Alpine Linux - User contributions [en]

Installation

2024-05-04T15:53:50Z

Mmhiro: change ordering to reflect installation and add clarification to warning

[[Image:hdd_mount.png|left|link=]]
 

This page exists to provide a basic overview to get started. Before actually installing, it can help to skim through the [[Alpine_Linux:FAQ| Frequently Asked Questions (FAQ)]], as well as to refer to the official installation guide at [https://docs.alpinelinux.org/ docs.alpinelinux.org].

{{Tip|This is a wiki!
If something isn't correct, or is incomplete, you will have to figure it out, or ask for the correct solution in the [https://alpinelinux.org/community/ community].

And then carefully edit the wiki page.

Just as those before who did it for you.}}

== Minimal Hardware Requirements ==
{{Main|Requirements}}
* At least 128 MB of RAM. [A graphical desktop system may require up to 512 minimum.]. Note that an installation itself (from ISO) generally requires at least 320 MB during installation.
* At least 0-700 MB space on a writable storage device. [Only required in "sys" or "data" mode installations (explained below). It is optional in "diskless" mode, where it may be used to save newer data and configurations states of a running system.]

== Installation Overview ==

=== The general course of action ===
{{Note|
* For single-board-computer (SBC) architectures which can not boot .iso images, see [[Alpine_on_ARM|Alpine on ARM]] for peculiarities.
* For headless system, initial network setup may be fed by pre-built <code>apkovl</code> overlay file, custom-made or via [https://github.com/macmpi/alpine-linux-headless-bootstrap/ 3rd party]}}

As usual, starting an installation procedure requires some basic steps (additional details for all the steps follow [[Installation#Basic Installation Step Details|below]]): 

# Downloading and verifying the proper [https://alpinelinux.org/downloads/ stable-release ISO installation image-file] for the target computer's architecture with their corresponding <code>sha256</code> (checksum) and <code>GPG</code> (signature) files.
# Preparing the installation media (e.g.: CD, DVD, USB drive, SD Card, etc).
# Optionally, custom-made headless apkovl can be done by first booting the install media on some computer with a display and keyboard attached, or in a virtual machine, and doing an intermediate "diskless" setup of just the boot media (more details below), i.e. using the offical <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> to configure the system's network, possibly for dhcp if needed, a ssh server, and a login user. Choosing "disks=none" for now, yet, configure to store configs on the boot media (if it is writable, otherwise on a separate storage media). And afterwards calling <code>[[Alpine_local_backup|lbu commit]]</code> to store the configs as local backup. Then your completed setup, including its securely created own private keys, will readily get (re)loaded on every subsequent (headless) boot from your custom-build <code><hostname>.apkovl.tar.gz</code> stored on the boot media (or on an auxilary media or server location, in case the boot media is read-only).
# Booting the target computer from the prepared disk or storage device.

The boot process of the alpine installation image first copies the entire operating system into the RAM memory, and then already starts a complete Alpine Linux system from there. It will initially only provide a basic command line environment that does not depend on reading from any (possibly slow) initial boot media, anymore.

Local log-in is possible as the user <code>root</code>. Initially, the root user has no password.

At the command prompt, an interactive script named <code>setup-alpine</code> is available to configure and install the initial Alpine Linux system.

The question-and-answer dialog of <code>setup-alpine</code> takes care of the base configuration and allows to configure the system to boot into one of three different '''Alpine Linux "disk" modes''': '''"diskless"'''(none), '''"data"''', or '''"sys"'''.

These modes are explained in more detail in the following subsections.

{{Note|It is really helpful for many cases that it is possible to first only complete a basic setup of the initial "diskless" installation media in order to prepare for the installation of the target system. For example, also to download and install some specific driver or software tool. And to possibly use more specific [[Alpine_setup_scripts|setup-scripts]] afterwards in order to proceed with the final installation in a custom way. A most basic pre-setup of just the "diskless" system may be completed by running <code>setup-alpine</code> and answering "none" when asked for the disk to use, for where to store configs, and for the location of the package cache.

Examples of preparation options:

* Preparing a custom partitioning or filesystem scheme that avoids to use and/or overwrite an entire disk ([[Installation#Custom_partitioning_of_the_harddisk|details below]]).
* Installing something that may be missing in the live system to configure the hardware, e.g. by using the alpine package manager <code>[[Alpine_Package_Keeper|apk]]</code>.

Examples of proceeding options:

* <code>[[Alpine_setup_scripts#setup-lbu|setup-lbu]]</code> to configure a "local backup" location for the diskless system, and <code>[[Alpine_local_backup|lbu commit]]</code> to then save the local configuration state.
* <code>[[Alpine_setup_scripts#setup-apkcache|setup-apkcache]]</code> to configure a local package cache storage location.
* <code>[[Alpine_setup_scripts#setup-disk|setup-disk]]</code> to add a "data" mode partition, or do a classic full install of the "diskless" system onto a "sys" disk or partition.

There are many more [[Alpine_setup_scripts|setup-scripts]] available. All these tools may also be run later to adjust specific configurations. For example, to set up a graphical environment as covered under [[Installation#Post-Installation|Post-Installation]] below.
}}

==='''Diskless Mode'''===
This means the entire operating system with all applications are first loaded into RAM and then only run from there. This is the method already used to boot the .iso installation images, however <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> can also configure the installed system to continue to boot like this if "disk=none" is specified. The mode is extremely fast and can save on unnecessary disk spin-ups, power, and wear. It is similar to what other linux distributions may call a "frugal" install or boot into with a "toram" option.

