1'') that will hold the unencrypted ''/boot'', and then a larger Linux partition (''/dev/sdb2'') that will hold the LVM physical volume.

Install the necessary packages:
{{cmd|apk add cryptsetup lvm2}}

Encrypt the Linux partition with one of the following:
{{cmd|cryptsetup luksFormat /dev/sdb2 # Raspberry Pi 5}}
{{cmd|cryptsetup luksFormat -c xchacha12,aes-adiantum-plain64 /dev/sdb2 # Raspberry Pi 4 and older}}

At this point you can follow the [[LVM_on_LUKS#Creating_the_Logical_Volumes_and_File_Systems|LVM on LUKS page]] to create and format the LVM volumes.

Mount the new root partition at ''/mnt'', the boot partition at ''/mnt/boot'' (after creating the directory), then run ''setup-disk'' like this:
{{cmd|setup-disk -m sys /mnt}}

==Verify the Installation==
''setup-disk'' should setup most things for us, but it's a good idea to inspect some critical files to avoid ending up with a system that won't boot.

Here's a list of files to check:
* ''/etc/mkinitfs/mkinitfs.conf'' should have the features <code>lvm</code> and <code>cryptsetup</code>.
* ''/boot/cmdline.txt'' should contain the following options: <code>root=/dev/vg0/root cryptroot=UUID=<encrypted_disk_uuid> cryptdm=root</code>
* ''/etc/fstab'' should have a line for <code>/dev/vg0/root</code> (and any other LVM volumes), and <code>/boot</code> (by UUID).

Finally, a friendly reminder: save a backup of that LUKS header (see <code>cryptsetup-luksHeaderBackup(8)</code>).

=Decrypt with a Keyfile=
The "keydisk" - a storage device used as a decryption key — is a convenient method to enable full-disk encryption, especially for a headless server. Unfortunately, this functionality is not yet supported, but there is a [https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/108 pending merge request] to implement it.

For now, we can achieve the same by moving the entire ''/boot'' partition to a separate device.

This assumes you've already booted a passphrase-encrypted Alpine installation, but you can include this as part of the installation procedure, and even use a keyfile alone instead of a passphrase.

==Create the keyfile==

A keyfile can be created with ''dd'':
{{cmd|dd if{{=}}/dev/urandom of{{=}}/crypto_keyfile.bin bs{{=}}1M count{{=}}1}}

Make it read-only, owner only:
{{cmd|chmod 400 /crypto_keyfile.bin}}

Add the keyfile to the LUKS header:
{{cmd|cryptsetup luksAddKey /dev/sdb2 /crypto_keyfile.bin}}

==Prepare the Initramfs==

The root disk decryption takes place in the temporary environment called ''initramfs''. ''mkinitfs'' will copy your keyfile into the initramfs filesystem, and place it in the exact same path it was copied from (e.g. ''/boot/cryptkey'', ''/var/root.key'').

The default path is <code>/crypto_keyfile.bin</code>, but you can change it by editing <code>/etc/mkinitfs/features.d/cryptkey.files</code>.

The path to the keyfile must also be passed as a kernel command-line option in <code>/boot/cmdline.txt</code>:
<pre>
cryptkey=/crypto_keyfile.bin
</pre>

Enable the necessary features in <code>/etc/mkinitfs/mkinitfs.conf</code>:
<pre>
features="... cryptsetup cryptkey"
</pre>

Regenerate the [[Initramfs_init|initramfs]]:
<pre>
mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b /
</pre>

=See Also=
* [[Raspberry Pi|Raspberry Pi - Installation]] ''(diskless-mode installation)''
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]] ''(sys-mode installation)''
* [[LVM_on_LUKS|LVM on LUKS]] ''(encryption and LVM, but beware not everything applies to the pi)''

