Alpine Linux - User contributions [en]

Shell management

2025-10-05T22:13:47Z

TakodaOS: Add /bin/sh section

The default shell used by Alpine Linux is the [[BusyBox]] variant of the [[BusyBox#Ash_shell|ash]] shell. This page explains how to use the default shell and various ways to change the default shell in Alpine Linux.

== Ash shell ==

Alpine Linux uses [[Busybox]] Ash shell for its default shell. It is a standard POSIX shell derived from Debian Ash variant.

One's ~/.bashrc file (or, alternatively, a different shell alias file) could be considered as a basis, say, for an {{Path|~/.ashrc}} file, reviewing it carefully for syntax/cli variants against that of Ash shell. For non-login, interactive shells refer to [[#Setting alias|Setting alias]] section.

{{Tip|Use {{pkg|checkbashisms}} script to perform basic checks for the presence of bashisms in scripts and help remove them.}}

=== Setting alias ===

For non-login shells, Busybox Ash and other POSIX shells do NOT automatically read a startup file like {{Path|~/.ashrc}}. To ensure that both login and non-login shells work consistently, use '''ENV''' environment variable in {{Path|~/.profile}} to refer {{Path|~/.ashrc}} file.

# Edit the {{Path|~/.profile}} as follows: {{Cat|~/.profile|<nowiki>...
export ENV="$HOME/.ashrc" </nowiki>}}
# Now aliases can be added in the startup file {{Path|~/.ashrc}} as follows: {{Cat|~/.ashrc|<nowiki># ~/.ashrc: interactive shell configuration for BusyBox Ash

# Custom Aliases
alias ls='ls --color=auto'
alias grep='grep --color=auto'

# You may want to put all your additions into a separate file like
# ~/.ash_aliases, instead of adding them here directly.

if [ -f ~/.ash_aliases ]; then
. ~/.ash_aliases
fi</nowiki>}}

== Available shells ==

Most of the popular shells are available in Alpine Linux repositories as can be seen from the below list.
{| class="wikitable" align="center" style="width:100%; border:1px #0771a6 solid; background:#f9f9f9; text-align:left; border-collapse:collapse;"
|-style="background:#333333; color:#ffffff; font-size: 1.2em; text-align:center;"
|width="10%" | Name
|width="36%" | URL
|Remarks
|-
|{{Pkg|bash}}|| https://www.gnu.org/software/bash/bash.html||The GNU Bourne Again shell
|-
|{{Pkg|zsh}} || https://www.zsh.org/||Very advanced and programmable command interpreter
|-
|{{Pkg|fish}} ||https://fishshell.com/||Modern interactive commandline shell
|-
|{{pkg|dash}} ||http://gondor.apana.org.au/~herbert/dash/||Small and fast POSIX-compliant shell
|-
|{{pkg|oksh}} ||https://github.com/ibara/oksh||Portable OpenBSD ksh, based on pdksh
|-
|{{pkg|loksh}} ||https://github.com/dimkr/loksh||A Linux port of OpenBSD's ksh
|-
|{{pkg|yash}} ||https://magicant.github.io/yash||Yet another shell
|-
|{{pkg|tcsh}} ||https://github.com/tcsh-org/tcsh||extended C-shell
|-
|{{pkg|nsh}} ||https://github.com/nuta/nsh||A command-line shell like fish, but POSIX compatible
|-
|{{pkg|elvish}} ||https://elv.sh||Friendly and expressive Unix shell
|-
|{{pkg|nushell}} ||https://www.nushell.sh||A new type of shell
|-
|{{pkg|murex}} ||https://murex.rocks/||Intuitive, typed and content aware shell
|}

To install any of the above shells, say for eg: {{pkg|bash}} shell: {{Cmd|# apk add {{pkg|bash}} {{pkg|bash-completion}}}}

== Change default shell ==

There are various ways to change the default user shell in Alpine Linux. You can revert back to [[#ash|ash]] shell at anytime with the same steps.

{{Note|After performing the below step, you need to log out and login again for these changes to take effect.}}

=== By hand ===

Edit {{Path|/etc/passwd}} manually using an editor of your choice. An example line for a user named <code>user</code> is: {{Cat|/etc/passwd|...
user:x:1000:1000:user:/home/user:/bin/ash
...
}}

Change {{Path|/bin/ash}} to point to the path of a shell from {{Path|/etc/shells}}. Take care to not delete/mangle the line, as it would make you unable to log in again. The <code>user</code> should be the user you are changing the default login shell for.

=== Using chsh command ===

To use {{ic|chsh}} command, install the {{pkg|shadow}} package: {{Cmd|# apk add shadow}}
And use chsh: {{Cmd|# chsh username}}
Now enter the path for the shell you want to use (e.g {{Path|/bin/zsh}})
and press {{Key|Enter}} to confirm this change. The shell should exist in {{Path|/etc/shells}}.

== /bin/sh ==

Most applications expect a POSIX-compliant shell to be present in a standard location, {{Path|/bin/sh}}. In Alpine Linux, {{Path|/bin/sh}} is linked to busybox ash by default, however it is possible to change this by installing a different -binsh package (A list of -binsh packages can be found [https://pkgs.alpinelinux.org/packages?name=*-binsh here]). Changing {{Path|/bin/sh}} may lead to a difference in script execution speed.

To use dash as {{Path|/bin/sh}}:
{{Cmd|# apk add {{pkg|dash-binsh}}}}

== See also ==

* [https://linux.die.net/man/1/dash dash Manual]
* [https://git.busybox.net/busybox/tree/shell/README Ash README]
* [https://git.busybox.net/busybox/tree/shell Ash source code]
* [https://pubs.opengroup.org/onlinepubs/9799919799/ POSIX standard]
* [https://stackoverflow.com/questions/38024160/how-to-get-etc-profile-to-run-automatically-in-alpine-docker/38025686#38025686 stackoverflow on ash shell]

[[Category:Shell]]
[[Category:System Administration]]

Install Alpine in QEMU

2025-09-04T01:56:15Z

TakodaOS: Adding nowiki tags because the template broke.