Custom configurations and package installations may optionally still be preserved or "persist" across reboots by using the Alpine local backup tool <code>[[Alpine_local_backup|lbu]]</code>. It enables committing and reverting system states by using .apkovl files that are saved to writable storage and loaded when booting. If additional or updated packages have been added to the system, these may also be made available for automatic (re)installation during the boot phase without any (re)downloading, by enabling a [[Alpine_Package_Keeper#Local_Cache|local package cache]] on the writable storage.

[[https://gitlab.alpinelinux.org/alpine/alpine-conf/-/issues/10473 FIXME-1]: Storing local configs and the package cache on '''internal disks still require''' [[Alpine_local_backup#Saving_and_loading_ISO_image_customizations|some manual steps]] to have the partition listed, i.e. making a /etc/fstab entry, mountpoint, and mount, *before* running setup-alpine. The linked workaround also still requires to commit these configurations to disk manually before rebooting.]

If a writable partition is available, <code>setup-alpine</code> can be told to store the configs and the package cache on that writable partition. (Later, another directory on that same partition or another available partition may also be mounted as /home, or for example, for selected important applications to keep their run-time and user data on it.)

The boot device of the newly configured local "diskless" system may remain the initial (and possibly read-only) installation media. But it is also possible to copy the boot system to a partition (e.g. /dev/sdXY) with <code>[[Alpine_setup_scripts#setup-bootable|setup-bootable]]</code>.

==='''Data Disk Mode'''===
This mode also runs from system RAM, thus it enjoys the same accelerated operation speed as "diskless" mode. However, swap storage and the entire {{Path|/var}} directory tree get mounted from a persistent storage device (two newly created partitions). The directory {{Path|/var}} holds e.g. all log files, mailspools, databases, etc., as well as <code>[[Alpine_local_backup|lbu]]</code> backup commits and the package cache. This mode is useful for having RAM accelerated servers with variable amounts of user-data that exceed the available RAM size. It enables the entire current system state (not just the boot state) to survive a system crash in accordance with the particular filesystem guarantees.

[[https://gitlab.alpinelinux.org/alpine/alpine-conf/-/issues/10474 FIXME-2]]: Setup-alpine will create the data partition and mount it as /var, but '''setup-alpine's "data" disk mode can not yet configure lbu config storage settings automatically'''. The '''current workaround''', is to select "none" at the 'where to store configs' prompt (as the new data partition is not listed anyway) and configure lbu manually after <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> exits, and before rebooting:

# Identify the created data partition, e.g. <code>/dev/sd''XY''</code>, and its filesystemtype, e.g. using <code>''lsblk''</code>
# Manually edit the lbu backups location in <code>/etc/lbu/lbu.conf</code> and configure <code>LBU_MEDIA=sd''XY''</code> (according to the previous findings).
# Save the configuration on that partition for the next boot with <code>lbu commit</code>.
# If (a new) partition fails to get mounted, execute: <code>mkdir /media/''sdXY'' ; echo "/dev/sd''XY'' /media/sd''XY'' ''fstype'' noauto,rw 0 0" >> /etc/fstab</code>, and try <code>lbu commit</code> again.

In data disk mode, the boot device may also remain the initial (and possibly read-only) installation media, or be copied to a partition (e.g. /dev/sdXY) with <code>[[Alpine_setup_scripts#setup-bootable|setup-bootable]]</code>.

==='''System Disk Mode'''===
This is a traditional hard-disk install.

If this mode is selected, the <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> script creates three partitions on the selected storage device, {{Path|/boot}}, {{Path|swap}} and {{Path|/}} (the filesystem root). This mode may, for example, be used for generic [[:Category:Desktop|desktop]] and development machines.

For custom partitioning, see [[Setting up disks manually]].

To install along side another operating systems, see [[Dualbooting]].

== Preparing for the installation ==

{{Note|This "Additional Details" section needs to be consolidated with the work at '''[https://docs.alpinelinux.org https://docs.alpinelinux.org] (not finished)'''
(Restructuring things there, moving and linking from here or there?).}}

=== Verifying the downloaded image-file ===

{| class="wikitable" style="width:95%; align=center"
|+ Commands to verify the checksum and GPG signature of a downloaded image-file on different systems.
|-
! width=100px | OS type
! <code>SHA256</code> check !! <code>SHA256</code> calculation (to be compared manually) !! <code>GPG</code> signature verification
|-
! Linux
| <code>sha256sum -c alpine-*.iso.sha256</code> || || <code>curl https://alpinelinux.org/keys/ncopa.asc | gpg --import ;</code>
<code> gpg --verify alpine-<version>.iso.asc alpine-<version>.iso</code>
|-
! MACOS
| - ? - || <code>shasum -a 256 alpine-*.iso</code> || - ? -
|-
! OpenBSD
| <code>sha256 -C alpine-*.sha256 alpine-*.iso</code> || || <code>doas pkg_add gnupg;
ftp -o - https://alpinelinux.org/keys/ncopa.asc | gpg --import ;
gpg --verify alpine-<version>.iso.asc alpine-<version>.iso</code>
|-
! FreeBSD
| - ? - || <code>/usr/local/bin/shasum -a 256 alpine-*.iso</code> || - ? -
|-
! NetBSD
| - ? - || <code>/usr/local/bin/shasum -a 256 alpine-*.iso</code> || - ? -
|-
! Windows
| - ? - || <code>certutil -hashfile alpine-*.iso SHA256</code> || - ? -
|}