Tutorials and Howtos

2024-05-22T17:26:59Z

Harpia: Add new page - Sys-mode installation, LVM on LUKS, Raspberry Pi

==== Raspberry Pi ====

* [[Raspberry Pi Bluetooth Speaker|Raspberry Pi - Bluetooth Speaker]]
* [[Raspberry Pi|Raspberry Pi - Installation]]
* [[Linux Router with VPN on a Raspberry Pi|Raspberry Pi - Router with VPN]]
* [[Linux Router with VPN on a Raspberry Pi (IPv6)|Raspberry Pi - Router with VPN (IPv6)]]
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]]
* [[Raspberry Pi LVM on LUKS|Raspberry Pi - Sys mode install - LVM on LUKS]]
* [[RPI Video Receiver|Raspberry Pi - Video Receiver]] ''(network video decoder using Rasperry Pi and omxplayer)''
* [[Raspberry Pi 3 - Browser Client]] - kiosk or digital sign
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]
* [[Raspberry Pi 3 - Setting Up Bluetooth]]
* [[Raspberry Pi 4 - Persistent system acting as a NAS and Time Machine]]
* [[How to set up Alpine as a wireless router|Raspberry Pi Zero W - Wireless router]] ''(Setting up a firewalled, Wireless AP with wired network on a Pi Zero W)''

Raspberry Pi LVM on LUKS

2024-05-22T17:23:27Z

Harpia: Document all particularities of booting the pi from encrypted root, plus cryptkey usage; Motivation came from my difficulties getting it done - many things are not obvious and not documented.

=Installing Alpine on an encrypted root=

This article complements the existing installation instructions for Raspberry Pi,
providing only the needed changes that enable booting from an encrypted media. Use it only as a reference, not as a complete walk-through for installation.

==Preparation==
[[Create_a_Bootable_Device#Manually_copying_Alpine_files|Create a bootable disk]]. Basically, you'll create and format a FAT32 partition in an MBR partition table, set the boot flag on it, mount it and extract the downloaded tarball into it. You may skip those bootloader steps, because the tarball already has everything you need to boot.

As a preference of the author, this bootable disk (referred to as ''/dev/sda'') is just an installer, and will not be changed during the installation. The target root disk is referred to as ''/dev/sdb''.

Most commands here — if not all — must be run as root.

==Boot the Installer==
Insert the bootable disk we created earlier into the pi, and boot from it. Login and perform a diskless installation with <code>setup-alpine</code>. Next, we'll setup the disk.

==Disk setup==
Plug in the disk to be used as the encrypted root. A tool such as <code>lsblk</code> gives you an overview of all disks available. In this example, the new disk becomes ''/dev/sdb''.

Create a bootable FAT32 partition (''/dev/sdb1'') that will hold the unencrypted ''/boot'', and then a larger Linux partition (''/dev/sdb2'') that will hold the LVM physical volume.

Install the necessary packages:
{{cmd|apk add cryptsetup lvm2}}

Encrypt the Linux partition with one of the following:
{{cmd|cryptsetup luksFormat /dev/sdb2 # Raspberry Pi 5}}
{{cmd|cryptsetup luksFormat -c xchacha12,aes-adiantum-plain64 /dev/sdb2 # Raspberry Pi 4 and older}}

At this point you can follow the [[LVM_on_LUKS#Creating_the_Logical_Volumes_and_File_Systems|LVM on LUKS page]] to create and format the LVM volumes.

Mount the new root partition at ''/mnt'', the boot partition at ''/mnt/boot'' (after creating the directory), then run ''setup-disk'' like this:
{{cmd|setup-disk -m sys /mnt}}

==Verify the Installation==
''setup-disk'' should setup most things for us, but it's a good idea to inspect some critical files to avoid ending up with a system that won't boot.

Here's a list of files to check:
* ''/etc/mkinitfs/mkinitfs.conf'' should have the features <code>lvm</code> and <code>cryptsetup</code>.
* ''/boot/cmdline.txt'' should contain the following options: <code>root=/dev/vg0/root cryptroot=UUID=<encrypted_disk_uuid> cryptdm=root</code>
* ''/etc/fstab'' should have a line for <code>/dev/vg0/root</code> (and any other LVM volumes), and <code>/boot</code> (by UUID).