===Before You Start===

* Download the [https://alpinelinux.org/downloads latest Alpine image].
* Install QEMU on your system (e.g. <code>sudo apt install qemu</code> on Ubuntu, <code>yum -y install qemu</code> on Fedora)

If you are using Alpine Linux, you can install:

{{Cmd|# apk add {{pkg|qemu|arch=}} {{pkg|qemu-img|arch=}} {{pkg|qemu-system-x86_64|arch=}} {{pkg|qemu-ui-gtk|arch=}}}}

===Create the Virtual Machine===

Create a disk image if you want to install Alpine Linux.

{{Cmd|qemu-img create -f qcow2 alpine.qcow2 8G}}

The following command starts QEMU with the Alpine ISO image as CDROM, the default network configuration, 512MB RAM, the disk image that was created in the previous step, and CDROM as the boot device.

{{Cmd|1=qemu-system-x86_64 -m 512 -nic user -boot once=d -cdrom alpine-standard-{{AlpineLatest}}-x86_64.iso -drive file=alpine.qcow2 -display gtk -enable-kvm}}

{{Tip|Remove option <code>-enable-kvm</code> if your hardware does not support this.}}

Log in as <code>root</code> (no password) and run: {{Cmd|setup-alpine}}
Follow the [[Alpine_setup_scripts#setup-alpine|setup-alpine installation steps]].

Run <code>poweroff</code> to shut down the machine.

=== Booting the Virtual Machine ===
After the installation, QEMU can be started from disk image (<code>-boot c</code>) without CDROM.

{{Cmd|<nowiki>qemu-system-x86_64 -m 512 -nic user -drive file=alpine.qcow2</nowiki>}}

[[Category:Virtualization]]

Install Alpine in QEMU

2025-09-04T01:53:51Z

TakodaOS: Rewriting the same legacy options with the last command.

===Before You Start===

* Download the [https://alpinelinux.org/downloads latest Alpine image].
* Install QEMU on your system (e.g. <code>sudo apt install qemu</code> on Ubuntu, <code>yum -y install qemu</code> on Fedora)

If you are using Alpine Linux, you can install:

{{Cmd|# apk add {{pkg|qemu|arch=}} {{pkg|qemu-img|arch=}} {{pkg|qemu-system-x86_64|arch=}} {{pkg|qemu-ui-gtk|arch=}}}}

===Create the Virtual Machine===

Create a disk image if you want to install Alpine Linux.

{{Cmd|qemu-img create -f qcow2 alpine.qcow2 8G}}

The following command starts QEMU with the Alpine ISO image as CDROM, the default network configuration, 512MB RAM, the disk image that was created in the previous step, and CDROM as the boot device.

{{Cmd|1=qemu-system-x86_64 -m 512 -nic user -boot once=d -cdrom alpine-standard-{{AlpineLatest}}-x86_64.iso -drive file=alpine.qcow2 -display gtk -enable-kvm}}

{{Tip|Remove option <code>-enable-kvm</code> if your hardware does not support this.}}

Log in as <code>root</code> (no password) and run: {{Cmd|setup-alpine}}
Follow the [[Alpine_setup_scripts#setup-alpine|setup-alpine installation steps]].

Run <code>poweroff</code> to shut down the machine.

=== Booting the Virtual Machine ===
After the installation, QEMU can be started from disk image (<code>-boot c</code>) without CDROM.

{{Cmd|qemu-system-x86_64 -m 512 -nic user -drive file=alpine.qcow2}}

[[Category:Virtualization]]

Install Alpine in QEMU

2025-09-04T01:50:32Z

TakodaOS: As per the QEMU man pages, -boot drive and -hda are only kept for legacy purposes. I rewrote the command using the recommended options instead.

===Before You Start===

* Download the [https://alpinelinux.org/downloads latest Alpine image].
* Install QEMU on your system (e.g. <code>sudo apt install qemu</code> on Ubuntu, <code>yum -y install qemu</code> on Fedora)

If you are using Alpine Linux, you can install:

{{Cmd|# apk add {{pkg|qemu|arch=}} {{pkg|qemu-img|arch=}} {{pkg|qemu-system-x86_64|arch=}} {{pkg|qemu-ui-gtk|arch=}}}}

===Create the Virtual Machine===

Create a disk image if you want to install Alpine Linux.

{{Cmd|qemu-img create -f qcow2 alpine.qcow2 8G}}

The following command starts QEMU with the Alpine ISO image as CDROM, the default network configuration, 512MB RAM, the disk image that was created in the previous step, and CDROM as the boot device.

{{Cmd|1=qemu-system-x86_64 -m 512 -nic user -boot once=d -cdrom alpine-standard-{{AlpineLatest}}-x86_64.iso -drive file=alpine.qcow2 -display gtk -enable-kvm}}

{{Tip|Remove option <code>-enable-kvm</code> if your hardware does not support this.}}

Log in as <code>root</code> (no password) and run: {{Cmd|setup-alpine}}
Follow the [[Alpine_setup_scripts#setup-alpine|setup-alpine installation steps]].

Run <code>poweroff</code> to shut down the machine.

=== Booting the Virtual Machine ===
After the installation, QEMU can be started from disk image (<code>-boot c</code>) without CDROM.

{{Cmd|qemu-system-x86_64 -m 512 -nic user -hda alpine.qcow2}}

[[Category:Virtualization]]

LVM on LUKS

2025-08-26T22:04:48Z

TakodaOS: Okay, this should probably use Alpine Linux version numbers instead of alpine-conf's numbers. I didn't realize they were different.

This page describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition that contains the root partition and the swap partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its [[Setting up encrypted volumes with LUKS|LUKS]] subsystem is used.

'''Note:''' The <code>setup-alpine</code> installation scripts has support for encrypted installations since Alpine v3.15, and automatically encrypts swap using LVM in v3.21. For a simplistic setup it is easy to use.