=== Flashing (direct data writing) the installation image-file onto a device or media ===
{{Seealso|Burning ISOs}}

{{Note|These instructions are exclusively for x86_64 and x86. For ARM boards, see [[Alpine on ARM#Preparing installation media]].}}

==== Unix/Linux ====

Under Unix (and thus Linux), "everything is a file" and the data in the image-file can be written to a device or media with the <code>dd</code> command. Afterward, executing the <code>eject</code> command removes the target device from the system and ensures the write cache is completely flushed.

{{Cmd|dd if{{=}}<iso-file-to-read-in> of{{=}}<target-device-node-to-write-out-to> bs{{=}}4M; eject <target-device-node-to-write-to>}}

Be careful to correctly identify the target device as any data on it '''will''' be lost! All connected "bulk storage devices" can be listed with <code><nowiki>lsblk</nowiki></code> and <code><nowiki>blkid</nowiki></code>.

# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sdX 0:0 0 64,0G 0 disk
├─sdX1 0:1 0 2G 0 part
└─sdX2 0:2 0 30G 0 part /mnt/sdX2

# blkid
/dev/sdX1: LABEL="some" UUID="..." TYPE="vfat"
/dev/sdX2: LABEL="other" UUID="..." TYPE="ext4"

For example, if /dev/sdX is the desired target device, first make sure you un-mount all mounted partitions of the target device. For example sdX1 and sdX2:

{{Cmd|umount /dev/sdX1 /dev/sdX2}}

For <code>dd</code>'s output-file (<code>of=</code>), however, do '''not''' specify a partition number. For example, write to sdX, '''not''' sdX1:

Warning: '''This will overwrite the target device /dev/sdX''', so before executing, make sure you have a backup of the data if you can't afford to lose it.

{{Cmd|dd if{{=}}~/Downloads/alpine-standard-3.00.0-x86_64.iso of{{=}}/dev/sdX bs{{=}}4M; eject /dev/sdX}}

==== Windows ====

For example, there is the [https://rufus.ie/ Rufus] program. Rufus will enable you to create bootable USB flash drives under Windows.

Rufus has been tested and works for Alpine Linux 3.12.x with the following settings:
* '''Partition scheme''': <code>MBR</code>
* '''Target system''': <code>BIOS or UEFI</code>
* '''File system''': <code>FAT32</code>
* '''Cluster size''': <code>4096 bytes (default)</code>

=== Verifying the written installation media ===

After detaching and re-attaching the device, a bit-wise comparison can verify the data written to the device (instead of just data buffered in RAM). If the comparison terminates with an end-of-file error on the .iso file side, all the contents from the image have been written (and re-read) successfully:

# cmp ~/Downloads/alpine-standard-3.00.0-x86_64.iso /dev/sdX
cmp: EOF on alpine-standard-3.00.0-x86_64.iso

=== Booting from external devices ===

Insert the boot media to a proper drive or port of the computer and turn the machine on, or restart it, if already running.

If the computer does not automatically boot from the desired device, one needs to bring up the boot menu and choose the media to boot from. Depending on the computer, the menu may be accessed by repeatedly pressing a key quickly when booting starts. Some computers require that you press the button ''before'' starting the computer and hold it down while the computer boots. Typical keys are: {{key|F9}}-{{key|F12}}, sometimes {{key|F7}} or {{key|F8}}. If these don't bring up the boot menu, it may be necessary to enter the BIOS configuration and adjust the boot settings, for which typical keys are: {{key|Del}} {{key|F1}} {{key|F2}} {{key|F6}} or {{key|Esc}}.

== Installation Step Details ==

=== Custom partitioning of the harddisk ===

It is possible to specify configurations for RAID, encryption, LVM, etc. as well as manual partitioning.

For "diskless" or "data disk" mode installs, manual partitioning may be needed to prepare the harddisk for committing local backups of the system state with <code>[[Alpine_local_backup|lbu commit]]</code>, to have a place for a package cache, or to use it for a /var mount.

For a "sys" install, custom partitioning is needed only if the desired scheme differs from overwriting an entire disk, or using the default set of a /boot, swap and root partition on the disk.

See [[Setting up disks manually]] for the alpine options for RAID, encryption, LVM, etc. and manual partitioning.

