LVM on LUKS: Difference between revisions
|  (Erased MBR not supported addition of partition labels) |  (Okay, this should probably use Alpine Linux version numbers instead of alpine-conf's numbers. I didn't realize they were different.) | ||
| (19 intermediate revisions by 11 users not shown) | |||
| Line 1: | Line 1: | ||
| This page describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition that contains the root partition and the swap partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its [[Setting up encrypted volumes with LUKS|LUKS]] subsystem is used. | |||
| '''Note:''' The <code>setup-alpine</code> installation scripts has support for encrypted installations since Alpine v3.15, and automatically encrypts swap using LVM in v3.21. For a simplistic setup it is easy to use. | |||
| Note that your {{path|/boot/}} partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that. | Note that your {{path|/boot/}} partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support that. | ||
| ==  | == Setting up Alpine Linux Using LVM on Top of a LUKS Partition == | ||
| To  | To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, several manual steps must be carried out in the Alpine Linux Live CD environment. | ||
| Follow the [[Installation#General_course_of_action|Installation guide]] to complete the [[Installation#Base_configuration|base configuration]] as a working [[Configure_Networking#Connectivity_testing|Internet access]] is mandatory to complete this installation. | |||
| The <code>parted</code> partition editor from {{pkg|parted}} package is needed for advanced partitioning and GPT disklabels. Install the following packages required to set up LVM and LUKS:{{Cmd|# apk add lvm2 cryptsetup e2fsprogs parted mkinitfs}} | |||
| <!-- | |||
| === Preparing the Temporary Installation Environment === | |||
| == Preparing the Temporary Installation Environment == | |||
| Before you begin to install Alpine Linux, prepare the temporary environment: | Before you begin to install Alpine Linux, prepare the temporary environment: | ||
| Line 31: | Line 30: | ||
| If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>. | If you are using Wi-Fi you may need to do run <code>rc-update add wpa_supplicant boot</code>. | ||
| {{Note|On versions of OpenRC prior to 0.45 use <code>urandom</code> instead of <code>seedrng</code>}} | |||
| <pre># passwd | <pre># passwd | ||
| # setup-timezone | # setup-timezone | ||
| # rc-update add networking boot | # rc-update add networking boot | ||
| # rc-update add  | # rc-update add seedrng boot | ||
| # rc-update add acpid default | # rc-update add acpid default | ||
| # rc-service acpid start</pre> | # rc-service acpid start</pre> | ||
| Line 50: | Line 51: | ||
| Here's where we deviate from the install script. | Here's where we deviate from the install script. | ||
| --> | |||
| === Creating the Partition Layout === | |||
| Depending on your motherboard, bios features and configuration, we can either use partition table in MBR (legacy BIOS) or GUID Partition Table (GPT). We'll describe both with example layouts. | |||
| {{Note|Instructions on this page uses {{path|'''/dev/sda'''}}  as storage device name. To find your storage device's name, you could either use the <code>lsblk</code> command from the {{pkg|util-linux}} package or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands.}} | |||
| or  | |||
| === BIOS/MBR with DOS disklabel === | ==== BIOS/MBR with DOS disklabel ==== | ||
| We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. <br> | We'll be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. <br> | ||
| Line 84: | Line 73: | ||
| +---------------------------+------------------------+-----------------------+</pre> | +---------------------------+------------------------+-----------------------+</pre> | ||
| {{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and  | {{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to [[Dualbooting|dual boot]], stop here and seek [[Support]].}} | ||
| Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition. | Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition. | ||
| Line 106: | Line 95: | ||
|   2      99.6MB  1000GB  1000GB  primary  ext4</pre> |   2      99.6MB  1000GB  1000GB  primary  ext4</pre> | ||
| === UEFI with GPT disklabel === | ==== UEFI with GPT disklabel ==== | ||
| We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this: | We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this: | ||