Note that your {{path|/boot/}} partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that.

== Setting up Alpine Linux Using LVM on Top of a LUKS Partition ==

To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, several manual steps must be carried out in the Alpine Linux Live CD environment.

Follow the [[Installation#General_course_of_action|Installation guide]] to complete the [[Installation#Base_configuration|base configuration]] as a working [[Configure_Networking#Connectivity_testing|Internet access]] is mandatory to complete this installation.

The <code>parted</code> partition editor from {{pkg|parted}} package is needed for advanced partitioning and GPT disklabels. Install the following packages required to set up LVM and LUKS:{{Cmd|# apk add lvm2 cryptsetup e2fsprogs parted mkinitfs}}


=== Creating the Partition Layout ===

Depending on your motherboard, bios features and configuration, we can either use partition table in MBR (legacy BIOS) or GUID Partition Table (GPT). We'll describe both with example layouts.

{{Note|Instructions on this page uses {{path|'''/dev/sda'''}} as storage device name. To find your storage device's name, you could either use the <code>lsblk</code> command from the {{pkg|util-linux}} package or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands.}}

==== BIOS/MBR with DOS disklabel ====

We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. <br>
Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is possible only with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to [[Dualbooting|dual boot]], stop here and seek [[Support]].}}

Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

==== UEFI with GPT disklabel ====

We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to [[Dualbooting|dual boot]], stop here and seek [[Support]].}}

Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

=== Encrypting the LVM Physical Volume Partition ===

To encrypt the partition that will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance on modern computers:

{{Tip|If your hard drive wasn't encrypted previously, overwrite LUKS Partition with Random Data . It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.{{ic|<nowiki># dd if=/dev/urandom of=/dev/sda2 bs=1M</nowiki>}}}}

For Default settings:{{Cmd|# cryptsetup luksFormat /dev/sda2}}

Luks1 Optimized for security: {{Cmd|# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2}}

Luks2 Optimized for security:{{Cmd|# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2}}

=== Converting between LUKS2 and LUKS1 ===

It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong: {{Cmd|# cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup}}

Then make sure all keys use <code>pbkdf2</code> by adding a new key with:{{Cmd|# cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2}}

Remove keys that use <code>argon2i</code> or <code>argon2id</code> with {{Cmd|# cryptsetup luksRemoveKey /dev/sda2}}.
You can check the key information using the command: {{Cmd|# cryptsetup luksDump /dev/sda2}}

Now you can try the conversion, although it may not work. {{Cmd|# cryptsetup convert /dev/sda2 --type luks1}}

=== Creating the Logical Volumes and File Systems ===

Open the LUKS partition:{{Cmd|# cryptsetup luksOpen /dev/sda2 lvmcrypt}}

Create the PV on <code>lvmcrypt</code>: {{Cmd|# pvcreate /dev/mapper/lvmcrypt}}

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:{{Cmd|# vgcreate vg0 /dev/mapper/lvmcrypt}}

==== LV Creation for BIOS/MBR ====

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>). {{Cmd|<nowiki># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</nowiki>}}

The LVs created in the previous steps are automatically marked active. To verify, enter:{{Cmd|# lvscan}}

==== LV Creation for UEFI/GPT ====

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).{{Cmd|<nowiki># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</nowiki>}}

The LVs created in the previous steps are automatically marked active. To verify, enter:{{Cmd|# lvscan}}

=== Creating and Mounting the File Systems ===

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system: {{Cmd|# mkfs.ext4 /dev/vg0/root}}

Format the swap LV: {{Cmd|# mkswap /dev/vg0/swap}}

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:{{Cmd|# mount -t ext4 /dev/vg0/root /mnt/}}

Next format your boot partition, create a mount point, then mount it:

* If you're using BIOS and MBR: {{Cmd|<nowiki># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</nowiki>}}

* If you're using UEFI and GPT:{{Cmd|<nowiki># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</nowiki>}}

Lastly, activate your swap partition:{{Cmd|# swapon /dev/vg0/swap}}

=== Installing Alpine Linux ===

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure: {{Cmd|# setup-disk -m sys /mnt/}}

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. so we need to add the following line to the {{Path|/mnt/etc/fstab}} file as follows: {{Cat|/mnt/etc/fstab|/dev/vg0/swap swap swap defaults 0 0}}

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:{{Path|/mnt/etc/mkinitfs/mkinitfs.conf|features="... cryptsetup"}}

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}}

Rebuild the initial RAM disk:{{Cmd|# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)}}

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

=== Installing a bootloader ===

To get the UUID of your storage device into a file for later use, run this command:{{Cmd|# blkid -s UUID -o value /dev/sda2 > ~/uuid}}

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

==== Syslinux with BIOS ====

Install the Syslinux package: {{Cmd|# apk add syslinux}}

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code> as follows:{{Cat|/mnt/etc/update-extlinux.conf|<nowiki>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</nowiki>}}

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.

We can also double check if <code>modules</code> and <code>root</code> are set correctly, eg:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:{{Cmd|<nowiki># chroot /mnt/
# update-extlinux
# exit</nowiki>}}

: Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:{{Cmd|<nowiki># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</nowiki>}}

==== Grub with UEFI ====

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.{{Cmd|<nowiki># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin</nowiki>}}

This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security.