Finally, a friendly reminder: save a backup of that LUKS header (see <code>cryptsetup-luksHeaderBackup(8)</code>).

=Decrypt with a Keyfile=
The "keydisk" - a storage device used as a decryption key — is a convenient method to enable full-disk encryption, especially for a headless server. Unfortunately, this functionality is not yet supported, but there is a [https://gitlab.alpinelinux.org/alpine/mkinitfs/-/merge_requests/108 pending merge request] to implement it.

For now, we can achieve the same by moving the entire ''/boot'' partition to a separate device.

This assumes you've already booted a passphrase-encrypted Alpine installation, but you can include this as part of the installation procedure, and even use a keyfile alone instead of a passphrase.

==Create the keyfile==

A keyfile can be created with ''dd'':
{{cmd|dd if{{=}}/dev/urandom of{{=}}/crypto_keyfile.bin bs{{=}}1M count{{=}}1}}

Make it read-only, owner only:
{{cmd|chmod 400 /crypto_keyfile.bin}}

Add the keyfile to the LUKS header:
{{cmd|cryptsetup luksAddKey /dev/sdb2 /crypto_keyfile.bin}}

==Prepare the Initramfs==

The root disk decryption takes place in the temporary environment called ''initramfs''. ''mkinitfs'' will copy your keyfile into the initramfs filesystem, and place it in the exact same path it was copied from (e.g. ''/boot/cryptkey'', ''/var/root.key'').

The default path is <code>/crypto_keyfile.bin</code>, but you can change it by editing <code>/etc/mkinitfs/features.d/cryptkey.files</code>.

The path to the keyfile must also be passed as a kernel command-line option in <code>/boot/cmdline.txt</code>:
<pre>
cryptkey=/crypto_keyfile.bin
</pre>

Enable the necessary features in <code>/etc/mkinitfs/mkinitfs.conf</code>:
<pre>
features="... cryptsetup cryptkey"
</pre>

Regenerate the [[Initramfs_init|initramfs]]:
<pre>
mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b /
</pre>

=See Also=
* [[Raspberry Pi|Raspberry Pi - Installation]] ''(diskless-mode installation)''
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]] ''(sys-mode installation)''
* [[LVM_on_LUKS|LVM on LUKS]] ''(encryption and LVM, but beware not everything applies to the pi)''

Raspberry Pi

2024-05-21T15:30:43Z

Harpia: Add a section explaining how to enable and connect to the serial console

{{warning | 11 Feb 2021 - There is currently a known bug upstream [https://github.com/raspberrypi/firmware/issues/1529 kernel/initramfs cannot be loaded from subdirectory with same name as volume label]. Since the kernel is installed to <code>boot/</code>, you must not use a label named <code>boot</code> for the fat32 partition. }}

{{TOC right}}

This tutorial explains how to install Alpine Linux on a Raspberry Pi. Alpine Linux will be installed in [[Installation#Diskless_Mode|diskless mode]], hence, [[Alpine local backup|Alpine Local Backup (lbu)]] is required to save modifications between reboots.

For scenarios where there is not expected to be significant changes to disk after setup (like running a static HTTP server), this is likely preferable, as running the entire system from memory will improve performance (by avoiding the slow SD card) and improve the SD card life (by reducing the writes to the card, as all logging will happen in RAM). Diskless installations still allow you to install packages, save local files, and tune the system to your needs.

If any of the following apply, then installation in [[Classic install or sys mode on Raspberry Pi|sys-mode installation]] is likely more appropriate.