| Line 121: | Line 110: | ||
| +---------------------------+------------------------+-----------------------+</pre> | +---------------------------+------------------------+-----------------------+</pre> | ||
| {{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to dual boot, stop here and  | {{Warning|This will delete an existing partition table and make your data very hard to recover. If you want to [[Dualbooting|dual boot]], stop here and seek [[Support]].}} | ||
| Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition. | Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition. | ||
| Line 133: | Line 122: | ||
| (parted) name 2 crypto-luks</pre> | (parted) name 2 crypto-luks</pre> | ||
| = | === Encrypting the LVM Physical Volume Partition === | ||
| == Encrypting the LVM Physical Volume Partition ==   | |||
| To encrypt the partition that will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance on modern computers: | To encrypt the partition that will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance on modern computers: | ||
| {{Tip|If your hard drive wasn't encrypted previously, overwrite LUKS Partition with Random Data . It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.{{ic|<nowiki># dd if=/dev/urandom of=/dev/sda2 bs=1M</nowiki>}}}} | |||
| < | |||
| For Default settings:{{Cmd|# cryptsetup luksFormat /dev/sda2}} | |||
| Luks1 Optimized for security: {{Cmd|# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2}} | |||
| Luks2 Optimized for security:{{Cmd|# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2}} | |||
| === Converting between LUKS2 and LUKS1 === | === Converting between LUKS2 and LUKS1 === | ||
| It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong: | It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong: {{Cmd|# cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup}} | ||
| Then make sure all keys use <code>pbkdf2</code> by adding a new key with:{{Cmd|# cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2}} | |||
| < | Remove keys that use <code>argon2i</code> or <code>argon2id</code> with {{Cmd|# cryptsetup luksRemoveKey /dev/sda2}}.  | ||
| You can check the key information using the command: {{Cmd|# cryptsetup luksDump /dev/sda2}} | |||
| Now you can try the conversion, although it may not work. {{Cmd|# cryptsetup convert /dev/sda2 --type luks1}} | |||
| === Creating the Logical Volumes and File Systems === | |||
| Open the LUKS partition:{{Cmd|# cryptsetup luksOpen /dev/sda2 lvmcrypt}} | |||
| Create the PV on <code>lvmcrypt</code>: {{Cmd|# pvcreate /dev/mapper/lvmcrypt}} | |||
| < | Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:{{Cmd|# vgcreate vg0 /dev/mapper/lvmcrypt}} | ||
| #  | |||
| ==== LV Creation for BIOS/MBR ==== | |||
| < | This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>). {{Cmd|<nowiki># lvcreate -L 2G vg0 -n swap | ||
| # lvcreate -l 100%FREE vg0 -n root</nowiki>}} | |||
| The LVs created in the previous steps are automatically marked active. To verify, enter:{{Cmd|# lvscan}} | |||
| ==== LV Creation for UEFI/GPT ==== | |||
| < | This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).{{Cmd|<nowiki># lvcreate -L 2G vg0 -n swap | ||
| # lvcreate -L 2G vg0 -n boot | # lvcreate -L 2G vg0 -n boot | ||
| # lvcreate -l 100%FREE vg0 -n root</ | # lvcreate -l 100%FREE vg0 -n root</nowiki>}} | ||
| The LVs created in the previous steps are automatically marked active. To verify, enter:{{Cmd|# lvscan}} | |||
| === Creating and Mounting the File Systems === | |||
| Format the  | Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system: {{Cmd|# mkfs.ext4 /dev/vg0/root}} | ||
| Format the swap LV: {{Cmd|# mkswap /dev/vg0/swap}} | |||
| Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory: | Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:{{Cmd|# mount -t ext4 /dev/vg0/root /mnt/}} | ||
| Next format your boot partition, create a mount point, then mount it: | Next format your boot partition, create a mount point, then mount it: | ||
| * If you're using BIOS and MBR: | * If you're using BIOS and MBR: {{Cmd|<nowiki># mkfs.ext4 /dev/sda1 | ||
| < | |||
| # mkdir -v /mnt/boot | # mkdir -v /mnt/boot | ||
| # mount -t ext4 /dev/sda1 /mnt/boot</ | # mount -t ext4 /dev/sda1 /mnt/boot</nowiki>}} | ||
| < | * If you're using UEFI and GPT:{{Cmd|<nowiki># apk add dosfstools | ||
| # mkfs.fat -F32 /dev/sda1 | # mkfs.fat -F32 /dev/sda1 | ||
| # mkfs.ext4 /dev/vg0/boot | # mkfs.ext4 /dev/vg0/boot | ||