Mount the required filesystems for the Grub EFI installer to the installation:{{Cmd|<nowiki># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</nowiki>}}

Then run chroot:{{Cmd|<nowiki># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</nowiki>}}

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:{{Cmd|<nowiki># apk add grub grub-efi efibootmgr
# apk del syslinux</nowiki>}}

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we configured a few lines above.
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

===== Luks1 =====
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

===== Luks2 =====
{{Note|The method is still experimental and you may lose your access to you OS at the next OS update}}

Create a pre-config grub file: <code>/root/grub-pre.cfg</code>

<pre>
set crypto_uuid=00001
cryptomount -u $crypto_uuid
set root='lvmid/00002/00003'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

You can find:
* 00001 with <code>blkid</code> and find the uuid of your encrypted disk, i.e <code>/dev/nvme0n1p2</code> remove hyphens from the UUID
* 00002 with <code>vgdisplay</code> & VG UUID
* 00003 with <code>lvdisplay</code> & LV UUID of the root partition /

<pre># (chroot) grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# (chroot) install -v /tmp/grubx64.efi /boot/efi/EFI/grub/
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

=== Unmounting the Volumes and Partitions ===

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

== Hardening ==

* To harden, you should disable DMA[https://web.archive.org/web/20200923091814/https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[https://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

== Mounting additional encrypted filesystems at boot ==

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required.
{{Note|This does not apply for volumes
within your main encrypted partition <code>/dev/sda2</code>}}
For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

== Troubleshooting ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations. Reboot and follow the [[Installation#General_course_of_action|Installation guide]] to complete the [[Installation#Base_configuration|base configuration]] again.

Setup the LUKS partition and activate the LVs: {{Cmd|<nowiki># cryptsetup luksOpen /dev/sda2 lvmcrypt
# vgchange -ay</nowiki>}}

Follow the steps in [[#Creating_and_Mounting_the_File Systems| Creating and Mounting the File Systems]].

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

=== System can't find boot device ===

* GPT partition table on a motherboard that runs BIOS instead of UEFI
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings

=== I see "can not mount /sysroot" during boot ===

* incorrect device UUID
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code>

=== normal.mod not found ===

* re-install <code>grub-install --target=x86_64-efi</code>

=== Secure boot ===

If secure boot complains of an unsigned bootloader, you can either disable it or follow [[UEFI Secure Boot]] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

== See also ==

*[[Setting up encrypted volumes with LUKS]]
*[[Bootloaders]]
*[[UEFI Secure Boot]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*[https://www.msiism.org/files/doc/alpine-linux-fde-custom.html Installing Alpine Linux with full disk encryption on BIOS/MBR systems with a custom partition layout]
*[https://rifux.dev/docs/alpine-linux/install-luks2/ Guide to Install Alpine Linux with LUKS2, BTRFS and GRUB]
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.gentoo.org/wiki/Dm-crypt
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://wiki.gentoo.org/wiki/Syslinux

[[Category:Storage]]
[[Category:Security]]

LVM on LUKS

2025-08-26T21:54:49Z

TakodaOS: Changing v3.18 to v3.19; the feature was intended for v3.18 but a bug relating to the functionality wasn't fixed until v3.19

This page describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition that contains the root partition and the swap partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its [[Setting up encrypted volumes with LUKS|LUKS]] subsystem is used.

'''Note:''' The <code>setup-alpine</code> installation scripts has support for encrypted installations since v3.13, and automatically encrypts swap using LVM in v3.19. For a simplistic setup it is easy to use.

Note that your {{path|/boot/}} partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that.

== Setting up Alpine Linux Using LVM on Top of a LUKS Partition ==

To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, several manual steps must be carried out in the Alpine Linux Live CD environment.

Follow the [[Installation#General_course_of_action|Installation guide]] to complete the [[Installation#Base_configuration|base configuration]] as a working [[Configure_Networking#Connectivity_testing|Internet access]] is mandatory to complete this installation.

The <code>parted</code> partition editor from {{pkg|parted}} package is needed for advanced partitioning and GPT disklabels. Install the following packages required to set up LVM and LUKS:{{Cmd|# apk add lvm2 cryptsetup e2fsprogs parted mkinitfs}}


=== Creating the Partition Layout ===

Depending on your motherboard, bios features and configuration, we can either use partition table in MBR (legacy BIOS) or GUID Partition Table (GPT). We'll describe both with example layouts.

{{Note|Instructions on this page uses {{path|'''/dev/sda'''}} as storage device name. To find your storage device's name, you could either use the <code>lsblk</code> command from the {{pkg|util-linux}} package or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands.}}

==== BIOS/MBR with DOS disklabel ====

We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. <br>
Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is possible only with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to [[Dualbooting|dual boot]], stop here and seek [[Support]].}}

Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

==== UEFI with GPT disklabel ====

We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to [[Dualbooting|dual boot]], stop here and seek [[Support]].}}

Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

=== Encrypting the LVM Physical Volume Partition ===

To encrypt the partition that will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance on modern computers:

{{Tip|If your hard drive wasn't encrypted previously, overwrite LUKS Partition with Random Data . It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.{{ic|<nowiki># dd if=/dev/urandom of=/dev/sda2 bs=1M</nowiki>}}}}

For Default settings:{{Cmd|# cryptsetup luksFormat /dev/sda2}}

Luks1 Optimized for security: {{Cmd|# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2}}

Luks2 Optimized for security:{{Cmd|# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2}}

=== Converting between LUKS2 and LUKS1 ===

It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong: {{Cmd|# cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup}}

Then make sure all keys use <code>pbkdf2</code> by adding a new key with:{{Cmd|# cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2}}

Remove keys that use <code>argon2i</code> or <code>argon2id</code> with {{Cmd|# cryptsetup luksRemoveKey /dev/sda2}}.
You can check the key information using the command: {{Cmd|# cryptsetup luksDump /dev/sda2}}

Now you can try the conversion, although it may not work. {{Cmd|# cryptsetup convert /dev/sda2 --type luks1}}

=== Creating the Logical Volumes and File Systems ===

Open the LUKS partition:{{Cmd|# cryptsetup luksOpen /dev/sda2 lvmcrypt}}

Create the PV on <code>lvmcrypt</code>: {{Cmd|# pvcreate /dev/mapper/lvmcrypt}}

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:{{Cmd|# vgcreate vg0 /dev/mapper/lvmcrypt}}

==== LV Creation for BIOS/MBR ====

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>). {{Cmd|<nowiki># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</nowiki>}}