=== Questions asked by <code>setup-alpine</code> ===
[[File:Installation-alpine-alpine-setup-3-setup-scripts.png|350px|thumb|right|Example <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> session]]

The <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> script offers the following configuration options:

* '''Keyboard Layout''' (Local keyboard language and usage mode, e.g. ''us'' and variant of ''us-nodeadkeys''.)
* '''Hostname''' (The name for the computer.)
* '''Network''' (For example, automatic IP address discovery with the "DHCP" protocol.)
* '''DNS Servers''' (Domain Name Servers to query. If unsure, leave DNS domain name blank and using <code>[https://quad9.net/ 9.9.9.9 2620:fe::fe]</code> for DNS is typically adequate.)
* '''Root password''' (the password used to login to the root account)
* '''Timezone''' (Optionally display times/dates in your local time zone)
* '''HTTP/FTP Proxy''' (Proxy server to use for accessing the web/ftp. Use "none" for direct connections to websites and FTP servers.)
* '''Mirror''' (From where to download packages. Choose the organization you trust giving your usage patterns to.)
* '''Setup a user''' (Setting up a regular user account)
* '''NTP''' (Network Time Protocol client used for keeping the system clock in sync with a time server. Package "chrony" is part of the default install image.)
* '''SSH''' (Secure SHell remote access server. "OpenSSH" is part of the default install image. Use "none" to disable remote login, e.g. on laptops.)
* '''Disk Mode''' (Select between diskless (disk="none"), "data" or "sys", as described above.)
{{Warning|After this step, the data on the chosen device will be overwritten!}}

=== Preparing for the first boot ===

If <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> has finished configuring the "sys" disk mode, the system should be ready to reboot right away (see next subsection).

If the new local system was configured to run in "diskless" or "data" mode, and you do not want keep booting from the initial (and possibly read-only) installation media, the boot system needs to be copied to another device or partition.

The target partition may be identified using {{ic|lsblk}} (after installing it with {{ic|apk add {{pkg|lsblk}}}}) and/or {{ic|blkid}}, similar to previously identifying the initial installation media device.

The procedure to copy the boot system is explained at [[Alpine_setup_scripts#setup-bootable|setup-bootable]]

Once everything is in place, save your customized configuration with {{ic|lbu commit}} before rebooting.

=== Rebooting and testing the new system ===

First, remove the initial installation media from the boot drive, or detach it from the port it's connected to.

The system may now be power-cycled or rebooted to confirm everything is working correctly.

The relevant commands for this are {{ic|poweroff}} or {{ic|reboot}}.

=== Completing the installation ===

The installation script installs only the base operating system. '''No''' applications e.g. web server, mail server, desktop environment, or web browsers are installed.

Please look under [[Installation#Post-Installation|Post-Installation]] below, for some common things to do after installation.

= Further Installation Instructions =

{{Note| Specific topics should be kept on separate, individually manageable topic-pages and only get listed with a direct reference (link) on this general page.}}

=== Installation ===

* [[Kernels]] ''(kernel selection, e.g. for VMs or RPi)''
* [[How to make a custom ISO image with mkimage]] ''(installation media with its own configuration)''
* [[Directly booting an ISO file]] ''(without flashing it to a disk or device)''
* [[Dualbooting|Dual/multi-boot install to HDD partition]]
* [[Netboot Alpine Linux using iPXE]]
Also see other [[:Category:Installation|Installation Category]] pages.

=== Post-Installation ===



* [[Setting up a new user]] ''(to allow remote, console, or graphical logins)''
* [[Tutorials_and_Howtos#Networking_2|Setting up Networking]] ''(including non-standard configurations)''
* [[Alpine_Package_Keeper|Package Management (apk)]] ''(how to search/add/del packages etc.)''
** [[Alpine_Package_Keeper#Upgrade_a_Running_System|Upgrading Alpine]] ''(checking for and installing updates)''
** [[Repositories#Managing_repositories|Enable the community repository]] ''(access to additional packages)''
* [[Alpine_Linux:FAQ#Why_don.27t_I_have_man_pages_or_where_is_the_.27man.27_command.3F|man command/man pages]]
* [[Change default shell]]
* [[Running glibc programs]] ''(installation and development)''
 

* [[Alpine_local_backup|Local backup utility <code>lbu</code>]] ''(persisting RAM system configurations)''
** [[Back Up a Flash Memory Installation]] ''("diskless mode" systems)''
** [[Manually editing a existing apkovl]] ''(the stored custom configs)''
 

* [[OpenRC|Init System (OpenRC)]] ''(configure a service to automatically boot at next reboot)''
** [[Writing Init Scripts]]
** [[Multiple Instances of Services]]
 

* [[Alpine setup scripts#setup-xorg-base|<code>setup-xorg-base</code>]] ''(setup graphical base environment)''
** [[Tutorials_and_Howtos#Desktop|Desktop Environments]]
 

* [[Hosting services on Alpine]] ''(links to several mail/web/ssh server setup pages)''
 

* [[How to get regular stuff working]] ''(things one may miss in a too lightweight installation )''
* Running applications and services in their own [[Firejail Security Sandbox]]

=== Broader Usage Guides ===

* See: [[Tutorials and Howtos]]

= General Documentation =

{{Tip| Alpine Linux packages stay close to the upstream design. Therefore, all upstream documentation about configuring a software package, as well as good configuration guides from other distributions that stay close to upstream, e.g. those in the [https://wiki.archlinux.org/ ArchWiki], are to a large degree, also applicable to configuring the software on Alpine Linux, thus can be very useful.}}

* [[Alpine_Linux:FAQ|FAQs]]
* [[Alpine_Linux:Contribute|How to Contribute]]
* [[Developer Documentation]]
* [[Alpine_Linux:Wiki_etiquette|Wiki etiquette]] ''(to collaborate on this documentation)''
* [[Comparison with other distros]] ''(how common things are done on Alpine)''

----
[[Category:Installation]]

LVM on LUKS

2024-05-04T15:45:38Z

Mmhiro: Clarity in the introduction.