| Line 240: | Line 188: | ||
| # mount -t ext4 /dev/vg0/boot /mnt/boot | # mount -t ext4 /dev/vg0/boot /mnt/boot | ||
| # mkdir -v /mnt/boot/efi | # mkdir -v /mnt/boot/efi | ||
| # mount -t vfat /dev/sda1 /mnt/boot/efi</ | # mount -t vfat /dev/sda1 /mnt/boot/efi</nowiki>}} | ||
| Lastly, activate your swap partition:{{Cmd|# swapon /dev/vg0/swap}} | |||
| === Installing Alpine Linux === | |||
| < | In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure: {{Cmd|# setup-disk -m sys /mnt/}} | ||
| The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory. | The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory. | ||
| Line 256: | Line 200: | ||
| {{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}} | {{Note|The automatic writing of the master boot record (MBR) fails in this step. Later, you'll manually write the MBR to the disk.}} | ||
| The swap LV is not automatically added to the <code>fstab</code> file. so we need to add the following line to the {{Path|/mnt/etc/fstab}} file: | The swap LV is not automatically added to the <code>fstab</code> file. so we need to add the following line to the {{Path|/mnt/etc/fstab}} file as follows: {{Cat|/mnt/etc/fstab|/dev/vg0/swap    swap    swap    defaults    0 0}}  | ||
| Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter: | Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:{{Path|/mnt/etc/mkinitfs/mkinitfs.conf|features="... cryptsetup"}} | ||
| If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot. | If you are using GRUB with an encrypted <code>/boot</code> you must add the <code>cryptkey</code> feature so that Alpine can use a keyfile for decryption on boot. | ||
| Line 270: | Line 210: | ||
| {{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}} | {{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot. You may also need: <code>usb</code>, <code>lvm</code>, <code>ext4</code>, <code>nvme</code>...}} | ||
| Rebuild the initial RAM disk: | Rebuild the initial RAM disk:{{Cmd|# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)}} | ||
| The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility. | The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility. | ||
| == Installing a bootloader == | === Installing a bootloader === | ||
| To get the UUID of your storage device into a file for later use, run this command:{{Cmd|# blkid -s UUID -o value /dev/sda2 > ~/uuid}} | |||
| {{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}} | {{Tip|To easily read the UUID into a file so you don't have to type it manually, open the file in <code>vi</code>, then type <code>:r /root/uuid</code> to load the UUID onto a new line.}} | ||
| === Syslinux with BIOS === | ==== Syslinux with BIOS ==== | ||
| Install the Syslinux package: {{Cmd|# apk add syslinux}} | |||
| < | Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code> as follows:{{Cat|/mnt/etc/update-extlinux.conf|<nowiki>default_kernel_opts="... cryptroot=UUID=<UUID of sda2> cryptdm=lvmcrypt"</nowiki>}} | ||
| The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above. | The <code>cryptroot</code> parameter sets the ID of the device/partition that contains encrypted volumes, and the <code>cryptdm</code> parameter uses the name of the mapping we have already configured a few lines above. | ||
| Line 302: | Line 234: | ||
| </pre> | </pre> | ||
| Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration: | Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:{{Cmd|<nowiki># chroot /mnt/ | ||
| < | |||
| # update-extlinux | # update-extlinux | ||
| # exit</ | # exit</nowiki>}} | ||
| : Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these. | : Because we didn't mount <code>/dev</code> nor <code>/proc</code> inside our <code>/mnt/</code> chroot, some errors may occur when we run <code>update-extlinux</code> command. But you can most likely ignore these. | ||
| Write the MBR (without partition table) to the <code>/dev/sda</code> device: | Write the MBR (without partition table) to the <code>/dev/sda</code> device:{{Cmd|<nowiki># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</nowiki>}} | ||
| < | |||
| ==== Grub with UEFI ==== | |||
| < | To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.{{Cmd|<nowiki># touch /mnt/crypto_keyfile.bin | ||
| # chmod 600 /mnt/crypto_keyfile.bin | # chmod 600 /mnt/crypto_keyfile.bin | ||
| # dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin | # dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin | ||
| # cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin | # cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin</nowiki>}} | ||
| </ | |||
| This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security. | This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security. | ||
| Mount the required filesystems for the Grub EFI installer to the installation: | Mount the required filesystems for the Grub EFI installer to the installation:{{Cmd|<nowiki># mount -t proc /proc /mnt/proc | ||
| < | |||
| # mount --rbind /dev /mnt/dev | # mount --rbind /dev /mnt/dev | ||
| # mount --make-rslave /mnt/dev | # mount --make-rslave /mnt/dev | ||
| # mount --rbind /sys /mnt/sys</ | # mount --rbind /sys /mnt/sys</nowiki>}} | ||
| < | Then run chroot:{{Cmd|<nowiki># chroot /mnt | ||
| # source /etc/profile | # source /etc/profile | ||
| # export PS1="(chroot) $PS1"</ | # export PS1="(chroot) $PS1"</nowiki>}} | ||
| < | Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:{{Cmd|<nowiki># apk add grub grub-efi efibootmgr | ||
| # apk del syslinux</ | # apk del syslinux</nowiki>}} | ||
| Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>): | Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>): | ||
| Line 357: | Line 276: | ||
| If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}. | If using Alpine v3.11 or later, <code>GRUB_ENABLE_CRYPTODISK=y</code> should also be added to {{Path|/etc/default/grub}}. | ||
| ==== Luks1 ==== | ===== Luks1 ===== | ||
| <pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi | <pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi | ||
| # (chroot) grub-mkconfig -o /boot/grub/grub.cfg | # (chroot) grub-mkconfig -o /boot/grub/grub.cfg | ||
| # (chroot) exit</pre> | # (chroot) exit</pre> | ||
| ==== Luks2 ==== | ===== Luks2 ===== | ||
| {{Note|The method is still experimental and you may lose your access to you OS at the next OS update}} | {{Note|The method is still experimental and you may lose your access to you OS at the next OS update}} | ||
| Line 378: | Line 296: | ||
| You can find: | You can find: | ||
| * 00001 with <code>blkid</code> and find the uuid of your encrypted disk, i.e <code>/dev/nvme0n1p2</code> | * 00001 with <code>blkid</code> and find the uuid of your encrypted disk, i.e <code>/dev/nvme0n1p2</code> remove hyphens from the UUID | ||
| * 00002 with <code>vgdisplay</code> & VG UUID | * 00002 with <code>vgdisplay</code> & VG UUID | ||
| * 00003 with <code>lvdisplay</code> & LV UUID of the root partition / | * 00003 with <code>lvdisplay</code> & LV UUID of the root partition / | ||
| Line 387: | Line 305: | ||
| # (chroot) exit</pre> | # (chroot) exit</pre> | ||
| == Unmounting the Volumes and Partitions == | === Unmounting the Volumes and Partitions === | ||
| Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot: | Unmount the <code>/mnt/</code> partitions, deactivate the LVM volumes, close the LUKS partition and reboot: | ||
| Line 403: | Line 321: | ||
| # reboot</pre> | # reboot</pre> | ||
| =  | == Hardening == | ||
| ==  | |||
| * To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] | * To harden, you should disable DMA[https://web.archive.org/web/20200923091814/https://old.iseclab.org/papers/acsac2012dma.pdf]  and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[https://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default. | ||
| * Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack] | * Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack] | ||
| * Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA. | * Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA. | ||
| = Mounting additional encrypted filesystems at boot = | == Mounting additional encrypted filesystems at boot == | ||
| If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required. | If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have <code>/home</code> on a separate physical drive, some extra steps are required. | ||
| Line 476: | Line 359: | ||
| After a reboot the partition should be decrypted and mounted automatically. | After a reboot the partition should be decrypted and mounted automatically. | ||
| = See also = | == Troubleshooting == | ||
| In case your system fails to boot, you can verify the settings and fix incorrect configurations. Reboot and follow the [[Installation#General_course_of_action|Installation guide]] to complete the [[Installation#Base_configuration|base configuration]] again. | |||