The LVs created in the previous steps are automatically marked active. To verify, enter:{{Cmd|# lvscan}}

==== LV Creation for UEFI/GPT ====

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).{{Cmd|<nowiki># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</nowiki>}}

The LVs created in the previous steps are automatically marked active. To verify, enter:{{Cmd|# lvscan}}

=== Creating and Mounting the File Systems ===

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system: {{Cmd|# mkfs.ext4 /dev/vg0/root}}

Format the swap LV: {{Cmd|# mkswap /dev/vg0/swap}}

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:{{Cmd|# mount -t ext4 /dev/vg0/root /mnt/}}

Next format your boot partition, create a mount point, then mount it:

* If you're using BIOS and MBR: {{Cmd|<nowiki># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</nowiki>}}

* If you're using UEFI and GPT:{{Cmd|<nowiki># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</nowiki>}}

Lastly, activate your swap partition:{{Cmd|# swapon /dev/vg0/swap}}

=== Installing Alpine Linux ===

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure: {{Cmd|# setup-disk -m sys /mnt/}}

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. so we need to add the following line to the {{Path|/mnt/etc/fstab}} file as follows: {{Cat|/mnt/etc/fstab|/dev/vg0/swap swap swap defaults 0 0}}

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:{{Path|/mnt/etc/mkinitfs/mkinitfs.conf|features="... cryptsetup"}}

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}}

Rebuild the initial RAM disk:{{Cmd|# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)}}

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

=== Installing a bootloader ===

To get the UUID of your storage device into a file for later use, run this command:{{Cmd|# blkid -s UUID -o value /dev/sda2 > ~/uuid}}

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

==== Syslinux with BIOS ====

Install the Syslinux package: {{Cmd|# apk add syslinux}}

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code> as follows:{{Cat|/mnt/etc/update-extlinux.conf|<nowiki>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</nowiki>}}

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.

We can also double check if <code>modules</code> and <code>root</code> are set correctly, eg:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:{{Cmd|<nowiki># chroot /mnt/
# update-extlinux
# exit</nowiki>}}

: Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:{{Cmd|<nowiki># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</nowiki>}}

==== Grub with UEFI ====

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.{{Cmd|<nowiki># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin</nowiki>}}

This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security.

Mount the required filesystems for the Grub EFI installer to the installation:{{Cmd|<nowiki># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</nowiki>}}

Then run chroot:{{Cmd|<nowiki># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</nowiki>}}

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:{{Cmd|<nowiki># apk add grub grub-efi efibootmgr
# apk del syslinux</nowiki>}}

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we configured a few lines above.
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

===== Luks1 =====
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

===== Luks2 =====
{{Note|The method is still experimental and you may lose your access to you OS at the next OS update}}

Create a pre-config grub file: <code>/root/grub-pre.cfg</code>

<pre>
set crypto_uuid=00001
cryptomount -u $crypto_uuid
set root='lvmid/00002/00003'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

You can find:
* 00001 with <code>blkid</code> and find the uuid of your encrypted disk, i.e <code>/dev/nvme0n1p2</code> remove hyphens from the UUID
* 00002 with <code>vgdisplay</code> & VG UUID
* 00003 with <code>lvdisplay</code> & LV UUID of the root partition /

<pre># (chroot) grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# (chroot) install -v /tmp/grubx64.efi /boot/efi/EFI/grub/
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

=== Unmounting the Volumes and Partitions ===

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

== Hardening ==

* To harden, you should disable DMA[https://web.archive.org/web/20200923091814/https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[https://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

== Mounting additional encrypted filesystems at boot ==

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required.
{{Note|This does not apply for volumes
within your main encrypted partition <code>/dev/sda2</code>}}
For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

== Troubleshooting ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations. Reboot and follow the [[Installation#General_course_of_action|Installation guide]] to complete the [[Installation#Base_configuration|base configuration]] again.

Setup the LUKS partition and activate the LVs: {{Cmd|<nowiki># cryptsetup luksOpen /dev/sda2 lvmcrypt
# vgchange -ay</nowiki>}}

Follow the steps in [[#Creating_and_Mounting_the_File Systems| Creating and Mounting the File Systems]].

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

=== System can't find boot device ===

* GPT partition table on a motherboard that runs BIOS instead of UEFI
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings

=== I see "can not mount /sysroot" during boot ===

* incorrect device UUID
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code>

=== normal.mod not found ===

* re-install <code>grub-install --target=x86_64-efi</code>

=== Secure boot ===

If secure boot complains of an unsigned bootloader, you can either disable it or follow [[UEFI Secure Boot]] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

== See also ==

*[[Setting up encrypted volumes with LUKS]]
*[[Bootloaders]]
*[[UEFI Secure Boot]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*[https://www.msiism.org/files/doc/alpine-linux-fde-custom.html Installing Alpine Linux with full disk encryption on BIOS/MBR systems with a custom partition layout]
*[https://rifux.dev/docs/alpine-linux/install-luks2/ Guide to Install Alpine Linux with LUKS2, BTRFS and GRUB]
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.gentoo.org/wiki/Dm-crypt
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://wiki.gentoo.org/wiki/Syslinux

[[Category:Storage]]
[[Category:Security]]

LVM on LUKS

2025-08-26T21:48:46Z

TakodaOS: Correction: Setup-disk automatically encrypts swap partitions since release 3.18 of alpine-conf

This page describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition that contains the root partition and the swap partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its [[Setting up encrypted volumes with LUKS|LUKS]] subsystem is used.

'''Note:''' The <code>setup-alpine</code> installation scripts has support for encrypted installations since v3.13, and automatically encrypts swap using LVM in v3.18. For a simplistic setup it is easy to use.

Note that your {{path|/boot/}} partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that.

== Setting up Alpine Linux Using LVM on Top of a LUKS Partition ==

To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, several manual steps must be carried out in the Alpine Linux Live CD environment.