* There will be constant changes to the disk after initial setup (for example, if you expect people to login and save files to their home directories)
* Logs should persists across reboots
* Plan to install packages which consume more space than can be loaded into RAM
* Plan to install kernel modules (such as ZFS)

== Compability list ==
As of Alpine 3.19:
* '''armhf''' (defconfig bcmrpi) - Raspberry Pi 1, Zero, ZeroW, cm1
* '''armv7''' (defconfig bcm2709) - Raspberry Pi 2, 3, 3+, Zero2W, cm3, cm3+
* '''aarch64''' (defconfig bcm2711) - Raspberry Pi 3, 3+, 4, 400, Zero2W, cm3, cm3+, cm4, 5

== Preparation ==

# [https://alpinelinux.org/downloads/ Download] the Alpine for Raspberry Pi tarball. Use the compability list above when choosing image/file to download.
# [[Create_a_Bootable_Device#Manually_copying_Alpine_files|Create a bootable FAT32 partition on your SD card.]] The partitioning and formatting part of the instructions on the linked page could be done using a graphical partitioning tool such as [https://en.wikipedia.org/wiki/GNOME_Disks gnome-disks], just make sure the partition type is <code>W95 FAT32 (LBA)</code>. (The current type can be found in the "Type" column in the output of <code>fdisk -l</code>.)
# Extract the tarball to the root of the bootable FAT32 partition.

To setup a headless system, a bootstrapping configuration overlay file [https://github.com/macmpi/alpine-linux-headless-bootstrap headless.apkovl.tar.gz] may be added to enable basic networking, so that following configuration steps can be performed under <code>ssh</code>. Pi Zero may be configured with simple USB ethernet-gadget networking with another computer sharing its internet connection.

It is recommended to create a '''usercfg.txt''' file on boot partition to configure low-level system settings, as '''config.txt''' may be replaced during bootloader/system upgrades: details can be found [https://www.raspberrypi.com/documentation/computers/config_txt.html here]. 
However, note some [https://www.raspberrypi.com/documentation/computers/config_txt.html#include settings] can only be set in '''config.txt''', and will have no effect when specified in '''usercfg.txt''' (e.g. <code>gpu_mem</code>). Some interesting values include:
* To enable the UART console: <code>enable_uart=1</code>
* To enable audio: <code>dtparam=audio=on</code>
* By default system will use legacy video driver: some [https://www.raspberrypi.com/documentation/computers/legacy_config_txt.html#legacy-video-options options] may be used to adjust displays modes (e.g. if you see black edges around your screen after booting the Pi, you can add <code>disable_overscan=1</code>). Alternatively Linux DRM-KMS driver may be used (see below).
* If you plan to install on a Pi Compute Module 4 with I/O board, you may need to add: <code>otg_mode=1</code>

Recent versions include Broadcom firmware files. If you're using an older Alpine version, see [[#Wireless_support_with_older_Alpine_images|section below]].

== Installation ==

Follow these steps to install Alpine Linux in Diskless Mode:

# Insert the SD card into the Raspberry Pi and power it on
# Login into the Alpine system as root. Leave the password empty.
# Type <code>setup-alpine</code>
# Once the installation is complete, commit the changes by typing <code>lbu commit -d</code>

Type <code>reboot</code> to verify that the installation was indeed successful.

== Post Installation ==

=== Update the System ===

After installation, make sure your system is up-to-date:

{{cmd|apk update
apk upgrade}}

Don't forget to save the changes:

{{cmd|lbu commit -d}}

Note: this does not upgrade the kernel. In order to upgrade the kernel, a full upgrade of the Alpine Linux version must be performed as described in [[Upgrading Alpine#Upgrading Alpine Linux on other removable media (such as CF/USB)|upgrading Alpine Linux for removable media]].

=== Linux Kernel Graphics Modes ===
By default system configuration will use legacy video driver: this driver has some limitations and is lacking support. 
It is recommended to enable Linux DRM-KMS driver by adding the following to '''usercfg.txt''':
# Enable DRM VC4 V3D driver
dtoverlay=vc4-kms-v3d
max_framebuffers=2

# Don't have the firmware create an initial video= setting in cmdline.txt.
# Use the kernel's default instead.
disable_fw_kms_setup=1
Note: This overlay disables legacy video [https://www.raspberrypi.com/documentation/computers/legacy_config_txt.html#legacy-video-options options].

