LVM on LUKS: Difference between revisions

From Alpine Linux
(Clarity in the introduction.)
 
(90 intermediate revisions by 34 users not shown)
Older revision:

= Introduction =

== Configuring LVM on top of LUKS ==

The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:

* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support
  mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT

or alternatively rebuild the initramfs with:
  apk fix --root $MNT linux-grsec

* '''(2)''' Write MBR (also needed for LVM manual / custom installations)
  dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda

* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM
  fdisk /dev/vda

----

'''Additional Notes'''

* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with:
  cryptsetup benchmark
(You may or may not be able to take advantage of AES hardware acceleration)

* [http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc.)
    rc-update add haveged default

* As an alternative to creating a /tmp partition in the below instructions, /tmp can be mounted in RAM with the following entry in /etc/fstab:
    tmpfs /tmp tmpfs defaults,noexec,noatime,nodev,nosuid,mode=1777  0 0
----

'''ALPINE KVM SETUP'''

<code>setup-interfaces
ifup eth0
setup-apkrepos
apk update
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux
rc-service haveged start
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki>
fdisk /dev/vda
m
n
etc........
<nowiki># Wipe partition with random data</nowiki>
haveged -n 0 | dd of=/dev/vda2
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki>
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2
<nowiki># Open LUKS partition</nowiki>
cryptsetup open --type luks /dev/vda2 lvmcrypt
<nowiki># The name used for the mapper must also be used for the 'cryptdm=' Default Kernel Option setting</nowiki>
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki>
pvcreate /dev/mapper/lvmcrypt
<nowiki># Create LVM partitions</nowiki>
vgcreate vg0 /dev/mapper/lvmcrypt
lvcreate -L 1G vg0 -n root
lvcreate -L 256M vg0 -n swap
lvcreate -L 500M vg0 -n home
lvcreate -L 50M vg0 -n tmp
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki>
lvcreate -l 100%FREE vg0 -n var
<nowiki># Create filesystems</nowiki>
mkfs.ext2 /dev/vda1
mkfs.ext4 /dev/mapper/vg0-root
mkfs.ext4 /dev/mapper/vg0-home
mkfs.ext4 /dev/mapper/vg0-tmp
mkfs.ext4 /dev/mapper/vg0-var
mkswap /dev/mapper/vg0-swap
<nowiki># Make vda1 bootable</nowiki>
fdisk /dev/vda
m
a
1
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki>
fdisk /dev/vda
m
t
2
8e
w
<nowiki># Open LVM volumes</nowiki>
vgchange -a y
<nowiki># Mount Partitions</nowiki>
<nowiki># *** note mounts under /dev/vol/partition NOT /dev/mapper/vol-partition - for installation ONLY.</nowiki>
<nowiki># mkinitfs fails to generate a working initramfs for LUKS when installing a new system with /dev/mapper </nowiki>
<nowiki># LVM devices mounted (but boots installed systems with /dev/mapper LVM devices in /etc/fstab without problems</nowiki>
mount -t ext4 /dev/vg0/root /mnt
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var
mount -t ext4 /dev/vg0/home /mnt/home
mount -t ext4 /dev/vg0/tmp /mnt/tmp
mount -t ext4 /dev/vg0/var /mnt/var
mount -t ext2 /dev/vda1 /mnt/boot
swapon /dev/mapper/vg0-swap
<nowiki># Install Alpine</nowiki>
setup-disk -m sys /mnt
<nowiki># Setup crypttab</nowiki>
echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab
<nowiki># Setup fstab</nowiki>
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki>
echo "/dev/mapper/vg0-root  /      ext4      defaults,errors=remount-ro  0  1" >> /mnt/etc/fstab
echo "/dev/mapper/vg0-var  /var  ext4     defaults      0  2" >> /mnt/etc/fstab
echo "/dev/mapper/vg0-home  /home  ext4      defaults      0  2" >> /mnt/etc/fstab
echo "/dev/mapper/vg0-tmp  /tmp    ext4      defaults,noexec,noatime,nodev,nosuid      0  2" >> /mnt/etc/fstab
echo "/dev/mapper/vg0-swap  none  swap      sw            0  0" >> /mnt/etc/fstab
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki>
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki>
<nowiki># (this field is also space-separated and quoted)</nowiki>
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki>
extlinux --install $MNT/boot --update
<nowiki># Rebuild initramfs</nowiki>
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT
<nowiki># alternative method (ignore extlinux errors)</nowiki>
<nowiki># apk fix --root $MNT linux-grsec</nowiki>
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki>
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki>
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code>

----

The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:

<code>
<nowiki># CHROOT MOUNTS ###</nowiki>
vgchange -a y
<nowiki># Follow instructions above for mounting LVM partitions</nowiki>
cd /mnt
mount --bind /dev dev
mount -t devpts devpts dev/pts
mount -t tmpfs tmpfs dev/shm
mount -t proc proc proc
mount -t sysfs sysfs sys
chroot /mnt /bin/ash

<nowiki># UNMOUNTING ###</nowiki>
umount dev/pts
umount dev/shm
umount dev
umount /mnt/boot
umount /mnt/var
umount /mnt/home
umount /mnt/tmp
swapoff /dev/mapper/vg0-swap
umount /mnt
<nowiki># Deactivate LVM volumes</nowiki>
vgchange -a n
<nowiki># Close LUKS partition</nowiki>
cryptsetup luksClose lvmcrypt
</code>

--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)

Latest revision:

= Introduction =

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition that contains the root partition and the swap partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem are used.

'''Note:''' The <code>setup-alpine</code> installation script has supported encrypted installations since v3.13. Its default encryption options do not encrypt the swap partition and do not use LUKS, but they are much easier to use.

Note that your {{path|/boot/}} partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that.

== Storage Device Name ==

To find your storage device's name, you could either install {{pkg|util-linux}} (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.

The following documentation uses the {{path|/dev/sda}} device as installation destination. If your environment uses a different name for your storage device, use the corresponding device name in the examples.

= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =

To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps that you must run in the Alpine Linux Live CD environment.

== Preparing the Temporary Installation Environment ==

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.

Run the scripts in this order:

<pre># setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start</pre>

If you are configuring static networking (i.e. you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.

If you are using Wi-Fi you may need to run <code>rc-update add wpa_supplicant boot</code>.

{{Note|On versions of OpenRC prior to 0.45 use <code>urandom</code> instead of <code>seedrng</code>}}
<pre># passwd
# setup-timezone
# rc-update add networking boot
# rc-update add seedrng boot
# rc-update add acpid default
# rc-service acpid start</pre>

Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
{{Cat|/etc/hosts|127.0.0.1      <hostname> <hostname>.<domain> localhost localhost.localdomain
::1            <hostname> <hostname>.<domain> localhost localhost.localdomain}}

<pre># setup-ntp
# setup-apkrepos
# apk update
# setup-sshd</pre>

Here's where we deviate from the install script.

Install the following packages required to set up LVM and LUKS:

{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality.}}
<pre># apk add lvm2 cryptsetup e2fsprogs parted mkinitfs</pre>

== Creating the Partition Layout ==

Depending on your motherboard, BIOS features and configuration, you can use either a partition table in the MBR (legacy BIOS) or a GUID Partition Table (GPT). We'll describe both with example layouts.

=== BIOS/MBR with DOS disklabel ===

We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. <br>
Syslinux does support GPT partition tables, but GRUB2 is the better option for UEFI (UEFI is possible only with GPT).

<pre>+---------------------------+------------------------+-----------------------+
| Partition name            | Partition purpose      | Filesystem type       |
+---------------------------+------------------------+-----------------------+
| /dev/sda1                 | Boot partition         | ext4                  |
| /dev/sda2                 | LUKS container         | LUKS                  |
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |
|   |-> /dev/vg0/root       | Root partition         | ext4                  |
|   |-> /dev/vg0/swap       | Swap partition         | swap                  |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%</pre>

To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
<pre>(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  99.6MB  98.6MB  primary  ext4         boot
 2      99.6MB  1000GB  1000GB  primary  ext4</pre>

=== UEFI with GPT disklabel ===

We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:

<pre>+---------------------------+------------------------+-----------------------+
| Partition name            | Partition purpose      | Filesystem type       |
+---------------------------+------------------------+-----------------------+
| /dev/sda1                 | EFI system partition   | fat32                 |
| /dev/sda2                 | LUKS container         | LUKS                  |
|  |-> /dev/mapper/lvmcrypt | LVM container          | LVM                   |
|   |-> /dev/vg0/root       | Root partition         | ext4                  |
|   |-> /dev/vg0/boot       | Boot partition         | ext4                  |
|   |-> /dev/vg0/swap       | Swap partition         | swap                  |
+---------------------------+------------------------+-----------------------+</pre>

{{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}

Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.

<pre># parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks</pre>

== Optional: Overwrite LUKS Partition with Random Data ==

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker who has access to the encrypted contents to work out how much data you have on your drive.

<pre># dd if=/dev/urandom of=/dev/sda2 bs=1M</pre>

== Encrypting the LVM Physical Volume Partition ==

To encrypt the partition that will later contain the LVM PV, you can either use the default settings (aes-xts-plain64 cipher with a 256-bit key and Argon2 hashing with an iter-time of 2000ms), or use the following settings, which add security at the cost of a barely noticeable decrease in performance on modern computers:

Default settings:

<pre># cryptsetup luksFormat /dev/sda2</pre>

LUKS1, optimized for security:

<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2</pre>

LUKS2, optimized for security:

<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2</pre>

=== Converting between LUKS2 and LUKS1 ===

It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong:

<pre># cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup</pre>

Then make sure all keys use <code>pbkdf2</code> by adding a new key with:

<pre># cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2</pre>

Remove keys that use <code>argon2i</code> or <code>argon2id</code> with <code>cryptsetup luksRemoveKey /dev/sda2</code>. You can check the key information using <code>cryptsetup luksDump /dev/sda2</code>.

Now you can try the conversion, although it may not work.

<pre># cryptsetup convert /dev/sda2 --type luks1</pre>

== Creating the Logical Volumes and File Systems ==

Open the LUKS partition:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>

Create the PV on <code>lvmcrypt</code>:

<pre># pvcreate /dev/mapper/lvmcrypt</pre>

Create the <code>vg0</code> LVM VG on the <code>/dev/mapper/lvmcrypt</code> PV:

<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>

=== LV Creation for BIOS/MBR ===

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend-to-disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size given after <code>-L</code> in the <code>lvcreate</code> command).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

=== LV Creation for UEFI/GPT ===

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend-to-disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size given after <code>-L</code> in the <code>lvcreate</code> command).

<pre># lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root</pre>

The LVs created in the previous steps are automatically marked active. To verify, enter:

<pre># lvscan</pre>

== Creating and Mounting the File Systems ==

Format the <code>root</code> LV using the ext4 file system (the <code>boot</code> LV, if you created one, is formatted in the UEFI step below):

<pre># mkfs.ext4 /dev/vg0/root</pre>

Format the swap LV:

<pre># mkswap /dev/vg0/swap</pre>

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:

<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>

Next format your boot partition, create a mount point, then mount it:

* If you're using BIOS and MBR:

<pre># mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot</pre>

* If you're using UEFI and GPT:

<pre># apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>

Lastly, activate your swap partition:

<pre># swapon /dev/vg0/swap</pre>

== Installing Alpine Linux ==

In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:

<pre># setup-disk -m sys /mnt/</pre>

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the {{Path|/etc/fstab}} file of the new system, which is currently mounted in the <code>/mnt/</code> directory.

{{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}}

The swap LV is not automatically added to the <code>fstab</code> file, so we need to add the following line to the {{Path|/mnt/etc/fstab}} file:

<pre>/dev/vg0/swap    swap    swap    defaults    0 0</pre>

Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:

<pre>features="... cryptsetup"</pre>

If you are using GRUB with an encrypted <code>/boot</code> you must also add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot.

{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the <code>keymap</code> feature to the list above.}}

{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}}

Rebuild the initial RAM disk:

<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>

The command uses the settings from the <code>mkinitfs.conf</code> file given with the <code>-c</code> parameter to generate the RAM disk. The command is executed against the <code>/mnt/</code> directory and the RAM disk is generated using the modules of the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/)</code> argument, <code>mkinitfs</code> tries to generate the RAM disk for the kernel version running in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.

== Installing a bootloader ==

To get the UUID of your storage device into a file for later use, run this command:

<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>

{{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}}

=== Syslinux with BIOS ===

Install the Syslinux package:

<pre># apk add syslinux</pre>

Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID of sda2> with the UUID of <code>/dev/sda2</code>:

<pre>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</pre>

The <code>cryptroot</code> parameter identifies the device/partition that contains the encrypted volumes, and the <code>cryptdm</code> parameter gives the name of the mapping we already configured a few lines above.

We can also double-check that <code>modules</code> and <code>root</code> are set correctly, e.g.:
<pre>
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>
</pre>

Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:

<pre># chroot /mnt/
# update-extlinux
# exit</pre>

: Because we didn't mount <code>/dev</code> or <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run the <code>update-extlinux</code> command. You can most likely ignore these.

Write the MBR (without partition table) to the <code>/dev/sda</code> device:

<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>

=== Grub with UEFI ===

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

<pre># touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
</pre>

This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security.

Mount the required filesystems for the Grub EFI installer to the installation:

<pre># mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys</pre>

Then run chroot:

<pre># chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"</pre>

Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:

<pre># apk add grub grub-efi efibootmgr
# apk del syslinux</pre>

Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):

<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey</pre>

The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we configured a few lines above.
The <code>cryptkey</code> parameter indicates the existence of the file <code>/crypto_keyfile.bin</code> you created previously.
 
To enable GRUB to decrypt LUKS partitions and read LVM volumes add:
 
<pre>GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"</pre>
 
If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}.
 
==== LUKS1 ====
 
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>
 
==== LUKS2 ====
{{Note|This method is still experimental and you may lose access to your OS at the next OS update.}}
 
Create a pre-config grub file: <code>/root/grub-pre.cfg</code>
 
<pre>
set crypto_uuid=00001
cryptomount -u $crypto_uuid
set root='lvmid/00002/00003'
set prefix=($root)/boot/grub
insmod normal
normal
</pre>
 
You can find:
* 00001 with <code>blkid</code>: the UUID of your encrypted disk (e.g. <code>/dev/nvme0n1p2</code>), with the hyphens removed
* 00002 with <code>vgdisplay</code>: the VG UUID
* 00003 with <code>lvdisplay</code>: the LV UUID of the root partition /
 
<pre># (chroot) grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# (chroot) install -v /tmp/grubx64.efi /boot/efi/EFI/grub/
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit</pre>
 
== Unmounting the Volumes and Partitions ==
 
Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot:
 
<pre># cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot</pre>
 
= Troubleshooting =
 
== General Procedure ==
 
In case your system fails to boot, you can verify the settings and fix incorrect configurations.
 
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.

Set up the LUKS partition and activate the LVs:

<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt
# vgchange -ay</pre>

[[#Creating_and_Mounting_the_File_Systems|Mount the file systems]].

Verify that you ran the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.
 
== System can't find boot device ==
 
* GPT partition table on a motherboard that runs BIOS instead of UEFI
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings
 
== I see "can not mount /sysroot" during boot ==
 
* incorrect device UUID
* missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code>
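A pre-reboot check for the causes just listed, added here as an example (it is not part of the wiki page). It assumes the guide's file paths (the chrooted <code>mkinitfs.conf</code> and <code>update-extlinux.conf</code>) and the UUID saved earlier with <code>blkid</code>; the function names and the sample configurations are ours.

```shell
#!/bin/sh
# Pre-reboot check for a Syslinux + LUKS + LVM install (added example, not from the wiki page).
# Assumed inputs, taken from the guide: /mnt/etc/mkinitfs/mkinitfs.conf,
# /mnt/etc/update-extlinux.conf and the UUID saved with 'blkid -s UUID -o value /dev/sda2 > ~/uuid'.
# Function names are ours; the sample files written by write_sample_configs are constructed.

# conf_value FILE KEY: print the value of a KEY=... line, with optional surrounding quotes removed.
conf_value() {
    sed -n "s/^$2=\"\\{0,1\\}\\([^\"]*\\)\"\\{0,1\\}[[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

# check_boot_config MKINITFS_CONF EXTLINUX_CONF UUID_FILE
# Prints one line per problem; returns 0 only when no problem was found.
check_boot_config() {
    features=$(conf_value "$1" features)
    opts=$(conf_value "$2" default_kernel_opts)
    root=$(conf_value "$2" root)
    want=$(cat "$3" 2>/dev/null || true)
    problems=0

    # 1. The initramfs must be able to unlock LUKS and activate LVM.
    for f in cryptsetup lvm; do
        case " $features " in
            *" $f "*) ;;
            *) echo "mkinitfs.conf: features=\"...\" lacks '$f'"; problems=$((problems + 1)) ;;
        esac
    done

    # 2. cryptdm= names the mapping (lvmcrypt in the guide) that the initramfs will create.
    case " $opts " in
        *" cryptdm="*) ;;
        *) echo "update-extlinux.conf: default_kernel_opts lacks cryptdm=<mapper name>"; problems=$((problems + 1)) ;;
    esac

    # 3. cryptroot= must point at the real LUKS container, not at the <UUID> placeholder,
    #    and when given as UUID= it must match the UUID saved from blkid.
    cryptroot=$(printf '%s\n' "$opts" | tr ' ' '\n' | sed -n 's/^cryptroot=//p' | tail -n 1)
    if [ -z "$cryptroot" ]; then
        echo "update-extlinux.conf: default_kernel_opts lacks cryptroot="; problems=$((problems + 1))
    elif [ "${cryptroot#*<}" != "$cryptroot" ]; then
        echo "update-extlinux.conf: cryptroot= still contains a <...> placeholder"; problems=$((problems + 1))
    elif [ "${cryptroot#UUID=}" != "$cryptroot" ] && [ "${cryptroot#UUID=}" != "$want" ]; then
        echo "update-extlinux.conf: cryptroot UUID does not match the one saved in $3"; problems=$((problems + 1))
    fi

    # 4. root= must be set (e.g. /dev/mapper/vg0-root) and not left as a placeholder.
    case "$root" in
        "") echo "update-extlinux.conf: root= is not set"; problems=$((problems + 1)) ;;
        *"<"*) echo "update-extlinux.conf: root= still contains a <...> placeholder"; problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}

# write_sample_configs DIR GOOD: write constructed sample files into DIR (GOOD=1 a correct setup,
# GOOD=0 the typical mistakes) so the check can be tried without a real installation.
write_sample_configs() {
    printf '%s\n' '1111aaaa-2222-bbbb-3333-cccc4444dddd' > "$1/uuid"
    if [ "$2" -eq 1 ]; then
        printf 'features="ata base ide scsi usb virtio ext4 cryptsetup lvm keymap"\n' > "$1/mkinitfs.conf"
        printf 'default_kernel_opts="quiet cryptroot=UUID=1111aaaa-2222-bbbb-3333-cccc4444dddd cryptdm=lvmcrypt"\nroot=/dev/mapper/vg0-root\n' > "$1/update-extlinux.conf"
    else
        printf 'features="ata base ide scsi usb virtio ext4"\n' > "$1/mkinitfs.conf"
        printf 'default_kernel_opts="quiet cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"\nroot=UUID=<UUID of /dev/mapper/vg0-root>\n' > "$1/update-extlinux.conf"
    fi
}

# Usage on a real installation, before 'umount /mnt':
#   check_boot_config /mnt/etc/mkinitfs/mkinitfs.conf /mnt/etc/update-extlinux.conf /root/uuid
```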
 
== normal.mod not found ==
 
* re-install GRUB with <code>grub-install --target=x86_64-efi</code>
 
== Secure boot ==
 
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.
 
= Hardening =
 
* To harden, you should disable DMA[https://web.archive.org/web/20200923091814/https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[https://moongate.ydns.eu/amnesia.html]), since cryptsetup with LUKS uses AES by default.
* Disable DMA in the BIOS and set a BIOS password, as described on Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.
 
= Mounting additional encrypted filesystems at boot =
 
If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required.
{{Note|This does not apply to volumes within your main encrypted partition <code>/dev/sda2</code>}}
For the purposes of these instructions we will say <code>/dev/sdb1</code> contains an LVM volume that should be mounted at <code>/home</code>.
 
Create a keyfile and add it to the LUKS partition:
 
<pre># dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
</pre>
 
Alpine, like Gentoo, uses the <code>dmcrypt</code> service rather than <code>/etc/crypttab</code>. Add the following lines to <code>/etc/conf.d/dmcrypt</code>:
 
<pre>target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'
</pre>
 
Add an entry to <code>/etc/fstab</code>, changing <code>vg1</code> to the name of your LVM volume group:
 
<pre>/dev/vg1/home /home ext4 rw,relatime 0 2</pre>
 
Enable the dmcrypt and lvm services to start on boot:
 
<pre># rc-update add dmcrypt boot
# rc-update add lvm boot
</pre>
 
After a reboot the partition should be decrypted and mounted automatically.
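The <code>dd</code> command above creates the keyfile with the shell's default umask, so a check of <code>/etc/conf.d/dmcrypt</code> before rebooting is worthwhile; the following is an added example, not part of the wiki page, and its function names and sample stanzas are ours.

```shell
#!/bin/sh
# Check /etc/conf.d/dmcrypt stanzas before relying on them at boot (added example, not from the
# wiki page). It assumes the target=/source=/key= stanza format shown in the guide; the function
# names and the sample configuration written by write_sample_dmcrypt are constructed.

# dmcrypt_targets CONF: print one "target source key" line per stanza ('-' when a field is absent).
dmcrypt_targets() {
    awk -F= -v q="'" '
        function flush() {
            if (t != "") print t, (s == "" ? "-" : s), (k == "" ? "-" : k)
            t = s = k = ""
        }
        /^[ \t]*(#|$)/ { next }
        { v = $2; gsub("[\"" q "]", "", v) }   # strip the quotes around values
        $1 == "target" { flush(); t = v; next }
        $1 == "source" { s = v; next }
        $1 == "key"    { k = v; next }
        END { flush() }' "$1"
}

# check_dmcrypt CONF: print one line per problem found; returns 0 only when there is none.
check_dmcrypt() {
    out=$(dmcrypt_targets "$1" | while read -r t s k; do
        if [ "$s" = "-" ]; then echo "$t: no source= device"; continue; fi
        if [ "$k" = "-" ]; then continue; fi    # passphrase prompted at boot, nothing on disk to check
        if [ ! -s "$k" ]; then echo "$t: keyfile $k is missing or empty"; continue; fi
        mode=$(stat -c %a "$k")
        case "$mode" in
            [0-7]00) ;;                          # only the owner (root) may read the key
            *) echo "$t: keyfile $k is mode $mode, expected 600" ;;
        esac
    done)
    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    [ -z "$out" ]
}

# write_sample_dmcrypt DIR: constructed sample with one keyfile left at the default umask mode (644),
# one at 600, and one stanza without a keyfile.
write_sample_dmcrypt() {
    head -c 2048 /dev/urandom > "$1/home.key"; chmod 644 "$1/home.key"
    head -c 2048 /dev/urandom > "$1/data.key"; chmod 600 "$1/data.key"
    cat > "$1/dmcrypt" <<EOF
# constructed sample, not a real system's configuration
target=crypt-home
source='/dev/sdb1'
key='$1/home.key'

target=crypt-data
source='/dev/sdc1'
key='$1/data.key'

target=crypt-backup
source='/dev/sdd1'
EOF
}

# Usage on a real system:  check_dmcrypt /etc/conf.d/dmcrypt
```

A keyfile reported as mode 644 should be fixed with <code>chmod 600</code> before the service is enabled.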
 
= See also =
*[[Bootloaders]]
*[[Alpine setup scripts]]
*[[Installing on GPT LVM]]
*[[Setting up LVM on GPT-labeled disks]]
*[[Setting up disks manually]]
*https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
*[https://www.msiism.org/files/doc/alpine-linux-fde-custom.html Installing Alpine Linux with full disk encryption on BIOS/MBR systems with a custom partition layout]
*https://wiki.archlinux.org/index.php/GRUB
*https://wiki.archlinux.org/index.php/Syslinux
*https://wiki.gentoo.org/wiki/Dm-crypt
*https://wiki.gentoo.org/wiki/GRUB2
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
*https://wiki.gentoo.org/wiki/Syslinux


[[Category:Storage]]
[[Category:Security]]

Latest revision as of 15:45, 4 May 2024

Introduction

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition that contains the root partition and the swap partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the cryptsetup command) and its LUKS subsystem is used.

Note: The setup-alpine installation scripts has support for encrypted installations since v3.13. The default encryption options will not encrypt the swap partition and will not use LUKS, but is much easier to use.

Note that your /boot/ partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from Evil Maid attacks, but Syslinux doesn't support that.

Storage Device Name

To find your storage device's name, you could either install util-linux (apk add util-linux) and find your device using the lsblk command, or you could make an educated guess by using BusyBox's blkid and df commands, and running ls /dev/sd* if you are installing to a USB, SATA or SCSI device, ls /dev/fd* for floppy disks and ls /dev/hd* for IDE (PATA) devices.

The following documentation uses the /dev/sda device as installation destination. If your environment uses a different name for your storage device, use the corresponding device name in the examples.

Setting up Alpine Linux Using LVM on Top of a LUKS Partition

To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, you cannot use the official installation procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

Preparing the Temporary Installation Environment

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, log in as the root user without a password. We will now follow the setup-alpine script and make our changes along the way.

Run the scripts in this order:

# setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start

If you are configuring static networking (i.e. you didn't configure any interfaces to use DHCP), run setup-dns.

If you are using Wi-Fi, you may need to run rc-update add wpa_supplicant boot.

Note: On versions of OpenRC prior to 0.45, use urandom instead of seedrng.
# passwd
# setup-timezone
# rc-update add networking boot
# rc-update add seedrng boot
# rc-update add acpid default
# rc-service acpid start

Edit your /etc/hosts to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):

Tip: The default text editor in BusyBox is vi (pronounced vee-eye).

Contents of /etc/hosts

127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1       <hostname> <hostname>.<domain> localhost localhost.localdomain
# setup-ntp
# setup-apkrepos
# apk update
# setup-sshd

Here's where we deviate from the install script.

Install the following packages required to set up LVM and LUKS:

Note: The parted partition editor is needed for advanced partitioning and GPT disklabels. BusyBox fdisk is a very stripped-down version with minimal functionality.
# apk add lvm2 cryptsetup e2fsprogs parted mkinitfs

Creating the Partition Layout

Depending on your motherboard's firmware (BIOS or UEFI) and its configuration, you can use either an MBR partition table (legacy BIOS) or a GUID Partition Table (GPT). Both are described below with example layouts.

BIOS/MBR with DOS disklabel

We'll be partitioning the storage device with a non-encrypted /boot partition for use with the Syslinux bootloader. Syslinux is meant for legacy BIOS with an MS-DOS MBR partition table.
Syslinux does support GPT partition tables, but GRUB2 is the better option for UEFI (UEFI booting requires GPT).

+---------------------------+------------------------+-----------------------+
| Partition name            | Partition purpose      | Filesystem type       |
+---------------------------+------------------------+-----------------------+
| /dev/sda1                 | Boot partition         | ext4                  |
| /dev/sda2                 | LUKS container         | LUKS                  |
| |-> /dev/mapper/lvmcrypt  | LVM container          | LVM                   |
|  |-> /dev/vg0/root        | Root partition         | ext4                  |
|  |-> /dev/vg0/swap        | Swap partition         | swap                  |
+---------------------------+------------------------+-----------------------+
Warning: This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.


Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.

# parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%

To view your partition table, type print while still in parted. Your results should look something like this:

(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  99.6MB  98.6MB  primary  ext4         boot
 2      99.6MB  1000GB  1000GB  primary  ext4

UEFI with GPT disklabel

We will be encrypting the whole disk except for the EFI system partition mounted at /boot/efi. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from installing a rootkit (or bootkit) in your boot partition while the disk is locked. The partitioning scheme will look like this:

+---------------------------+------------------------+-----------------------+
| Partition name            | Partition purpose      | Filesystem type       |
+---------------------------+------------------------+-----------------------+
| /dev/sda1                 | EFI system partition   | fat32                 |
| /dev/sda2                 | LUKS container         | LUKS                  |
| |-> /dev/mapper/lvmcrypt  | LVM container          | LVM                   |
|  |-> /dev/vg0/root        | Root partition         | ext4                  |
|  |-> /dev/vg0/boot        | Boot partition         | ext4                  |
|  |-> /dev/vg0/swap        | Swap partition         | swap                  |
+---------------------------+------------------------+-----------------------+
Warning: This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.


Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.

# parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks

Optional: Overwrite LUKS Partition with Random Data

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

# dd if=/dev/urandom of=/dev/sda2 bs=1M

Encrypting the LVM Physical Volume Partition

To encrypt the partition that will later contain the LVM PV, you can either use the default settings (aes-xts-plain64 cipher with a 256-bit key and Argon2 key derivation with an iteration time of 2000 ms), or use the settings below, which add security at the cost of a performance decrease that is not noticeable on modern computers:

Default settings:

# cryptsetup luksFormat /dev/sda2

LUKS1, optimized for security:

# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2

LUKS2, optimized for security:

# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2

Converting between LUKS2 and LUKS1

It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong:

# cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup

Then make sure all keys use pbkdf2 by adding a new key with:

# cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2

Remove keys that use argon2i or argon2id with cryptsetup luksRemoveKey /dev/sda2. You can check the key information using cryptsetup luksDump /dev/sda2.

Now you can try the conversion, although it may not work.

# cryptsetup convert /dev/sda2 --type luks1

Creating the Logical Volumes and File Systems

Open the LUKS partition:

# cryptsetup luksOpen /dev/sda2 lvmcrypt

Create the PV on lvmcrypt:

# pvcreate /dev/mapper/lvmcrypt

Create the vg0 LVM VG in the /dev/mapper/lvmcrypt PV:

# vgcreate vg0 /dev/mapper/lvmcrypt

LV Creation for BIOS/MBR

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need the hibernate/suspend-to-disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size given to lvcreate -L).

# lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root

The LVs created in the previous steps are automatically marked active. To verify, enter:

# lvscan

LV Creation for UEFI/GPT

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need the hibernate/suspend-to-disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size given to lvcreate -L).

# lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root

The LVs created in the previous steps are automatically marked active. To verify, enter:

# lvscan

Creating and Mounting the File Systems

Format the root LV using the ext4 file system (the boot LV, if you have one, is formatted below together with the boot partition):

# mkfs.ext4 /dev/vg0/root

Format the swap LV:

# mkswap /dev/vg0/swap

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the /mnt/ directory:

# mount -t ext4 /dev/vg0/root /mnt/

Next format your boot partition, create a mount point, then mount it:

  • If you're using BIOS and MBR:
# mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot
  • If you're using UEFI and GPT:
# apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi

Lastly, activate your swap partition:

# swapon /dev/vg0/swap

Installing Alpine Linux

In this step you will install Alpine Linux in the /mnt/ directory, which contains the mounted file system structure:

# setup-disk -m sys /mnt/

The installer downloads the latest packages for the base installation. It also creates the mount point entries in the /etc/fstab file of the new system, which is currently located at /mnt/etc/fstab.

Note: The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.

The swap LV is not automatically added to the fstab file, so add the following line to /mnt/etc/fstab:

/dev/vg0/swap    swap    swap    defaults    0 0

Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter:

features="... cryptsetup"

If you are using GRUB with an encrypted /boot, you must also add the cryptkey feature so that Alpine can use a keyfile for decryption on boot.

Note: Alpine Linux uses the en-us keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the keymap feature to the list above.
Note: Check the output of mkinitfs -L and add the features necessary for your system to boot. You may need to add kms in order to see a password prompt at boot. You may also need: usb, lvm, ext4, nvme...

Rebuild the initial RAM disk:

# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)

The command uses the settings from the mkinitfs.conf file set in the -c parameter to generate the RAM disk. The command is executed in the /mnt/ directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the $(ls /mnt/lib/modules/) option, mkinitfs tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the setup-disk utility.

Installing a bootloader

To get the UUID of your storage device into a file for later use, run this command:

# blkid -s UUID -o value /dev/sda2 > ~/uuid
Tip: To easily read the UUID into a file so you don't have to type it manually, open the file in vi, then type :r /root/uuid to load the UUID onto a new line.

Syslinux with BIOS

Install the Syslinux package:

# apk add syslinux

Edit /mnt/etc/update-extlinux.conf and append the following kernel options to the default_kernel_opts parameter, replacing <UUID> with the UUID of /dev/sda2:

default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"

The cryptroot parameter sets the ID of the device/partition that contains encrypted volumes, and the cryptdm parameter uses the name of the mapping we have already configured a few lines above.

Also double-check that the modules and root parameters are set correctly, e.g.:

modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm
root=UUID=<UUID of /dev/mapper/vg0-root>

Because the update-extlinux utility operates only on the /boot/ directory, temporarily change the root to the /mnt/ directory and update the boot loader configuration:

# chroot /mnt/
# update-extlinux
# exit
Because /dev and /proc are not mounted inside the /mnt/ chroot, update-extlinux may print some errors. These can most likely be ignored.

Write the MBR (without partition table) to the /dev/sda device:

# dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda

Grub with UEFI

To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

# touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin

This keyfile is stored encrypted (it lives inside your LUKS partition), so its presence does not weaken the encryption, provided it stays there and remains readable only by root (the chmod 600 above).

Mount the required filesystems for the Grub EFI installer to the installation:

# mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys

Then run chroot:

# chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"

Install GRUB2 for EFI and (optionally) remove syslinux:

# apk add grub grub-efi efibootmgr
# apk del syslinux

Edit /etc/default/grub and add the following kernel options to the GRUB_CMDLINE_LINUX_DEFAULT parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, /dev/sda2):

cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey

The cryptroot parameter sets the ID of the device/partition that contains encrypted volumes, and the cryptdm parameter uses the name of the mapping we configured a few lines above. The cryptkey parameter indicates the existence of the file /crypto_keyfile.bin you created previously.

To enable GRUB to decrypt LUKS partitions and read LVM volumes add:

GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"

If using Alpine v3.11 or later, GRUB_ENABLE_CRYPTODISK=y should also be added to /etc/default/grub.
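The edits in this section, in Installing Alpine Linux (the features line of mkinitfs.conf) and in Syslinux with BIOS (default_kernel_opts) are all of the same kind: add words to a quoted shell-style variable, or set a variable outright. The script below is an added example, not part of the Alpine wiki page or of Alpine's own tooling. It performs those edits idempotently on file paths passed as arguments, rejects a malformed UUID before it reaches a boot configuration, and checks the initramfs feature list afterwards. The files and the UUID it works on are constructed samples in a temporary directory, and the function names (get_var, set_var, append_words, missing_words, valid_uuid) are the example's own.

```sh
#!/bin/sh
# Added example (not from the Alpine wiki): idempotent edits of the three
# configuration files this guide touches, plus a check of the mkinitfs
# features. Works on paths passed as arguments; demonstrated on constructed
# copies in a temp dir so it never touches /mnt or /etc.

# Print the unquoted value of VAR="..." in FILE (empty if absent).
get_var() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Set VAR="VALUE" in FILE, replacing an existing assignment or appending one.
set_var() {
    file=$1; var=$2; value=$3
    if grep -q "^$var=" "$file"; then
        sed "s|^$var=.*|$var=\"$value\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$var" "$value" >> "$file"
    fi
}

# Append each WORD to the space-separated value of VAR="..." in FILE unless
# it is already listed, so re-running the script never duplicates an option.
append_words() {
    file=$1; var=$2; shift 2
    for word in "$@"; do
        cur=$(get_var "$file" "$var")
        case " $cur " in
            *" $word "*) ;;
            *) set_var "$file" "$var" "${cur:+$cur }$word" ;;
        esac
    done
}

# Print the WORDs that are not in VAR of FILE; return 1 if any are missing.
missing_words() {
    file=$1; var=$2; shift 2
    have=" $(get_var "$file" "$var") "
    rc=0
    for word in "$@"; do
        case "$have" in
            *" $word "*) ;;
            *) echo "$word"; rc=1 ;;
        esac
    done
    return $rc
}

# Accept a UUID only in the canonical 8-4-4-4-12 hex form; this catches an
# empty or mistyped ~/uuid file before it is written into a boot config.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# --- demonstration on constructed files (sample content, not a real system) ---
demo=$(mktemp -d)
printf 'features="ata base ide scsi usb virtio ext4"\n' > "$demo/mkinitfs.conf"
printf 'default_kernel_opts="quiet rootfstype=ext4"\nmodules=sd-mod,usb-storage,ext4\n' > "$demo/update-extlinux.conf"
printf 'GRUB_TIMEOUT=2\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\n' > "$demo/grub"
luks_uuid=12345678-abcd-4ef0-9a1b-0123456789ab   # constructed; stands in for $(cat ~/uuid)

valid_uuid "$luks_uuid" || { echo "bad UUID: '$luks_uuid'" >&2; exit 1; }

# initramfs: cryptsetup for the LUKS root, lvm for the VG, cryptkey for the
# GRUB keyfile, kms so the passphrase prompt is visible on the console
append_words "$demo/mkinitfs.conf" features cryptsetup lvm cryptkey kms
# Syslinux: kernel parameters telling the initramfs which device to unlock
append_words "$demo/update-extlinux.conf" default_kernel_opts \
    "cryptroot=UUID=$luks_uuid" cryptdm=lvmcrypt
# GRUB: the same parameters, plus the modules GRUB itself needs for LUKS+LVM
append_words "$demo/grub" GRUB_CMDLINE_LINUX_DEFAULT \
    "cryptroot=UUID=$luks_uuid" cryptdm=lvmcrypt cryptkey
set_var "$demo/grub" GRUB_PRELOAD_MODULES "luks cryptodisk part_gpt lvm"
set_var "$demo/grub" GRUB_ENABLE_CRYPTODISK y
# running the same edit again is a no-op
append_words "$demo/grub" GRUB_CMDLINE_LINUX_DEFAULT cryptdm=lvmcrypt

cat "$demo/mkinitfs.conf" "$demo/update-extlinux.conf" "$demo/grub"
missing_words "$demo/mkinitfs.conf" features cryptsetup lvm ext4 cryptkey \
    && echo "mkinitfs features OK" \
    || echo "add the features listed above before running mkinitfs"
```

On a real installation the paths would be /mnt/etc/mkinitfs/mkinitfs.conf, /mnt/etc/update-extlinux.conf and, inside the chroot, /etc/default/grub, with the UUID read from ~/uuid. set_var writes GRUB_ENABLE_CRYPTODISK="y" in quoted form; since /etc/default/grub is sourced as shell, that is equivalent to the unquoted GRUB_ENABLE_CRYPTODISK=y shown above.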

LUKS1

# (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit

LUKS2

Note: This method is still experimental, and you may lose access to your OS at the next OS update.

Create a pre-config grub file: /root/grub-pre.cfg

set crypto_uuid=00001
cryptomount -u $crypto_uuid
set root='lvmid/00002/00003'
set prefix=($root)/boot/grub
insmod normal
normal

You can find:

  • 00001: the UUID of your encrypted partition (e.g. /dev/nvme0n1p2) as reported by blkid, with the hyphens removed
  • 00002: the VG UUID reported by vgdisplay
  • 00003: the LV UUID of the root (/) logical volume reported by lvdisplay
# (chroot) grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512
# (chroot) install -v /tmp/grubx64.efi /boot/efi/EFI/grub/
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit
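The three identifiers above are easy to mistype by hand, and a wrong one produces a GRUB image that cannot find its root. The following script is an added example, not part of the Alpine wiki page or of GRUB's or LVM's own tooling: it parses the UUIDs out of blkid, vgdisplay and lvdisplay output, strips the hyphens where GRUB's cryptomount needs that, and refuses to write grub-pre.cfg if any lookup came back empty. The command output it parses is constructed sample text so that it runs without a LUKS device or LVM; the function names (strip_hyphens, vg_uuid, lv_uuid, write_grub_pre_cfg) and the sample UUIDs are the example's own.

```sh
#!/bin/sh
# Added example (not from the Alpine wiki): build /root/grub-pre.cfg from
# blkid, vgdisplay and lvdisplay output instead of copying UUIDs by hand.
# Demonstrated on constructed command output so it runs anywhere.

# GRUB's "cryptomount -u" expects the LUKS UUID without hyphens.
strip_hyphens() { printf '%s' "$1" | sed 's/-//g'; }

# Print the "VG UUID" of volume group $1 from vgdisplay output on stdin.
vg_uuid() {
    awk -v vg="$1" '
        /^ *VG Name/ { cur = $3 }
        /^ *VG UUID/ { if (cur == vg) { print $3; exit } }'
}

# Print the "LV UUID" of the LV whose "LV Path" is $1 from lvdisplay output
# on stdin (lvdisplay prints LV Path before LV UUID in every block).
lv_uuid() {
    awk -v path="$1" '
        /^ *LV Path/ { cur = $3 }
        /^ *LV UUID/ { if (cur == path) { print $3; exit } }'
}

# Write the pre-config script to $1. Refuses to write if any identifier is
# empty, so a failed lookup cannot silently produce an unbootable image.
write_grub_pre_cfg() {
    out=$1; luks=$2; vg=$3; lv=$4
    [ -n "$luks" ] && [ -n "$vg" ] && [ -n "$lv" ] || {
        echo "missing identifier: luks='$luks' vg='$vg' lv='$lv'" >&2
        return 1
    }
    cat > "$out" <<EOF
set crypto_uuid=$(strip_hyphens "$luks")
cryptomount -u \$crypto_uuid
set root='lvmid/$vg/$lv'
set prefix=(\$root)/boot/grub
insmod normal
normal
EOF
}

# --- constructed sample output (not captured from a real machine) ---
sample_blkid_uuid='1bd0e7a2-5c3f-4d8e-9a11-2f6b8c0d4e55'   # blkid -s UUID -o value /dev/sda2
sample_vgdisplay='  --- Volume group ---
  VG Name               vg0
  System ID
  Format                lvm2
  VG UUID               Qf3k1z-8Hn2-rTqY-0aBc-DeFg-HiJk-LmNoPq'
sample_lvdisplay='  --- Logical volume ---
  LV Path                /dev/vg0/swap
  LV Name                swap
  VG Name                vg0
  LV UUID                sw4p00-1111-2222-3333-4444-5555-666666
  --- Logical volume ---
  LV Path                /dev/vg0/root
  LV Name                root
  VG Name                vg0
  LV UUID                r00t00-aaaa-bbbb-cccc-dddd-eeee-ffffff'

# On a real system: vg=$(vgdisplay | vg_uuid vg0); lv=$(lvdisplay | lv_uuid /dev/vg0/root)
vg=$(printf '%s\n' "$sample_vgdisplay" | vg_uuid vg0)
lv=$(printf '%s\n' "$sample_lvdisplay" | lv_uuid /dev/vg0/root)
cfg=$(mktemp)
write_grub_pre_cfg "$cfg" "$sample_blkid_uuid" "$vg" "$lv"
cat "$cfg"
```

With the real command output piped in, the resulting file is the one grub-mkimage -c expects; the lvmid path keeps the LVM UUIDs exactly as vgdisplay and lvdisplay print them, and only the LUKS UUID loses its hyphens.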

Unmounting the Volumes and Partitions

Unmount the /mnt/ partitions, deactivate the LVM volumes, close the LUKS partition and reboot:

# cd
# umount -l /mnt/dev
# umount -l /mnt/proc
# umount -l /mnt/sys
# umount /mnt/boot/efi
# umount /mnt/boot
# swapoff /dev/vg0/swap
# umount /mnt
# vgchange -a n
# cryptsetup luksClose lvmcrypt
# reboot

Troubleshooting

General Procedure

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and repeat the steps in Preparing the Temporary Installation Environment.

Open the LUKS partition and activate the LVs:

# cryptsetup luksOpen /dev/sda2 lvmcrypt
# vgchange -ay

Mount the file systems as described in Creating and Mounting the File Systems.

Verify that you ran the steps described in the Installing Alpine Linux section correctly. Update the configuration if necessary, unmount the partitions, then reboot.

System can't find boot device

* GPT partition table on a motherboard that runs BIOS instead of UEFI
* running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings

I see "can not mount /sysroot" during boot

* incorrect device UUID
* missing module in /mnt/etc/update-extlinux.conf or /mnt/etc/mkinitfs/mkinitfs.conf

normal.mod not found

* re-run grub-install --target=x86_64-efi (see Grub with UEFI)

Secure boot

If secure boot complains of an unsigned bootloader, you can either disable it or adapt this guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

Hardening

  • To harden the system, disable DMA[1] and install a hardened AES implementation (TRESOR[2] or Loop-Amnesia[3]), since cryptsetup with LUKS uses AES by default.
  • Disable DMA in the BIOS and set a BIOS password, as described on Wikipedia.[4]
  • Blacklist kernel modules that use DMA and any unused expansion interfaces (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

Mounting additional encrypted filesystems at boot

If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have /home on a separate physical drive, some extra steps are required.

Note: This does not apply for volumes within your main encrypted partition /dev/sda2

For the purposes of these instructions we will say /dev/sdb1 contains an LVM volume that should be mounted at /home.

Create a keyfile and add it to the LUKS partition:

# dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin
# cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin

Alpine, like Gentoo, uses the dmcrypt service rather than /etc/crypttab. Add the following lines to /etc/conf.d/dmcrypt:

target=crypt-home
source='/dev/sdb1'
key='/root/crypt-home-keyfile.bin'

Add an entry to /etc/fstab, changing vg1 to the name of your LVM volume group:

/dev/vg1/home /home ext4 rw,relatime 0 2

Enable the dmcrypt and lvm services to start on boot:

# rc-update add dmcrypt boot
# rc-update add lvm boot

After a reboot the partition should be decrypted and mounted automatically.
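Before that reboot it is worth checking the dmcrypt stanza and the keyfile it points at: a keyfile that is missing or empty breaks the automatic unlock, and one that is readable by other users hands out the key to the partition. The script below is an added example, not part of the Alpine wiki page or of the dmcrypt service; it parses the target/source/key stanzas of a dmcrypt config file, checks that every keyfile exists, is non-empty and has mode 0600, and reports the first problem it finds. It is demonstrated on constructed files in a temporary directory, including one deliberately world-readable keyfile; the function names (unquote, dmcrypt_stanzas, check_keyfile, check_dmcrypt_conf) are the example's own.

```sh
#!/bin/sh
# Added example (not from the Alpine wiki): validate /etc/conf.d/dmcrypt
# stanzas and the keyfiles they reference before relying on them at boot.
# Demonstrated on constructed files in a temp dir.

# Strip one pair of surrounding single or double quotes from a value.
unquote() { printf '%s' "$1" | sed "s/^['\"]//; s/['\"]\$//"; }

# Print "target source key" for every stanza in dmcrypt config file $1.
# A stanza is complete once its key= line is seen (the order the guide uses).
dmcrypt_stanzas() {
    t=; s=
    while IFS= read -r line; do
        case $line in
            target=*) t=$(unquote "${line#target=}") ;;
            source=*) s=$(unquote "${line#source=}") ;;
            key=*)    printf '%s %s %s\n' "$t" "$s" "$(unquote "${line#key=}")"; t=; s= ;;
        esac
    done < "$1"
}

# One keyfile must exist, be a non-empty regular file and be mode 0600.
# Returns 0 when all hold; otherwise prints the first problem and returns 1.
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    [ -s "$f" ] || { echo "$f: empty"; return 1; }
    mode=$(stat -c %a "$f")
    [ "$mode" = "600" ] || { echo "$f: mode $mode, expected 600"; return 1; }
    echo "$f: ok ($(wc -c < "$f") bytes)"
}

# Check every stanza of config file $1; returns 1 if any stanza fails.
check_dmcrypt_conf() {
    conf=$1; failed=0
    dmcrypt_stanzas "$conf" > "$conf.parsed"
    while read -r target source key; do
        if [ -z "$target" ] || [ -z "$source" ]; then
            echo "stanza for key $key lacks target= or source="; failed=1; continue
        fi
        check_keyfile "$key" || failed=1
    done < "$conf.parsed"
    rm -f "$conf.parsed"
    return $failed
}

# --- demonstration on constructed files (not a real system) ---
demo=$(mktemp -d)
good_key=$demo/crypt-home-keyfile.bin
dd bs=512 count=4 if=/dev/urandom of="$good_key" 2>/dev/null
chmod 600 "$good_key"
loose_key=$demo/crypt-data-keyfile.bin
dd bs=512 count=4 if=/dev/urandom of="$loose_key" 2>/dev/null
chmod 644 "$loose_key"      # the mistake the check is meant to catch
cat > "$demo/dmcrypt" <<EOF
target=crypt-home
source='/dev/sdb1'
key='$good_key'

target=crypt-data
source='/dev/sdc1'
key='$loose_key'
EOF

check_dmcrypt_conf "$demo/dmcrypt" \
    && echo "dmcrypt config OK" \
    || echo "fix the problems above before rebooting"
```

On a real system the argument would be /etc/conf.d/dmcrypt; the keyfile created with dd bs=512 count=4 above is 2048 bytes, which is what the size in the "ok" line should read.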

See also