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition that contains the root partition and the swap partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.

'''Note:''' The <code>setup-alpine</code> installation scripts has support for encrypted installations since v3.13. The default encryption options will not encrypt the swap partition and will not use LUKS, but is much easier to use.

Note that your {{path|/boot/}} partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that.

== Storage Device Name ==

To find your storage device's name, you could either install {{pkg|util-linux}} (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the {{path|/dev/sda}} device as installation destination. If your environment uses a different name for your storage device, use the corresponding device name in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (i.e. you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.

{{Note|On versions of OpenRC prior to 0.45 use <code>urandom</code> instead of <code>seedrng</code>}}

<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add seedrng boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}

<pre># setup-ntp
# setup-apkrepos
# apk update
# setup-sshd</pre>

Here's where we deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}

<pre># apk add lvm2 cryptsetup e2fsprogs parted mkinitfs</pre>

== Creating the Partition Layout ==

Depending on your motherboard, bios features and configuration
we can either use partition table in MBR (legacy BIOS)
or GUID Partition Table (GPT).
We'll describe both with example layouts.

=== BIOS/MBR with DOS disklabel ===

We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. 
Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is possible only with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

<pre># dd if=/dev/urandom of=/dev/sda2 bs=1M</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition that will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance on modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

Luks1 Optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2</pre>

Luks2 Optimized for security:

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

=== Converting between LUKS2 and LUKS1 ===

It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong:

<pre># cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup</pre>

Then make sure all keys use <code>pbkdf2</code> by adding a new key with:

<pre># cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2</pre>

Remove keys that use <code>argon2i</code> or <code>argon2id</code> with <code>cryptsetup luksRemoveKey /dev/sda2</code>. You can check the key information using <code>cryptsetup luksDump /dev/sda2</code>.

Now you can try the conversion, although it may not work.

<pre># cryptsetup convert /dev/sda2 --type luks1</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point, then mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. so we need to add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap swap swap defaults 0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, run this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.

We can also double check if <code>modules</code> and <code>root</code> are set correctly, eg:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then run chroot:

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we configured a few lines above.
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

==== Luks1 ====

<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

==== Luks2 ====
{{Note|The method is still experimental and you may lose your access to you OS at the next OS update}}

Create a pre-config grub file: <code>/root/grub-pre.cfg</code>

<pre>
set crypto_uuid=00001
cryptomount -u $crypto_uuid
set root='lvmid/00002/00003'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

You can find:
* 00001 with <code>blkid</code> and find the uuid of your encrypted disk, i.e <code>/dev/nvme0n1p2</code> remove hyphens from the UUID
* 00002 with <code>vgdisplay</code> & VG UUID
* 00003 with <code>lvdisplay</code> & LV UUID of the root partition /

<pre># (chroot) grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# (chroot) install -v /tmp/grubx64.efi /boot/efi/EFI/grub/
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

== Unmounting the Volumes and Partitions ==

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Setup the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

== System can't find boot device ==

* GPT partition table on a motherboard that runs BIOS instead of UEFI
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings

== I see "can not mount /sysroot" during boot ==

* incorrect device UUID
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code>

== normal.mod not found ==

* re-install <code>grub-install --target=x86_64-efi</code>

== Secure boot ==

If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

= Hardening =

* To harden, you should disable DMA[https://web.archive.org/web/20200923091814/https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[https://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

= Mounting additional encrypted filesystems at boot =

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required.
{{Note|This does not apply for volumes
within your main encrypted partition <code>/dev/sda2</code>}}
For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*[https://www.msiism.org/files/doc/alpine-linux-fde-custom.html Installing Alpine Linux with full disk encryption on BIOS/MBR systems with a custom partition layout]
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.gentoo.org/wiki/Dm-crypt
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://wiki.gentoo.org/wiki/Syslinux

[[Category:Storage]]
[[Category:Security]]

Setting up encrypted volumes with LUKS

2024-05-04T15:38:51Z

Mmhiro: Alpine Linux installer now has encryption option

[https://en.wikipedia.org/wiki/Linux%20Unified%20Key%20Setup LUKS] allows encrypting a partition and mapping it as a virtual block device, which can then be used as a normal partition. Guides for other Linux distributions should serve as a general references for installing Alpine onto a LUKS encrypted disk.

The installer has built-in support for encryption. The default installer will not encrypt the swap partition and the boot partition. To setup Alpine Linux with an encrypted swap partition, refer to [[LVM on LUKS]]. The GRUB bootloader supports BIOS and EFI boot with an encrypted boot partition.

== mkinitfs and LUKS ==

For those familiar with setting up FDE on other Linux distributions, this section contains only Alpine-specific knowledge required is understanding [[mkinitfs]].

First of all, the <code>cryptsetup</code> feature needs to be added to <code>/etc/mkinitfs/mkinitfs.conf</code>. Additionally, the following kernel parameters are required:

* <code>cryptroot</code> kernel parameter should point to the encrypted block device.
* <code>root</code> kernel parameter should point to the mapped block device (e.g.: the <code>ext4</code>/<code>btrfs</code> volume that is exposed once the encrypted partition is unlocked).
* <code>rootfstype</code>: The filesystem type of the root partition (e.g.: <code>btrfs</code>).