Install the Mesa drivers (Pi4 and Pi5):

{{cmd|apk add {{pkg|mesa-dri-gallium|arch=a*}}}}

Then reboot:

{{cmd|lbu_commit -d; reboot}}

=== Wireless drivers ===
As of Alpine 3.17, Wifi and Bluetooth drivers are available within install image: they are part of <code>linux-firmware-brcm</code> (and linked dependencies). 
Since kernel 6.1.25 (i.e. Alpine 3.18), onboard bluetooth is enabled & autoprobed by default (it may be disabled by setting [https://github.com/raspberrypi/rpi-firmware/tree/master/overlays krnbt] off).

== Troubleshooting ==
<code>raspinfo</code> utility can be used as a first step to diagnose issues: it will make a log report of essential Pi system configuration, and is often used as a reference to submit questions or bug reports within Raspberry Pi community (Forums, Github, etc). 
It can be installed with <code>raspberrypi-utils-raspinfo</code> subpackage.

=== Long boot time when running headless ===

If no peripherals are connected, the system might hang for an exceptionally long period of time while it attempts to accumulate entropy.

If this is the case, simply plugging in any USB device should work around this issue, since it increases the amount of entropy available to the kernel via interrupts.

=== apk indicating 'No space left on device' ===

Note some models of the Raspberry Pi such as the 3A+ only have 512M of RAM, which on fresh Alpine deployment will only leave around 200M for tmpfs root. It's important to keep this limitation in mind when using these boards.

=== Clock-related error messages ===

During the booting time, you might notice errors related to the hardware clock. Many Raspberry Pi does not have a hardware clock, thus you need to disable the hwclock daemon and enable swclock:

{{cmd|rc-update add swclock boot # enable the software clock
rc-update del hwclock boot # disable the hardware clock}}

== Persistent storage ==
=== Traditional disk-based (sys) installation ===
{{Merge|Classic install or sys mode on Raspberry Pi|There's an existing page for sys-installations on RasPi.}}

It is also possible to switch to a fully disk-based installation. This is not yet formally supported, but can be done somewhat manually. This frees all the memory otherwise needed for the root filesystem, allowing more installed packages.

Split your SD card into two partitions: the FAT32 boot partition described above (in this example it'll be <code>mmcblk0p1</code>) , and a second partition to hold the root filesystem (here it'll be <code>mmcblk0p2</code>). Boot and configure your diskless system as above, then create a root filesystem:

{{cmd|apk add {{pkg|e2fsprogs|arch=a*}}
mkfs.ext4 /dev/mmcblk0p2}}

Now do a disk install via a mountpoint. The <code>setup-disk</code> script will give some errors about syslinux/extlinux, but you can ignore them.
The Raspberry Pi doesn't need them to boot.

{{cmd|<nowiki>mkdir /stage
mount /dev/mmcblk0p2 /stage
setup-disk -o /media/mmcblk0p1/MYHOSTNAME.apkovl.tar.gz /stage
# (ignore errors about syslinux/extlinux)</nowiki>}}

Add a line to <code>/stage/etc/fstab</code> to mount the Pi's boot partition again:

{{cmd|/dev/mmcblk0p1 /media/mmcblk0p1 vfat defaults 0 0}}

Now add a <code>root=/dev/mmcblk0p2</code> parameter to the Pi's boot command line, either <code>cmdline-rpi2.txt</code> or <code>cmdline-rpi.txt</code> depending on model:

{{cmd|<nowiki>mount -o remount,rw /media/mmcblk0p1
sed -i '$ s/$/ root=\/dev\/mmcblk0p2/' /media/mmcblk0p1/cmdline-rpi2.txt</nowiki>}}

You might also consider <code>overlaytmpfs=yes</code> here, which will cause the underlying SD card root filesystem to be mounted read-only, with an overlayed tmpfs for modifications which will be discarded at shutdown.