Follow the [[Installation#General_course_of_action|Installation guide]] to complete the [[Installation#Base_configuration|base configuration]] as a working [[Configure_Networking#Connectivity_testing|Internet access]] is mandatory to complete this installation.

The <code>parted</code> partition editor from {{pkg|parted}} package is needed for advanced partitioning and GPT disklabels. Install the following packages required to set up LVM and LUKS:{{Cmd|# apk add lvm2 cryptsetup e2fsprogs parted mkinitfs}}


=== Creating the Partition Layout ===

Depending on your motherboard, bios features and configuration, we can either use partition table in MBR (legacy BIOS) or GUID Partition Table (GPT). We'll describe both with example layouts.

{{Note|Instructions on this page uses {{path|'''/dev/sda'''}} as storage device name. To find your storage device's name, you could either use the <code>lsblk</code> command from the {{pkg|util-linux}} package or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands.}}

==== BIOS/MBR with DOS disklabel ====

We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. <br>
Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is possible only with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | Boot partition | ext4 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to [[Dualbooting|dual boot]], stop here and seek [[Support]].}}

Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot
2 99.6MB 1000GB 1000GB primary ext4</pre>

==== UEFI with GPT disklabel ====

We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name | Partition purpose | Filesystem type |
+---------------------------+------------------------+-----------------------+
| /dev/sda1 | EFI system partition | fat32 |
| /dev/sda2 | LUKS container | LUKS |
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |
| |-> /dev/vg01/root | Root partition | ext4 |
| |-> /dev/vg01/boot | Boot partition | ext4 |
| |-> /dev/vg01/swap | Swap partition | swap |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to [[Dualbooting|dual boot]], stop here and seek [[Support]].}}

Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

=== Encrypting the LVM Physical Volume Partition ===

To encrypt the partition that will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance on modern computers:

{{Tip|If your hard drive wasn't encrypted previously, overwrite LUKS Partition with Random Data . It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.{{ic|<nowiki># dd if=/dev/urandom of=/dev/sda2 bs=1M</nowiki>}}}}

For Default settings:{{Cmd|# cryptsetup luksFormat /dev/sda2}}

Luks1 Optimized for security: {{Cmd|# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2}}

Luks2 Optimized for security:{{Cmd|# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2}}

=== Converting between LUKS2 and LUKS1 ===

It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong: {{Cmd|# cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup}}

Then make sure all keys use <code>pbkdf2</code> by adding a new key with:{{Cmd|# cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2}}

Remove keys that use <code>argon2i</code> or <code>argon2id</code> with {{Cmd|# cryptsetup luksRemoveKey /dev/sda2}}.
You can check the key information using the command: {{Cmd|# cryptsetup luksDump /dev/sda2}}

Now you can try the conversion, although it may not work. {{Cmd|# cryptsetup convert /dev/sda2 --type luks1}}

=== Creating the Logical Volumes and File Systems ===

Open the LUKS partition:{{Cmd|# cryptsetup luksOpen /dev/sda2 lvmcrypt}}

Create the PV on <code>lvmcrypt</code>: {{Cmd|# pvcreate /dev/mapper/lvmcrypt}}

Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:{{Cmd|# vgcreate vg0 /dev/mapper/lvmcrypt}}

==== LV Creation for BIOS/MBR ====

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>). {{Cmd|<nowiki># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</nowiki>}}

The LVs created in the previous steps are automatically marked active. To verify, enter:{{Cmd|# lvscan}}

==== LV Creation for UEFI/GPT ====

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).{{Cmd|<nowiki># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</nowiki>}}

The LVs created in the previous steps are automatically marked active. To verify, enter:{{Cmd|# lvscan}}

=== Creating and Mounting the File Systems ===

Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system: {{Cmd|# mkfs.ext4 /dev/vg0/root}}

Format the swap LV: {{Cmd|# mkswap /dev/vg0/swap}}

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:{{Cmd|# mount -t ext4 /dev/vg0/root /mnt/}}

Next format your boot partition, create a mount point, then mount it:

* If you're using BIOS and MBR: {{Cmd|<nowiki># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</nowiki>}}

* If you're using UEFI and GPT:{{Cmd|<nowiki># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</nowiki>}}

Lastly, activate your swap partition:{{Cmd|# swapon /dev/vg0/swap}}

=== Installing Alpine Linux ===

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure: {{Cmd|# setup-disk -m sys /mnt/}}

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file. so we need to add the following line to the {{Path|/mnt/etc/fstab}} file as follows: {{Cat|/mnt/etc/fstab|/dev/vg0/swap swap swap defaults 0 0}}

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:{{Path|/mnt/etc/mkinitfs/mkinitfs.conf|features="... cryptsetup"}}

If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}}

Rebuild the initial RAM disk:{{Cmd|# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)}}

The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

=== Installing a bootloader ===

To get the UUID of your storage device into a file for later use, run this command:{{Cmd|# blkid -s UUID -o value /dev/sda2 > ~/uuid}}

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

==== Syslinux with BIOS ====

Install the Syslinux package: {{Cmd|# apk add syslinux}}

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code> as follows:{{Cat|/mnt/etc/update-extlinux.conf|<nowiki>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</nowiki>}}

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.

We can also double check if <code>modules</code> and <code>root</code> are set correctly, eg:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:{{Cmd|<nowiki># chroot /mnt/
# update-extlinux
# exit</nowiki>}}

: Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:{{Cmd|<nowiki># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</nowiki>}}

==== Grub with UEFI ====

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.{{Cmd|<nowiki># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin</nowiki>}}

This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security.

Mount the required filesystems for the Grub EFI installer to the installation:{{Cmd|<nowiki># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</nowiki>}}

Then run chroot:{{Cmd|<nowiki># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</nowiki>}}

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:{{Cmd|<nowiki># apk add grub grub-efi efibootmgr
# apk del syslinux</nowiki>}}

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we configured a few lines above.
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>

If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.