== See also ==

* [https://wiki.archlinux.org/index.php/Dm-crypt dm-crypt on ArchWiki]

[[Category:Storage]]
[[Category:Security]]

Migrating from whirlpool hash for LUKS partitions

2022-12-02T08:10:40Z

Mmhiro: Created page with "{{Draft}} See: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13004 OpenSSL 3.0 has desginated the whirlpool hash as [https://wiki.openssl.org/index.php/OpenSSL_3.0#Provider_implemented_digests legacy]. This means it may not be loaded by default by OpenSSL so you cannot decrypt partitions using whirlpool. This is an issue for Alpine users because since v3.17 OpenSSL 3.0 is default, and multiple articles on this wiki recommended the use of whirlpool. In some case..."

{{Draft}}

See: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13004

OpenSSL 3.0 has desginated the whirlpool hash as [https://wiki.openssl.org/index.php/OpenSSL_3.0#Provider_implemented_digests legacy]. This means it may not be loaded by default by OpenSSL so you cannot decrypt partitions using whirlpool. This is an issue for Alpine users because since v3.17 OpenSSL 3.0 is default, and multiple articles on this wiki recommended the use of whirlpool. In some cases (i.e. with an encrypted boot partition) a user may not be able to boot their system at all.

== Migrate Away from Whirlpool ==

This has been tested on a LUKS1 partition. I am not responsible if you lose all your data.

'''If you suffer a power failure, kernel panic, or any interruption during the reencryption step, your data may be permanently lost.'''

First, get a LiveCD with cryptsetup (I used Fedora 37). Older versions of cryptsetup require <code>cryptsetup-reencrypt</code> to modify LUKS1 partitions, while newer versions (2.5.0 or 2.6.0 or later) use <code>cryptsetup reencrypt</code>.

Then backup your drive. At the minimum, dump the headers using
<pre>cryptsetup --header-backup-file=backup_file_location.bin luksHeaderBackup /dev/partition</pre>
You should store the header on a USB stick or some other form of persistent media.

If you have keys that cannot be typed in (i.e. keyfiles) then you will have to either
# find '''one''' key that you want to preserve (you must know the keyslot, in this document it will be called N)
# or remove all keyfiles using <code>luksRemoveKey</code>

I removed my keyfile slot using <code>luksRemoveKey</code> and then confirmed that my password still worked using <code>cryptsetup luksOpen --test-passphrase /dev/partition</code>. If you mess up, you can try recovering your keys using <code>luksHeaderRestore</code>.

Make sure that the device is not opened (if you had to get files off of it, run <code>cryptsetup luksClose device_name</code>). If you are preserving keyslot N, run
<pre>cryptsetup reencrypt --keep-key --key-slot N --key-file keyfile.bin --hash sha512 /dev/partition
</pre>
If you are not specifying a keyfile, run
<pre>cryptsetup reencrypt --keep-key --key-slot N --hash sha512 /dev/partition
</pre>
and enter all passwords into the prompts. You can specify another hash if you want to, but sha512 is probably your best choice right now.

Once the command is done (should take a few seconds), verify that you can successfully open and mount your partition.

'''If you use an encrypted boot''', then you must also reinstall grub. Open your partition with cryptsetup and mount it. Enter the directory and run
<pre>
mount -t proc /proc proc/
mount -t sysfs /sys sys/
mount --rbind /dev dev/
chroot . /bin/ash
</pre>
Then run <code>grub-install</code>. The command line will differ depending on your setup (EFI vs. MBR). On MBR run
<pre> grub-install /dev/sdX </pre>

LVM on LUKS

2022-12-02T07:27:23Z

Mmhiro: whirlpool is a legacy hash in OpenSSL 3.0, used in Alpine 3.17. This breaks decryption in initramfs.

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.

Note that your {{path|/boot/}} partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that.

== Storage Device Name ==

To find your storage device's name, you could either install {{pkg|util-linux}} (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the {{path|/dev/sda}} device as installation destination. If your environment uses a different name for your storage device, use the corresponding device name in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (i.e. you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.

<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add urandom boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}

<pre># setup-ntp
# setup-apkrepos
# apk update
# setup-sshd</pre>

Here's where we deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}

<pre># apk add lvm2 cryptsetup e2fsprogs parted mkinitfs</pre>

Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:

<pre># apk add haveged
# rc-service haveged start</pre>

== Creating the Partition Layout ==

Depending on your motherboard, bios features and configuration
we can either use partition table in MBR (legacy BIOS)
or GUID Partition Table (GPT).
We'll describe both with example layouts.

=== BIOS/MBR with DOS disklabel ===

We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. 
Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is possible only with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

We'll use {{pkg|haveged}} as it is considerably faster than {{path|/dev/urandom}} when generating pseudo-random numbers (it's almost as high in throughput as {{path|/dev/zero}}), and is (supposedly) very close to truly random.

<pre># haveged -n 0 | dd of=/dev/sda2</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition that will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance on modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

Luks1 Optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2</pre>

Luks2 Optimized for security:

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

=== Converting between LUKS2 and LUKS1 ===

It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong:

<pre># cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup</pre>

Then make sure all keys use <code>pbkdf2</code> by adding a new key with:

<pre># cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2</pre>

Remove keys that use <code>argon2i</code> or <code>argon2id</code> with <code>cryptsetup luksRemoveKey /dev/sda2</code>. You can check the key information using <code>cryptsetup luksDump /dev/sda2</code>.