N.B. the contents of /boot will be ignored when the Pi boots. It will use the kernel, initramfs, and modloop images from the FAT32 boot partition. To update the kernel, initfs or modules, you will need to manually (generate and) copy these to the boot partition or you could use bind mount, in which case,
copying the files to boot partition manually, is not needed.

{{cmd|<nowiki>echo /media/mmcblk0p1/boot /boot none defaults,bind 0 0 >> /etc/fstab</nowiki>}}

=== Loopback image with overlayfs ===

When you install Alpine in diskless mode, the entire system is loaded into memory at boot. If you want additional storage (for example, if you need more space than offered by your RAM) we need to create loop-back storage onto the SD card mounted with overlayfs.

First, make the SD card writable again and change fstab to always do so:
{{cmd|mount /media/mmcblk0p1 -o rw,remount
sed -i 's/vfat\ ro,/vfat\ rw,/' /etc/fstab}}

Create the loop-back file, this example is 1 GB:

{{cmd|dd if=/dev/zero of=/media/mmcblk0p1/persist.img bs=1024 count=0 seek=1048576}}

Install the ext utilities:

{{cmd|apk add e2fsprogs}}

Format the loop-back file:

{{cmd|mkfs.ext4 /media/mmcblk0p1/persist.img}}

Mount the storage:

{{cmd|echo "/media/mmcblk0p1/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0" >> /etc/fstab
mkdir /media/persist
mount -a}}

Make the overlay folders, we are using the /usr directory here, but you can use /home or anything else.
{{Warning|Overlay workdir needs to be an empty directory on the same filesystem mount as the upper directory. So each overlay must use its own workdir.}}

{{cmd|mkdir /media/persist/usr
mkdir /media/persist/.work_usr
echo "overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work_usr 0 0" >> /etc/fstab
mount -a}}

Your /etc/fstab should look something like this:
{{Cmd|/dev/cdrom /media/cdrom iso9660 noauto,ro 0 0
/dev/usbdisk /media/usb vfat noauto,ro 0 0
/dev/mmcblk0p1 /media/mmcblk0p1 vfat rw,relatime,fmask=0022,dmask=0022,errors=remount-ro 0 0
/media/mmcblk0p1/persist.img /media/persist ext4 rw,relatime,errors=remount-ro 0 0
overlay /usr overlay lowerdir=/usr,upperdir=/media/persist/usr,workdir=/media/persist/.work_usr 0 0}}

Now commit the changes: (optionally remove the e2fsprogs, but it does contain repair tools)
{{cmd|lbu_commit -d}}

Remember, with this setup if you install things and you have done this overlay for /usr, you must not commit the 'apk add', otherwise, while it boots it will try and install it to memory, not to the persistent storage.

If you do want to install something small at boot, you can use <code>apk add</code> and <code>lbu commit -d</code>.

If it is something a bit bigger, then you can use <code>apk add</code> but then not commit it. It will be persistent (in <code>/user</code>), but be sure to check everything you need is in that directory and not in folders you have not made persistent.

== Netboot ==

=== Netbooting Raspberry Pi 4 ===

The Raspberry Pi 4 bootloader can be configured to boot from the network [https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#raspberry-pi-4-bootloader-configuration]. Configure the bootloader with at least

{{cmd|<nowiki>BOOT_ORDER=0xf142
TFTP_PREFIX=1</nowiki>}}

and optionally also {{cmd|<nowiki>TFTP_IP=x.x.x.x</nowiki>}} where <code>x.x.x.x</code> is the IP address of your TFTP server.