===== Luks1 =====
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

===== Luks2 =====
{{Note|The method is still experimental and you may lose your access to you OS at the next OS update}}

Create a pre-config grub file: <code>/root/grub-pre.cfg</code>

<pre>
set crypto_uuid=00001
cryptomount -u $crypto_uuid
set root='lvmid/00002/00003'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>

You can find:
* 00001 with <code>blkid</code> and find the uuid of your encrypted disk, i.e <code>/dev/nvme0n1p2</code> remove hyphens from the UUID
* 00002 with <code>vgdisplay</code> & VG UUID
* 00003 with <code>lvdisplay</code> & LV UUID of the root partition /

<pre># (chroot) grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# (chroot) install -v /tmp/grubx64.efi /boot/efi/EFI/grub/
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>

=== Unmounting the Volumes and Partitions ===

Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>

== Hardening ==

* To harden, you should disable DMA[https://web.archive.org/web/20200923091814/https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[https://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

== Mounting additional encrypted filesystems at boot ==

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required.
{{Note|This does not apply for volumes
within your main encrypted partition <code>/dev/sda2</code>}}
For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.

Create a keyfile and add it to the LUKS partition:

<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>

Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:

<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>

Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:

<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>

Enable the dmcrypt and lvm services to start on boot:

<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>

After a reboot the partition should be decrypted and mounted automatically.

== Troubleshooting ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations. Reboot and follow the [[Installation#General_course_of_action|Installation guide]] to complete the [[Installation#Base_configuration|base configuration]] again.

Setup the LUKS partition and activate the LVs: {{Cmd|<nowiki># cryptsetup luksOpen /dev/sda2 lvmcrypt
# vgchange -ay</nowiki>}}

Follow the steps in [[#Creating_and_Mounting_the_File Systems| Creating and Mounting the File Systems]].

Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

=== System can't find boot device ===

* GPT partition table on a motherboard that runs BIOS instead of UEFI
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings

=== I see "can not mount /sysroot" during boot ===

* incorrect device UUID
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code>

=== normal.mod not found ===

* re-install <code>grub-install --target=x86_64-efi</code>

=== Secure boot ===

If secure boot complains of an unsigned bootloader, you can either disable it or follow [[UEFI Secure Boot]] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

== See also ==

*[[Setting up encrypted volumes with LUKS]]
*[[Bootloaders]]
*[[UEFI Secure Boot]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*[https://www.msiism.org/files/doc/alpine-linux-fde-custom.html Installing Alpine Linux with full disk encryption on BIOS/MBR systems with a custom partition layout]
*[https://rifux.dev/docs/alpine-linux/install-luks2/ Guide to Install Alpine Linux with LUKS2, BTRFS and GRUB]
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.gentoo.org/wiki/Dm-crypt
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://wiki.gentoo.org/wiki/Syslinux

[[Category:Storage]]
[[Category:Security]]

Setting up encrypted volumes with LUKS

2025-08-26T21:44:23Z

TakodaOS: Correction: Setup-disk automatically encrypts swap partitions since release 3.18 of alpine-conf

[https://en.wikipedia.org/wiki/Linux%20Unified%20Key%20Setup LUKS] allows encrypting a partition and mapping it as a virtual block device, which can then be used as a normal partition. Guides for other Linux distributions should serve as a general references for installing Alpine onto a LUKS encrypted disk.

The following approaches are known to work:

* Plain LUKS
* [[LVM on LUKS]]

The installer has built-in support for encryption, and will automatically enable LVM to encrypt swap partitions, but it will not encrypt the boot partition. The [[Bootloaders#GRUB|GRUB]] bootloader supports BIOS and EFI boot with an encrypted boot partition.

== mkinitfs and LUKS ==

For those familiar with setting up FDE on other Linux distributions, this section contains only Alpine-specific knowledge required and understanding [[mkinitfs]].

First of all, the <code>cryptsetup</code> feature needs to be added to {{path|/etc/mkinitfs/mkinitfs.conf}}. Additionally, the following kernel parameters are required:

* <code>cryptroot</code> kernel parameter should point to the encrypted block device.
* <code>cryptdm</code>: the name that will be given to the device.
* <code>root</code> kernel parameter should point to the mapped block device: <code>/dev/mapper/<name used in cryptdm></code>.
* <code>rootfstype</code>: the filesystem type of the root partition (e.g.: <code>btrfs</code>).

For example, if you use grub with GPT partition table using ext4 without LVM the {{path|/etc/default/grub}} file will be as follows:{{Cat|/etc/default/grub|<nowiki>GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4 quiet rootfstype=ext4 cryptroot=UUID=a7dc90c4-6746-417e-b25b-cb8769ee6334 cryptdm=alpine-rootfs root=/dev/mapper/alpine-rootfs"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
GRUB_ENABLE_CRYPTODISK=y
</nowiki>}}

== Decrypting non-root volumes during boot ==
{{Main|LVM on LUKS#Mounting additional encrypted filesystems at boot}}
To have an encrypted non-root volume be decrypted prior to automatically mounting it somewhere via <code>/etc/fstab</code>, configure <code>dmcrypt</code> in the {{path|/etc/conf.d/dmcrypt}} file. The comments inside that file should guide you, but as a simple example, here's what you should include in that file to decrypt and map a partition to some volume named, say, “<code>myvolume</code>”, given its UUID (here represented using a series of <code>X</code>s), using a passphrase {{Cat|/etc/conf.d/dmcrypt|<nowiki>...
target=myvolume
source=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
key=/etc/keys/myvolume.key #not needed as passphrase is used in this example
...</nowiki>}}

In {{path|/etc/fstab}} file, then, you would include the following line as follows:{{Cat|/etc/fstab|<nowiki>...
/dev/mapper/myvolume <path> <fstype> <options>
...</nowiki>}}

substituting in the proper parameters.

Do not forget to enable the <code>localmount</code> service:

<code>rc-update add localmount</code>

Otherwise they will not be mounted automatically.