Now you can try the conversion, although it may not work.

<pre># cryptsetup convert /dev/sda2 --type luks1</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point, then mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. so we need to add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap swap swap defaults 0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, run this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.

We can also double check if <code>modules</code> and <code>root</code> are set correctly, eg:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then run chroot:

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we configured a few lines above.
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

==== Luks1 ====

<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

==== Luks2 ====
{{Note|The method is still experimental and you may lose your access to you OS at the next OS update}}

Create a pre-config grub file: <code>/root/grub-pre.cfg</code>

<pre>
set crypto_uuid=00001
cryptomount -u $crypto_uuid
set root='lvmid/00002/00003'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

You can find:
* 00001 with <code>blkid</code> and find the uuid of your encrypted disk, i.e <code>/dev/nvme0n1p2</code> remove hyphens from the UUID
* 00002 with <code>vgdisplay</code> & VG UUID
* 00003 with <code>lvdisplay</code> & LV UUID of the root partition /

<pre># (chroot) grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# (chroot) install -v /tmp/grubx64.efi /boot/efi/EFI/grub/
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

== Unmounting the Volumes and Partitions ==

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Setup the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

== System can't find boot device ==

* GPT partition table on a motherboard that runs BIOS instead of UEFI
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings

== I see "can not mount /sysroot" during boot ==

* incorrect device UUID
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code>

== normal.mod not found ==

* re-install <code>grub-install --target=x86_64-efi</code>

== Secure boot ==

If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

= Hardening =

* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf]{{dead link}} and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

= Mounting additional encrypted filesystems at boot =

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required.
{{Note|This does not apply for volumes
within your main encrypted partition <code>/dev/sda2</code>}}
For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://wiki.gentoo.org/wiki/Syslinux
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*https://wiki.gentoo.org/wiki/Dm-crypt

[[Category:Storage]]
[[Category:Security]]

Setting up ZFS on LUKS

2022-12-02T07:26:24Z

Mmhiro: whirlpool is a legacy hash in OpenSSL 3.0, used in Alpine 3.17. This breaks decryption in initramfs.

= Native Encryption =

ZFS now has native support for encryption. This has many advantages over ZFS on LUKS including multi-disk, encrypted zfs send, portable across *BSD/Linux and others.

For a Root on ZFS guide with native encryption, see [https://openzfs.github.io/openzfs-docs/Getting%20Started/Alpine%20Linux/Root%20on%20ZFS/1-preparation.html here].

= Introduction =

This documentation describes how to set up Alpine Linux using ZFS with a pool that is located in an encrypted partition. To encrypt the partition the Device Mapper crypt (dm-crypt) module and Linux Unified Key Setup (LUKS) is used.

Note that you must install the <code>/boot/</code> directory on an unecrypted partition to boot correctly.

We'll be using the syslinux bootloader and traditional BIOS booting.

== Requirements ==

* An instance Alpine on a medium other than the one you'll boot from, see [[Installation|official installation guide.]]
{{Note|We can't use the live environment from the installation isos, because we'll install the ZFS kernel module and that isn't possible with a read-only /boot (as provided by the iso).}}

== Hard Disk Device Name ==

The following documentation uses the <code>/dev/sda</code> device as the installation destination. If your environment uses a different device name for your hard disk, use the corresponding device name in the examples.

= Setting up Alpine Linux Using ZFS on Top of a LUKS Partition =

To install Alpine Linux in a ZFS pool on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

== Preparing the Installation Environment ==

Before you begin to install Alpine Linux on the medium you intend to boot from, prepare the installation you already have:

* Update the <code>apk</code> cache:

# apk update

* Install the following packages required to set up ZFS and LUKS:

# apk add haveged cryptsetup e2fsprogs syslinux zfs zfs-$(uname -r | rev | cut -d'-' -f1 | rev)
# modprobe zfs

* Optionally, start the <code>haveged</code> service for unpredictable random numbers used for encryption:

# rc-service haveged start

== Creating the Partition Layout ==

Linux requires an unencrypted <code>/boot/</code> partition to boot. You can assign the remaining space for the encrypted ZFS pool.

* Start the <code>fdisk</code> utility to set up partitions:

# fdisk /dev/sda

:* Create the <code>/boot/</code> partition:
::* Enter <code>n</code> → <code>p</code> → <code>1</code> → <code>1</code> → <code>100m</code> to create a new 100 MB primary partition.

:* Set the <code>/boot/</code> partition active:
::* Enter <code>a</code> → <code>1</code>.

:* Create the LUKS partition:
::* Enter <code>n</code> → <code>p</code> → <code>2</code> to start creating the next partition. Press <code>Enter</code> to select the default start cylinder. Enter the partition size. For example, <code>512m</code> for 512 MB or <code>5g</code> for 5 GB. Alternatively, press <code>Enter</code> to set the maximum available size.

:* To verify the settings, press <code>p</code>. The output should look similar to this:
<pre>
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 206847 204800 100M 83 Linux
/dev/sda2 206848 41943039 41736192 19.9G 83 Linux
</pre>
* Press <code>w</code> to save the changes.

