https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&user=Govynnus&feedformat=atomAlpine Linux - User contributions [en]2024-03-29T08:01:17ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=26134LVM on LUKS2024-01-06T13:46:02Z<p>Govynnus: /* General Procedure */ Add required <name> argument to cryptsetup command</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem are used.<br />
<br />
'''Note:''' These manual steps might be undesired for trivial installations, as <code>[[Alpine_setup_scripts#setup-disk|setup-disk]]</code> supports selecting crypt for sys since [https://gitlab.alpinelinux.org/alpine/alpine-conf/-/commit/b7b8b76 v3.13] (swap will not be encrypted).<br />
<br />
Note that your {{path|/boot/}} partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that.<br />
<br />
== Storage Device Name ==<br />
<br />
To find your storage device's name, you could either install {{pkg|util-linux}} (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.<br />
<br />
The following documentation uses the {{path|/dev/sda}} device as installation destination. If your environment uses a different name for your storage device, use the corresponding device name in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.<br />
<br />
Run the scripts in this order:<br />
<br />
<pre># setup-keymap<br />
# setup-hostname<br />
# setup-interfaces<br />
# rc-service networking start</pre><br />
<br />
If you are configuring static networking (i.e. you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.<br />
<br />
If you are using Wi-Fi you may need to run <code>rc-update add wpa_supplicant boot</code>.<br />
<br />
{{Note|On versions of OpenRC prior to 0.45 use <code>urandom</code> instead of <code>seedrng</code>}}<br />
<br />
<pre># passwd<br />
# setup-timezone<br />
# rc-update add networking boot<br />
# rc-update add seedrng boot<br />
# rc-update add acpid default<br />
# rc-service acpid start</pre><br />
<br />
Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):<br />
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}<br />
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain<br />
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}<br />
<br />
<pre># setup-ntp<br />
# setup-apkrepos<br />
# apk update<br />
# setup-sshd</pre><br />
<br />
Here's where we deviate from the install script.<br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}<br />
<br />
<pre># apk add lvm2 cryptsetup e2fsprogs parted mkinitfs</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
Depending on your motherboard, BIOS features and configuration, you can use either a partition table in the MBR (legacy BIOS) or a GUID Partition Table (GPT). We'll describe both with example layouts.<br />
<br />
=== BIOS/MBR with DOS disklabel ===<br />
<br />
We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. <br><br />
Syslinux does support GPT partition tables, but GRUB2 is the better option for UEFI (UEFI is possible only with GPT).<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | Boot partition         | ext4                  |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|   |-> /dev/mapper/lvmcrypt| LVM container          | LVM                   |<br />
|   |-> /dev/vg0/root       | Root partition         | ext4                  |<br />
|   |-> /dev/vg0/swap       | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel msdos<br />
(parted) mkpart primary ext4 0% 100M<br />
(parted) set 1 boot on<br />
(parted) mkpart primary ext4 100M 100%</pre><br />
<br />
To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:<br />
<pre>(parted) print<br />
Model: ATA TOSHIBA ******** (scsi)<br />
Disk /dev/sda: 1000GB<br />
Sector size (logical/physical): 512B/4096B<br />
Partition Table: msdos<br />
Disk Flags:<br />
<br />
Number  Start   End     Size    Type     File system  Flags<br />
 1      1049kB  99.6MB  98.6MB  primary  ext4         boot<br />
 2      99.6MB  1000GB  1000GB  primary  ext4</pre><br />
<br />
=== UEFI with GPT disklabel ===<br />
<br />
We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | EFI system partition   | fat32                 |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|   |-> /dev/mapper/lvmcrypt| LVM container          | LVM                   |<br />
|   |-> /dev/vg0/root       | Root partition         | ext4                  |<br />
|   |-> /dev/vg0/boot       | Boot partition         | ext4                  |<br />
|   |-> /dev/vg0/swap       | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel gpt<br />
(parted) mkpart primary fat32 0% 200M<br />
(parted) name 1 esp<br />
(parted) set 1 esp on<br />
(parted) mkpart primary ext4 200M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
== Optional: Overwrite LUKS Partition with Random Data ==<br />
<br />
This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.<br />
<br />
<pre># dd if=/dev/urandom of=/dev/sda2 bs=1M</pre><br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition that will later contain the LVM PV, you can either use the default settings (the aes-xts-plain64 cipher with a 256-bit key and Argon2 key derivation with an iter-time of 2000ms), or use one of the following settings, which add security at the cost of a decrease in performance that is not noticeable on modern computers:<br />
<br />
Default settings:<br />
<br />
<pre># cryptsetup luksFormat /dev/sda2</pre><br />
<br />
LUKS1, optimized for security:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2</pre><br />
<br />
LUKS2, optimized for security:<br />
<br />
<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2</pre><br />
<br />
=== Converting between LUKS2 and LUKS1 ===<br />
<br />
It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong:<br />
<br />
<pre># cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup</pre><br />
<br />
Then make sure all keys use <code>pbkdf2</code> by adding a new key with:<br />
<br />
<pre># cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2</pre><br />
<br />
Remove keys that use <code>argon2i</code> or <code>argon2id</code> with <code>cryptsetup luksRemoveKey /dev/sda2</code>. You can check the key information using <code>cryptsetup luksDump /dev/sda2</code>.<br />
<br />
Now you can try the conversion, although it may not work.<br />
<br />
<pre># cryptsetup convert /dev/sda2 --type luks1</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>lvmcrypt</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
=== LV Creation for BIOS/MBR ===<br />
<br />
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
=== LV Creation for UEFI/GPT ===<br />
<br />
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -L 2G vg0 -n boot<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
== Creating and Mounting the File Systems ==<br />
<br />
Format the <code>root</code> LV using the ext4 file system (the boot file system is created further below):<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
Next format your boot partition, create a mount point, then mount it:<br />
<br />
* If you're using BIOS and MBR:<br />
<br />
<pre># mkfs.ext4 /dev/sda1<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/sda1 /mnt/boot</pre><br />
<br />
* If you're using UEFI and GPT:<br />
<br />
<pre># apk add dosfstools<br />
# mkfs.fat -F32 /dev/sda1<br />
# mkfs.ext4 /dev/vg0/boot<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/vg0/boot /mnt/boot<br />
# mkdir -v /mnt/boot/efi<br />
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre><br />
<br />
Lastly, activate your swap partition:<br />
<br />
<pre># swapon /dev/vg0/swap</pre><br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}}<br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file, so we need to add the following line to the {{Path|/mnt/etc/fstab}} file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
<br />
<pre>features="... cryptsetup"</pre><br />
<br />
If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.<br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the <code>keymap</code> feature to the list above.}}<br />
<br />
{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}}<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file given in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/)</code> argument, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
<br />
To get the UUID of your storage device into a file for later use, run this command:<br />
<br />
<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre><br />
<br />
{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}<br />
<br />
=== Syslinux with BIOS ===<br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:<br />
<br />
<pre>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</pre><br />
<br />
The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.<br />
<br />
We can also double-check that <code>modules</code> and <code>root</code> are set correctly, e.g.:<br />
<pre><br />
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm<br />
root=UUID=<UUID of /dev/mapper/vg0-root><br />
</pre><br />
<br />
Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre># chroot /mnt/<br />
# update-extlinux<br />
# exit</pre><br />
<br />
: Because we didn't mount <code>/dev</code> or <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run the <code>update-extlinux</code> command. You can most likely ignore these.<br />
<br />
Write the MBR (without partition table) to the <code>/dev/sda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre><br />
<br />
=== Grub with UEFI ===<br />
<br />
To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.<br />
<br />
<pre># touch /mnt/crypto_keyfile.bin<br />
# chmod 600 /mnt/crypto_keyfile.bin<br />
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin<br />
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin<br />
</pre><br />
<br />
This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security.<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre># mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
# mount --rbind /sys /mnt/sys</pre><br />
<br />
Then run chroot:<br />
<br />
<pre># chroot /mnt<br />
# source /etc/profile<br />
# export PS1="(chroot) $PS1"</pre><br />
<br />
Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:<br />
<br />
<pre># apk add grub grub-efi efibootmgr<br />
# apk del syslinux</pre><br />
<br />
Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):<br />
<br />
<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre><br />
<br />
The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we configured a few lines above.<br />
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.<br />
<br />
To enable GRUB to decrypt LUKS partitions and read LVM volumes add:<br />
<br />
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre><br />
<br />
If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.<br />
<br />
==== LUKS1 ====<br />
<br />
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit</pre><br />
<br />
==== LUKS2 ====<br />
{{Note|This method is still experimental and you may lose access to your OS at the next OS update}}<br />
<br />
Create a pre-config grub file: <code>/root/grub-pre.cfg</code><br />
<br />
<pre><br />
set crypto_uuid=00001<br />
cryptomount -u $crypto_uuid<br />
set root='lvmid/00002/00003'<br />
set prefix=($root)/boot/grub<br />
insmod normal<br />
normal<br />
</pre><br />
<br />
You can find these values as follows:<br />
* 00001: the UUID of your encrypted partition (e.g. <code>/dev/nvme0n1p2</code>) as shown by <code>blkid</code>, with the hyphens removed<br />
* 00002: the VG UUID shown by <code>vgdisplay</code><br />
* 00003: the LV UUID of the root partition (/) shown by <code>lvdisplay</code><br />
<br />
<pre># (chroot) grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512<br />
# (chroot) install -v /tmp/grubx64.efi /boot/efi/EFI/grub/<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit</pre><br />
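As an added example (this helper is not part of the wiki page or of GRUB), a POSIX shell function that renders the grub-pre.cfg above from the three values 00001, 00002 and 00003, stripping the hyphens from the LUKS UUID and rejecting values that do not have the expected shape; the function names are my own, and the <code>collect_uuids</code> wrapper assumes the <code>vgs</code>/<code>lvs</code> UUID columns of lvm2 instead of the <code>vgdisplay</code>/<code>lvdisplay</code> output described above.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the wiki page): build the grub-pre.cfg used by the
# LUKS2 grub-mkimage step from the LUKS, VG and root-LV UUIDs, validating each.
# Function names are hypothetical; device and VG/LV names follow the page.

# GRUB's "cryptomount -u" wants the LUKS UUID without hyphens, lower-case hex.
# Accepts the blkid form (8-4-4-4-12) or an already stripped 32-char value.
luks_uuid_for_grub() {
    u=$(printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f')
    if [ "${#u}" -ne 32 ]; then
        echo "bad LUKS UUID (expected 32 hex digits): $1" >&2
        return 1
    fi
    case "$u" in
        *[!0-9a-f]*) echo "bad LUKS UUID (non-hex character): $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$u"
}

# LVM VG and LV UUIDs keep their hyphens in GRUB's lvmid/<VG UUID>/<LV UUID>
# syntax: seven alphanumeric groups of 6-4-4-4-4-4-6 characters.
check_lvm_uuid() {
    case "$1" in
        ??????-????-????-????-????-????-??????) ;;
        *) echo "bad LVM UUID (wrong grouping): $1" >&2; return 1 ;;
    esac
    case "$1" in
        *[!0-9A-Za-z-]*) echo "bad LVM UUID (bad character): $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$1"
}

# Print the six lines of grub-pre.cfg.
# $1 = LUKS UUID (00001), $2 = VG UUID (00002), $3 = root LV UUID (00003).
render_grub_pre_cfg() {
    luks=$(luks_uuid_for_grub "$1") || return 1
    vg=$(check_lvm_uuid "$2") || return 1
    lv=$(check_lvm_uuid "$3") || return 1
    printf 'set crypto_uuid=%s\n' "$luks"
    printf 'cryptomount -u $crypto_uuid\n'
    printf "set root='lvmid/%s/%s'\n" "$vg" "$lv"
    printf 'set prefix=($root)/boot/grub\n'
    printf 'insmod normal\n'
    printf 'normal\n'
}

# Query the live system (as root, inside the chroot) for the vg0/root layout
# used on this page; $1 is the LUKS partition, defaulting to /dev/sda2.
# Write the result to /root/grub-pre.cfg for the grub-mkimage step.
collect_uuids() {
    dev=${1:-/dev/sda2}
    luks=$(blkid -s UUID -o value "$dev")
    vg=$(vgs --noheadings -o vg_uuid vg0 | tr -d ' ')
    lv=$(lvs --noheadings -o lv_uuid vg0/root | tr -d ' ')
    render_grub_pre_cfg "$luks" "$vg" "$lv"
}

# "sh script.sh --demo" renders the file from constructed sample values
# (these are not real identifiers from any system).
if [ "${1:-}" = "--demo" ]; then
    render_grub_pre_cfg \
        '1b2c3d4e-5f60-4718-9a0b-1c2d3e4f5061' \
        'Ab12Cd-Ef34-Gh56-Ij78-Kl90-Mn12-Op34Qr' \
        'Zy98Xw-Vu76-Ts54-Rq32-Po10-Nm98-Lk76Ji'
fi
```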
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:<br />
<br />
<pre># cd<br />
# umount -l /mnt/dev<br />
# umount -l /mnt/proc<br />
# umount -l /mnt/sys<br />
# umount /mnt/boot/efi<br />
# umount /mnt/boot<br />
# swapoff /dev/vg0/swap<br />
# umount /mnt<br />
# vgchange -a n<br />
# cryptsetup luksClose lvmcrypt<br />
# reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Open the LUKS partition and activate the LVs:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt<br />
# vgchange -ay</pre><br />
<br />
[[#Creating_and_Mounting_the_File_Systems|Mount the file systems]]<br />
<br />
Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.<br />
<br />
== System can't find boot device ==<br />
<br />
* GPT partition table on a motherboard that runs BIOS instead of UEFI<br />
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings<br />
<br />
== I see "can not mount /sysroot" during boot ==<br />
<br />
* incorrect device UUID<br />
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code><br />
<br />
== normal.mod not found ==<br />
<br />
* re-run <code>grub-install --target=x86_64-efi</code> from the chroot (see [[#Grub_with_UEFI|Grub with UEFI]])<br />
<br />
== Secure boot ==<br />
<br />
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.<br />
<br />
= Hardening =<br />
<br />
* To harden, you should disable DMA[https://web.archive.org/web/20200923091814/https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[https://moongate.ydns.eu/amnesia.html]), since cryptsetup with LUKS uses AES by default.<br />
* Disable DMA in the BIOS and set a BIOS password, as described on Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]<br />
* Blacklist kernel modules that use DMA and any unused expansion interfaces (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.<br />
<br />
= Mounting additional encrypted filesystems at boot =<br />
<br />
If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required.<br />
{{Note|This does not apply to volumes within your main encrypted partition <code>/dev/sda2</code>}}<br />
For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.<br />
<br />
Create a keyfile and add it to the LUKS partition:<br />
<br />
<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin<br />
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin<br />
</pre><br />
<br />
Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:<br />
<br />
<pre>target=crypt-home<br />
source='/dev/sdb1'<br />
key='/root/crypt-home-keyfile.bin'<br />
</pre><br />
<br />
Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:<br />
<br />
<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre><br />
<br />
Enable the dmcrypt and lvm services to start on boot:<br />
<br />
<pre># rc-update add dmcrypt boot<br />
# rc-update add lvm boot<br />
</pre><br />
<br />
After a reboot the partition should be decrypted and mounted automatically.<br />
<br />
= See also =<br />
*[[Bootloaders]]<br />
*[[Alpine setup scripts]]<br />
*[[Installing on GPT LVM]]<br />
*[[Setting up LVM on GPT-labeled disks]]<br />
*[[Setting up disks manually]]<br />
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/<br />
*[https://www.msiism.org/files/doc/alpine-linux-fde-custom.html Installing Alpine Linux with full disk encryption on BIOS/MBR systems with a custom partition layout]<br />
*https://wiki.archlinux.org/index.php/GRUB<br />
*https://wiki.archlinux.org/index.php/Syslinux<br />
*https://wiki.gentoo.org/wiki/Dm-crypt<br />
*https://wiki.gentoo.org/wiki/GRUB2<br />
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide<br />
*https://wiki.gentoo.org/wiki/Syslinux<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=20358PipeWire2021-11-19T18:06:06Z<p>Govynnus: Encourage the use of wireplumber as the session manager (pipewire-media-session will be deprecated at some point)</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
When elogind is not available, the user has to be added to the <code>audio</code> group. The user must log in again for this to take effect.<br />
<br />
<pre><br />
# addgroup <user> audio<br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
=== XDG_RUNTIME_DIR ===<br />
<br />
If you are not using a Desktop Manager, ensure that your <code>XDG_RUNTIME_DIR</code> is set to a user-writable location. By default for pulseaudio this is {{Path|/run/user/1000/}} or {{Path|/tmp}}. If this is not set, pipewire will create a directory in your home folder instead, called <code>~/pulse</code>, and on attempting to run Pavucontrol or pactl, you will get the following error:<br />
<br />
<pre><br />
$ pactl list<br />
Connection failure: Connection refused<br />
pa_context_connect() failed: Connection refused<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire wireplumber<br />
</pre><br />
<br />
{{Note|Using [https://gitlab.freedesktop.org/pipewire/wireplumber WirePlumber] rather than the pipewire-media-session (which comes with pipewire) is [https://gitlab.freedesktop.org/pipewire/media-session/-/blob/master/README.md recommended] but not required.}}<br />
<br />
Create a custom configuration file in {{Path|/etc/pipewire/pipewire.conf}}:<br />
<br />
<pre><br />
# mkdir /etc/pipewire<br />
# cp /usr/share/pipewire/pipewire.conf /etc/pipewire/<br />
</pre><br />
<br />
Add the following line to the <code>context.exec</code> section at the bottom of {{Path|/etc/pipewire/pipewire.conf}}:<br />
<br />
<pre><br />
{ path = "wireplumber" args = "" }<br />
</pre><br />
<br />
Enable the <code>snd_seq</code> kernel module for ALSA support.<br />
<br />
<pre><br />
# modprobe snd_seq<br />
# echo snd_seq >> /etc/modules<br />
</pre><br />
<br />
=== ALSA ===<br />
<br />
If you use neither JACK nor PulseAudio and don't intend to, enable plain ALSA support:<br />
<br />
<pre><br />
# touch /etc/pipewire/media-session.d/with-alsa<br />
</pre><br />
<br />
=== PulseAudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ PulseAudio] daemon which should allow all existing PulseAudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
Uncomment the following line in {{Path|/etc/pipewire/pipewire.conf}}:<br />
<br />
<pre><br />
{ path = "/usr/bin/pipewire" args = "-c pipewire-pulse.conf" }<br />
</pre><br />
<br />
It should be automatically enabled.<br />
<br />
=== JACK ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ JACK] applications install the required package and make system wide links to the PipeWire replacement JACK libraries (I have not had success using <code>pw-jack</code>). You will not need to start a JACK server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Bluetooth headset ===<br />
<br />
Requires the <code>pipewire-spa-bluez</code> package to be installed in addition to the PulseAudio daemon (<code>pipewire-pulse</code>).<br />
<br />
=== Automatic bluetooth profile selection ===<br />
<br />
To automatically switch between HSP/HFP and A2DP profiles when an input stream is detected, set the <code>bluez5.autoswitch-profile</code> property to <code>true</code> in {{Path|/etc/pipewire/media-session.d/bluez-monitor.conf}}:<br />
<pre><br />
...<br />
rules = [<br />
    {<br />
        ...<br />
        actions = {<br />
            update-props = {<br />
                ...<br />
                bluez5.autoswitch-profile = true<br />
                ...<br />
</pre><br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on:<br />
* GNOME with <code>xdg-desktop-portal-gtk</code><br />
* KDE Plasma with <code>xdg-desktop-portal-kde</code> and Firefox<br />
* Sway with <code>xdg-desktop-portal-wlr</code> and Firefox<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
# apk add pipewire-tools<br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test that sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that audio recording is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test PulseAudio clients using a media player (most use PulseAudio) and if you use JACK test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make PipeWire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== Troubleshooting ==<br />
<br />
=== `pw-cat -p --list-targets` shows no targets ===<br />
<br />
First, check whether ALSA knows about your sound card:<br />
<br />
<pre><br />
aplay -l<br />
</pre><br />
<br />
If sound devices are found, the issue is with your pipewire configuration. Consider double-checking the instructions above.<br />
<br />
Otherwise, your sound card may not be supported in the version of the Linux Kernel you're running. You should search online for fixes relating to your current kernel version and the codec of your sound card. You can find each of these with:<br />
<br />
<pre><br />
uname -r<br />
cat /proc/asound/card0/codec* | grep Codec<br />
</pre><br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=20125PipeWire2021-08-30T15:24:56Z<p>Govynnus: /* Usage */ pw-* commands have been moved to the pipewire-tools package</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
When elogind is not available, the user has to be added to the <code>audio</code> group. The user must log in again for this to take effect.<br />
<br />
<pre><br />
# addgroup audio <user><br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
=== XDG_RUNTIME_DIR ===<br />
<br />
If you are not using a Desktop Manager, ensure that your <code>XDG_RUNTIME_DIR</code> is set to a user-writable location. By default for pulseaudio this is {{Path|/run/user/1000/}} or {{Path|/tmp}}. If this is not set, pipewire will create a directory in your home folder instead, called <code>~/pulse</code>, and on attempting to run Pavucontrol or pactl, you will get the following error:<br />
<br />
<pre><br />
$ pactl list<br />
Connection failure: Connection refused<br />
pa_context_connect() failed: Connection refused<br />
</pre><br />
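<br />
The script below is an added example written for this page; it is not part of the wiki or of PipeWire. It prepares and verifies the runtime directory for a session started without a display manager or elogind: the directory must exist, belong to the user and be mode 0700, because PipeWire and its PulseAudio shim create their sockets inside it. The location under <code>/tmp</code> named after the user's numeric id in the usage comment is a common convention assumed here, not something Alpine sets for you.<br />
<br />
```sh
#!/bin/sh
# Added example, not part of the wiki page or of PipeWire: prepare and verify
# XDG_RUNTIME_DIR for a session started without a display manager or elogind.
# PipeWire and the PulseAudio shim create their sockets inside it, so the
# directory must be private to the user: owned by them and mode 0700.
set -u

# Print "ok" when <dir> is usable, otherwise a short reason; returns 1 on failure.
runtime_dir_status() { # runtime_dir_status <dir>
    d=$1
    [ -n "$d" ] || { printf 'unset\n'; return 1; }
    [ -d "$d" ] || { printf 'missing\n'; return 1; }
    [ -O "$d" ] || { printf 'not-owned-by-user\n'; return 1; }
    mode=$(stat -c '%a' "$d")
    [ "$mode" = "700" ] || { printf 'mode-%s\n' "$mode"; return 1; }
    [ -w "$d" ] || { printf 'not-writable\n'; return 1; }
    printf 'ok\n'
}

# Create <dir> with mode 0700 if nothing exists at that path, then validate it.
# An existing directory with the wrong owner or permissions is reported, not
# adopted, so a stale or foreign entry under /tmp is never reused silently.
ensure_runtime_dir() { # ensure_runtime_dir <dir>
    d=$1
    [ -n "$d" ] || { printf 'unset\n'; return 1; }
    if [ ! -e "$d" ]; then
        # -m applies the mode regardless of umask; mkdir fails if a symlink
        # or file already occupies the path.
        mkdir -m 0700 "$d" || { printf 'mkdir-failed\n'; return 1; }
    fi
    runtime_dir_status "$d"
}

# Typical use near the top of ~/.xinitrc or a compositor startup script.
# The /tmp/runtime-UID location is a common convention assumed here, not
# something Alpine sets for you:
#   : "${XDG_RUNTIME_DIR:=/tmp/runtime-$(id -u)}"
#   export XDG_RUNTIME_DIR
#   ensure_runtime_dir "$XDG_RUNTIME_DIR" || { echo "runtime dir unusable" >&2; exit 1; }
```
<br />
Run the <code>ensure_runtime_dir</code> call before <code>pipewire</code> is started; if it reports anything other than <code>ok</code>, fix the directory rather than starting the daemon with sockets in a world-readable location.<br />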
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
Create custom configuration file in {{Path|/etc/pipewire/pipewire.conf}}:<br />
<br />
<pre><br />
# mkdir /etc/pipewire<br />
# cp /usr/share/pipewire/pipewire.conf /etc/pipewire/<br />
</pre><br />
<br />
Uncomment the following line in {{Path|/etc/pipewire/pipewire.conf}}:<br />
<br />
<pre><br />
{ path = "/usr/bin/pipewire-media-session" args = "" }<br />
</pre><br />
<br />
Enable the <code>snd_seq</code> kernel module for ALSA support.<br />
<br />
<pre><br />
# modprobe snd_seq<br />
# echo snd_seq >> /etc/modules<br />
</pre><br />
<br />
=== ALSA ===<br />
<br />
If you use neither JACK nor PulseAudio and don't intend to, enable the ALSA backend directly:<br />
<br />
<pre><br />
# touch /etc/pipewire/media-session.d/with-alsa<br />
</pre><br />
<br />
=== PulseAudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ PulseAudio] daemon which should allow all existing PulseAudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
It should be automatically enabled.<br />
<br />
=== JACK ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ JACK] applications install the required package and make system-wide links to the PipeWire replacement JACK libraries (I have not had success using <code>pw-jack</code>). You will not need to start a JACK server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on:<br />
* GNOME with <code>xdg-desktop-portal-gtk</code><br />
* KDE Plasma with <code>xdg-desktop-portal-kde</code> and Firefox<br />
* Sway with <code>xdg-desktop-portal-wlr</code> and Firefox<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
# apk add pipewire-tools<br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test that sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that audio recording is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test PulseAudio clients using a media player (most use PulseAudio) and if you use JACK test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make PipeWire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=19773LVM on LUKS2021-07-04T14:13:00Z<p>Govynnus: Add section about converting luks2 to luks1</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.<br />
<br />
Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that.<br />
<br />
== Storage Device Name ==<br />
<br />
To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.<br />
<br />
The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different name for your storage device, use the corresponding device name in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.<br />
<br />
Run the scripts in this order:<br />
<br />
<pre># setup-keymap<br />
# setup-hostname<br />
# setup-interfaces<br />
# rc-service networking start</pre><br />
<br />
If you are configuring static networking (i.e. you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.<br />
<br />
If you are using Wi-Fi you may need to run <code>rc-update add wpa_supplicant boot</code>.<br />
<br />
<pre># passwd<br />
# setup-timezone<br />
# rc-update add networking boot<br />
# rc-update add urandom boot<br />
# rc-update add acpid default<br />
# rc-service acpid start</pre><br />
<br />
Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):<br />
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}<br />
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain<br />
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}<br />
<br />
<pre># setup-apkrepos<br />
# apk update<br />
# setup-sshd<br />
# setup-ntp</pre><br />
<br />
Here's where we deviate from the install script.<br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}<br />
<br />
<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre><br />
<br />
Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:<br />
<br />
<pre># apk add haveged<br />
# rc-service haveged start</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
Depending on your motherboard, BIOS features and configuration, you can use either a partition table in the MBR (legacy BIOS) or a GUID Partition Table (GPT). We'll describe both with example layouts.<br />
<br />
=== BIOS/MBR with DOS disklabel ===<br />
<br />
We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. <br><br />
Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is possible only with GPT).<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | Boot partition         | ext4                  |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |<br />
|     |-> /dev/vg0/root     | Root partition         | ext4                  |<br />
|     |-> /dev/vg0/swap     | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel msdos<br />
(parted) mkpart primary ext4 0% 100M<br />
(parted) name 1 boot<br />
(parted) set 1 boot on<br />
(parted) mkpart primary ext4 100M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:<br />
<pre>(parted) print<br />
Model: ATA TOSHIBA ******** (scsi)<br />
Disk /dev/sda: 1000GB<br />
Sector size (logical/physical): 512B/4096B<br />
Partition Table: msdos<br />
Disk Flags:<br />
<br />
Number  Start   End     Size    Type     File system  Flags<br />
 1      1049kB  99.6MB  98.6MB  primary  ext4         boot<br />
 2      99.6MB  1000GB  1000GB  primary  ext4</pre><br />
<br />
=== UEFI with GPT disklabel ===<br />
<br />
We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | EFI system partition   | fat32                 |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |<br />
|     |-> /dev/vg0/root     | Root partition         | ext4                  |<br />
|     |-> /dev/vg0/boot     | Boot partition         | ext4                  |<br />
|     |-> /dev/vg0/swap     | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel gpt<br />
(parted) mkpart primary fat32 0% 200M<br />
(parted) name 1 esp<br />
(parted) set 1 esp on<br />
(parted) mkpart primary ext4 200M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
== Optional: Overwrite LUKS Partition with Random Data ==<br />
<br />
This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.<br />
<br />
We'll use <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high in throughput as <code>/dev/zero</code>), and is (supposedly) very close to truly random.<br />
<br />
<pre># haveged -n 0 | dd of=/dev/sda2</pre><br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition that will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance on modern computers:<br />
<br />
Default settings:<br />
<br />
<pre># cryptsetup luksFormat /dev/sda2</pre><br />
<br />
Optimized for security:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre><br />
<br />
If using Alpine v3.11 or later, and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):<br />
<br />
<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre><br />
<br />
=== Converting between LUKS2 and LUKS1 ===<br />
<br />
It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong:<br />
<br />
<pre># cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup</pre><br />
<br />
Then make sure all keys use <code>pbkdf2</code> by adding a new key with:<br />
<br />
<pre># cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2</pre><br />
<br />
Remove keys that use <code>argon2i</code> or <code>argon2id</code> with <code>cryptsetup luksRemoveKey /dev/sda2</code>. You can check the key information using <code>cryptsetup luksDump /dev/sda2</code>.<br />
<br />
Now you can try the conversion, although it may not work.<br />
<br />
<pre># cryptsetup convert /dev/sda2 --type luks1</pre><br />
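<br />
The script below is an added example for the conversion steps above; it is not part of the wiki page or of cryptsetup. It reads the text that <code>cryptsetup luksDump</code> prints and lists the keyslots still using Argon2, which are the ones that must be replaced with <code>pbkdf2</code> slots before <code>cryptsetup convert --type luks1</code> has a chance of succeeding. The dump it runs on is a constructed excerpt with made-up UUID and no salts or digests, not output from a real device.<br />
<br />
```sh
#!/bin/sh
# Added example, not part of the wiki page or of cryptsetup: read the output
# of "cryptsetup luksDump" and report which keyslots still use Argon2, i.e.
# which must be replaced before "cryptsetup convert --type luks1" can succeed.
# Real use:  cryptsetup luksDump /dev/sda2 > dump.txt; argon_keyslots dump.txt
set -u

# Print the LUKS header version ("1" or "2") found in a luksDump file.
luks_version() { # luks_version <dump-file>
    sed -n 's/^Version:[[:space:]]*//p' "$1"
}

# Print the numbers of keyslots whose PBKDF is not pbkdf2, space separated.
# Only the "Keyslots:" section is inspected; the "Digests:" section also
# mentions pbkdf2 but describes no keyslot.
argon_keyslots() { # argon_keyslots <dump-file>
    awk '
        /^Keyslots:/                { in_slots = 1; next }
        /^[A-Za-z]/                 { in_slots = 0 }          # next top-level heading
        in_slots && /^  [0-9]+: /   { slot = $1; sub(":", "", slot) }
        in_slots && /^[ \t]*PBKDF:/ && $2 != "pbkdf2" { printf "%s ", slot }
        END                         { printf "\n" }
    ' "$1" | sed 's/ $//'
}

# Succeeds (exit 0) only for a LUKS2 header in which every keyslot uses pbkdf2.
luks1_convertible() { # luks1_convertible <dump-file>
    [ "$(luks_version "$1")" = "2" ] && [ -z "$(argon_keyslots "$1")" ]
}

# Constructed luksDump excerpt standing in for a real header: the UUID is
# made up, salts and digests are omitted, and no device was involved.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
LUKS header information
Version:        2
Epoch:          5
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-1111-2222-3333-444444444444
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
  2: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2i
        Time cost:  4
        Memory:     1048576
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
EOF

printf 'LUKS version: %s\n' "$(luks_version "$SAMPLE_DUMP")"
printf 'keyslots still using Argon2: %s\n' "$(argon_keyslots "$SAMPLE_DUMP")"
```
<br />
On the constructed dump the script reports slots 0 and 2, so the conversion would be refused until those two slots are removed with <code>luksRemoveKey</code> (after the pbkdf2 slot has been verified to unlock the volume); rerun the check on a fresh dump before attempting <code>cryptsetup convert</code>.<br />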
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>lvmcrypt</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
=== LV Creation for BIOS/MBR ===<br />
<br />
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
=== LV Creation for UEFI/GPT ===<br />
<br />
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -L 2G vg0 -n boot<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
== Creating and Mounting the File Systems ==<br />
<br />
Format the <code>root</code> LV using the ext4 file system:<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
Next format your boot partition, create a mount point, then mount it:<br />
<br />
* If you're using BIOS and MBR:<br />
<br />
<pre># mkfs.ext4 /dev/sda1<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/sda1 /mnt/boot</pre><br />
<br />
* If you're using UEFI and GPT:<br />
<br />
<pre># apk add dosfstools<br />
# mkfs.fat -F32 /dev/sda1<br />
# mkfs.ext4 /dev/vg0/boot<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/vg0/boot /mnt/boot<br />
# mkdir -v /mnt/boot/efi<br />
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre><br />
<br />
Lastly, activate your swap partition:<br />
<br />
<pre># swapon /dev/vg0/swap</pre><br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}}<br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file, so we need to add the following line to the {{Path|/mnt/etc/fstab}} file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
<br />
<pre>features="... cryptsetup"</pre><br />
<br />
If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.<br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the <code>keymap</code> feature to the list above.}}<br />
<br />
{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}}<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/)</code> option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
<br />
To get the UUID of your storage device into a file for later use, run this command:<br />
<br />
<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre><br />
<br />
{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}<br />
<br />
=== Syslinux with BIOS ===<br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:<br />
<br />
<pre>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</pre><br />
<br />
The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above.<br />
<br />
We can also double-check that <code>modules</code> and <code>root</code> are set correctly, e.g.:<br />
<pre><br />
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm<br />
root=UUID=<UUID of /dev/mapper/vg0-root><br />
</pre><br />
<br />
Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre># chroot /mnt/<br />
# update-extlinux<br />
# exit</pre><br />
<br />
: Because we didn't mount <code>/dev</code> or <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when running the <code>update-extlinux</code> command. You can most likely ignore these.<br />
<br />
Write the MBR (without partition table) to the <code>/dev/sda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre><br />
<br />
=== Grub with UEFI ===<br />
<br />
To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.<br />
<br />
<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin<br />
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin<br />
</pre><br />
<br />
This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security at rest; keep it readable by root only, since anyone able to read it while the system is unlocked can unlock the volume with it.<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre># mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
# mount --rbind /sys /mnt/sys</pre><br />
<br />
Then run chroot and use <code>grub-install</code> to install Grub.<br />
<br />
<pre># chroot /mnt<br />
# source /etc/profile<br />
# export PS1="(chroot) $PS1"</pre><br />
<br />
Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:<br />
<br />
<pre># apk add grub grub-efi efibootmgr<br />
# apk del syslinux</pre><br />
<br />
Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):<br />
<br />
<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre><br />
<br />
The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we configured a few lines above.<br />
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.<br />
<br />
To enable GRUB to decrypt LUKS partitions and read LVM volumes add:<br />
<br />
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre><br />
<br />
If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.<br />
<br />
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit</pre><br />
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:<br />
<br />
<pre># cd<br />
# umount -l /mnt/dev<br />
# umount -l /mnt/proc<br />
# umount -l /mnt/sys<br />
# umount /mnt/boot/efi<br />
# umount /mnt/boot<br />
# swapoff /dev/vg0/swap<br />
# umount /mnt<br />
# vgchange -a n<br />
# cryptsetup luksClose lvmcrypt<br />
# reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Open the LUKS partition and activate the LVs:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt<br />
# vgchange -ay</pre><br />
<br />
[[#Creating_and_Mounting_the_File_Systems|Mount the file systems]].<br />
<br />
Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.<br />
<br />
== System can't find boot device ==<br />
<br />
* GPT partition table on a motherboard that runs BIOS instead of UEFI<br />
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings<br />
<br />
== I see "can not mount /sysroot" during boot ==<br />
<br />
* incorrect device UUID<br />
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code><br />
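<br />
The script below is an added example for the "Installing Alpine Linux" and "Syslinux with BIOS" steps above and for the two boot failures just listed; it is not part of the wiki page or of Alpine's tooling. It checks the <code>features</code> line of <code>mkinitfs.conf</code> for the entries LVM on LUKS needs and validates <code>default_kernel_opts</code> in <code>update-extlinux.conf</code> (correct <code>cryptroot</code> UUID, correct <code>cryptdm</code> mapping, no placeholder left behind), so these mistakes are caught before the first reboot rather than at "can not mount /sysroot". The configuration files and the UUID it runs on are constructed samples, not taken from a real system; on a real install point the functions at the files under <code>/mnt/etc/</code>.<br />
<br />
```sh
#!/bin/sh
# Added example, not part of the wiki page or of Alpine's tooling: check the
# two files this guide edits before leaving the live environment, so that a
# missing initramfs feature or a placeholder left in the kernel options is
# caught before the first reboot instead of at "can not mount /sysroot".
set -u

# Print the value of a KEY="..." assignment in a config file (last one wins).
conf_value() { # conf_value <file> <key>
    sed -n "s/^$2=\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

# Print the mkinitfs features needed for LVM on LUKS that are absent from
# the features= line; prints nothing when all are present.
missing_features() { # missing_features <mkinitfs.conf>
    feats=$(conf_value "$1" features)
    missing=""
    for f in cryptsetup lvm ext4; do
        case " $feats " in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Validate default_kernel_opts in update-extlinux.conf: cryptroot must carry
# the real UUID of the LUKS partition, cryptdm must name the mapping used with
# luksOpen, and no "<UUID" placeholder may be left behind. Prints "ok" or the
# first problem found; returns 1 on a problem.
check_kernel_opts() { # check_kernel_opts <update-extlinux.conf> <luks-uuid> <mapping>
    opts=$(conf_value "$1" default_kernel_opts)
    case "$opts" in
        *"<UUID"*) printf 'placeholder left in kernel options\n'; return 1 ;;
    esac
    case " $opts " in
        *" cryptroot=UUID=$2 "*) ;;
        *) printf 'cryptroot does not reference UUID %s\n' "$2"; return 1 ;;
    esac
    case " $opts " in
        *" cryptdm=$3 "*) ;;
        *) printf 'cryptdm is not %s\n' "$3"; return 1 ;;
    esac
    printf 'ok\n'
}

# Constructed sample files standing in for /mnt/etc/mkinitfs/mkinitfs.conf and
# /mnt/etc/update-extlinux.conf; the UUID is made up, not from a real device.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_UUID="0f1e2d3c-4b5a-4c6d-8e7f-000000000001"
printf 'features="ata base ide scsi usb virtio ext4 lvm cryptsetup"\n' \
    > "$SAMPLE_DIR/mkinitfs.good.conf"
printf 'features="ata base ide scsi usb virtio ext4"\n' \
    > "$SAMPLE_DIR/mkinitfs.bad.conf"
printf 'default_kernel_opts="quiet rootfstype=ext4 cryptroot=UUID=%s cryptdm=lvmcrypt"\n' \
    "$SAMPLE_UUID" > "$SAMPLE_DIR/extlinux.good.conf"
printf 'default_kernel_opts="quiet rootfstype=ext4 cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"\n' \
    > "$SAMPLE_DIR/extlinux.placeholder.conf"

# Demonstration on the constructed samples
printf 'missing features in bad sample: %s\n' \
    "$(missing_features "$SAMPLE_DIR/mkinitfs.bad.conf")"
check_kernel_opts "$SAMPLE_DIR/extlinux.placeholder.conf" "$SAMPLE_UUID" lvmcrypt || true
```
<br />
On a real install, pass the UUID printed by <code>blkid -s UUID -o value /dev/sda2</code> and the mapping name given to <code>luksOpen</code> (<code>lvmcrypt</code> in this guide); the feature list checked is the minimum for this layout, so extend the loop with whatever <code>mkinitfs -L</code> shows your hardware needs (for example <code>nvme</code> or <code>keymap</code>).<br />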
<br />
== Secure boot ==<br />
<br />
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.<br />
<br />
= Hardening =<br />
<br />
* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]), since cryptsetup with LUKS uses AES by default.<br />
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]<br />
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.<br />
<br />
= Mounting additional encrypted filesystems at boot =<br />
<br />
If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required.<br />
{{Note|This does not apply to volumes within your main encrypted partition <code>/dev/sda2</code>}}<br />
For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.<br />
<br />
Create a keyfile and add it to the LUKS partition:<br />
<br />
<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin<br />
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin<br />
</pre><br />
<br />
Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:<br />
<br />
<pre>target=crypt-home<br />
source='/dev/sdb1'<br />
key='/root/crypt-home-keyfile.bin'<br />
</pre><br />
<br />
Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:<br />
<br />
<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre><br />
<br />
Enable the dmcrypt and lvm services to start on boot:<br />
<br />
<pre># rc-update add dmcrypt boot<br />
# rc-update add lvm boot<br />
</pre><br />
<br />
After a reboot the partition should be decrypted and mounted automatically.<br />
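A keyfile that other users can read defeats the purpose of the encrypted volume, so it is worth checking before it is handed to <code>cryptsetup luksAddKey</code> or referenced from <code>/etc/conf.d/dmcrypt</code>. The script below is an added example; it is not part of this wiki page or of Alpine's <code>dmcrypt</code> service. It creates the keyfile under a restrictive umask and then verifies that it is a regular file, has no group or other permission bits, and holds at least the 2048 bytes that the <code>dd bs=512 count=4</code> command above produces. The function names <code>make_keyfile</code> and <code>check_keyfile</code> and the reliance on <code>stat -c</code> (GNU coreutils or BusyBox) are this example's own assumptions; the demonstration at the end runs on a temporary file and touches no LUKS device.<br />

```sh
#!/bin/sh
# Added example (not part of the Alpine wiki page): create and sanity-check a
# LUKS keyfile before it is added with `cryptsetup luksAddKey` or referenced
# from /etc/conf.d/dmcrypt. Assumes GNU or BusyBox `stat -c`; the function
# names and the 2048-byte minimum (dd bs=512 count=4, as on the page) are
# this example's own choices.

# make_keyfile PATH [BYTES]
# Creates PATH from /dev/urandom. The umask is set in a subshell before the
# file exists, so the key is never readable by other users, not even briefly.
make_keyfile() {
    _kf_path=$1
    _kf_bytes=${2:-2048}
    ( umask 077 && dd if=/dev/urandom of="$_kf_path" bs="$_kf_bytes" count=1 2>/dev/null )
}

# check_keyfile PATH
# Returns 0 if PATH is a regular file, has no group/other permission bits and
# holds at least 2048 bytes; otherwise prints the reason on stderr and returns 1.
check_keyfile() {
    _kf_path=$1
    if [ ! -f "$_kf_path" ]; then
        echo "$_kf_path: not a regular file" >&2
        return 1
    fi
    _kf_mode=$(stat -c '%a' "$_kf_path") || return 1
    _kf_size=$(stat -c '%s' "$_kf_path") || return 1
    # 0$mode reads the octal mode; 077 masks the group and other bits.
    if [ $(( 0$_kf_mode & 077 )) -ne 0 ]; then
        echo "$_kf_path: mode $_kf_mode is readable by group or other users" >&2
        return 1
    fi
    if [ "$_kf_size" -lt 2048 ]; then
        echo "$_kf_path: only $_kf_size bytes, expected at least 2048" >&2
        return 1
    fi
    return 0
}

# Demonstration on a constructed temporary file; no LUKS device is touched.
_demo=$(mktemp)
make_keyfile "$_demo"
check_keyfile "$_demo" && echo "fresh keyfile accepted"
chmod 644 "$_demo"
check_keyfile "$_demo" || echo "world-readable keyfile rejected"
rm -f "$_demo"
```

To apply it to the keyfile from the steps above, run <code>make_keyfile /root/crypt-home-keyfile.bin</code> in place of the <code>dd</code> command and <code>check_keyfile /root/crypt-home-keyfile.bin</code> before <code>cryptsetup luksAddKey</code>. The check only inspects the file itself; it still has to live on the encrypted root so that it is unreadable while the system is powered off.<br />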
<br />
= See also =<br />
*[[Bootloaders]]<br />
*[[Alpine setup scripts]]<br />
*[[Installing on GPT LVM]]<br />
*[[Setting up LVM on GPT-labeled disks]]<br />
*[[Setting up disks manually]]<br />
*https://wiki.gentoo.org/wiki/Syslinux<br />
*https://wiki.gentoo.org/wiki/GRUB2<br />
*https://wiki.archlinux.org/index.php/Syslinux<br />
*https://wiki.archlinux.org/index.php/GRUB<br />
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide<br />
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/<br />
*https://wiki.gentoo.org/wiki/Dm-crypt<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=19587PipeWire2021-06-11T17:32:34Z<p>Govynnus: </p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in again for this to take effect.<br />
<br />
<pre><br />
# addgroup audio <user><br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
=== XDG_RUNTIME_DIR ===<br />
<br />
If you are not using a Desktop Manager, ensure that your <code>XDG_RUNTIME_DIR</code> is set to a user-writable location. By default for PulseAudio this is <code>/run/user/1000/</code> or <code>/tmp</code>. If it is not set, PipeWire will instead create a directory called <code>~/pulse</code> in your home folder, and on attempting to run Pavucontrol or pactl you will get the following error:<br />
<br />
<pre><br />
$ pactl list<br />
Connection failure: Connection refused<br />
pa_context_connect() failed: Connection refused<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
Create custom configuration file in <code>/etc/pipewire/pipewire.conf</code>:<br />
<br />
<pre><br />
# mkdir /etc/pipewire<br />
# cp /usr/share/pipewire/pipewire.conf /etc/pipewire/<br />
</pre><br />
<br />
Uncomment the following line in <code>/etc/pipewire/pipewire.conf</code>:<br />
<br />
<pre><br />
{ path = "/usr/bin/pipewire-media-session" args = "" }<br />
</pre><br />
<br />
Enable the <code>snd_seq</code> kernel module for ALSA support.<br />
<br />
<pre><br />
# modprobe snd_seq<br />
# echo snd_seq >> /etc/modules<br />
</pre><br />
<br />
=== ALSA ===<br />
<br />
If you use neither JACK nor PulseAudio and do not intend to:<br />
<br />
<pre><br />
# touch /etc/pipewire/media-session.d/with-alsa<br />
</pre><br />
<br />
=== PulseAudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ PulseAudio] daemon which should allow all existing PulseAudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the PulseAudio daemon edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
{ path = "/usr/bin/pipewire" args = "-c pipewire-pulse.conf" }<br />
</pre><br />
<br />
=== JACK ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ JACK] applications, install the required package and make system-wide links to the PipeWire replacement JACK libraries (I have not had success using <code>pw-jack</code>). You will not need to start a JACK server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on:<br />
* GNOME with <code>xdg-desktop-portal-gtk</code><br />
* KDE Plasma with <code>xdg-desktop-portal-kde</code> and Firefox<br />
* Sway with <code>xdg-desktop-portal-wlr</code> and Firefox<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test that sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that recording audio works.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test PulseAudio clients using a media player (most use PulseAudio) and, if you use JACK, test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make PipeWire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18739PipeWire2021-03-23T18:32:38Z<p>Govynnus: Update for new pipewire configuration format</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in for this to take effect.<br />
<br />
<pre><br />
# addgroup audio <user><br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
Uncomment the following line in <code>/etc/pipewire/pipewire.conf</code>:<br />
<br />
<pre><br />
{ path = "/usr/bin/pipewire-media-session" args = "" }<br />
</pre><br />
<br />
Enable the <code>snd_seq</code> kernel module for ALSA support.<br />
<br />
<pre><br />
# modprobe snd_seq<br />
# echo snd_seq >> /etc/modules<br />
</pre><br />
<br />
=== PulseAudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ PulseAudio] daemon which should allow all existing PulseAudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the PulseAudio daemon edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
{ path = "/usr/bin/pipewire" args = "-c pipewire-pulse.conf" }<br />
</pre><br />
<br />
=== JACK ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ JACK] applications install the required package and make system wide links to the PipeWire replacement JACK libraries (I have not had success using <code>pw-jack</code>). You will not need to start a JACK server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on GNOME with <code>xdg-desktop-portal-gtk</code> and on KDE Plasma with <code>xdg-desktop-portal-kde</code> and Firefox.<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone test recording audio is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test PulseAudio clients using a media player (most use PulseAudio) and if you use JACK test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make PipeWire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18672PipeWire2021-02-23T11:58:02Z<p>Govynnus: Capitalise names of software</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in for this to take effect.<br />
<br />
<pre><br />
# addgroup audio <user><br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
Enable the <code>snd_seq</code> kernel module for ALSA support.<br />
<br />
<pre><br />
# modprobe snd_seq<br />
# echo snd_seq >> /etc/modules<br />
</pre><br />
<br />
=== PulseAudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ PulseAudio] daemon which should allow all existing PulseAudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the PulseAudio daemon edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
"/usr/bin/pipewire" = { args = "-c pipewire-pulse.conf" }<br />
</pre><br />
<br />
=== JACK ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ JACK] applications install the required package and make system wide links to the PipeWire replacement JACK libraries (I have not had success using <code>pw-jack</code>). You will not need to start a JACK server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on GNOME with <code>xdg-desktop-portal-gtk</code> and on KDE Plasma with <code>xdg-desktop-portal-kde</code> and Firefox.<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone test recording audio is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test PulseAudio clients using a media player (most use PulseAudio) and if you use JACK test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make PipeWire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18671PipeWire2021-02-23T11:53:10Z<p>Govynnus: Update pulseaudio instructions</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in for this to take effect.<br />
<br />
<pre><br />
# addgroup audio <user><br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
Enable the <code>snd_seq</code> kernel module for ALSA support.<br />
<br />
<pre><br />
# modprobe snd_seq<br />
# echo snd_seq >> /etc/modules<br />
</pre><br />
<br />
=== Pulseaudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ Pulseaudio] daemon which should allow all existing Pulseaudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the Pulseaudio daemon edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
"/usr/bin/pipewire" = { args = "-c pipewire-pulse.conf" }<br />
</pre><br />
<br />
=== Jack ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ Jack] applications install the required package and make system wide links to the PipeWire replacement Jack libraries (I have not had success using <code>pw-jack</code>). You will not need to start a Jack server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on GNOME with <code>xdg-desktop-portal-gtk</code> and on KDE Plasma with <code>xdg-desktop-portal-kde</code> and Firefox.<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone test recording audio is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test Pulseaudio clients using a media player (most use Pulseaudio) and if you use Jack test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make pipewire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18592PipeWire2021-01-21T16:28:24Z<p>Govynnus: Add instructions for enabling snd_seq module</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in for this to take effect.<br />
<br />
<pre><br />
# addgroup audio <user><br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
Enable the <code>snd_seq</code> kernel module for ALSA support.<br />
<br />
<pre><br />
# modprobe snd_seq<br />
# echo snd_seq >> /etc/modules<br />
</pre><br />
<br />
=== Pulseaudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ Pulseaudio] daemon which should allow all existing Pulseaudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the Pulseaudio daemon edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
"/usr/bin/pipewire-pulse" = { "#args" = "-a tcp:4713" }<br />
</pre><br />
<br />
If your PipeWire version is less than or equal to 0.3.18 you instead need to uncomment:<br />
<br />
<pre><br />
exec /usr/bin/pipewire-pulse<br />
</pre><br />
<br />
=== Jack ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ Jack] applications install the required package and make system wide links to the PipeWire replacement Jack libraries (I have not had success using <code>pw-jack</code>). You will not need to start a Jack server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on GNOME with <code>xdg-desktop-portal-gtk</code> and Firefox.<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone test recording audio is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test Pulseaudio clients using a media player (most use Pulseaudio) and if you use Jack test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make pipewire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18518PipeWire2021-01-07T14:00:10Z<p>Govynnus: Update pulseaudio instructions for new config format in 0.3.19</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in for this to take effect.<br />
<br />
<pre><br />
# addgroup audio <user><br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
=== Pulseaudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ Pulseaudio] daemon which should allow all existing Pulseaudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the Pulseaudio daemon edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
"/usr/bin/pipewire-pulse" = { "#args" = "-a tcp:4713" }<br />
</pre><br />
<br />
If your PipeWire version is less than or equal to 0.3.18 you instead need to uncomment:<br />
<br />
<pre><br />
exec /usr/bin/pipewire-pulse<br />
</pre><br />
<br />
=== Jack ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ Jack] applications install the required package and make system wide links to the PipeWire replacement Jack libraries (I have not had success using <code>pw-jack</code>). You will not need to start a Jack server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on GNOME with <code>xdg-desktop-portal-gtk</code> and Firefox.<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test that sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that recording audio works as well.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test Pulseaudio clients using a media player (most use Pulseaudio); if you use Jack, test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make pipewire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=How_to_get_regular_stuff_working&diff=18487How to get regular stuff working2021-01-05T17:08:55Z<p>Govynnus: Update mdocml-apropos to mandoc-apropos</p>
<hr />
<div>== Man pages ==<br />
<br />
Not all man-pages are in Alpine, but this will get you most of the way there:<br />
<br />
'''apk add mandoc man-pages mandoc-apropos less less-doc'''<br />
'''export PAGER=less'''<br />
<br />
The above only provides ''core'' man pages. Other packages typically don't include their own man pages (nor other documentation). Rather, they provide an associated package that carries such stuff. For example:<br />
<br />
$ '''apk add curl'''<br />
$ '''man curl'''<br />
man: No entry for curl in the manual.<br />
$ '''apropos curl | wc -l'''<br />
0 <span style="color: green;">''After adding curl, there are no man pages''</span><br />
$ '''apk add curl-doc'''<br />
(1/1) Installing curl-doc (7.52.1-r2)<br />
Executing mandoc-apropos-1.13.3-r6.trigger<br />
OK: 60 MiB in 31 packages<br />
$ '''apropos curl | wc -l'''<br />
366 <span style="color: green;">''Now, with curl-doc installed, there's a boatload of pages!''</span><br />
<br />
'''NOTE:''' Not all packages separate out their documentation, but it is the ''Alpine Way'' (e.g. small footprint). Some packages don't provide any installable documentation at all, neither within themselves nor in an associated doc package. Further, appending "-doc" is merely a convention; the core man pages, for instance, are in ''man-pages'' (as in the ''apk add ...'' command above). To find the right documentation package, try something like:<br />
<br />
$ '''apk search gcc | grep ^gcc'''<br />
gcc-objc-5.3.0-r0<br />
gcc-gnat-5.3.0-r0<br />
gcc-5.3.0-r0<br />
gcc-java-5.3.0-r0<br />
gcc-doc-5.3.0-r0 <span style="color: green;">''Here it is!''</span><br />
<br />
'''FINALLY:''' If you're wondering why I've added ''less'' (and ''less-doc''), it's because ''man'' doesn't work correctly with ''more'' (the default pager). Don't fret too much about bloating up Alpine, though - adding man pages has a bigger footprint than less (''"less is more than man"???'')<br />
<br />
If you would like documentation packages to be pulled in automatically you can add the <code>docs</code> meta package.<br />
<br />
== Operational hints ==<br />
<br />
==== Shell @ commandline ====<br />
<br />
Alpine comes with busybox by default. Busybox is a single binary to which the names of numerous utilities are symlinked. Though busybox is not that bad, its versions of the commands implement a reduced set of options compared to the full-featured ones.<br />
<br />
* Funny characters at the console<br />
Edit the file at {{Path|/etc/rc.conf}} and change line 92 to:<br />
unicode="YES"<br />
<br />
* Bash<br />
It is easy enough to have bash installed, but this does not mean the symlinks to busybox are gone.<br />
<br />
Install bash with: <br />
apk add bash bash-doc bash-completion<br />
<br />
* Shell utilities (things like grep, [[awk]], ls are all busybox symlinks)<br />
apk add util-linux pciutils usbutils coreutils binutils findutils grep<br />
<br />
* /etc/{shadow,group} manipulation requires<br />
apk add shadow<br />
<br />
==== Disk Management ==== <br />
<br />
Disk management is much easier with udisks or udisks2.<br />
<br />
Installation <br />
<br />
apk add udisks2 udisks2-doc<br />
<br />
See the mounted disks<br />
<br />
udisksctl status<br />
<br />
== Compiling : a few notes and a reminder ==<br />
<br />
Compiling in Alpine may be more challenging because it uses [http://www.musl-libc.org/ musl-libc] instead of glibc. Please review [http://wiki.musl-libc.org/wiki/Functional_differences_from_glibc 'The functional differences with glibc' ] if you are thinking of porting packages, or just for the sake of knowing, of course.<br />
<br />
Alpine offers the usual build tooling such as gcc and cmake, among others.<br />
<br />
==== (unvalidated) apk packages to install so one can start building software ====<br />
apk add build-base gcc abuild binutils binutils-doc gcc-doc<br />
<br />
==== a complete install for cmake looks like ====<br />
<br />
apk add cmake cmake-doc extra-cmake-modules extra-cmake-modules-doc<br />
<br />
==== ccache is also available ====<br />
<br />
apk add ccache ccache-doc<br />
<br />
[[Category:Installation]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18484PipeWire2021-01-04T17:51:53Z<p>Govynnus: Add multimedia category</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log out and log in again for this to take effect.<br />
<br />
<pre><br />
# addgroup <user> audio<br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
=== Pulseaudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ Pulseaudio] daemon which should allow all existing Pulseaudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the Pulseaudio daemon edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
exec /usr/bin/pipewire-pulse<br />
</pre><br />
<br />
=== Jack ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ Jack] applications, install the required package and make system-wide links to the PipeWire replacement Jack libraries (I have not had success using <code>pw-jack</code>). You will not need to start a Jack server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
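Because the note above warns that package updates can overwrite these symlinks, the following is an added POSIX shell check (example code written for this page, not part of the wiki page or of the PipeWire project) that verifies the three system-wide Jack library names still resolve to PipeWire's replacements under <code>/usr/lib/pipewire-0.3/jack/</code>. The function name <code>check_pipewire_jack_links</code>, its optional library-directory argument and the <code>demo_pipewire_jack_links</code> helper are assumptions of this example; the demo builds a throwaway directory tree so it can be run without touching <code>/usr/lib</code>.<br />

```shell
#!/bin/sh
# Added example for the PipeWire wiki page (not from the page or the project).
# Verifies that the Jack library names on the system are symlinks that point
# at PipeWire's replacement libraries, so a package update that silently put
# the real Jack libraries back is noticed before applications start failing.
#
# Usage on a real system:   check_pipewire_jack_links            # checks /usr/lib
# Usage on another prefix:  check_pipewire_jack_links /some/libdir

check_pipewire_jack_links() {
    libdir="${1:-/usr/lib}"        # assumed default; matches the page's ln commands
    rc=0
    for lib in libjackserver.so.0 libjacknet.so.0 libjack.so.0; do
        link="$libdir/$lib"
        want="$libdir/pipewire-0.3/jack/$lib"
        if [ ! -L "$link" ]; then
            echo "MISSING/NOT-A-SYMLINK: $link"
            rc=1
            continue
        fi
        target=$(readlink "$link")
        # Accept both absolute and relative symlink spellings.
        case "$target" in
            /*) resolved="$target" ;;
            *)  resolved="$libdir/$target" ;;
        esac
        if [ "$resolved" != "$want" ]; then
            echo "WRONG TARGET: $link -> $target (expected $want)"
            rc=1
        elif [ ! -e "$want" ]; then
            echo "DANGLING: $link -> $want does not exist"
            rc=1
        else
            echo "OK: $link -> $want"
        fi
    done
    return $rc
}

# Constructed demonstration: build a temporary lib tree with the three links
# in place, run the check (expected to pass), then simulate an update that
# replaced one symlink with a regular file and run it again (expected to fail).
# Returns 0 only if both outcomes are as expected.
demo_pipewire_jack_links() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pipewire-0.3/jack"
    for lib in libjackserver.so.0 libjacknet.so.0 libjack.so.0; do
        : > "$tmp/pipewire-0.3/jack/$lib"              # constructed empty stand-ins
        ln -sf "$tmp/pipewire-0.3/jack/$lib" "$tmp/$lib"
    done
    if check_pipewire_jack_links "$tmp"; then intact=0; else intact=1; fi
    rm -f "$tmp/libjack.so.0"
    : > "$tmp/libjack.so.0"                            # no longer a symlink
    if check_pipewire_jack_links "$tmp"; then broken=0; else broken=1; fi
    rm -rf "$tmp"
    echo "intact-tree-check=$intact broken-tree-check=$broken"
    [ "$intact" -eq 0 ] && [ "$broken" -eq 1 ]
}

demo_pipewire_jack_links
```

On a real Alpine system, run <code>check_pipewire_jack_links</code> with no arguments after every <code>apk upgrade</code>; a non-zero exit status means at least one of the <code>ln -sf</code> commands above needs to be repeated.<br />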
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on GNOME with <code>xdg-desktop-portal-gtk</code> and Firefox.<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test that sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that recording audio works as well.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test Pulseaudio clients using a media player (most use Pulseaudio); if you use Jack, test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make pipewire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=Tutorials_and_Howtos&diff=18483Tutorials and Howtos2021-01-04T17:50:50Z<p>Govynnus: /* Desktop Environment */ Add PipeWire page</p>
<hr />
<div>{{Todo|This material needs to be re-organized: '''Howtos are smaller articles''' and '''tutorials are more detailed documents'''; both need to be reordered as independent sections.}}<br />
<br />
[[Image:package_edutainment.svg|right|link=]]<br />
{{TOC left}}<br />
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''<br />
<br />
'''The tutorials are hands-on''' and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.<br />
<br />
'''Howtos are smaller articles''' explaining how to perform a particular task with Alpine Linux, and they expect minimal knowledge from the reader to perform the actions.<br />
<br />
'''IMPORTANT:''' contributions to these pages must be complete articles; requests for topics to be covered are also welcome, but do not overwrite contributions already made. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].<br />
<br />
-----------------------------------------------------------------<br />
<br />
All of '''the pages linked here will help you do many things''' with the Alpine '''O'''perating '''S'''ystem, or Alpine '''OS'''.<br />
<br />
Alpine is the main program, the '''OS''' (Operating System): it runs directly on the '''machine/PC/laptop''', and on top of the '''OS''' run programs such as an internet web browser ({{Pkg|firefox}}, {{Pkg|chromium}}), while web pages like "facebook" in turn run inside that web browser.<br />
<br />
{{Clear}}<br />
<br />
== New users and Newbies ==<br />
<br />
* [[Newbie Alpine Ecosystem]] (for overall information in funny sections)<br />
<br />
==== Installation: Use cases ====<br />
<br />
* [[Alpine newbie install manual]]<br />
** [[Alpine Install: from a disc to a new computer single only boot]]<br />
** [[Alpine Install: from a disc to a old computer single only boot]]<br />
** [[Alpine Install: from a disc to a virtualbox machine single only]]<br />
** [[Alpine Install: from a iso to a virtualbox machine with external disc]]<br />
* [[Alpine_newbie_install_manual#Ways_to_install_Alpine_listed_by_architectures|Ways to install listed by architectures]]<br />
** [[Alpine_newbie_install_manual#x86_64_x86_32_x86|x86_64 x86_32 x86 s390]]<br />
** [[Alpine_newbie_install_manual#armhf_armv7|armhf armv7 aarch64]]<br />
** [[Alpine_newbie_install_manual#ppc64le|ppc64le others PPC]]<br />
<br />
==== Postinstall: desktops and applications ====<br />
<br />
* [[Alpine newbie apk packages|Overall info and minimal packages common to any working desktop]]<br />
** [[Alpine newbie desktops|Alpine newbie desktops, (overall information only)]]<br />
** [[Alpine Newbies XFCE Desktop Environment]]<br />
** [[Alpine Newbies LXDE Desktop Environment]]<br />
** [[Alpine Newbies Openbox Window Manager|Alpine Newbies Xorg and Openbox Window Manager]]<br />
** [[MATE|Alpine Newbies MATE Desktop Environment]]<br />
* [[Alpine and UEFI|Alpine and UEFI Support Status and related topics]]<br />
<br />
==== Developers: compilers, IDE's and tools ====<br />
<br />
* [[Alpine newbie developer]]<br />
** [[Alpine_newbie_developer: gitea|Alpine_newbie_developer: Git management web frontend gitea]]<br />
** [[Alpine newbie developer: full stack web]]<br />
<br />
==== Servers: deploy in production ====<br />
<br />
* [[Alpine production deploy]]<br />
** [[Production Web server: Lighttpd‎‎]]<br />
** [[Production DataBases : mysql]]<br />
** [[Production LAMP system: Lighttpd + PHP + MySQL‎‎]]<br />
* Alpine production monitoring<br />
** [[Cacti: traffic analysis and monitoring network]]<br />
<br />
== Storage ==<br />
<br />
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)'' <!-- Installation and Storage --><br />
** [[Back Up a Flash Memory Installation]] <!-- Installation and Storage --><br />
** [[Manually editing a existing apkovl]]<br />
<br />
* [[Setting up disks manually]] <!-- Installation and Storage --><br />
* [[Setting up a software RAID array]]<br />
<!-- ** [[Setting up a /var partition on software IDE raid1]] Obsolete, Installation and Storage --> <br />
* [[Raid Administration]]<br />
* [[Setting up encrypted volumes with LUKS]]<br />
* [[Setting up LVM on LUKS]]<br />
* [[Setting up Logical Volumes with LVM]]<br />
** [[Setting up LVM on GPT-labeled disks]]<br />
** [[Installing on GPT LVM]]<br />
* [[Filesystems|Formatting HD/Floppy/Other]] <!-- just a stub --><br />
<br />
* [[Setting up iSCSI]]<br />
** [[iSCSI Raid and Clustered File Systems]]<br />
* [[Setting up NBD]]<br />
* [[Setting up ZFS on LUKS]]<br />
* [[Setting up ZFS with native encryption]]<br />
* [[High performance SCST iSCSI Target on Linux software Raid]] ''(deprecated)'' <!-- solution --><br />
* [[Linux iSCSI Target (TCM)]]<br />
* [[Disk Replication with DRBD]] <!-- draft --><br />
<br />
* [[Burning ISOs]] <!-- just some links now --><br />
* [[Partitioning and Bootmanagers]]<br />
* [[Migrating data]]<br />
* [[Create a bootable SDHC from a Mac]]<br />
* [[Alpine on ARM]]<br />
<br />
== Networking ==<br />
<br />
* [[Configure Networking]]<br />
* [[Connecting to a wireless access point]]<br />
* [[Bonding]]<br />
* [[Vlan]]<br />
* [[Bridge]]<br />
* [[Bridge wlan0 to eth0]]<br />
* [[OpenVSwitch]]<br />
* [[How to configure static routes]]<br />
* [[Configure a Wireguard interface (wg)]]<br />
<br />
* [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]] ''(a new firewall management framework)''<br />
<br />
* [[PXE boot]]<br />
<br />
* [[Using serial modem]]<br />
* [[Using HSDPA modem]]<br />
* [[Setting up Satellite Internet Connection]]<br />
* [[Using Alpine on Windows domain with IPSEC isolation]]<br />
<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)'' <!-- Server and Networking --><br />
* [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''<br />
* [[How to set up Alpine as a wireless router]] ''(Setting up a firewalled, Wireless AP with wired network on a Pi Zero W)''<br />
* [[Setting up a OpenVPN server with Alpine]] ''(Allowing single users or devices to remotely connect to your network)''<br />
<!-- [[Using Racoon for Remote Sites]] is a different VPN tunnelling method, but that article is just a stub --><br />
* [[Experiences with OpenVPN-client on ALIX.2D3]] <!-- solution --><br />
<br />
* [[Generating SSL certs with ACF]] <!-- Generating SSL certs with ACF 1.9 --><br />
* [[Setting up unbound DNS server]]<br />
* [[Setting up nsd DNS server]]<br />
* [[TinyDNS Format]]<br />
* [[Fault Tolerant Routing with Alpine Linux]] <!-- solution --><br />
* [[Freeradius Active Directory Integration]]<br />
* [[Multi_ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''<br />
* [[OwnCloud]] ''(Installing OwnCloud)''<br />
<br />
* [[Seafile: setting up your own private cloud]]<br />
<br />
* [[GNUnet]]<br />
<br />
== Post-Install ==<br />
<!-- If you edit this, please coordinate with Installation and Developer_Documentation#Package_management. Note that these three sections are not exact duplicates. --><br />
<br />
* [[Alpine_newbie_apk_packages|Alpine newbie users post install and easy setups]]<br />
** [[Alpine_newbie_apk_packages#New_users:_hostname_and_network_wired_connection|First steps at post install]]<br />
** [[Alpine_newbie_apk_packages#New_users:_common_needed_package_to_install|Enable repositories]]<br />
** [[Alpine_newbie_apk_packages#New_users:_management_of_users_and_logins|Added the first user to use the system]]<br />
** [[Alpine_newbie_apk_packages#install_basic_tools|First packages to install]] (need the previous [[Alpine_newbie_apk_packages#New_users:_common_needed_package_to_install|Enable repositories]]) already done!<br />
<br />
* [[Setting up a new user]]<br />
* [[Enable Community Repository]] ''(Providing additional packages)''<br />
* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''<br />
<!-- [[Alpine Linux package management#Local_Cache|How to enable APK caching]] --><br />
** [[Comparison with other distros]]<br />
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''<br />
** [[Back Up a Flash Memory Installation]] <!-- new --><br />
** [[Manually editing a existing apkovl]]<br />
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''<br />
** [[Multiple Instances of Services]]<br />
<!-- [[Writing Init Scripts]] --><br />
* [[Alpine setup scripts#setup-xorg-base|Setting up Xorg]]<br />
* [[Upgrading Alpine]]<br />
<!-- Obsolete<br />
[[Upgrading Alpine - v1.9.x]]<br />
[[Upgrading Alpine - CD v1.8.x]]<br />
[[Upgrading Alpine - HD v1.8.x]]<br />
[[Upgrade to repository main|Upgrading to signed repositories]]<br />
--><br />
<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''<br />
* [[setup-acf]] ''(Configures ACF (webconfiguration) so you can manage your box through https)''<br />
* [[Changing passwords for ACF|Changing passwords]]<br />
* [[Ansible]] ''(Configuration management)''<br />
<br />
* [[Enable Serial Console on Boot]]<br />
<!-- Obsolete?<br />
* [[Error message on boot: Address space collision: host bridge window conflicts with Adaptor ROM]]<br />
--><br />
* [[How to get regular stuff working]] ''some notes on need-to-know topics''<br />
* [[Installing Oracle Java]]<br />
* [[Rsnapshot|Setting up periodic backups with <samp>rsnapshot</samp>]]<br />
<br />
== Virtualization==<br />
<br />
* [[Xen Dom0]] ''(Setting up Alpine as a dom0 for Xen hypervisor)''<br />
* [[Xen Dom0 on USB or SD]]<br />
* [[Create Alpine Linux PV DomU]]<br />
* [[Xen PCI Passthrough]]<br />
* [[Xen LiveCD]]<br />
* [[qemu]]<br />
* [[KVM]] ''(Setting up Alpine as a KVM hypervisor)''<br />
* [[LXC]] ''(Setting up a Linux container in Alpine Linux)''<br />
* [[Docker]]<br />
* [[Install_Alpine_on_VirtualBox]]<br />
* [[Install Alpine on VMWare]]<br />
<br />
== Desktop Environment ==<br />
<br />
* [[Awesome(wm) Setup]]<br />
* [[dwm]] ''(dynamic window manager for X)''<br />
* [[EyeOS]] ''(Cloud Computing Desktop)''<br />
* [[Gnome Setup]]<br />
* [[MATE|MATE Setup]]<br />
* [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''<br />
* [[Owncloud]] ''(Cloud Computing Desktop - Dropbox Alternative)''<br />
** (to be merged with [[OwnCloud]] ''(Your personal Cloud for storing and sharing your data on-line)'')<br />
* [[Remote Desktop Server]]<br />
* [[Suspend on LID close]]<br />
* [[Sway]]<br />
* [[XFCE Setup]] and [[Xfce Desktop|Desktop Ideas]]<br />
* [[Installing Adobe flash player for Firefox]]<br />
* [[Sound Setup]]<br />
* [[PipeWire]]<br />
* [[Printer Setup]]<br />
* [[Default applications]]<br />
<br />
== Raspberry Pi ==<br />
<br />
* [[Raspberry Pi|Raspberry Pi (Installation)]]<br />
* [[Classic install or sys mode on Raspberry Pi]]<br />
* [[RPI Video Receiver]] ''(network video decoder using Raspberry Pi and omxplayer)''<br />
* [[Linux Router with VPN on a Raspberry Pi]]<br />
* [[Linux Router with VPN on a Raspberry Pi (IPv6)]]<br />
* [[Raspberry Pi 4 - Persistent system acting as a NAS and Time Machine]]<br />
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]<br />
* [[Raspberry Pi 3 - Setting Up Bluetooth]]<br />
* [[Raspberry Pi 3 - Browser Client]]<br />
* [[Raspberry Pi Zero W - Installation]]<br />
* [[Raspberry Pi - Headless Installation]]<br />
<br />
== PowerPC ==<br />
<br />
* [[Ppc64le|Powerpc64le (Installation)]]<br />
<br />
== IBM Z (IBM z Systems) ==<br />
<br />
* [[s390x|s390x (Installation)]]<br />
<br />
== Applications ==<br />
<br />
=== Telephony ===<br />
* [[Setting up Zaptel/Asterisk on Alpine]]<br />
** [[Setting up Streaming an Asterisk Channel]]<br />
* [[Freepbx on Alpine Linux]]<br />
* [[FreePBX_V3]] ''(FreeSWITCH, Asterisk GUI web access tool)''<br />
* [[2600hz]] ''(FreeSWITCH, Asterisk GUI web access tool)''<br />
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''<br />
<br />
=== Mail ===<br />
* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''<br />
** [[Hosting Web/Email services on Alpine]]<br />
* [[ISP Mail Server HowTo]] <!-- solution, Mail --><br />
** [[ISP Mail Server Upgrade 2.x]]<br />
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''<br />
** [[ISP Mail Server 3.x HowTo]]<br />
* [[Roundcube]] ''(Webmail system)''<br />
* [[Setting up postfix with virtual domains]]<br />
* [[Protecting your email server with Alpine]]<br />
* [[Setting up clamsmtp]]<br />
* [[Setting up dovecot with imap and ssl]]<br />
* [[relay email to gmail (msmtp, mailx, sendmail]]<br />
<br />
=== HTTP ===<br />
* [[Lighttpd]]<br />
** [[Lighttpd Https access]]<br />
** [[Setting Up Lighttpd with PHP]]<br />
** [[Setting Up Lighttpd With FastCGI]]<br />
* [[Cherokee]]<br />
* [[Nginx]]<br />
** [[Nginx_with_PHP#Nginx_with_PHP|Nginx with PHP]]<br />
** [[Nginx as reverse proxy with acme (letsencrypt)]]<br />
* [[Apache]]<br />
** [[Apache with php-fpm]]<br />
** [[Setting Up Apache with PHP]]<br />
** [[Apache authentication: NTLM Single Signon]]<br />
<br />
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)'' <!-- solution, Server --><br />
<br />
* [[Setting up Transparent Squid Proxy]] <!-- draft --><br />
** [[SqStat]] ''(Script to look at active squid users connections)''<br />
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' <!-- Networking and Server, <== Using squark-auth-snmp --><br />
* [[Setting up Explicit Squid Proxy]]<br />
<br />
* [[Drupal]] ''(Content Management System (CMS) written in PHP)''<br />
* [[WordPress]] ''(Web software to create website or blog)''<br />
* [[MediaWiki]] ''(Free web-based wiki software application)''<br />
* [[DokuWiki]]<br />
* [[Darkhttpd]]<br />
* [[Tomcat]]<br />
<br />
=== Other Servers ===<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''<br />
<br />
* [[Setting up a nfs-server]]<br />
* [[Setting up a samba-server]] ''(standard file sharing)''<br />
* [[Setting up a samba-ad-dc]] ''(Active Directory compatible domain controller)''<br />
* [[Phpizabi]] ''(Social Networking Platform)''<br />
* [[Statusnet]] ''(Microblogging Platform)''<br />
* [[Pastebin]] ''(Pastebin software application)''<br />
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]<br />
<br />
* [[Patchwork]] ''(Patch review management system)''<br />
* [[Redmine]] ''(Project management system)''<br />
* [[Request-Tracker]] ''(Ticket system)''<br />
* [[OsTicket]] ''(Ticket system)''<br />
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''<br />
<br />
* [[Alpine_newbie_developer: gitea|Setting up Git management web frontend gitea]]<br />
* [[Cgit]]<br />
** [[Setting up a git repository server with gitolite and cgit]] <!-- doesn't exist yet --><br />
* [[Roundcube]] ''(Webmail system)''<br />
* [[Glpi]] ''(Manage inventory of technical resources)''<br />
<br />
* [[How to setup a Alpine Linux mirror]]<br />
* [[Cups]]<br />
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''<br />
* [[How To Setup Your Own IRC Network]] ''(Using {{Pkg|charybdis}} and {{Pkg|atheme-iris}})''<br />
* [[OpenVCP]] ''(VServer Control Panel)''<br />
* [[Mahara]] ''(E-portfolio and social networking system)''<br />
* [[Chrony and GPSD | Using chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]<br />
* [[Sending SMS using gnokii]]<br />
* [[IPTV How To|Internet Protocol television (IPTV)]]<br />
* [[UniFi_Controller]]<br />
* [[DNSCrypt-Proxy]] ''Encrypt and authenticate DNS calls from your system''<br />
* [[Odoo]]<br />
<br />
=== Monitoring ===<br />
* Setting up [[collectd]]<br />
* [[Traffic monitoring]] <!-- Networking and Monitoring --><br />
* [[Setting up traffic monitoring using rrdtool (and snmp)]] <!-- Monitoring --><br />
* [[Setting up monitoring using rrdtool (and rrdcollect)]]<br />
* [[Cacti: traffic analysis and monitoring network]] ''(Front-end for rrdtool networking monitor)''<br />
* [[LTTng]] ''(Kernel and userspace tracing)''<br />
* [[Setting up Zabbix|Zabbix]] ''(Monitor and track the status of network services and hardware)''<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' <!-- draft, solution, Networking and Monitoring and Server --><br />
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' <!-- Networking and Monitoring --><br />
* [[Setting up Smokeping|Smokeping]] ''(Network latency monitoring)'' <!-- Networking and Monitoring --><br />
** [[Setting up MRTG and Smokeping to Monitor Bandwidth Usage and Network Latency]]<br />
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' <!-- Networking and Monitoring --><br />
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' <!-- Monitoring and Security --><br />
<br />
* [[IP Accounting]] <!-- Networking and Monitoring --><br />
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' <!-- Networking and Server, <== Using squark-auth-snmp --><br />
* [[SqStat]] ''(Script to look at active squid users connections)''<br />
<br />
* [[Piwik]] ''(A real time web analytics software program)''<br />
* [[Awstats]] ''(Free log file analyzer)''<br />
* [[Intrusion Detection using Snort]]<br />
** [[Intrusion Detection using Snort, Sguil, Barnyard and more]]<br />
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''<br />
<br />
* [[Webmin]] ''(A web-based interface for Linux system)''<br />
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''<br />
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''<br />
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''<br />
* [[Linfo]]<br />
<br />
* [[Setting up lm_sensors]]<br />
<br />
* [[ZoneMinder video camera security and surveillance]]<br />
<br />
== Misc ==<br />
<br />
* [[:Category:Shell]]<br />
* [[:Category:Programming]]<br />
* [[Running glibc programs]]<br />
* [[:Category:Drivers]]<br />
* [[:Category:Multimedia]]<br />
* [[Kernel Modesetting]]<br />
* [[CPU frequency scaling]]<br />
<br />
== Complete Solutions ==<br />
* [[DIY Fully working Alpine Linux for Allwinner and Other ARM SOCs]]<br />
* [[Replacing non-Alpine Linux with Alpine remotely]]<br />
* [[High performance SCST iSCSI Target on Linux software Raid]]<br />
* [[Fault Tolerant Routing with Alpine Linux]]<br />
* [[Experiences with OpenVPN-client on ALIX.2D3]]<br />
* [[Building a cloud with Alpine Linux]]<br />
<br />
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-service ISP mail server)''<br />
** [[ISP Mail Server Upgrade 2.x]]<br />
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''<br />
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' <!-- draft --><br />
* [[Streaming Security Camera Video with VLC]]<br />
* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small_Office_Services]]<br />
<br />
<br />
<!--<br />
This does not attempt to be complete. Is it useful to have these listed here? I find them more accessible if grouped with their topics; also, an up-to-date list of all Draft or Obsolete pages can be found at [[Project:Wiki maintenance]].<br />
<br />
== Drafts ==<br />
Currently unfinished/works-in-progress.<br />
* [[Using Racoon for Remote Sites]]<br />
* [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''<br />
** [[Obtaining user information via SNMP]] ''(Using the Squark Squid authentication helper)'' [!-- no longer a draft --]<br />
* [[Setting up Streaming an Asterisk Channel]]<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)''<br />
* [[Intrusion Detection using Snort]] ''(Installing and configuring Snort and related applications on Alpine 2.0.x)''<br />
* [[IP Accounting]] ''(Installing and configuring pmacct for IP Accounting, Netflow/sFlow collector)''<br />
* [[Disk Replication with DRBD]]<br />
--><br />
<br />
<br />
[[Category:Newbie]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18482PipeWire2021-01-04T17:45:21Z<p>Govynnus: Screen sharing just works on GNOME according to Rasmus Thomsen</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in again for this to take effect.<br />
<br />
<pre><br />
# addgroup <user> audio<br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
=== Pulseaudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ Pulseaudio] daemon which should allow all existing Pulseaudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the Pulseaudio daemon, edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
exec /usr/bin/pipewire-pulse<br />
</pre><br />
<br />
=== Jack ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ Jack] applications, install the required package and make system-wide links to the PipeWire replacement Jack libraries (I have not had success using <code>pw-jack</code>). You will not need to start a Jack server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
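As an added example (not part of this wiki page), the following POSIX shell script checks whether the three symlinks above still resolve to PipeWire's Jack replacements, which is exactly what the note says an update may undo, and re-creates them on request. The <code>LIBDIR</code> argument, the function names and the <code>check</code> subcommand are this example's own choices; on a real system <code>LIBDIR</code> is <code>/usr/lib</code>, as on the page.<br />

```shell
#!/bin/sh
# Added example, not from the Alpine wiki page: detect when the
# system-wide Jack symlinks created with "ln -sf" above have stopped
# pointing at PipeWire's replacement libraries (the note warns that a
# package update may overwrite them), and re-create them when asked.
# LIBDIR is a parameter so the functions can be exercised on a scratch
# directory; on a real system it is /usr/lib, as on the page.

JACK_LIBS="libjackserver.so.0 libjacknet.so.0 libjack.so.0"

# check_jack_links LIBDIR
# For every library, LIBDIR/<lib> must be a symlink whose target is
# LIBDIR/pipewire-0.3/jack/<lib>. Prints one line per problem and
# returns 0 only when all three links are correct.
check_jack_links() {
    libdir=$1
    bad=0
    for lib in $JACK_LIBS; do
        link="$libdir/$lib"
        want="$libdir/pipewire-0.3/jack/$lib"
        if [ ! -L "$link" ]; then
            # A regular file here means a package (for example a real
            # jack build) has replaced the link; a missing file means
            # the step was never run or the link was removed.
            echo "$lib: not a symlink in $libdir"
            bad=1
            continue
        fi
        have=$(readlink "$link")
        if [ "$have" != "$want" ]; then
            echo "$lib: points at $have, expected $want"
            bad=1
        fi
    done
    return "$bad"
}

# fix_jack_links LIBDIR
# Re-creates the three links exactly as the page's ln -sf commands do.
fix_jack_links() {
    libdir=$1
    for lib in $JACK_LIBS; do
        ln -sf "$libdir/pipewire-0.3/jack/$lib" "$libdir/$lib" || return 1
    done
}

# Run as "sh check-jack-links.sh check [LIBDIR]" to check a live system
# (LIBDIR defaults to /usr/lib); without the argument the functions are
# only defined, so the file can be sourced or tested without side effects.
if [ "${1:-}" = check ]; then
    check_jack_links "${2:-/usr/lib}"
fi
```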
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on GNOME with <code>xdg-desktop-portal-gtk</code> and Firefox.<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test that sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that recording audio is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test Pulseaudio clients using a media player (most use Pulseaudio) and, if you use Jack, test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make pipewire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]</div>
Govynnus
https://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18481
PipeWire
2021-01-04T17:38:47Z
<p>Govynnus: Remove suggestions to use edge versions of packages</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in again for this to take effect.<br />
<br />
<pre><br />
# addgroup <user> audio<br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
=== Pulseaudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ Pulseaudio] daemon which should allow all existing Pulseaudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the Pulseaudio daemon, edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
exec /usr/bin/pipewire-pulse<br />
</pre><br />
<br />
=== Jack ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ Jack] applications, install the required package and make system-wide links to the PipeWire replacement Jack libraries (I have not had success using <code>pw-jack</code>). You will not need to start a Jack server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
Not got this working yet. Take a look at [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal].<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test that sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that recording audio is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test Pulseaudio clients using a media player (most use Pulseaudio) and, if you use Jack, test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make pipewire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]</div>
Govynnus
https://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18480
PipeWire
2021-01-04T17:19:53Z
<p>Govynnus: Remove note about ardour not working</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in again for this to take effect.<br />
<br />
<pre><br />
# addgroup <user> audio<br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
{{Note|You may need to install dbus from the edge repository, but I'm not entirely sure.}}<br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
Install <code>pipewire</code>. It might be a good idea to use the edge version because it's more up-to-date and PipeWire is still under development.<br />
<br />
<pre><br />
# apk add pipewire pipewire-doc<br />
</pre><br />
<br />
=== Pulseaudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ Pulseaudio] daemon which should allow all existing Pulseaudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the Pulseaudio daemon, edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
exec /usr/bin/pipewire-pulse<br />
</pre><br />
<br />
=== Jack ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ Jack] applications, install the required package and make system-wide links to the PipeWire replacement Jack libraries (I have not had success using <code>pw-jack</code>). You will not need to start a Jack server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
Not got this working yet. Take a look at [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal].<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test that sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that recording audio is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test Pulseaudio clients using a media player (most use Pulseaudio) and, if you use Jack, test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make pipewire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]</div>
Govynnus
https://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18479
PipeWire
2021-01-04T16:56:51Z
<p>Govynnus: make->may</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in again for this to take effect.<br />
<br />
<pre><br />
# addgroup <user> audio<br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
{{Note|You may need to install dbus from the edge repository, but I'm not entirely sure.}}<br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
Install <code>pipewire</code>. It might be a good idea to use the edge version because it's more up-to-date and PipeWire is still under development.<br />
<br />
<pre><br />
# apk add pipewire pipewire-doc<br />
</pre><br />
<br />
=== Pulseaudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ Pulseaudio] daemon which should allow all existing Pulseaudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the Pulseaudio daemon, edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
exec /usr/bin/pipewire-pulse<br />
</pre><br />
<br />
=== Jack ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ Jack] applications, install the required package and make system-wide links to the PipeWire replacement Jack libraries (I have not had success using <code>pw-jack</code>). You will not need to start a Jack server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
Not got this working yet. Take a look at [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal].<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test that sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that recording audio is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test Pulseaudio clients using a media player (most use Pulseaudio) and, if you use Jack, test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
{{Note|The fact that jack_simple_client works doesn't mean all Jack clients will. For example, I can't hear anything from ardour6.}}<br />
<br />
If you are happy everything is working, make pipewire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]</div>
Govynnus
https://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=18478
PipeWire
2021-01-04T16:53:52Z
<p>Govynnus: Add initial instructions for setting up PipeWire</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
Add your normal user to the <code>audio</code> group. The user must log in again for this to take effect.<br />
<br />
<pre><br />
# addgroup <user> audio<br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
{{Note|You may need to install dbus from the edge repository, but I'm not entirely sure.}}<br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
== Installation and configuration ==<br />
<br />
Install <code>pipewire</code>. It might be a good idea to use the edge version because it's more up-to-date and PipeWire is still under development.<br />
<br />
<pre><br />
# apk add pipewire pipewire-doc<br />
</pre><br />
<br />
=== Pulseaudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ Pulseaudio] daemon which should allow all existing Pulseaudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
To enable the Pulseaudio daemon, edit <code>/etc/pipewire/pipewire.conf</code> and uncomment the following line:<br />
<br />
<pre><br />
exec /usr/bin/pipewire-pulse<br />
</pre><br />
<br />
=== Jack ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ Jack] applications, install the required package and make system-wide links to the PipeWire replacement Jack libraries (I have not had success using <code>pw-jack</code>). You will not need to start a Jack server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
Not got this working yet. Take a look at [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal].<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test that sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that recording audio is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test Pulseaudio clients using a media player (most use Pulseaudio) and, if you use Jack, test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
{{Note|The fact that jack_simple_client works doesn't mean all Jack clients will. For example, I can't hear anything from ardour6.}}<br />
<br />
If you are happy everything is working, make pipewire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]</div>
Govynnus
https://wiki.alpinelinux.org/w/index.php?title=How_to_get_regular_stuff_working&diff=18477
How to get regular stuff working
2021-01-04T15:22:04Z
<p>Govynnus: Add note about docs meta package</p>
<hr />
<div>== Man pages ==<br />
<br />
Not all man-pages are in Alpine, but this will get you most of the way there:<br />
<br />
'''apk add mandoc man-pages mdocml-apropos less less-doc'''<br />
'''export PAGER=less'''<br />
<br />
The above only provides ''core'' man pages. Other packages typically don't include their own man pages (nor other documentation). Rather, they provide an associated package that carries such stuff. For example:<br />
<br />
$ '''apk add curl'''<br />
$ '''man curl'''<br />
man: No entry for curl in the manual.<br />
$ '''apropos curl | wc -l'''<br />
0 <span style="color: green;">''After adding curl, there are no man pages''</span><br />
$ '''apk add curl-doc'''<br />
(1/1) Installing curl-doc (7.52.1-r2)<br />
Executing mdocml-apropos-1.13.3-r6.trigger<br />
OK: 60 MiB in 31 packages<br />
$ '''apropos curl | wc -l'''<br />
366 <span style="color: green;">''Now, with curl-doc installed, there's a boatload of pages!''</span><br />
<br />
'''NOTE:''' Not all packages separate out their documentation, but it is the ''Alpine Way'' (i.e. a small footprint). Some packages don't provide any installable documentation at all, neither within themselves nor in an associated doc package. Further, appending "-doc" is merely a convention; the core man pages, for instance, live in man-pages (as in the ''apk add ...'' command above). To find the right documentation package, try something like:<br />
<br />
$ '''apk search gcc | grep ^gcc'''<br />
gcc-objc-5.3.0-r0<br />
gcc-gnat-5.3.0-r0<br />
gcc-5.3.0-r0<br />
gcc-java-5.3.0-r0<br />
gcc-doc-5.3.0-r0 <span style="color: green;">''Here it is!''</span><br />
<br />
'''FINALLY:''' If you're wondering why I've added ''less'' (and ''less-doc''), it's because ''man'' doesn't work correctly with ''more'' (the default pager). Don't fret too much about bloating up Alpine, though - adding man pages has a bigger footprint than less (''"less is more than man"???'')<br />
<br />
If you would like documentation packages to be pulled in automatically you can add the <code>docs</code> meta package.<br />
<br />
== Operational hints ==<br />
<br />
==== Shell @ commandline ====<br />
<br />
Alpine comes with busybox by default. BusyBox is a single binary that provides numerous utilities through symlinks. Though BusyBox is not that bad, its versions of the commands offer less functionality than the full implementations.<br />
<br />
* Funny characters at the console<br />
Edit the file at {{Path|/etc/rc.conf}} and change line 92 to:<br />
unicode="YES"<br />
<br />
* Bash<br />
It is easy enough to have bash installed, but this does not mean the symlinks to busybox are gone.<br />
<br />
Install bash with: <br />
apk add bash bash-doc bash-completion<br />
<br />
* Shell utilities (things like grep, [[awk]], ls are all busybox symlinks)<br />
apk add util-linux pciutils usbutils coreutils binutils findutils grep<br />
<br />
* /etc/{shadow,group} manipulation requires<br />
apk add shadow<br />
<br />
==== Disk Management ==== <br />
<br />
Disk management is so much easier with udisks or udisks2<br />
<br />
Installation <br />
<br />
apk add udisks2 udisks2-doc<br />
<br />
See the mounted disks<br />
<br />
udisksctl status<br />
<br />
== Compiling : a few notes and a reminder ==<br />
<br />
Compiling in Alpine may be more challenging because it uses [http://www.musl-libc.org/ musl-libc] instead of glibc. Please review [http://wiki.musl-libc.org/wiki/Functional_differences_from_glibc 'The functional differences with glibc' ] if you think of porting packages or just for the sake of knowing, of course.<br />
<br />
Alpine offers the regular compiler tooling such as gcc and cmake, and possibly others.<br />
<br />
==== (unvalidated) apk packages to install so one can start building software ====<br />
apk add build-base gcc abuild binutils binutils-doc gcc-doc<br />
<br />
==== a complete install for cmake looks like ====<br />
<br />
apk add cmake cmake-doc extra-cmake-modules extra-cmake-modules-doc<br />
<br />
==== ccache is also available ====<br />
<br />
apk add ccache ccache-doc<br />
<br />
[[Category:Installation]]</div>
Govynnus
https://wiki.alpinelinux.org/w/index.php?title=Sway&diff=18432
Sway
2021-01-02T17:51:37Z
<p>Govynnus: Make links to intel and radeon pages actual links</p>
<hr />
<div>[http://swaywm.org Sway] is a tiling Wayland compositor. It's a drop-in replacement for the i3 window manager.<br />
<br />
== Prerequisites ==<br />
<br />
First, install & configure eudev:<br />
<br />
<pre><br />
# apk add eudev<br />
# setup-udev<br />
</pre><br />
<br />
Then install graphics drivers appropriate to your system:<br />
<br />
<pre><br />
# apk search mesa-dri<br />
# apk add mesa-dri-intel # example<br />
</pre><br />
<br />
The following pages contain per-GPU guides for setting up the video stack.<br />
<br />
* [https://wiki.alpinelinux.org/wiki/Intel_Video Intel Video]<br />
* [https://wiki.alpinelinux.org/wiki/Radeon_Video Radeon Video]<br />
<br />
Add yourself to the input and video groups:<br />
<br />
<pre><br />
# adduser $USER input<br />
# adduser $USER video<br />
</pre><br />
<br />
You have to log out and back in for this to take effect. <br />
<br />
== Installation ==<br />
<br />
We can now install sway:<br />
<br />
<pre><br />
# apk add sway sway-doc<br />
# apk add xorg-server-xwayland alacritty dmenu swaylock swayidle<br />
</pre><br />
<br />
The second command installs the optional dependencies:<br />
<br />
* <code>xorg-server-xwayland</code>: strongly recommended for compatibility reasons<br />
* <code>alacritty</code>: default terminal emulator<br />
* <code>dmenu</code>: default application launcher<br />
* <code>swaylock</code>: lockscreen tool<br />
* <code>swayidle</code>: idle management (DPMS) daemon<br />
<br />
== Running Sway ==<br />
<br />
To run sway, first set <code>XDG_RUNTIME_DIR</code> to a suitable location (e.g. <code>/tmp</code>). Note that the XDG Base Directory specification expects this directory to be owned by your user with mode 0700, since the Wayland socket is created inside it, so a private directory is preferable to the shared <code>/tmp</code>. Installing and configuring elogind, which creates <code>/run/user/<uid></code> at login, lets you skip this step. Then run sway from the Linux console:<br />
<br />
<pre><br />
$ XDG_RUNTIME_DIR=/tmp sway<br />
</pre><br />
<br />
Add this to a script if it becomes tedious.<br />
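As an added example (not part of this wiki page), here is a POSIX shell wrapper for that script: it prefers the elogind-provided <code>/run/user/<uid></code>, otherwise creates a per-user directory under <code>/tmp</code>, and refuses to start sway unless the directory is owned by the caller with mode 0700. The function names, the <code>/tmp/runtime-<user></code> fallback path and the <code>run</code> argument are this example's own choices.<br />

```shell
#!/bin/sh
# Added example, not from the Alpine wiki page: give sway a private
# XDG_RUNTIME_DIR instead of the shared /tmp. The XDG Base Directory
# specification requires the runtime directory to be owned by the user
# and to have mode 0700, because the Wayland socket (and other
# per-session IPC endpoints) are created inside it. elogind provides
# /run/user/<uid> for this; without it we create one ourselves.

# ensure_runtime_dir DIR
# Creates DIR with mode 0700 if nothing exists at that path, then
# verifies that it is a real directory, owned by the calling user and
# readable by nobody else. Returns 0 when DIR is acceptable, 1 otherwise.
ensure_runtime_dir() {
    dir=$1
    me=$(id -un)
    if [ ! -e "$dir" ]; then
        # -m applies the mode at creation time, independent of the umask.
        mkdir -m 0700 "$dir" || return 1
    fi
    # Something that already existed is only accepted when it is a
    # directory (not a symlink planted by someone else), owned by us and
    # mode exactly 0700. "find DIR -prune" examines DIR itself without
    # descending into it.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    find "$dir" -prune -type d -user "$me" -perm 700 -print | grep -q . \
        || return 1
}

# runtime_dir_for_user
# Prefers the directory elogind (or a PAM module) already created and
# otherwise falls back to a per-user directory under /tmp (hypothetical
# path chosen for this example).
runtime_dir_for_user() {
    uid=$(id -u)
    if [ -d "/run/user/$uid" ]; then
        echo "/run/user/$uid"
    else
        echo "/tmp/runtime-$(id -un)"
    fi
}

# start_sway
# Picks the runtime directory, validates it and replaces the shell with
# sway, as the page's "XDG_RUNTIME_DIR=/tmp sway" step does.
start_sway() {
    dir=$(runtime_dir_for_user)
    if ! ensure_runtime_dir "$dir"; then
        echo "refusing to use $dir as XDG_RUNTIME_DIR" >&2
        return 1
    fi
    XDG_RUNTIME_DIR=$dir
    export XDG_RUNTIME_DIR
    exec sway
}

# Only start sway when invoked as "sh start-sway.sh run", so that the
# functions can also be sourced and tested without launching a session.
if [ "${1:-}" = run ]; then
    start_sway
fi
```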
<br />
== Configuration and Usage ==<br />
<br />
An example config is provided at <code>/etc/sway/config</code>. Copy it to <code>~/.config/sway/config</code> and read through it to learn the default keybindings.<br />
<br />
For additional information, start at <code>man 5 sway</code> and read the [https://github.com/swaywm/sway/wiki upstream FAQ].<br />
<br />
[[Category:Desktop]]</div>
Govynnus
https://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=18371
LVM on LUKS
2020-12-30T15:54:58Z
<p>Govynnus: Add swapoff command to unmounting procedure</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.<br />
<br />
Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.<br />
<br />
== Storage Device Name ==<br />
<br />
To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lspci</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.<br />
<br />
The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.<br />
<br />
Run the scripts in this order:<br />
<br />
<pre># setup-keymap<br />
# setup-hostname<br />
# setup-interfaces<br />
# rc-service networking start</pre><br />
<br />
If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.<br />
<br />
If you are using Wi-Fi you may need to run <code>rc-update add wpa_supplicant boot</code>.<br />
<br />
<pre># passwd<br />
# setup-timezone<br />
# rc-update add networking boot<br />
# rc-update add urandom boot<br />
# rc-update add acpid default<br />
# rc-service acpid start</pre><br />
<br />
Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):<br />
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}<br />
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain<br />
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}<br />
<br />
<br />
{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}<br />
<br />
<pre># setup-apkrepos<br />
# apk update<br />
# setup-sshd<br />
# setup-ntp</pre><br />
<br />
Now we will deviate from the install script.<br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality.}}<br />
<br />
<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre><br />
<br />
Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:<br />
<br />
<pre># apk add haveged<br />
# rc-service haveged start</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
=== BIOS/MBR with DOS disklabel ===<br />
<br />
We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI.<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | Boot partition         | ext4                  |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |<br />
|    |-> /dev/vg0/root      | Root partition         | ext4                  |<br />
|    |-> /dev/vg0/swap      | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal /dev/sda<br />
(parted) mklabel msdos<br />
(parted) mkpart primary ext4 0% 100M<br />
(parted) name 1 boot<br />
(parted) set 1 boot on<br />
(parted) mkpart primary ext4 100M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:<br />
<pre>(parted) print<br />
Model: ATA TOSHIBA ******** (scsi)<br />
Disk /dev/sda: 1000GB<br />
Sector size (logical/physical): 512B/4096B<br />
Partition Table: msdos<br />
Disk Flags:<br />
<br />
Number  Start   End     Size    Type     File system  Flags<br />
 1      1049kB  99.6MB  98.6MB  primary  ext4         boot<br />
 2      99.6MB  1000GB  1000GB  primary  ext4</pre><br />
<br />
=== UEFI with GPT disklabel ===<br />
<br />
We will be encrypting the whole disk except for the EFI system partition, which is mounted at <code>/boot/efi</code>. This means that GRUB2 decrypts the LUKS volume and loads the kernel from it, preventing someone with physical access to your computer from installing a rootkit (or bootkit) in your boot partition while the disk is locked. The partitioning scheme will look like this:<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | EFI system partition   | fat32                 |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |<br />
|    |-> /dev/vg0/root      | Root partition         | ext4                  |<br />
|    |-> /dev/vg0/boot      | Boot partition         | ext4                  |<br />
|    |-> /dev/vg0/swap      | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal /dev/sda<br />
(parted) mklabel gpt<br />
(parted) mkpart primary fat32 0% 200M<br />
(parted) name 1 esp<br />
(parted) set 1 esp on<br />
(parted) mkpart primary ext4 200M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
== Optional: Overwrite LUKS Partition with Random Data ==<br />
<br />
This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.<br />
<br />
We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.<br />
<br />
<pre># haveged -n 0 | dd of=/dev/sda2</pre><br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with a 256-bit key and Argon2 hashing with an iter-time of 2000ms), or you could use the following settings, which add security at the cost of a performance decrease that is not noticeable on modern computers:<br />
<br />
Default settings:<br />
<br />
<pre># cryptsetup luksFormat /dev/sda2</pre><br />
<br />
Optimized for security:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre><br />
<br />
If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):<br />
<br />
<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>lvmcrypt</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
=== LV Creation for BIOS/MBR ===<br />
<br />
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
=== LV Creation for UEFI/GPT ===<br />
<br />
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -L 2G vg0 -n boot<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
== Creating and Mounting the File Systems ==<br />
<br />
Format the <code>root</code> LV using the ext4 file system (the <code>boot</code> LV of the UEFI layout is formatted in a later step, together with the boot partition):<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
Next format your boot partition, create a mount point and mount it:<br />
<br />
* If you're using BIOS and MBR:<br />
<br />
<pre># mkfs.ext4 /dev/sda1<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/sda1 /mnt/boot</pre><br />
<br />
* If you're using UEFI and GPT:<br />
<br />
<pre># apk add dosfstools<br />
# mkfs.fat -F32 /dev/sda1<br />
# mkfs.ext4 /dev/vg0/boot<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/vg0/boot /mnt/boot<br />
# mkdir -v /mnt/boot/efi<br />
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre><br />
<br />
Lastly, activate your swap partition:<br />
<br />
<pre># swapon /dev/vg0/swap</pre><br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}<br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
<br />
<pre>features="... cryptsetup"</pre><br />
<br />
If you are using GRUB with an encrypted <code>/boot</code> you should also add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.<br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}<br />
<br />
{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot.}}<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/)</code> option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
<br />
To get the UUID of your storage device into a file for later use, use this command:<br />
<br />
<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre><br />
<br />
{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}<br />
<br />
=== Syslinux with BIOS ===<br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:<br />
<br />
<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre><br />
<br />
The <code>cryptroot</code> parameter sets the device that contains the root file system, and the <code>cryptdm</code> parameter sets the name of the device-mapper mapping to create, the same name (<code>lvmcrypt</code>) that was passed to <code>cryptsetup luksOpen</code> earlier.<br />
<br />
Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre># chroot /mnt/<br />
# update-extlinux<br />
# exit</pre><br />
<br />
: If an error occurs in the <code>update-extlinux</code> command you can most likely ignore it.<br />
<br />
Write the MBR to the <code>/dev/sda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre><br />
<br />
=== Grub with UEFI ===<br />
<br />
To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.<br />
<br />
<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin<br />
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin<br />
</pre><br />
<br />
This keyfile is stored encrypted at rest (it is in your LUKS partition), so its existence does not reduce the security of the system.<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre># mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
# mount --rbind /sys /mnt/sys</pre><br />
<br />
Then chroot in and use <code>grub-install</code> to install Grub.<br />
<br />
<pre># chroot /mnt<br />
# source /etc/profile<br />
# export PS1="(chroot) $PS1"</pre><br />
<br />
Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:<br />
<br />
<pre># apk add grub grub-efi efibootmgr<br />
# apk del syslinux</pre><br />
<br />
Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):<br />
<br />
<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.<br />
<br />
To enable GRUB to decrypt LUKS partitions and read LVM volumes add:<br />
<br />
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre><br />
<br />
If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.<br />
<br />
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit</pre><br />
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:<br />
<br />
<pre># cd<br />
# umount -l /mnt/dev<br />
# umount -l /mnt/proc<br />
# umount -l /mnt/sys<br />
# umount /mnt/boot/efi<br />
# umount /mnt/boot<br />
# swapoff /dev/vg0/swap<br />
# umount /mnt<br />
# vgchange -a n<br />
# cryptsetup luksClose lvmcrypt<br />
# reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Setup the LUKS partition and activate the LVs:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt<br />
# vgchange -ay</pre><br />
<br />
[[#Creating_and_Mounting_the_File_Systems|Mount the file systems]]<br />
<br />
Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.<br />
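The sanity check below is an added example, not part of the wiki page: it reads the files this guide has you edit by hand (<code>mkinitfs.conf</code>, the bootloader kernel options, <code>fstab</code>) from the mounted root and reports what is missing, which is usually faster than re-reading the sections above. It assumes the names used in this guide (mapping <code>lvmcrypt</code>, volume group <code>vg0</code>) and is run against a constructed miniature of the installed tree, so it works offline; on a real rescue session point it at <code>/mnt</code> instead.<br />

```shell
# Added example (not from the wiki page): a read-only sanity check for the
# files this guide has you edit by hand. Run it from the live environment
# once the root LV is mounted, as described under "General Procedure":
#   check_luks_config /mnt "$(blkid -s UUID -o value /dev/sda2)"
# Assumed names, taken from this guide: mapping "lvmcrypt", volume group "vg0".

# check_luks_config ROOT LUKS_UUID
#   ROOT       directory where the installed root file system is mounted
#   LUKS_UUID  UUID of the LUKS partition (blkid -s UUID -o value /dev/sda2)
# Prints one FAIL line per problem; exit status 0 means every check passed.
check_luks_config() {
    root=$1; uuid=$2; problems=0

    # 1. Without the cryptsetup feature the initramfs cannot unlock the
    #    container, and boot stops at an emergency shell.
    if ! grep -q 'features="[^"]*cryptsetup' "$root/etc/mkinitfs/mkinitfs.conf" 2>/dev/null; then
        echo "FAIL: cryptsetup missing from features= in etc/mkinitfs/mkinitfs.conf"
        problems=$((problems + 1))
    fi

    # 2. Kernel options live in update-extlinux.conf (Syslinux) or in
    #    /etc/default/grub (GRUB); read whichever bootloader is configured.
    opts=""
    if [ -f "$root/etc/update-extlinux.conf" ]; then
        opts=$(grep '^default_kernel_opts=' "$root/etc/update-extlinux.conf" || true)
    elif [ -f "$root/etc/default/grub" ]; then
        opts=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$root/etc/default/grub" || true)
        # GRUB additionally needs cryptodisk support to read /boot from LUKS.
        if ! grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$root/etc/default/grub"; then
            echo "FAIL: GRUB_ENABLE_CRYPTODISK=y missing from etc/default/grub"
            problems=$((problems + 1))
        fi
    else
        echo "FAIL: no bootloader configuration found under $root/etc"
        problems=$((problems + 1))
    fi
    for want in "cryptroot=UUID=$uuid" "cryptdm=lvmcrypt"; do
        case "$opts" in
            *"$want"*) ;;
            *) echo "FAIL: kernel options lack $want"; problems=$((problems + 1)) ;;
        esac
    done

    # 3. setup-disk does not write the swap LV to fstab; the line is added by hand.
    if ! grep -q '^/dev/vg0/swap[[:space:]]' "$root/etc/fstab" 2>/dev/null; then
        echo "FAIL: /dev/vg0/swap entry missing from etc/fstab"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed placeholder UUID for the demonstration below, not a real device's.
SAMPLE_UUID="00000000-1111-2222-3333-444444444444"

# make_sample_root DIR MODE: build a constructed miniature of the installed
# tree. MODE "good" is complete; MODE "bad" omits the cryptsetup feature and
# the swap line, two of the most common mistakes with this procedure.
make_sample_root() {
    dir=$1; mode=$2
    mkdir -p "$dir/etc/mkinitfs"
    printf 'default_kernel_opts="quiet cryptroot=UUID=%s cryptdm=lvmcrypt"\n' "$SAMPLE_UUID" \
        > "$dir/etc/update-extlinux.conf"
    printf '/dev/vg0/root / ext4 rw,relatime 0 1\n' > "$dir/etc/fstab"
    if [ "$mode" = good ]; then
        printf 'features="ata base ide scsi usb virtio ext4 cryptsetup"\n' > "$dir/etc/mkinitfs/mkinitfs.conf"
        printf '/dev/vg0/swap swap swap defaults 0 0\n' >> "$dir/etc/fstab"
    else
        printf 'features="ata base ide scsi usb virtio ext4"\n' > "$dir/etc/mkinitfs/mkinitfs.conf"
    fi
}

# Demonstration on the constructed trees.
tmp=$(mktemp -d)
make_sample_root "$tmp/good" good
make_sample_root "$tmp/bad" bad
echo "== good tree"; check_luks_config "$tmp/good" "$SAMPLE_UUID" && echo "OK"
echo "== bad tree";  check_luks_config "$tmp/bad" "$SAMPLE_UUID" || echo "fix the lines above"
rm -rf "$tmp"
```

The UUID comparison is exact, so a stale UUID left in the kernel options after re-running <code>luksFormat</code> is caught as well; that case is otherwise hard to spot, because the boot simply stalls waiting for a device that never appears.<br />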
<br />
== System can't find boot device ==<br />
<br />
This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.<br />
<br />
== Secure boot ==<br />
<br />
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.<br />
<br />
= Hardening =<br />
<br />
* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]), since cryptsetup with LUKS uses AES by default.<br />
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]<br />
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.<br />
<br />
= Mounting additional encrypted filesystems at boot =<br />
<br />
If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required. For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.<br />
<br />
Create a keyfile and add it to the LUKS partition:<br />
<br />
<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin<br />
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin<br />
</pre><br />
<br />
Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:<br />
<br />
<pre>target=crypt-home<br />
source='/dev/sdb1'<br />
key='/root/crypt-home-keyfile.bin'<br />
</pre><br />
<br />
Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:<br />
<br />
<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre><br />
<br />
Enable the dmcrypt and lvm services to start on boot:<br />
<br />
<pre># rc-update add dmcrypt boot<br />
# rc-update add lvm boot<br />
</pre><br />
<br />
After a reboot the partition should be decrypted and mounted automatically.<br />
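The audit below is an added example, not part of the wiki page: it parses the <code>target=</code>/<code>key=</code> stanzas of a <code>dmcrypt</code> configuration like the one above and checks that each key file exists and is readable by its owner only. A key file unlocks its device without a passphrase, so it only keeps the data private while no other local user can copy it. The configuration and key file it runs on are constructed in a temporary directory; on a real system point it at <code>/etc/conf.d/dmcrypt</code>.<br />

```shell
# Added example (not from the wiki page): audit the key files referenced by
# /etc/conf.d/dmcrypt. A key file unlocks its LUKS device without a passphrase,
# so it protects the data only while nobody but root can read it; this check
# flags group/world-readable or missing key files. On a real system run:
#   audit_dmcrypt_keys /etc/conf.d/dmcrypt
# Stanza layout (target= opens a stanza, key= is optional) follows the guide above.

# check_key_file TARGET KEYPATH: verify one stanza's key file.
check_key_file() {
    name=$1; path=$2
    if [ -z "$path" ]; then
        echo "$name: no key= line, a passphrase will be asked for at boot"
        return 0
    fi
    if [ ! -f "$path" ]; then
        echo "$name: key file $path does not exist"
        return 1
    fi
    mode=$(stat -c '%a' "$path")
    # Any group or other bit lets a non-root local user copy the key.
    case "$mode" in
        600|400) echo "$name: key file $path mode $mode ok"; return 0 ;;
        *)       echo "$name: key file $path mode $mode is too permissive"; return 1 ;;
    esac
}

# audit_dmcrypt_keys CONF
# Exit status 0 when every key file exists and is readable by its owner only.
audit_dmcrypt_keys() {
    conf=$1; bad=0; target=""; key=""
    while IFS= read -r line || [ -n "$line" ]; do
        # value after '=' with surrounding single or double quotes removed
        value=${line#*=}
        value=${value#"'"}; value=${value%"'"}
        value=${value#\"}; value=${value%\"}
        case "$line" in
            target=*)
                # a new stanza: finish the previous one first
                if [ -n "$target" ]; then
                    check_key_file "$target" "$key" || bad=$((bad + 1))
                fi
                target=$value; key="" ;;
            key=*) key=$value ;;
        esac
    done < "$conf"
    if [ -n "$target" ]; then
        check_key_file "$target" "$key" || bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# make_sample_dmcrypt DIR MODE: constructed config and key file for the demo.
# MODE "good" locks the key file to 0600, "bad" leaves it world-readable (0644).
make_sample_dmcrypt() {
    dir=$1; mode=$2
    head -c 2048 /dev/urandom > "$dir/crypt-home-keyfile.bin"
    if [ "$mode" = good ]; then
        chmod 600 "$dir/crypt-home-keyfile.bin"
    else
        chmod 644 "$dir/crypt-home-keyfile.bin"
    fi
    # two stanzas: /home unlocked by the key file, a second device by passphrase
    printf "target=crypt-home\nsource='/dev/sdb1'\nkey='%s/crypt-home-keyfile.bin'\n" "$dir" > "$dir/dmcrypt"
    printf "target=crypt-data\nsource='/dev/sdc1'\n" >> "$dir/dmcrypt"
}

# Demonstration on the constructed files.
tmp=$(mktemp -d)
make_sample_dmcrypt "$tmp" good
audit_dmcrypt_keys "$tmp/dmcrypt" && echo "all key files locked down"
make_sample_dmcrypt "$tmp" bad
audit_dmcrypt_keys "$tmp/dmcrypt" || echo "tighten with: chmod 600 <keyfile>"
rm -rf "$tmp"
```

The check looks at the mode bits only; ownership by <code>root</code> is expected for anything under <code>/root</code>, and a key file kept on an unencrypted file system (outside the LUKS container that the root file system lives in) would defeat the purpose regardless of its permissions.<br />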
<br />
= See also =<br />
*[[Bootloaders]]<br />
*[[Alpine setup scripts]]<br />
*[[Installing on GPT LVM]]<br />
*[[Setting up LVM on GPT-labeled disks]]<br />
*[[Setting up disks manually]]<br />
*https://wiki.gentoo.org/wiki/Syslinux<br />
*https://wiki.gentoo.org/wiki/GRUB2<br />
*https://wiki.archlinux.org/index.php/Syslinux<br />
*https://wiki.archlinux.org/index.php/GRUB<br />
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide<br />
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/<br />
*https://wiki.gentoo.org/wiki/Dm-crypt<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=18356LVM on LUKS2020-12-29T13:11:50Z<p>Govynnus: Add section about mounting additional encrypted filesystems at boot.</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.<br />
<br />
Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.<br />
<br />
== Storage Device Name ==<br />
<br />
To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.<br />
<br />
The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.<br />
<br />
Run the scripts in this order:<br />
<br />
<pre># setup-keymap<br />
# setup-hostname<br />
# setup-interfaces<br />
# rc-service networking start</pre><br />
<br />
If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.<br />
<br />
If you are using Wi-Fi you may need to run <code>rc-update add wpa_supplicant boot</code>.<br />
<br />
<pre># passwd<br />
# setup-timezone<br />
# rc-update add networking boot<br />
# rc-update add urandom boot<br />
# rc-update add acpid default<br />
# rc-service acpid start</pre><br />
<br />
Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):<br />
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}<br />
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain<br />
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}<br />
<br />
<br />
{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}<br />
<br />
<pre># setup-apkrepos<br />
# apk update<br />
# setup-sshd<br />
# setup-ntp</pre><br />
<br />
Now we will deviate from the install script.<br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality.}}<br />
<br />
<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre><br />
<br />
Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:<br />
<br />
<pre># apk add haveged<br />
# rc-service haveged start</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
=== BIOS/MBR with DOS disklabel ===<br />
<br />
We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI.<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | Boot partition         | ext4                  |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |<br />
|    |-> /dev/vg0/root      | Root partition         | ext4                  |<br />
|    |-> /dev/vg0/swap      | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal /dev/sda<br />
(parted) mklabel msdos<br />
(parted) mkpart primary ext4 0% 100M<br />
(parted) name 1 boot<br />
(parted) set 1 boot on<br />
(parted) mkpart primary ext4 100M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:<br />
<pre>(parted) print<br />
Model: ATA TOSHIBA ******** (scsi)<br />
Disk /dev/sda: 1000GB<br />
Sector size (logical/physical): 512B/4096B<br />
Partition Table: msdos<br />
Disk Flags:<br />
<br />
Number  Start   End     Size    Type     File system  Flags<br />
 1      1049kB  99.6MB  98.6MB  primary  ext4         boot<br />
 2      99.6MB  1000GB  1000GB  primary  ext4</pre><br />
<br />
=== UEFI with GPT disklabel ===<br />
<br />
We will be encrypting the whole disk except for the EFI system partition, which is mounted at <code>/boot/efi</code>. This means that GRUB2 decrypts the LUKS volume and loads the kernel from it, preventing someone with physical access to your computer from installing a rootkit (or bootkit) in your boot partition while the disk is locked. The partitioning scheme will look like this:<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | EFI system partition   | fat32                 |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |<br />
|    |-> /dev/vg0/root      | Root partition         | ext4                  |<br />
|    |-> /dev/vg0/boot      | Boot partition         | ext4                  |<br />
|    |-> /dev/vg0/swap      | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal /dev/sda<br />
(parted) mklabel gpt<br />
(parted) mkpart primary fat32 0% 200M<br />
(parted) name 1 esp<br />
(parted) set 1 esp on<br />
(parted) mkpart primary ext4 200M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
== Optional: Overwrite LUKS Partition with Random Data ==<br />
<br />
This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.<br />
<br />
We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.<br />
<br />
<pre># haveged -n 0 | dd of=/dev/sda2</pre><br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with a 256-bit key and Argon2 hashing with an iter-time of 2000ms), or you could use the following settings, which add security at the cost of a performance decrease that is not noticeable on modern computers:<br />
<br />
Default settings:<br />
<br />
<pre># cryptsetup luksFormat /dev/sda2</pre><br />
<br />
Optimized for security:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre><br />
<br />
If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):<br />
<br />
<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>lvmcrypt</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
=== LV Creation for BIOS/MBR ===<br />
<br />
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
=== LV Creation for UEFI/GPT ===<br />
<br />
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -L 2G vg0 -n boot<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
== Creating and Mounting the File Systems ==<br />
<br />
Format the <code>root</code> LV using the ext4 file system (if you created a <code>boot</code> LV for UEFI, it is formatted together with the boot partition below):<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
Next format your boot partition, create a mount point and mount it:<br />
<br />
* If you're using BIOS and MBR:<br />
<br />
<pre># mkfs.ext4 /dev/sda1<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/sda1 /mnt/boot</pre><br />
<br />
* If you're using UEFI and GPT:<br />
<br />
<pre># apk add dosfstools<br />
# mkfs.fat -F32 /dev/sda1<br />
# mkfs.ext4 /dev/vg0/boot<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/vg0/boot /mnt/boot<br />
# mkdir -v /mnt/boot/efi<br />
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre><br />
<br />
Lastly, activate your swap partition:<br />
<br />
<pre># swapon /dev/vg0/swap</pre><br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages for the base installation. It also creates the entries for the mount points in the new system's {{Path|/etc/fstab}} file; because the new root is mounted at <code>/mnt/</code>, that file is currently {{Path|/mnt/etc/fstab}}.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}<br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
<br />
<pre>features="... cryptsetup"</pre><br />
<br />
If you are using GRUB with an encrypted <code>/boot</code> you should also add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.<br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}<br />
<br />
{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot.}}<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The <code>-c</code> parameter points the command at the <code>mkinitfs.conf</code> file whose settings are used to generate the RAM disk, and <code>-b /mnt/</code> makes it operate on the new root in the <code>/mnt/</code> directory, so the RAM disk is built with the modules of the kernel installed there. Without the kernel version supplied by <code>$(ls /mnt/lib/modules/)</code>, <code>mkinitfs</code> would use the kernel version of the temporary environment, which can differ from the one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
<br />
To get the UUID of the LUKS partition (<code>/dev/sda2</code>) into a file for later use, run:<br />
<br />
<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre><br />
<br />
{{Tip|To insert the UUID into the configuration file you are editing without typing it manually, open that file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}<br />
<br />
=== Syslinux with BIOS ===<br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:<br />
<br />
<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre><br />
<br />
The <code>cryptroot</code> parameter names the device that contains the (LUKS-encrypted) root file system, and the <code>cryptdm</code> parameter sets the name of the device-mapper mapping, i.e. the name you gave the opened container with <code>luksOpen</code> earlier (<code>lvmcrypt</code>).<br />
<br />
Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre># chroot /mnt/<br />
# update-extlinux<br />
# exit</pre><br />
<br />
: If an error occurs in the <code>update-extlinux</code> command you can most likely ignore it.<br />
<br />
Write the MBR to the <code>/dev/sda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre><br />
<br />
=== Grub with UEFI ===<br />
<br />
To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important: the <code>cryptkey</code> feature expects <code>/crypto_keyfile.bin</code> in the new root.<br />
<br />
<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin<br />
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin<br />
</pre><br />
<br />
This keyfile is stored encrypted at rest (it lives inside your LUKS partition), so its existence does not reduce the security of the system. This holds only because <code>/boot</code> is inside the LUKS container as well: the <code>cryptkey</code> feature copies the keyfile into the initramfs, so it must never be combined with an unencrypted <code>/boot</code>. Also restrict the file's permissions so that only root can read it once the system is running; <code>dd</code> creates it world-readable under the default umask.<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre># mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
# mount --rbind /sys /mnt/sys</pre><br />
<br />
Then chroot in and use <code>grub-install</code> to install Grub.<br />
<br />
<pre># chroot /mnt<br />
# source /etc/profile<br />
# export PS1="(chroot) $PS1"</pre><br />
<br />
Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:<br />
<br />
<pre># apk add grub grub-efi efibootmgr<br />
# apk del syslinux</pre><br />
<br />
Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):<br />
<br />
<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.<br />
<br />
To enable GRUB to decrypt LUKS partitions and read LVM volumes add:<br />
<br />
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre><br />
<br />
If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.<br />
<br />
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit</pre><br />
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:<br />
<br />
<pre># cd<br />
# umount -l /mnt/dev<br />
# umount -l /mnt/proc<br />
# umount -l /mnt/sys<br />
# umount /mnt/boot/efi<br />
# umount /mnt/boot<br />
# umount /mnt<br />
# vgchange -a n<br />
# cryptsetup luksClose lvmcrypt<br />
# reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Open the LUKS partition under the same mapping name and activate the LVs:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt<br />
# vgchange -ay</pre><br />
<br />
Then [[#Creating_and_Mounting_the_File_Systems|mount the file systems]].<br />
<br />
Verify that you ran the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.<br />
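The following script, an added example that is not part of the wiki page, performs the verification this section asks for against the new root before you unmount and reboot. It assumes the names used on this page (the <code>lvmcrypt</code> mapping, the <code>vg0</code> volume group, <code>/crypto_keyfile.bin</code> for GRUB, and the UUID file written with <code>blkid</code>) and the <code>stat -c</code> option of busybox and GNU coreutils.<br />

```shell
#!/bin/sh
# Pre-reboot sanity check for the layout on this page (added example, not
# part of the wiki page). Assumes the names used above: the LUKS container
# is opened as lvmcrypt, the volume group is vg0, the new root is mounted
# at /mnt and the keyfile (GRUB only) is /crypto_keyfile.bin. Every function
# takes explicit paths, so it can also be run against a scratch directory.

# Print the value of KEY=value from a kernel command line stored in FILE
# (works for default_kernel_opts="..." and GRUB_CMDLINE_LINUX_DEFAULT="...").
kernel_opt() { # kernel_opt FILE KEY
    tr ' "' '\n\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Succeed if the bare token TOKEN (e.g. cryptkey) is on the command line.
has_kernel_opt() { # has_kernel_opt FILE TOKEN
    tr ' "' '\n\n' < "$1" | grep -qx "$2"
}

# cryptroot= must name the LUKS partition by the UUID saved with blkid.
check_cryptroot() { # check_cryptroot CONF UUID_FILE
    [ "$(kernel_opt "$1" cryptroot)" = "UUID=$(cat "$2")" ]
}

# cryptdm= must be the mapping name the PV was opened under (lvmcrypt).
check_cryptdm() { # check_cryptdm CONF MAPNAME
    [ "$(kernel_opt "$1" cryptdm)" = "$2" ]
}

# Every FEATURE must appear in the features="..." line of mkinitfs.conf.
check_features() { # check_features MKINITFS_CONF FEATURE...
    conf=$1; shift
    list=$(sed -n 's/^features="\(.*\)"/\1/p' "$conf" | tr ' ' '\n')
    for f in "$@"; do
        printf '%s\n' "$list" | grep -qx "$f" || return 1
    done
}

# The keyfile must exist, be the 2048 bytes that dd wrote, and carry no
# group/other permission bits (dd creates it 644 under the default umask).
check_keyfile() { # check_keyfile PATH
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1")" -eq 2048 ] || return 1
    case $(stat -c %a "$1") in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# The swap LV must have an fstab entry whose type field is "swap".
check_fstab_swap() { # check_fstab_swap FSTAB DEVICE
    awk -v d="$2" '$1 == d && $3 == "swap" { found = 1 } END { exit !found }' "$1"
}

# Print PASS/FAIL for one check and count failures in $fails.
report() { # report NAME EXIT_STATUS
    if [ "$2" -eq 0 ]; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

# Run every check against a root tree (e.g. /mnt) and return the number of
# failures, so "verify_install /mnt grub /root/uuid && reboot" is safe.
# LOADER is "grub" (encrypted /boot plus keyfile) or "syslinux".
verify_install() { # verify_install ROOT LOADER UUID_FILE
    root=$1; loader=$2; uuid=$3; fails=0
    if [ "$loader" = grub ]; then
        conf=$root/etc/default/grub; feats="cryptsetup cryptkey"
    else
        conf=$root/etc/update-extlinux.conf; feats="cryptsetup"
    fi
    check_cryptroot "$conf" "$uuid";                          report cryptroot $?
    check_cryptdm "$conf" lvmcrypt;                           report cryptdm $?
    check_features "$root/etc/mkinitfs/mkinitfs.conf" $feats; report features $?
    check_fstab_swap "$root/etc/fstab" /dev/vg0/swap;         report fstab-swap $?
    if [ "$loader" = grub ]; then
        has_kernel_opt "$conf" cryptkey;                      report cryptkey $?
        check_keyfile "$root/crypto_keyfile.bin";             report keyfile $?
    fi
    return "$fails"
}
```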
<br />
== System can't find boot device ==<br />
<br />
This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.<br />
<br />
== Secure boot ==<br />
<br />
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.<br />
<br />
= Hardening =<br />
<br />
* To harden, disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened AES implementation (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]), since cryptsetup with LUKS uses AES by default.<br />
* Disable DMA in the BIOS and set a BIOS password, as described on Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]<br />
* Blacklist kernel modules that use DMA, as well as any unused expansion interfaces (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.<br />
<br />
= Mounting additional encrypted filesystems at boot =<br />
<br />
If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required. For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.<br />
<br />
Create a keyfile and add it to the LUKS partition:<br />
<br />
<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin<br />
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin<br />
</pre><br />
<br />
Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:<br />
<br />
<pre>target=crypt-home<br />
source='/dev/sdb1'<br />
key='/root/crypt-home-keyfile.bin'<br />
</pre><br />
<br />
Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:<br />
<br />
<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre><br />
<br />
Enable the dmcrypt and lvm services to start on boot:<br />
<br />
<pre># rc-update add dmcrypt boot<br />
# rc-update add lvm boot<br />
</pre><br />
<br />
After a reboot the partition should be decrypted and mounted automatically.<br />
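To catch a mistake in these stanzas before rebooting, here is an added example that is not part of the wiki page: it parses <code>/etc/conf.d/dmcrypt</code> in the format shown above and checks each <code>target</code> for a <code>source</code>, a <code>key</code> and a keyfile that exists and is not readable by other users. The optional KEY_ROOT argument is an assumption of this script, not a dmcrypt option, and only plain key paths are handled.<br />

```shell
#!/bin/sh
# Validate the /etc/conf.d/dmcrypt stanzas used above (added example, not
# part of the wiki page): every target= must be followed by source= and
# key=, target names must be unique, and each key file must exist and be
# unreadable by group/others. Only plain key paths are handled, not the
# ":removable" or gpg forms the dmcrypt service also accepts. KEY_ROOT
# (assumed argument, default empty) is prefixed to key paths so the check
# can run from the live system against /mnt or against a scratch directory.

# Strip one pair of surrounding single or double quotes from a value.
unquote() { printf '%s\n' "$1" | sed "s/^['\"]//; s/['\"]\$//"; }

# Record one problem with the current stanza.
problem() { echo "$target: $1"; problems=$((problems + 1)); }

# Judge the stanza collected so far, then reset it.
end_stanza() {
    [ -n "$target" ] || return 0
    [ -n "$src" ] || problem "no source="
    if [ -z "$key" ]; then
        problem "no key= (the dmcrypt service would prompt for a passphrase instead of mounting unattended)"
    elif [ ! -f "$keyroot$key" ]; then
        problem "key file $key missing"
    else
        case $(stat -c %a "$keyroot$key") in
            *00) ;;
            *) problem "key file $key is readable by group/others" ;;
        esac
    fi
    target=''; src=''; key=''
}

# Print one line per problem; the return value is the number of problems.
check_dmcrypt_conf() { # check_dmcrypt_conf CONF [KEY_ROOT]
    conf=$1; keyroot=${2:-}; problems=0; seen=' '
    target=''; src=''; key=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;
            target=*)
                end_stanza
                target=$(unquote "${line#target=}")
                case $seen in
                    *" $target "*) problem "duplicate target" ;;
                esac
                seen="$seen$target "
                ;;
            source=*) src=$(unquote "${line#source=}") ;;
            key=*)    key=$(unquote "${line#key=}") ;;
        esac
    done < "$conf"
    end_stanza
    return "$problems"
}
```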
<br />
= See also =<br />
*[[Bootloaders]]<br />
*[[Alpine setup scripts]]<br />
*[[Installing on GPT LVM]]<br />
*[[Setting up LVM on GPT-labeled disks]]<br />
*[[Setting up disks manually]]<br />
*https://wiki.gentoo.org/wiki/Syslinux<br />
*https://wiki.gentoo.org/wiki/GRUB2<br />
*https://wiki.archlinux.org/index.php/Syslinux<br />
*https://wiki.archlinux.org/index.php/GRUB<br />
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide<br />
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/<br />
*https://wiki.gentoo.org/wiki/Dm-crypt<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=18355LVM on LUKS2020-12-29T12:29:57Z<p>Govynnus: Change umount commands to use only options present without installing util-linux.</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.<br />
<br />
Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.<br />
<br />
== Storage Device Name ==<br />
<br />
To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lspci</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.<br />
<br />
The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.<br />
<br />
Run the scripts in this order:<br />
<br />
<pre># setup-keymap<br />
# setup-hostname<br />
# setup-interfaces<br />
# rc-service networking start</pre><br />
<br />
If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.<br />
<br />
If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>.<br />
<br />
<pre># passwd<br />
# setup-timezone<br />
# rc-update add networking boot<br />
# rc-update add urandom boot<br />
# rc-update add acpid default<br />
# rc-service acpid start</pre><br />
<br />
Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':<br />
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}<br />
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain<br />
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}<br />
<br />
<br />
{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}<br />
<br />
<pre># setup-apkrepos<br />
# apk update<br />
# setup-sshd<br />
# setup-ntp</pre><br />
<br />
Now we will deviate from the install script.<br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}<br />
<br />
<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre><br />
<br />
Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:<br />
<br />
<pre># apk add haveged<br />
# rc-service haveged start</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
=== BIOS/MBR with DOS disklabel ===<br />
<br />
We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI.<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name | Partition purpose | Filesystem type |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1 | Boot partition | ext4 |<br />
| /dev/sda2 | LUKS container | LUKS |<br />
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |<br />
| |-> /dev/vg01/root | Root partition | ext4 |<br />
| |-> /dev/vg01/swap | Swap partition | swap |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel msdos<br />
(parted) mkpart primary ext4 0% 100M<br />
(parted) name 1 boot<br />
(parted) set 1 boot on<br />
(parted) mkpart primary ext4 100M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:<br />
<pre>(parted) print<br />
Model: ATA TOSHIBA ******** (scsi)<br />
Disk /dev/sda: 1000GB<br />
Sector size (logical/physical): 512B/4096B<br />
Partition Table: msdos<br />
Disk Flags:<br />
<br />
Number Start End Size Type File system Flags<br />
1 1049kB 99.6MB 98.6MB primary ext4 boot<br />
2 99.6MB 1000GB 1000GB primary ext4</pre><br />
<br />
=== UEFI with GPT disklabel ===<br />
<br />
We will be encrypting the whole disk but the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not already unlocked. The partitioning scheme will look like this:<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name | Partition purpose | Filesystem type |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1 | EFI system partition | fat32 |<br />
| /dev/sda2 | LUKS container | LUKS |<br />
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |<br />
| |-> /dev/vg01/root | Root partition | ext4 |<br />
| |-> /dev/vg01/boot | Boot partition | ext4 |<br />
| |-> /dev/vg01/swap | Swap partition | swap |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel gpt<br />
(parted) mkpart primary fat32 0% 200M<br />
(parted) name 1 esp<br />
(parted) set 1 esp on<br />
(parted) mkpart primary ext4 200M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
== Optional: Overwrite LUKS Partition with Random Data ==<br />
<br />
This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.<br />
<br />
We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.<br />
<br />
<pre># haveged -n 0 | dd of=/dev/sda2</pre><br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance in modern computers:<br />
<br />
Default settings:<br />
<br />
<pre># cryptsetup luksFormat /dev/sda2</pre><br />
<br />
Optimized for security:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre><br />
<br />
If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):<br />
<br />
<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>lvmcrypt</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
=== LV Creation fro BIOS/MBR ===<br />
<br />
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
=== LV Creation for UEFI/GPT ===<br />
<br />
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -L 2G vg0 -n boot<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
== Creating and Mounting the File Systems ==<br />
<br />
Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
Next format your boot partition, create a mount point and mount it:<br />
<br />
* If you're using BIOS and MBR:<br />
<br />
<pre># mkfs.ext4 /dev/sda1<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/sda1 /mnt/boot</pre><br />
<br />
* If you're using UEFI and GPT:<br />
<br />
<pre># apk add dosfstools<br />
# mkfs.fat -F32 /dev/sda1<br />
# mkfs.ext4 /dev/vg0/boot<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/vg0/boot /mnt/boot<br />
# mkdir -v /mnt/boot/efi<br />
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre><br />
<br />
Lastly, activate your swap partition:<br />
<br />
<pre># swapon /dev/vg0/swap</pre><br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}<br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
<br />
<pre>features="... cryptsetup"</pre><br />
<br />
If you are using GRUB with an encrypted <code>/boot</code> you should also add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.<br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}<br />
<br />
{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot.}}<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
<br />
To get the UUID of your storage device into a file for later use, use this command:<br />
<br />
<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre><br />
<br />
{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}<br />
<br />
=== Syslinux with BIOS ===<br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:<br />
<br />
<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system, and the <code>cryptdm</code> parameter sets the name of the mapping previously set in <code>crypttab</code>.<br />
<br />
Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre># chroot /mnt/<br />
# update-extlinux<br />
# exit</pre><br />
<br />
: If an error occurs in the <code>update-extlinux</code> command you can most likely ignore it.<br />
<br />
Write the MBR to the <code>/dev/sda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre><br />
<br />
=== Grub with UEFI ===<br />
<br />
To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.<br />
<br />
<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin<br />
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin<br />
</pre><br />
<br />
This keyfile is stored encrypted at rest (it is in your LUKS partition), so it's existence does not reduce the security of the system.<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre># mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
# mount --rbind /sys /mnt/sys</pre><br />
<br />
Then chroot in and use <code>grub-install</code> to install Grub.<br />
<br />
<pre># chroot /mnt<br />
# source /etc/profile<br />
# export PS1="(chroot) $PS1"</pre><br />
<br />
Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:<br />
<br />
<pre># apk add grub grub-efi efibootmgr<br />
# apk del syslinux</pre><br />
<br />
Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):<br />
<br />
<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.<br />
<br />
To enable GRUB to decrypt LUKS partitions and read LVM volumes add:<br />
<br />
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre><br />
<br />
If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.<br />
<br />
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit</pre><br />
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:<br />
<br />
<pre># cd<br />
# umount -l /mnt/dev<br />
# umount -l /mnt/proc<br />
# umount -l /mnt/sys<br />
# umount /mnt/boot/efi<br />
# umount /mnt/boot<br />
# umount /mnt<br />
# vgchange -a n<br />
# cryptsetup luksClose lvmcrypt<br />
# reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Setup the LUKS partition and activate the LVs:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt<br />
# vgchange -ay</pre><br />
<br />
[[#Creating_and_Mounting_the_File_Systems|Mount the file systems]]<br />
<br />
Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.<br />
<br />
== System can't find boot device ==<br />
<br />
This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.<br />
<br />
== Secure boot ==<br />
<br />
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.<br />
<br />
= Hardening =<br />
<br />
* LUKS uses AES by default, and while a volume is open its key sits in RAM, where a cold-boot attack can recover it. Implementations that keep the key only in CPU registers, such as TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html], mitigate this; both are out-of-tree kernel patches rather than Alpine packages.<br />
* DMA-capable peripherals can read RAM, including that key, while the machine is unlocked[https://old.iseclab.org/papers/acsac2012dma.pdf][https://en.wikipedia.org/wiki/DMA_attack]. Where the firmware allows it, disable unused DMA-capable ports, enable the IOMMU (the <code>intel_iommu=on</code> or <code>amd_iommu=on</code> kernel options) and set a firmware password so that these settings and the boot order cannot be changed.<br />
* Blacklist the kernel modules of DMA-capable interfaces you do not use (FireWire, CardBus, ExpressCard, Thunderbolt) and unneeded hotplug controllers. Internal PCI Express devices and USB cannot simply be switched off without breaking the system, so rely on the IOMMU for those.<br />
<br />
= See also =<br />
*[[Bootloaders]]<br />
*[[Alpine setup scripts]]<br />
*[[Installing on GPT LVM]]<br />
*[[Setting up LVM on GPT-labeled disks]]<br />
*[[Setting up disks manually]]<br />
*https://wiki.gentoo.org/wiki/Syslinux<br />
*https://wiki.gentoo.org/wiki/GRUB2<br />
*https://wiki.archlinux.org/index.php/Syslinux<br />
*https://wiki.archlinux.org/index.php/GRUB<br />
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide<br />
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=18354LVM on LUKS2020-12-29T12:23:40Z<p>Govynnus: Add instructions to avoid typing decryption password twice with an encrypted /boot</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.<br />
<br />
Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.<br />
<br />
== Storage Device Name ==<br />
<br />
To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.<br />
<br />
The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.<br />
<br />
Run the scripts in this order:<br />
<br />
<pre># setup-keymap<br />
# setup-hostname<br />
# setup-interfaces<br />
# rc-service networking start</pre><br />
<br />
If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.<br />
<br />
If you are using Wi-Fi you may need to run <code>rc-update add wpa_supplicant boot</code>.<br />
<br />
<pre># passwd<br />
# setup-timezone<br />
# rc-update add networking boot<br />
# rc-update add urandom boot<br />
# rc-update add acpid default<br />
# rc-service acpid start</pre><br />
<br />
Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):<br />
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}<br />
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain<br />
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}<br />
<br />
<br />
{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}<br />
<br />
<pre># setup-apkrepos<br />
# apk update<br />
# setup-sshd<br />
# setup-ntp</pre><br />
<br />
Now we will deviate from the install script.<br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}<br />
<br />
<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre><br />
<br />
Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, a userspace random number generator fed by CPU timing jitter that can produce random data faster than <code>/dev/urandom</code> on older kernels:<br />
<br />
<pre># apk add haveged<br />
# rc-service haveged start</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
=== BIOS/MBR with DOS disklabel ===<br />
<br />
We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI.<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | Boot partition         | ext4                  |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
| |-> /dev/mapper/lvmcrypt  | LVM container          | LVM                   |<br />
| |-> /dev/vg0/root         | Root partition         | ext4                  |<br />
| |-> /dev/vg0/swap         | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel msdos<br />
(parted) mkpart primary ext4 0% 100M<br />
(parted) name 1 boot<br />
(parted) set 1 boot on<br />
(parted) mkpart primary ext4 100M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:<br />
<pre>(parted) print<br />
Model: ATA TOSHIBA ******** (scsi)<br />
Disk /dev/sda: 1000GB<br />
Sector size (logical/physical): 512B/4096B<br />
Partition Table: msdos<br />
Disk Flags:<br />
<br />
Number  Start   End     Size    Type     File system  Flags<br />
 1      1049kB  99.6MB  98.6MB  primary  ext4         boot<br />
 2      99.6MB  1000GB  1000GB  primary  ext4</pre><br />
<br />
=== UEFI with GPT disklabel ===<br />
<br />
We will be encrypting the whole disk except the EFI system partition mounted at <code>/boot/efi</code>. GRUB2 itself lives on that partition, unlocks the LUKS volume and loads the kernel and initramfs from the encrypted <code>/boot</code>, so someone with physical access cannot simply plant a modified kernel or initramfs (a bootkit) in <code>/boot</code> while the machine is locked. Note the limit of this protection: the GRUB binary on the ESP is still unencrypted and, unless Secure Boot is enabled with a signed GRUB (see [[#Secure_boot|Secure boot]]), unauthenticated, so a tampered bootloader remains possible. The partitioning scheme will look like this:<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | EFI system partition   | fat32                 |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
| |-> /dev/mapper/lvmcrypt  | LVM container          | LVM                   |<br />
| |-> /dev/vg0/root         | Root partition         | ext4                  |<br />
| |-> /dev/vg0/boot         | Boot partition         | ext4                  |<br />
| |-> /dev/vg0/swap         | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel gpt<br />
(parted) mkpart primary fat32 0% 200M<br />
(parted) name 1 esp<br />
(parted) set 1 esp on<br />
(parted) mkpart primary ext4 200M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
== Optional: Overwrite LUKS Partition with Random Data ==<br />
<br />
This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.<br />
<br />
The quality of the randomness matters little here: the only requirement is that the overwritten area is indistinguishable from the encrypted data that will later be written on top of it, so a fast generator is preferable to a slow one. <code>haveged -n 0</code> writes unlimited random data to stdout and can be faster than <code>/dev/urandom</code> on older kernels; use a large block size so that <code>dd</code> does not issue 512-byte writes:<br />
<br />
<pre># haveged -n 0 | dd of=/dev/sda2 bs=4M</pre><br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition which will later contain the LVM PV, you can either use the cryptsetup defaults (the aes-xts-plain64 cipher; in LUKS2 format a 512-bit key, which is AES-256 in XTS mode, and Argon2 as the passphrase KDF with a 2000 ms iteration time) or choose the settings yourself. The second command below uses Serpent instead of AES, a 512-bit key, Whirlpool as the hash and a 5000 ms iteration time. The longer iteration time only slows down unlocking and offline passphrase guessing; Serpent, however, has no hardware acceleration comparable to AES-NI, so on most modern CPUs it noticeably reduces disk throughput and is not automatically "more secure" than AES-256.<br />
<br />
Default settings:<br />
<br />
<pre># cryptsetup luksFormat /dev/sda2</pre><br />
<br />
Alternative settings (Serpent, 512-bit key, Whirlpool, longer iteration time):<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre><br />
<br />
If using at least Alpine v3.11 and GRUB2 with encrypted /boot, format as LUKS1 instead, because GRUB2 cannot open LUKS2 containers (newer GRUB releases can, but only key slots that use PBKDF2, not the Argon2 default). Note that for LUKS1 cryptsetup's default key size is 256 bits, which in XTS mode means AES-128; add <code>-s 512</code> to get AES-256:<br />
<br />
<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>lvmcrypt</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
=== LV Creation for BIOS/MBR ===<br />
<br />
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
=== LV Creation for UEFI/GPT ===<br />
<br />
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -L 2G vg0 -n boot<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
== Creating and Mounting the File Systems ==<br />
<br />
Format the <code>root</code> LV using the ext4 file system:<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
Next format your boot partition, create a mount point and mount it:<br />
<br />
* If you're using BIOS and MBR:<br />
<br />
<pre># mkfs.ext4 /dev/sda1<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/sda1 /mnt/boot</pre><br />
<br />
* If you're using UEFI and GPT:<br />
<br />
<pre># apk add dosfstools<br />
# mkfs.fat -F32 /dev/sda1<br />
# mkfs.ext4 /dev/vg0/boot<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/vg0/boot /mnt/boot<br />
# mkdir -v /mnt/boot/efi<br />
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre><br />
<br />
Lastly, activate your swap partition:<br />
<br />
<pre># swapon /dev/vg0/swap</pre><br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}<br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
<br />
<pre>features="... cryptsetup"</pre><br />
<br />
If you are using GRUB with an encrypted <code>/boot</code>, also add the <code>cryptkey</code> feature so that the initramfs unlocks the volume with the keyfile at boot. This feature copies <code>/crypto_keyfile.bin</code> into the initramfs, so never enable it with the Syslinux layout, where <code>/boot</code> is unencrypted: the key would then be stored in plaintext on the disk.<br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}<br />
<br />
{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot.}}<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/)</code> option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
<br />
To get the UUID of your storage device into a file for later use, use this command:<br />
<br />
<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre><br />
<br />
{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}<br />
<br />
=== Syslinux with BIOS ===<br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:<br />
<br />
<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre><br />
<br />
The <code>cryptroot</code> parameter identifies the LUKS device that contains the root file system, and the <code>cryptdm</code> parameter the device-mapper name it is opened under (<code>lvmcrypt</code>, the same name used with <code>luksOpen</code> above; Alpine's initramfs does not read <code>/etc/crypttab</code>).<br />
<br />
Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre># chroot /mnt/<br />
# update-extlinux<br />
# exit</pre><br />
<br />
: If <code>update-extlinux</code> prints an error you can most likely ignore it. What matters is that {{Path|/boot/extlinux.conf}} inside the chroot now contains the <code>cryptroot=</code> and <code>cryptdm=</code> options; check it before continuing.<br />
<br />
Write the MBR to the <code>/dev/sda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre><br />
<br />
=== Grub with UEFI ===<br />
<br />
To avoid having to type your decryption password twice every boot (once for GRUB and once for the Alpine initramfs), add a keyfile to your LUKS partition. The file name matters: the <code>cryptkey</code> boot option and mkinitfs feature used below look for <code>/crypto_keyfile.bin</code> on the root file system.<br />
<br />
<pre># dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin<br />
# chmod 0400 /mnt/crypto_keyfile.bin<br />
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin</pre><br />
<br />
This keyfile is stored encrypted at rest (it lives inside the LUKS container), so its existence does not weaken the encryption of the disk. It is still a key that unlocks the volume without a passphrase, so treat it accordingly: it must be readable only by root (<code>chmod 0400</code>), the <code>cryptkey</code> mkinitfs feature copies it into the initramfs, which is only safe while <code>/boot</code> stays encrypted, and any backup or image of the root file system that includes it can unlock the disk. If it is ever exposed, remove its key slot with <code>cryptsetup luksRemoveKey</code> (or <code>luksKillSlot</code>) and generate a new one.<br />
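The following is an added example (not part of this wiki page or of Alpine's own scripts) covering the keyfile steps of this section and of the identical section in the newer revision above: it creates the keyfile so that it is never world-readable, checks the file afterwards, and counts the enabled key slots in <code>cryptsetup luksDump</code> output so you can confirm that exactly two slots exist (passphrase and keyfile) and that the file was not added more than once. The paths <code>/mnt/crypto_keyfile.bin</code> and <code>/dev/sda2</code> come from the guide; the function names and the sample header dump are this example's own.<br />

```shell
#!/bin/sh
# Added example, not from the Alpine wiki or Alpine's own scripts.
# Creates the LUKS keyfile with root-only permissions and verifies the
# result, both on the file and on the LUKS header (cryptsetup luksDump).
# /mnt/crypto_keyfile.bin and /dev/sda2 are the names used in the guide;
# the function names and the sample header dump are this example's own.

# make_keyfile PATH: 2048 random bytes (as in the guide: 4 x 512), created
# under umask 077 so the file is never world-readable, then locked to 0400.
make_keyfile() {
    path=$1
    ( umask 077 && dd if=/dev/urandom of="$path" bs=512 count=4 2>/dev/null ) || return 1
    chmod 0400 "$path"
}

# check_keyfile PATH: succeed only if the file is exactly 2048 bytes and has
# no group/other permission bits (ls -l shows -r-------- or -rw-------).
check_keyfile() {
    path=$1
    [ -f "$path" ] || return 1
    [ "$(wc -c < "$path")" -eq 2048 ] || return 1
    set -- $(ls -l "$path")
    case $1 in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# enabled_keyslots: read `cryptsetup luksDump` output on stdin and print the
# number of enabled key slots. Understands the LUKS1 format
# ("Key Slot N: ENABLED") and the LUKS2 format ("Keyslots:" followed by
# "  N: luks2" lines). After luksAddKey this should be exactly 2.
enabled_keyslots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { n++ }      # LUKS1
        /^Keyslots:/ { in_slots = 1; next }      # LUKS2: start of slot section
        in_slots && /^[A-Za-z]/ { in_slots = 0 } # next top-level section
        in_slots && /^  [0-9]+: luks2/ { n++ }
        END { print n + 0 }
    '
}

# Constructed LUKS1 header dump (not captured from a real device): slot 0 is
# the passphrase, slot 1 the keyfile, the remaining slots are unused.
sample_luks1_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Key Slot 0: ENABLED
    Iterations:     1500000
Key Slot 1: ENABLED
    Iterations:     1500000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
EOF
}

# Real use, as root, after the LUKS device has been formatted and opened:
#   make_keyfile /mnt/crypto_keyfile.bin
#   cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
#   check_keyfile /mnt/crypto_keyfile.bin &&
#       [ "$(cryptsetup luksDump /dev/sda2 | enabled_keyslots)" -eq 2 ]
```

A slot count other than two means either the keyfile was added twice (each <code>luksAddKey</code> run consumes a slot) or an old key is still present; remove the surplus slot with <code>cryptsetup luksKillSlot</code> before relying on the header.<br />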
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre># mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
# mount --rbind /sys /mnt/sys</pre><br />
<br />
Then chroot in and use <code>grub-install</code> to install Grub.<br />
<br />
<pre># chroot /mnt<br />
# source /etc/profile<br />
# export PS1="(chroot) $PS1"</pre><br />
<br />
Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:<br />
<br />
<pre># apk add grub grub-efi efibootmgr<br />
# apk del syslinux</pre><br />
<br />
Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):<br />
<br />
<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre><br />
<br />
The <code>cryptroot</code> parameter identifies the LUKS device to unlock (the one containing the root LV) and <code>cryptdm</code> the device-mapper name to open it under (<code>lvmcrypt</code>, matching the <code>luksOpen</code> step). The <code>cryptkey</code> parameter tells the initramfs to unlock it with the file <code>/crypto_keyfile.bin</code> you created previously instead of prompting for the passphrase.<br />
<br />
To enable GRUB to decrypt LUKS partitions and read LVM volumes add:<br />
<br />
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre><br />
<br />
If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.<br />
<br />
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit</pre><br />
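As an added example (not from this wiki page or from the Alpine or GRUB projects), the script below performs the configuration edits of this guide idempotently and checks them: the <code>features</code> list in <code>/etc/mkinitfs/mkinitfs.conf</code> (Installing Alpine Linux section), the <code>default_kernel_opts</code> list in <code>/etc/update-extlinux.conf</code> (Syslinux with BIOS section) and the <code>GRUB_CMDLINE_LINUX_DEFAULT</code>, <code>GRUB_PRELOAD_MODULES</code> and <code>GRUB_ENABLE_CRYPTODISK</code> settings of this section (identical in the newer revision above). Because it only adds options that are missing, it can be re-run from the troubleshooting procedure without duplicating anything. The file and variable names are the real ones used by Alpine and GRUB; the function names and the UUID in the usage comments are this example's own assumptions.<br />

```shell
#!/bin/sh
# Added example, not from the Alpine wiki or the Alpine/GRUB projects.
# Makes the configuration edits of this guide idempotently and checks them.
# The file and variable names are the real ones (/etc/mkinitfs/mkinitfs.conf,
# /etc/update-extlinux.conf, /etc/default/grub); the function names and the
# UUID in the usage comments are this example's own assumptions.

# add_to_list_var FILE NAME ITEM...: append every ITEM that is not already in
# the double-quoted, space-separated list NAME="..." (the line is created if
# absent). Items already present are left alone, so re-running is harmless.
add_to_list_var() {
    file=$1 name=$2; shift 2
    current=$(sed -n "s/^${name}=\"\(.*\)\"\$/\1/p" "$file")
    for item in "$@"; do
        case " $current " in
            *" $item "*) ;;
            *) current="${current:+$current }$item" ;;
        esac
    done
    if grep -q "^${name}=" "$file"; then
        sed "s|^${name}=.*|${name}=\"${current}\"|" "$file" > "$file.tmp"
    else
        { cat "$file"; printf '%s="%s"\n' "$name" "$current"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# set_var FILE NAME VALUE: set NAME=VALUE, replacing an existing (possibly
# commented-out) line or appending one.
set_var() {
    file=$1 name=$2 value=$3
    if grep -q "^#*${name}=" "$file"; then
        sed "s|^#*${name}=.*|${name}=${value}|" "$file" > "$file.tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$name" "$value"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# configure_grub FILE UUID [MAPPER]: the kernel options and cryptodisk
# settings for an encrypted /boot from the "Grub with UEFI" section.
configure_grub() {
    grubfile=$1 uuid=$2 mapper=${3:-lvmcrypt}
    add_to_list_var "$grubfile" GRUB_CMDLINE_LINUX_DEFAULT \
        "cryptroot=UUID=$uuid" "cryptdm=$mapper" cryptkey
    add_to_list_var "$grubfile" GRUB_PRELOAD_MODULES luks cryptodisk part_gpt lvm
    set_var "$grubfile" GRUB_ENABLE_CRYPTODISK y
}

# check_grub FILE: succeed only if everything GRUB needs to unlock LUKS is
# there and the UUID is a real 36-character one, not the <UUID> placeholder.
check_grub() {
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*cryptroot=UUID=[0-9a-fA-F-]\{36\}.*cryptdm=' "$1" || return 1
    grep -q '^GRUB_PRELOAD_MODULES=.*cryptodisk' "$1" || return 1
    grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$1"
}

# Usage inside the chroot, as root (cryptkey only with an encrypted /boot):
#   add_to_list_var /etc/mkinitfs/mkinitfs.conf features cryptsetup cryptkey keymap
#   add_to_list_var /etc/update-extlinux.conf default_kernel_opts \
#       "cryptroot=UUID=$(blkid -s UUID -o value /dev/sda2)" cryptdm=lvmcrypt
#   configure_grub /etc/default/grub "$(blkid -s UUID -o value /dev/sda2)"
#   check_grub /etc/default/grub && grub-mkconfig -o /boot/grub/grub.cfg
```

Running <code>check_grub</code> before <code>grub-mkconfig</code> catches the two mistakes that otherwise only show up as an unbootable system: a forgotten <code>GRUB_ENABLE_CRYPTODISK=y</code> (GRUB then cannot even see the encrypted <code>/boot</code>) and the literal <code><UUID></code> placeholder left in the kernel options.<br />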
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Unmount the <code>/mnt/</code> partitions (in reverse order of mounting; skip the <code>/mnt/boot/efi</code> line for the BIOS layout), deactivate the LVM volumes, close the LUKS partition and reboot:<br />
<br />
<pre># cd<br />
# umount -l /mnt/dev<br />
# umount -l /mnt/proc<br />
# umount -l /mnt/sys<br />
# umount /mnt/boot/efi<br />
# umount /mnt/boot<br />
# umount /mnt<br />
# vgchange -a n<br />
# cryptsetup luksClose lvmcrypt<br />
# reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Setup the LUKS partition and activate the LVs:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt<br />
# vgchange -ay</pre><br />
<br />
[[#Creating_and_Mounting_the_File_Systems|Mount the file systems]]<br />
<br />
Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.<br />
<br />
== System can't find boot device ==<br />
<br />
This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.<br />
<br />
== Secure boot ==<br />
<br />
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.<br />
<br />
= Hardening =<br />
<br />
* LUKS uses AES by default, and while a volume is open its key sits in RAM, where a cold-boot attack can recover it. Implementations that keep the key only in CPU registers, such as TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html], mitigate this; both are out-of-tree kernel patches rather than Alpine packages.<br />
* DMA-capable peripherals can read RAM, including that key, while the machine is unlocked[https://old.iseclab.org/papers/acsac2012dma.pdf][https://en.wikipedia.org/wiki/DMA_attack]. Where the firmware allows it, disable unused DMA-capable ports, enable the IOMMU (the <code>intel_iommu=on</code> or <code>amd_iommu=on</code> kernel options) and set a firmware password so that these settings and the boot order cannot be changed.<br />
* Blacklist the kernel modules of DMA-capable interfaces you do not use (FireWire, CardBus, ExpressCard, Thunderbolt) and unneeded hotplug controllers. Internal PCI Express devices and USB cannot simply be switched off without breaking the system, so rely on the IOMMU for those.<br />
<br />
= See also =<br />
*[[Bootloaders]]<br />
*[[Alpine setup scripts]]<br />
*[[Installing on GPT LVM]]<br />
*[[Setting up LVM on GPT-labeled disks]]<br />
*[[Setting up disks manually]]<br />
*https://wiki.gentoo.org/wiki/Syslinux<br />
*https://wiki.gentoo.org/wiki/GRUB2<br />
*https://wiki.archlinux.org/index.php/Syslinux<br />
*https://wiki.archlinux.org/index.php/GRUB<br />
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide<br />
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=18353LVM on LUKS2020-12-29T11:51:48Z<p>Govynnus: Remove reference to /etc/crypttab (alpine does not use it), and move UUID section to where it is needed.</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.<br />
<br />
Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.<br />
<br />
== Storage Device Name ==<br />
<br />
To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.<br />
<br />
The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.<br />
<br />
Run the scripts in this order:<br />
<br />
<pre># setup-keymap<br />
# setup-hostname<br />
# setup-interfaces<br />
# rc-service networking start</pre><br />
<br />
If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.<br />
<br />
If you are using Wi-Fi you may need to run <code>rc-update add wpa_supplicant boot</code>.<br />
<br />
<pre># passwd<br />
# setup-timezone<br />
# rc-update add networking boot<br />
# rc-update add urandom boot<br />
# rc-update add acpid default<br />
# rc-service acpid start</pre><br />
<br />
Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):<br />
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}<br />
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain<br />
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}<br />
<br />
<br />
{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}<br />
<br />
<pre># setup-apkrepos<br />
# apk update<br />
# setup-sshd<br />
# setup-ntp</pre><br />
<br />
Now we will deviate from the install script.<br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}<br />
<br />
<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre><br />
<br />
Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, a userspace random number generator fed by CPU timing jitter that can produce random data faster than <code>/dev/urandom</code> on older kernels:<br />
<br />
<pre># apk add haveged<br />
# rc-service haveged start</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
=== BIOS/MBR with DOS disklabel ===<br />
<br />
We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI.<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | Boot partition         | ext4                  |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
| |-> /dev/mapper/lvmcrypt  | LVM container          | LVM                   |<br />
| |-> /dev/vg0/root         | Root partition         | ext4                  |<br />
| |-> /dev/vg0/swap         | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel msdos<br />
(parted) mkpart primary ext4 0% 100M<br />
(parted) name 1 boot<br />
(parted) set 1 boot on<br />
(parted) mkpart primary ext4 100M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:<br />
<pre>(parted) print<br />
Model: ATA TOSHIBA ******** (scsi)<br />
Disk /dev/sda: 1000GB<br />
Sector size (logical/physical): 512B/4096B<br />
Partition Table: msdos<br />
Disk Flags:<br />
<br />
Number  Start   End     Size    Type     File system  Flags<br />
 1      1049kB  99.6MB  98.6MB  primary  ext4         boot<br />
 2      99.6MB  1000GB  1000GB  primary  ext4</pre><br />
<br />
=== UEFI with GPT disklabel ===<br />
<br />
We will be encrypting the whole disk except the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while the disk is still locked. The partitioning scheme will look like this:<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | EFI system partition   | fat32                 |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |<br />
|  |-> /dev/vg0/root        | Root partition         | ext4                  |<br />
|  |-> /dev/vg0/boot        | Boot partition         | ext4                  |<br />
|  |-> /dev/vg0/swap        | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel gpt<br />
(parted) mkpart primary fat32 0% 200M<br />
(parted) name 1 esp<br />
(parted) set 1 esp on<br />
(parted) mkpart primary ext4 200M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
== Optional: Overwrite LUKS Partition with Random Data ==<br />
<br />
This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.<br />
<br />
We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (its throughput is almost as high as that of <code>/dev/zero</code>), and its output is (supposedly) very close to truly random.<br />
<br />
<pre># haveged -n 0 | dd of=/dev/sda2</pre><br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition which will later contain the LVM PV, you could either use the default settings (the aes-xts-plain64 cipher with a 256-bit key and Argon2 key derivation with a 2000 ms iteration time), or you could use the following settings, which add security at the cost of a barely noticeable decrease in performance on modern computers:<br />
<br />
Default settings:<br />
<br />
<pre># cryptsetup luksFormat /dev/sda2</pre><br />
<br />
Optimized for security:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre><br />
<br />
If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):<br />
<br />
<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>lvmcrypt</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
=== LV Creation for BIOS/MBR ===<br />
<br />
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size given to <code>lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
=== LV Creation for UEFI/GPT ===<br />
<br />
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size given to <code>lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -L 2G vg0 -n boot<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
== Creating and Mounting the File Systems ==<br />
<br />
Format the <code>root</code> LV using the ext4 file system (the <code>boot</code> LV of the UEFI layout is formatted below, together with the EFI system partition):<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
Next format your boot partition, create a mount point and mount it:<br />
<br />
* If you're using BIOS and MBR:<br />
<br />
<pre># mkfs.ext4 /dev/sda1<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/sda1 /mnt/boot</pre><br />
<br />
* If you're using UEFI and GPT:<br />
<br />
<pre># apk add dosfstools<br />
# mkfs.fat -F32 /dev/sda1<br />
# mkfs.ext4 /dev/vg0/boot<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/vg0/boot /mnt/boot<br />
# mkdir -v /mnt/boot/efi<br />
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre><br />
<br />
Lastly, activate your swap partition:<br />
<br />
<pre># swapon /dev/vg0/swap</pre><br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the {{Path|/etc/fstab}} file of the new system, which is currently mounted under the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}<br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> feature to the <code>features</code> parameter:<br />
<br />
<pre>features="... cryptsetup"</pre><br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}<br />
<br />
{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot.}}<br />
<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file given with the <code>-c</code> parameter to generate the RAM disk. The <code>-b /mnt/</code> parameter makes it operate on the <code>/mnt/</code> directory as its base, so the RAM disk is generated using the modules of the kernel installed there. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/)</code> argument, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version of the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
<br />
To get the UUID of the LUKS partition (<code>/dev/sda2</code>) into a file for later use, use this command:<br />
<br />
<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre><br />
<br />
{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}<br />
<br />
=== Syslinux with BIOS ===<br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:<br />
<br />
<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre><br />
<br />
The <code>cryptroot</code> parameter identifies the encrypted device that contains the root file system (here, through the LVM volume group inside it), and the <code>cryptdm</code> parameter sets the name of the device-mapper mapping the initramfs creates when it unlocks that device; use the same name (<code>lvmcrypt</code>) that you passed to <code>luksOpen</code> earlier.<br />
<br />
Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre># chroot /mnt/<br />
# update-extlinux<br />
# exit</pre><br />
<br />
: If an error occurs in the <code>update-extlinux</code> command you can most likely ignore it.<br />
<br />
Write the MBR to the <code>/dev/sda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre><br />
<br />
=== Grub with UEFI ===<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre># mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
# mount --rbind /sys /mnt/sys</pre><br />
<br />
Then chroot in and use <code>grub-install</code> to install Grub.<br />
<br />
<pre># chroot /mnt<br />
# source /etc/profile<br />
# export PS1="(chroot) $PS1"</pre><br />
<br />
Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:<br />
<br />
<pre># apk add grub grub-efi efibootmgr<br />
# apk del syslinux</pre><br />
<br />
Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):<br />
<br />
<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt</pre><br />
<br />
The <code>cryptroot</code> parameter identifies the encrypted device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the device-mapper mapping the initramfs creates when it unlocks that device; use the same name (<code>lvmcrypt</code>) that you passed to <code>luksOpen</code> earlier.<br />
<br />
If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.<br />
<br />
<pre>(chroot) # grub-install --target=x86_64-efi --efi-directory=/boot/efi<br />
(chroot) # grub-mkconfig -o /boot/grub/grub.cfg<br />
(chroot) # exit</pre><br />
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Unmount the <code>/mnt/</code> partitions and reboot:<br />
<br />
<pre># cd<br />
# umount -ql /mnt/dev<br />
# umount -R /mnt<br />
# reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Open the LUKS partition (using the same mapping name as during installation) and activate the LVs:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt<br />
# vgchange -ay</pre><br />
<br />
[[#Creating_and_Mounting_the_File_Systems|Mount the file systems]].<br />
<br />
Verify that you ran the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.<br />
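As an added example (not part of this wiki page or of Alpine's own tooling), the following POSIX shell script performs the consistency checks this procedure asks for before you reboot: it extracts <code>cryptroot=UUID=</code> and <code>cryptdm=</code> from the bootloader configuration, compares them with the UUID reported by <code>blkid</code> and with the mapping name used with <code>luksOpen</code>, and confirms that <code>features=</code> in <code>mkinitfs.conf</code> lists <code>cryptsetup</code>. The sample UUID and the sample configuration files it runs against are constructed for demonstration; the function names are the example's own.<br />
<br />
```shell
#!/bin/sh
# Pre-reboot consistency check for the LVM-on-LUKS layout in this guide.
# Added example, not part of the Alpine wiki page or of Alpine's own tooling.
# Usage on a real install, with the target still mounted under /mnt:
#   check_install /mnt/etc/update-extlinux.conf /mnt/etc/mkinitfs/mkinitfs.conf \
#                 "$(cat ~/uuid)" lvmcrypt
# (pass /mnt/etc/default/grub instead of update-extlinux.conf for GRUB).

# Print the UUID from the first cryptroot=UUID=... found in a bootloader config
# (default_kernel_opts in update-extlinux.conf or GRUB_CMDLINE_LINUX_DEFAULT
# in /etc/default/grub). Prints nothing if the option is missing.
cfg_cryptroot_uuid() {
    sed -n 's/.*cryptroot=UUID=\([0-9A-Fa-f-]*\).*/\1/p' "$1" | head -n 1
}

# Print the mapping name from the first cryptdm=... in the same file.
cfg_cryptdm() {
    sed -n 's/.*cryptdm=\([^ "]*\).*/\1/p' "$1" | head -n 1
}

# Succeed when the features="..." line in mkinitfs.conf ($1) lists feature $2.
mkinitfs_has_feature() {
    sed -n 's/^features="\(.*\)"/\1/p' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# $1 bootloader config, $2 mkinitfs.conf, $3 UUID from blkid, $4 mapping name.
# Returns 0 when all three checks pass, 1 otherwise, naming each mismatch.
check_install() {
    rc=0
    got_uuid=$(cfg_cryptroot_uuid "$1")
    if [ "$got_uuid" != "$3" ]; then
        echo "cryptroot UUID '$got_uuid' does not match blkid UUID '$3'"
        rc=1
    fi
    got_dm=$(cfg_cryptdm "$1")
    if [ "$got_dm" != "$4" ]; then
        echo "cryptdm '$got_dm' does not match the luksOpen mapping name '$4'"
        rc=1
    fi
    if ! mkinitfs_has_feature "$2" cryptsetup; then
        echo "features= in $2 lacks cryptsetup: the initramfs could not unlock the disk"
        rc=1
    fi
    return "$rc"
}

# --- Constructed sample files (not real output from any machine) -------------
tmp=$(mktemp -d)
# Made-up value standing in for what `blkid -s UUID -o value /dev/sda2` prints.
SAMPLE_UUID="0b1f3c2e-5a6d-4e7f-8a9b-0c1d2e3f4a5b"
GOOD_BOOT="$tmp/update-extlinux.conf"
GOOD_GRUB="$tmp/grub"
GOOD_INITFS="$tmp/mkinitfs.conf"
BAD_BOOT="$tmp/update-extlinux-typo.conf"
BAD_INITFS="$tmp/mkinitfs-missing.conf"
printf 'default_kernel_opts="quiet cryptroot=UUID=%s cryptdm=lvmcrypt"\n' \
    "$SAMPLE_UUID" > "$GOOD_BOOT"
printf 'GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=UUID=%s cryptdm=lvmcrypt"\nGRUB_ENABLE_CRYPTODISK=y\n' \
    "$SAMPLE_UUID" > "$GOOD_GRUB"
printf 'features="ata base ide scsi usb virtio ext4 cryptsetup"\n' > "$GOOD_INITFS"
# Last hex digit of the UUID mistyped, as happens when it is copied by hand.
printf 'default_kernel_opts="quiet cryptroot=UUID=%s cryptdm=lvmcrypt"\n' \
    "0b1f3c2e-5a6d-4e7f-8a9b-0c1d2e3f4a5c" > "$BAD_BOOT"
# The cryptsetup feature was never appended.
printf 'features="ata base ide scsi usb virtio ext4"\n' > "$BAD_INITFS"

echo "== constructed good configuration =="
check_install "$GOOD_BOOT" "$GOOD_INITFS" "$SAMPLE_UUID" lvmcrypt && echo "OK: consistent"
echo "== constructed broken configuration =="
check_install "$BAD_BOOT" "$BAD_INITFS" "$SAMPLE_UUID" lvmcrypt || echo "FAIL: fix before rebooting"
```
<br />
The script only reads the files you name, so it is safe to run against the mounted target before the final <code>umount</code> and <code>reboot</code>.<br />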
<br />
== System can't find boot device ==<br />
<br />
This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.<br />
<br />
== Secure boot ==<br />
<br />
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.<br />
<br />
= Hardening =<br />
<br />
* To harden, disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened AES implementation (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]), since cryptsetup with LUKS uses AES by default.<br />
* Disable DMA in the BIOS and set a BIOS password, as described in Wikipedia's article on DMA attacks.[https://en.wikipedia.org/wiki/DMA_attack]<br />
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.<br />
<br />
= See also =<br />
*[[Bootloaders]]<br />
*[[Alpine setup scripts]]<br />
*[[Installing on GPT LVM]]<br />
*[[Setting up LVM on GPT-labeled disks]]<br />
*[[Setting up disks manually]]<br />
*https://wiki.gentoo.org/wiki/Syslinux<br />
*https://wiki.gentoo.org/wiki/GRUB2<br />
*https://wiki.archlinux.org/index.php/Syslinux<br />
*https://wiki.archlinux.org/index.php/GRUB<br />
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Govynnushttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=18352LVM on LUKS2020-12-29T11:21:44Z<p>Govynnus: Add note about starting wpa_supplicant on boot for Wi-Fi users.</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.<br />
<br />
Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.<br />
<br />
== Storage Device Name ==<br />
<br />
To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.<br />
<br />
The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.<br />
<br />
Run the scripts in this order:<br />
<br />
<pre># setup-keymap<br />
# setup-hostname<br />
# setup-interfaces<br />
# rc-service networking start</pre><br />
<br />
If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.<br />
<br />
If you are using Wi-Fi you may need to run <code>rc-update add wpa_supplicant boot</code>.<br />
<br />
<pre># passwd<br />
# setup-timezone<br />
# rc-update add networking boot<br />
# rc-update add urandom boot<br />
# rc-update add acpid default<br />
# rc-service acpid start</pre><br />
<br />
Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):<br />
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}<br />
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain<br />
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}<br />
<br />
<br />
{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}<br />
<br />
<pre># setup-apkrepos<br />
# apk update<br />
# setup-sshd<br />
# setup-ntp</pre><br />
<br />
Now we will deviate from the install script.<br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality.}}<br />
<br />
<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre><br />
<br />
Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:<br />
<br />
<pre># apk add haveged<br />
# rc-service haveged start</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
=== BIOS/MBR with DOS disklabel ===<br />
<br />
We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI.<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | Boot partition         | ext4                  |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |<br />
|  |-> /dev/vg0/root        | Root partition         | ext4                  |<br />
|  |-> /dev/vg0/swap        | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel msdos<br />
(parted) mkpart primary ext4 0% 100M<br />
(parted) name 1 boot<br />
(parted) set 1 boot on<br />
(parted) mkpart primary ext4 100M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:<br />
<pre>(parted) print<br />
Model: ATA TOSHIBA ******** (scsi)<br />
Disk /dev/sda: 1000GB<br />
Sector size (logical/physical): 512B/4096B<br />
Partition Table: msdos<br />
Disk Flags:<br />
<br />
Number  Start   End     Size    Type     File system  Flags<br />
 1      1049kB  99.6MB  98.6MB  primary  ext4         boot<br />
 2      99.6MB  1000GB  1000GB  primary  ext4</pre><br />
<br />
=== UEFI with GPT disklabel ===<br />
<br />
We will be encrypting the whole disk except the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while the disk is still locked. The partitioning scheme will look like this:<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name            | Partition purpose      | Filesystem type       |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1                 | EFI system partition   | fat32                 |<br />
| /dev/sda2                 | LUKS container         | LUKS                  |<br />
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |<br />
|  |-> /dev/vg0/root        | Root partition         | ext4                  |<br />
|  |-> /dev/vg0/boot        | Boot partition         | ext4                  |<br />
|  |-> /dev/vg0/swap        | Swap partition         | swap                  |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel gpt<br />
(parted) mkpart primary fat32 0% 200M<br />
(parted) name 1 esp<br />
(parted) set 1 esp on<br />
(parted) mkpart primary ext4 200M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
== Optional: Overwrite LUKS Partition with Random Data ==<br />
<br />
This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.<br />
<br />
We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (its throughput is almost as high as that of <code>/dev/zero</code>), and its output is (supposedly) very close to truly random.<br />
<br />
<pre># haveged -n 0 | dd of=/dev/sda2</pre><br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition which will later contain the LVM PV, you could either use the default settings (the aes-xts-plain64 cipher with a 256-bit key and Argon2 key derivation with a 2000 ms iteration time), or you could use the following settings, which add security at the cost of a barely noticeable decrease in performance on modern computers:<br />
<br />
Default settings:<br />
<br />
<pre># cryptsetup luksFormat /dev/sda2</pre><br />
<br />
Optimized for security:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre><br />
<br />
If using at least Alpine v3.11 and GRUB2 with encrypted /boot, the following should be used instead (because GRUB2 does not yet support LUKS2 containers):<br />
<br />
<pre># cryptsetup luksFormat --type luks1 /dev/sda2</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>lvmcrypt</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
=== LV Creation for BIOS/MBR ===<br />
<br />
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size given to <code>lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
=== LV Creation for UEFI/GPT ===<br />
<br />
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size given to <code>lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -L 2G vg0 -n boot<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
== Creating and Mounting the File Systems ==<br />
<br />
Format the <code>root</code> LV using the ext4 file system (the <code>boot</code> LV of the UEFI layout is formatted below, together with the EFI system partition):<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
Next format your boot partition, create a mount point and mount it:<br />
<br />
* If you're using BIOS and MBR:<br />
<br />
<pre># mkfs.ext4 /dev/sda1<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/sda1 /mnt/boot</pre><br />
<br />
* If you're using UEFI and GPT:<br />
<br />
<pre># apk add dosfstools<br />
# mkfs.fat -F32 /dev/sda1<br />
# mkfs.ext4 /dev/vg0/boot<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/vg0/boot /mnt/boot<br />
# mkdir -v /mnt/boot/efi<br />
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre><br />
<br />
Lastly, activate your swap partition:<br />
<br />
<pre># swapon /dev/vg0/swap</pre><br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the {{Path|/etc/fstab}} file of the new system, which is currently mounted under the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}<br />
<br />
To get the UUID of the LUKS partition (<code>/dev/sda2</code>) into a file for later use, use this command:<br />
<br />
<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre><br />
<br />
To enable the operating system to decrypt the PV at boot time, create the {{Path|/mnt/etc/crypttab}} file. Enter the following line into the file to decrypt the <code>/dev/sda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:<br />
<br />
<pre>lvmcrypt UUID=<UUID> none luks</pre><br />
<br />
{{Tip|To easily read the UUID into this file so you don't have to type it manually, open it in <code>vi</code>, then type <code>:r ~/uuid</code> to load the UUID onto a new line.}}<br />
<br />
{{Note|To enable TRIM, append <code>discard</code> after <code>luks</code> in <code>/mnt/etc/crypttab</code> (comma separated). If LVM is being used you'll also need to change <code>issue_discards</code> to equal 1 in <code>/mnt/etc/lvm.conf</code>. You will then want to add a cron job for <code>/sbin/fstrim</code> to run periodically. Be aware that there are security risks involved when enabling TRIM with LUKS.}}<br />
<br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> feature to the <code>features</code> parameter:<br />
<br />
<pre>features="... cryptsetup"</pre><br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}<br />
<br />
{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot.}}<br />
<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file given with the <code>-c</code> parameter to generate the RAM disk. The <code>-b /mnt/</code> parameter makes it operate on the <code>/mnt/</code> directory as its base, so the RAM disk is generated using the modules of the kernel installed there. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/)</code> argument, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version of the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
=== Syslinux with BIOS ===<br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:<br />
<br />
<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system, and the <code>cryptdm</code> parameter sets the name of the mapping previously set in <code>crypttab</code>.<br />
<br />
Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre># chroot /mnt/<br />
# update-extlinux<br />
# exit</pre><br />
<br />
: If an error occurs in the <code>update-extlinux</code> command you can most likely ignore it.<br />
<br />
Write the MBR to the <code>/dev/sda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre><br />
<br />
=== Grub with UEFI ===<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre># mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
# mount --rbind /sys /mnt/sys</pre><br />
<br />
Then chroot in and use <code>grub-install</code> to install Grub.<br />
<br />
<pre># chroot /mnt<br />
# source /etc/profile<br />
# export PS1="(chroot) $PS1"</pre><br />
<br />
Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:<br />
<br />
<pre># apk add grub grub-efi efibootmgr<br />
# apk del syslinux</pre><br />
<br />
Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):<br />
<br />
<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.<br />
<br />
If using at least Alpine v3.11, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.<br />
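The edits to the <code>default_kernel_opts</code> line in {{Path|/mnt/etc/update-extlinux.conf}} and to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> and <code>GRUB_ENABLE_CRYPTODISK</code> lines in {{Path|/etc/default/grub}} are all <code>KEY="value"</code> edits, so here is one added shell helper that serves both files. It is example code written for this page, not part of Alpine or its setup scripts. It appends options only when they are missing, so a second run does not duplicate them, and it refuses to write a value that is not a UUID, which catches the case where the literal <UUID> placeholder was left in place. File paths and key names are passed in as arguments.<br />
<br />
```shell
# Added example; not from the Alpine wiki or from Alpine's setup scripts.
# Idempotently add kernel options to a KEY="..." line in a shell-style config
# (update-extlinux.conf's default_kernel_opts, grub's GRUB_CMDLINE_LINUX_DEFAULT).

# Print the current quoted value of KEY in FILE (empty if the key is missing).
get_quoted() {  # get_quoted FILE KEY
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# add_kernel_opts FILE KEY OPT... : append each OPT to KEY's value if absent.
add_kernel_opts() {
    file=$1; key=$2; shift 2
    cur=$(get_quoted "$file" "$key")
    new=$cur
    for opt in "$@"; do
        case " $new " in
            *" $opt "*) ;;                     # already present, keep as is
            *) new="${new:+$new }$opt" ;;
        esac
    done
    if grep -q "^$key=" "$file"; then
        # '|' is the sed delimiter and '&' is the match reference; escape both
        esc=$(printf '%s' "$new" | sed 's/[|&]/\\&/g')
        sed -i "s|^$key=.*|$key=\"$esc\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$new" >> "$file"
    fi
}

# set_kv FILE KEY VALUE : set an unquoted KEY=VALUE line, e.g. GRUB_ENABLE_CRYPTODISK=y.
set_kv() {
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# A boot config pointing at "<UUID>" or a typo will not find the root device;
# check the format before writing anything.
valid_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# configure_cryptroot FILE KEY UUID MAPPING : add cryptroot=UUID=... cryptdm=...
configure_cryptroot() {
    valid_uuid "$3" || { echo "refusing to write non-UUID value: $3" >&2; return 1; }
    add_kernel_opts "$1" "$2" "cryptroot=UUID=$3" "cryptdm=$4"
}
```
<br />
For the Syslinux path call <code>configure_cryptroot /mnt/etc/update-extlinux.conf default_kernel_opts "$UUID" lvmcrypt</code>; inside the GRUB chroot call <code>configure_cryptroot /etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT "$UUID" lvmcrypt</code> followed by <code>set_kv /etc/default/grub GRUB_ENABLE_CRYPTODISK y</code>, where <code>UUID</code> holds the value util-linux's <code>blkid -s UUID -o value /dev/sda2</code> reports for the encrypted partition.<br />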
<br />
<pre>(chroot) # grub-install --target=x86_64-efi --efi-directory=/boot/efi<br />
(chroot) # grub-mkconfig -o /boot/grub/grub.cfg<br />
(chroot) # exit</pre><br />
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Unmount the <code>/mnt/</code> partitions and reboot:<br />
<br />
<pre># cd<br />
# umount -ql /mnt/dev<br />
# umount -R /mnt<br />
# reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Open the LUKS partition under the <code>lvmcrypt</code> mapping name used in <code>crypttab</code> and activate the LVs:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt<br />
# vgchange -ay</pre><br />
<br />
Then [[#Creating_and_Mounting_the_File_Systems|mount the file systems]].<br />
<br />
Verify that you ran the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.<br />
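To make the verification step concrete, here is an added checker (example code for this page, not an Alpine tool) that reads the rendered boot configuration once the file systems are mounted again and confirms that the kernel command line carries <code>cryptroot=UUID=...</code> for the expected UUID, that <code>cryptdm</code> names the same mapping as the first entry of <code>crypttab</code>, and that a <code>crypttab</code> entry written as <code>UUID=</code> points at that same partition. The config and crypttab paths are arguments; the {{Path|/mnt/boot/extlinux.conf}}, {{Path|/mnt/boot/grub/grub.cfg}} and {{Path|/mnt/etc/crypttab}} locations in the usage comment are assumptions about your layout.<br />
<br />
```shell
# Added example; not part of the Alpine wiki or of Alpine's tools. Cross-check
# the rendered boot config against the encrypted partition's UUID and the
# crypttab mapping, which is what the manual "verify the settings" step
# amounts to. Example usage (paths are assumptions about your layout):
#   check_boot_config /mnt/boot/extlinux.conf  "$UUID" /mnt/etc/crypttab
#   check_boot_config /mnt/boot/grub/grub.cfg  "$UUID" /mnt/etc/crypttab

# Value of KEY=... from the kernel command line(s) in FILE; last occurrence wins.
cmdline_opt() {  # cmdline_opt FILE KEY
    grep -o "$2=[^ \"]*" "$1" | tail -n 1 | cut -d= -f2-
}

# "name device" of the first non-comment crypttab entry in FILE.
crypttab_entry() {  # crypttab_entry FILE
    awk '$1 !~ /^#/ && NF >= 2 { print $1, $2; exit }' "$1"
}

check_boot_config() {  # check_boot_config BOOTCFG EXPECTED_UUID CRYPTTAB
    rc=0
    root=$(cmdline_opt "$1" cryptroot)
    dm=$(cmdline_opt "$1" cryptdm)
    entry=$(crypttab_entry "$3")
    name=${entry%% *}
    dev=${entry#* }

    case "$root" in
        "UUID=$2") ;;
        "")  echo "FAIL: no cryptroot= on the kernel command line in $1"; rc=1 ;;
        *)   echo "FAIL: cryptroot is $root, expected UUID=$2"; rc=1 ;;
    esac

    if [ -z "$dm" ]; then
        echo "FAIL: no cryptdm= on the kernel command line in $1"; rc=1
    elif [ -z "$name" ]; then
        echo "FAIL: no mapping defined in $3"; rc=1
    elif [ "$dm" != "$name" ]; then
        echo "FAIL: cryptdm=$dm but $3 defines mapping '$name'"; rc=1
    fi

    # crypttab may name the device by path; only UUID= entries can be checked offline
    case "$dev" in
        "UUID=$2"|/dev/*|"") ;;
        UUID=*) echo "FAIL: $3 maps $dev, expected UUID=$2"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $1 agrees with UUID=$2 and $3"
    return "$rc"
}
```
<br />
A non-zero exit with a <code>FAIL:</code> line tells you which of the three files disagrees before you unmount and reboot again; a mismatch between <code>cryptdm</code> and the <code>crypttab</code> name is the case the missing mapping-name argument to <code>cryptsetup luksOpen</code> tends to produce.<br />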
<br />
== System can't find boot device ==<br />
<br />
This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.<br />
<br />
== Secure boot ==<br />
<br />
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.<br />
<br />
= Hardening =<br />
<br />
* To harden the system, disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened AES implementation (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]), since cryptsetup with LUKS uses AES by default.<br />
* Disable DMA in the BIOS and set a BIOS password; see the Wikipedia article on DMA attacks.[https://en.wikipedia.org/wiki/DMA_attack]<br />
* Blacklist the kernel modules of any unused expansion interfaces that use DMA (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules).<br />
<br />
= See also =<br />
*[[Bootloaders]]<br />
*[[Alpine setup scripts]]<br />
*[[Installing on GPT LVM]]<br />
*[[Setting up LVM on GPT-labeled disks]]<br />
*[[Setting up disks manually]]<br />
*https://wiki.gentoo.org/wiki/Syslinux<br />
*https://wiki.gentoo.org/wiki/GRUB2<br />
*https://wiki.archlinux.org/index.php/Syslinux<br />
*https://wiki.archlinux.org/index.php/GRUB<br />
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Govynnus