If not configuring <code>TFTP_IP</code> in the bootloader, you'll need to configure your DHCP server to advertise the TFTP server IP address. This varies depending on your DHCP server; use the following details if applicable:

# Vendor class: <code>PXEClient:Arch:00000:UNDI:002001</code>
# Filename: <code>/</code>

The minimal set of files that your TFTP server needs to host are:

# <code>bcm2711-rpi-4-b.dtb</code> (from [https://raw.githubusercontent.com/raspberrypi/firmware/master/boot/bcm2711-rpi-4-b.dtb raspberrypi/firmware/master/boot/bcm2711-rpi-4-b.dtb])
# <code>cmdline.txt</code> (see below)
# <code>config.txt</code> (see below)
# <code>fixup4.dat</code> (from [https://raw.githubusercontent.com/raspberrypi/firmware/master/boot/fixup4.dat raspberrypi/firmware/master/boot/fixup4.dat], alternatively <code>fixup4cd.dat</code> for the cut down version)
# <code>initramfs-rpi4</code> (from [https://dl-cdn.alpinelinux.org/alpine/edge/releases/aarch64/netboot/initramfs-rpi4 alpine/edge/releases/aarch64/netboot/initramfs-rpi4])
# <code>start4.elf</code> (from [https://raw.githubusercontent.com/raspberrypi/firmware/master/boot/start4.elf raspberrypi/firmware/master/boot/start4.elf], alternatively <code>start4cd.elf</code> for the cut down version)
# <code>vmlinuz-rpi4</code> (from [https://dl-cdn.alpinelinux.org/alpine/edge/releases/aarch64/netboot/vmlinuz-rpi4 alpine/edge/releases/aarch64/netboot/vmlinuz-rpi4])

<code>config.txt</code>:
{{cmd|<nowiki>[pi4]
kernel=vmlinuz-rpi4
initramfs initramfs-rpi4
arm_64bit=1
</nowiki>}}

<code>cmdline.txt</code>:
{{cmd|<nowiki>modules=loop,squashfs console=ttyAMA0,115200 ip=dhcp alpine_repo=http://dl-cdn.alpinelinux.org/alpine/edge/main modloop=http://dl-cdn.alpinelinux.org/alpine/edge/releases/aarch64/netboot/modloop-rpi4</nowiki>}}

Instead of using the <nowiki>http://dl-cdn.alpinelinux.org/alpine/edge/releases/aarch64/netboot/</nowiki> base URL above, pinning to a specific point in time is preferred. Raspberry Pi 4 netboot files are available from https://dl-cdn.alpinelinux.org/alpine/edge/releases/aarch64/netboot-20230329/ onward.

With the above configured the Raspberry Pi 4 should be able to boot from the network without an SD card.

=== Wireless support with older Alpine images ===

In Alpine 3.14, the WiFi drivers for the Raspberry Pi were moved from <code>linux-firmware-brcm</code> to the <code>linux-firmware-cypress</code> package (source?). Since the images seem to be an outdated version of the former, Wi-Fi will work during installation, but after the first update it will break.
Use the ethernet interface to download the required packages:

{{cmd|apk add {{pkg|linux-firmware-cypress|arch=a*}}}}

And reboot.

If you need Wi-Fi, you'll need to [https://github.com/RPi-Distro/firmware-nonfree/tree/master/brcm download] the latest Broadcom drivers to your SD card.
(Replace /mnt/sdcard with the correct mount point.)

git clone --depth 1 https://github.com/RPi-Distro/firmware-nonfree.git
cp firmware-nonfree/brcm/* /mnt/sdcard/firmware/brcm

== Enable the Serial Console ==
Besides having <code>enable_uart=1</code> in ''usercfg.txt'', the kernel command-line option <var>console</var> needs to be changed to <code>console=serial0,115200</code> in ''cmdline.txt''.

From a Linux desktop, connect to it with something like this:

{{cmd|cu -l /dev/ttyUSB0 -s 115200}}

== See Also ==

* [[Classic install or sys mode on Raspberry Pi]] - a variant.
* [[Raspberry Pi 3 - Setting Up Bluetooth]]
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]
* [[Raspberry Pi 3 - Browser Client]]
* [[Linux Router with VPN on a Raspberry Pi]]
* [[Create a bootable SDHC from a Mac]]
* Build custom Raspberry Pi images based on Alpine via [https://github.com/tolstoyevsky/pieman Pieman]
* [[Tutorials and Howtos#Raspberry Pi]]

[[Category:Installation]]
[[Category: Raspberry]]