* Optionally, fill the LUKS partition with random values:

# haveged -n 0 | dd of=/dev/sda2

{{Note|Depending on the size of the partition, this process can take from several minutes to many hours.}}

== Encrypting the ZFS Partition ==

* To encrypt the partition which will later contain the LVM PV:

# cryptsetup luksFormat /dev/sda2

:{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping when prompting for the password to encrypt the partition at boot time. If you changed the keyboard map in the temporary environment, the password you enter during encrypting the partition in this step, may not match the password you will enter during the system boots.}}
: If you prefer setting an individual hashing algorithm and hashing schema:
:* To run a benchmark:

# cryptsetup benchmark

:* To encrypt the partition using individual settings, enter, for example:

# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda2

== Creating the filesystems ==

* Open the LUKS partition:

# cryptsetup open --type luks /dev/sda2 crypt

=== Creating the ZFS pool ===

# zpool create -o ashift=12 -O normalization=formD -O atime=off -m none -R /mnt -O compression=lz4 tank /dev/mapper/crypt

Meaning of the <code>zpool create</code> options:

{| cellpadding="5" border="1" class="wikitable"
|-
! Option
! Meaning
|-
| zpool create
| Creating the zpool
|-
| -o ashift=12
| 4K blocks
|-
| -O normalization=formD
| Set the default Unicode (UTF-8) normalization to 'formD'
|-
| -O atime=off
| Disabling updates to file access time. This reduces writes to disk, but might cause issues with mailers, like <code>mutt</code>.
|-
| -m none
| No mountpoint, as we'll handle this later.
|-
| -R /mnt
| Set the altroot to <code>/mnt</code>. It's like a temporary mountpoint for the pool.
|-
| -O compression=lz4
| Use lz4 compression for the pool. Is generally recommended.
|-
| tank
| The pool name. <code>tank</code> will be used in throughout this guide.
|-
| /dev/mapper/crypt
| The path to the block device ZFS will use.
|}

After completing this, confirm that the pool has been created:

# zpool status

Should return something like:
<pre>
pool: tank
state: ONLINE
scan: none requested
config:

NAME STATE READ WRITE CKSUM
tank ONLINE 0 0 0
crypt ONLINE 0 0 0

errors: No known data errors
</pre>

=== Creating the required datasets ===

# zfs create -o mountpoint=none -o canmount=off tank/ROOT
# zfs create -o mountpoint=/ tank/ROOT/alpine

=== Creating optional datasets (feel free to add your own) ===

# zfs create -o mountpoint=/home tank/HOME
# zfs create -o mountpoint=/var/log tank/LOG

== Creating the <code>/boot</code> filesystem ==

# mkfs.ext4 /dev/sda1

== Mounting the <code>/boot</code> filesystem ==

* Create <code>/mnt/boot/</code> directory and mount the <code>/dev/sda1</code> partition in this directory:

# mkdir /mnt/boot/
# mount -t ext4 /dev/sda1 /mnt/boot/

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure.

* Install Alpine Linux:

# setup-disk -m sys /mnt/

: The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the <code>fstab</code> file (but we'll have to edit it manually later), which are currently mounted in the <code>/mnt/</code> directory.

: {{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll write the MBR to the disk manually.}}

* To enable the operating system to decrypt the LUKS partition at boot time, create the <code>/mnt/etc/crypttab</code> file. Enter the following line into the file to decrypt the <code>/dev/sda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:

crypt /dev/sda2 none luks

* Delete the zfs entries in <code>/mnt/etc/fstab</code> as ZFS mounts them automagically. Your fstab should look similar to this:

UUID=6b4f2c9c-0a0f-4a8c-a73b-d2b47920ad6f /boot ext4 rw,relatime,stripe=4,data=ordered 0 2

* Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> and <code>zfs</code> module to the <code>features</code> parameter:

features="ata base ide scsi usb virtio ext4 lvm cryptsetup zfs"

* Rebuild the initial RAM disk:

# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)

: The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

* Edit the <code>/mnt/etc/update-extlinux.conf</code> file, set the root ZFS dataset and append the following kernel options to the <code>default_kernel_opts</code> parameter:

root=tank/ROOT/alpine
default_kernel_opts="... cryptroot=/dev/sda2 cryptdm=crypt rootfstype=zfs"

: The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file. The <code>rootfstype</code> option sets the root filesystem type to zfs.

* Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

# chroot /mnt/
# update-extlinux
# exit

: Ignore the errors the <code>update-extlinux</code> utility displays.

* Write the MBR to the <code>/dev/sda</code> device:

# dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda

== Unmounting the filesystems ==

* Unmount <code>/mnt/boot/</code>:

# umount /mnt/boot/

* Unmount all zfs filesystems:

# zfs unmount -a

* Export all zfs pools:

# zpool export -a

* Close the <code>lvmcrypt</code> device:

# cryptsetup luksClose crypt

* Reboot the system:

# reboot

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations:

* [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]]

* Load the ZFS kernel module:

# modprobe zfs

* [[#Mounting_the_File_Systems|Mount the file systems]]

# zpool import -R /mnt tank
# mount -t ext4 /dev/sda1 /mnt/boot

* Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary.

* [[#Unmounting_the_Volumes_and_Partitions|Unmount the volumes and partitions]]

{{Todo|Multiple Disk ZFS on LUKS?}}

[[Category:Storage]]
[[Category:Security]]