== See also ==

* [[LVM on LUKS]]
* [[mkinitfs|Initramfs init]]
* [[Full disk encryption secure boot]]
* [[Setting up a laptop|Setting up a secured laptop]]
* [https://wiki.archlinux.org/index.php/Dm-crypt dm-crypt on ArchWiki]

[[Category:Storage]]
[[Category:Security]]

Btrfs

2025-08-23T15:34:20Z

TakodaOS: Adding a better introduction to Btrfs and easier instructions. Moving a link and adding another resource.

[https://wikipedia.org/wiki/Btrfs Btrfs] is a CoW (copy on write) filesystem with checksums, snapshots, compression and more.

== Installation ==
<code>setup-disk</code> can automatically set up a root filesystem with Btrfs using environment variables. Export <code>ROOTFS</code> before running <code>setup-disk</code> or <code>setup-alpine</code> like so:

{{Cmd|<nowiki># export ROOTFS=btrfs</nowiki>}}

The filesystem utilities and modules will automatically be set up.

=== Manual Installation ===

Installing Btrfs is relatively straight forward. Install the package and tell Alpine to load the module on startup:

{{Cmd|# apk add {{pkg|btrfs-progs}}
<nowiki># echo btrfs >> /etc/modules</nowiki>}}

To load the module immediately, you can use the following command:

{{Cmd|# modprobe btrfs}}

If btrfs is used for root filesystem, ensure that the initramfs is generated with the btrfs module, otherwise the system may fail to boot.

To do so edit the {{path|/etc/mkinitfs/mkinitfs.conf}} and ensure that "btrfs" is in the list of features as follows:{{Cat|/etc/mkinitfs/mkinitfs.conf|features{{=}}"ata base cdrom ext4 keymap kms mmc nvme raid scsi usb virtio btrfs"}}

After making the above change, issue the command to regenerate the initramfs:{{Cmd|# mkinitfs}}

== Configuration ==

=== Mounting a subvolume ===

To mount a subvolume {{ic|@alpine}} located in the btrfs partition {{Path|/dev/nvme0n1p3}}, the command is: {{Cmd|<nowiki># mount -o subvol=@alpine /dev/nvme0n1p3 /mnt</nowiki>}}

=== Mounting a subvolume on boot ===

To mount a volume on boot, add a new entry to your {{path|/etc/fstab}} file as follows: {{cat|/etc/fstab|<nowiki>...
UUID=abcdef-0055-4958-990f-1413ed1186ec /var/data btrfs defaults,nofail,subvol=@ 0 0</nowiki>}}

If you use more specific mounting options like for example:{{cat|/etc/fstab|<nowiki>...
UUID=005f5994-f51c-4360-8c9b-589fa59ea6fc /mnt/hddext btrfs nofail,rw,noatime,commit=64,nossd,autodefrag,compress=zstd:10 0 2</nowiki>}}

Do not forget to install additional dependencies. If you enabled on the fly compression you need to install zstd: {{cmd|# apk add {{pkg|zstd}}}}

More information about mounting can be found in the official [https://btrfs.readthedocs.io Btrfs wiki]

=== Enable btrfs-scan service ===

To ensure that that btrfs partitions are cleanly mounted, enable the {{ic|btrfs-scan}} service from the {{pkg|btrfs-progs}}package: {{Cmd|# rc-update add btrfs-scan boot}}

=== apk-snap ===

The {{ic|apk-snap}} script from {{pkg|apk-snap}} package triggers filesystem snapshots before and after every apk commit.
The {{pkg|apk-snap}} package is currently available in [[Repositories#Testing|testing]] repository. It can be safely installed by following the [[Repositories#Using_testing_repository|guidelines]].

This package autointalls {{pkg|snapper}} package and provides necessary apk hooks and script that causes {{ic|snapper}} to automatically take a pre and post snapshot before and after apk transactions, similar to how YaST does with OpenSuse. This provides a simple way to undo changes to a system after an apk transaction.

By default the '''/''' (root) snapshots taken by snapper are saved in the '''/.snapshot''' folder. To make it easier to manage the snapshots created by snapper, it is better to mainain it outside of '''/(root)''' folder. To achieve this, create a subvolume {{ic|@snaps_root}} in the btrfs partition and mount the above subvolume on '''/.snapshot''' folder by having an entry in {{Path|etc/fstab}} file as follows: {{Cat|/etc/fstab|<nowiki>...
UUID=823a3283-30a7-4fef-b50b-8a2230c71b5b /.snapshots btrfs compress=zlib:3,subvol=@snaps_root 0 0</nowiki>}}

=== Bootloader ===

If the initrd and kernel are installed inside the btrfs root subvolume instead of EFI partition, configuring the bootloader properly is important. For sample configuration, refer to the following pages for [[Bootloaders#Manual_configuration|rEFInd]] and [[Immutable root with atomic upgrades#GRUB|GRUB]] bootloaders.

== Troubleshooting ==

=== Mount failed ===

If you try mounting a Btrfs volume via your {{path|/etc/fstab}} and if it doesn't show up, this is related to {{Issue|9539|Can't mount BTRFS volume using fstab}}. This could be because Btrfs does not know about the drives during boot. To avoid this issue [[#Enable btrfs-scan service|enable the btrfs-scan service]]. The volume should mount correctly after a reboot.

== See also ==

* [https://btrfs.readthedocs.io Btrfs documentation]
* [https://garrit.xyz/posts/2021-12-31-btrfs-on-alpine BTRFS on Alpine Linux]
* [https://web.archive.org/web/20221127043947/https://nparsons.uk/blog/using-btrfs-on-alpine-linux Using BTRFS on Alpine Linux]
* [https://wiki.archlinux.org/title/Btrfs ArchWiki]
* [https://wiki.gentoo.org/wiki/Btrfs Gentoo Wiki]
* [[Install Alpine on a btrfs filesystem with refind as boot manager]]
* [[Immutable root with atomic upgrades|Immutable root with atomic upgrades using btrfs snapshots]]
[[Category:Filesystems]]