| Setup the LUKS partition and activate the LVs: {{Cmd|<nowiki># cryptsetup luksOpen /dev/sda2 lvmcrypt | |||
| # vgchange -ay</nowiki>}} | |||
| Follow the steps in [[#Creating_and_Mounting_the_File Systems| Creating and Mounting the File Systems]]. | |||
| Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot. | |||
| === System can't find boot device === | |||
|  * GPT partition table on a motherboard that runs BIOS instead of UEFI | |||
|  * running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings | |||
| === I see "can not mount /sysroot" during boot === | |||
|  * incorrect device UUID | |||
|  * missing module in <code>/mnt/etc/update-extlinux.conf</code> or <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> | |||
| === normal.mod not found === | |||
|  * re-install <code>grub-install --target=x86_64-efi</code> | |||
| === Secure boot === | |||
| If secure boot complains of an unsigned bootloader, you can either disable it or follow [[UEFI Secure Boot]] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode. | |||
| == See also == | |||
| *[[Setting up encrypted volumes with LUKS]] | |||
| *[[Bootloaders]] | *[[Bootloaders]] | ||
| *[[ | *[[UEFI Secure Boot]] | ||
| *[[Installing on GPT LVM]] | *[[Installing on GPT LVM]] | ||
| *[[Setting up LVM on GPT-labeled disks]] | *[[Setting up LVM on GPT-labeled disks]] | ||
| *[[Setting up disks manually]] | *[[Setting up disks manually]] | ||
| *https://wiki.gentoo.org/wiki/ | *https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/ | ||
| *[https://www.msiism.org/files/doc/alpine-linux-fde-custom.html Installing Alpine Linux with full disk encryption on BIOS/MBR systems with a custom partition layout] | |||
| *[https://rifux.dev/docs/alpine-linux/install-luks2/ Guide to Install Alpine Linux with LUKS2, BTRFS and GRUB] | |||
| *https://wiki.archlinux.org/index.php/GRUB | |||
| *https://wiki.archlinux.org/index.php/Syslinux | |||
| *https://wiki.gentoo.org/wiki/Dm-crypt | |||
| *https://wiki.gentoo.org/wiki/GRUB2 | *https://wiki.gentoo.org/wiki/GRUB2 | ||
| *https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide | *https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide | ||
| *https://wiki.gentoo.org/wiki/Syslinux | |||
| *https://wiki.gentoo.org/wiki/ | |||
| [[Category:Storage]] | [[Category:Storage]] | ||
| [[Category:Security]] | [[Category:Security]] | ||
Latest revision as of 22:04, 26 August 2025
This page describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader partition). We will have an LVM container installed inside an encrypted partition that contains the root partition and the swap partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the cryptsetup command) and its LUKS subsystem is used.
Note: The setup-alpine installation scripts has support for encrypted installations since Alpine v3.15, and automatically encrypts swap using LVM in v3.21. For a simplistic setup it is easy to use.
Note that your /boot/ partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from Evil Maid attacks, but Syslinux doesn't support that.
Setting up Alpine Linux Using LVM on Top of a LUKS Partition
To install Alpine Linux on logical volumes running on top of a LUKS encrypted partition, several manual steps must be carried out in the Alpine Linux Live CD environment.
Follow the Installation guide to complete the base configuration as a working Internet access is mandatory to complete this installation.
The parted partition editor from parted package is needed for advanced partitioning and GPT disklabels. Install the following packages required to set up LVM and LUKS:
# apk add lvm2 cryptsetup e2fsprogs parted mkinitfs
Creating the Partition Layout
Depending on your motherboard, bios features and configuration, we can either use partition table in MBR (legacy BIOS) or GUID Partition Table (GPT). We'll describe both with example layouts.
lsblk command from the util-linux package or you could make an educated guess by using BusyBox's blkid and df commands.BIOS/MBR with DOS disklabel
We'll be partitioning the storage device with a non-encrypted /boot partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and an MSDOS MBR partition table. 
Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI (UEFI is possible only with GPT).
+---------------------------+------------------------+-----------------------+ | Partition name | Partition purpose | Filesystem type | +---------------------------+------------------------+-----------------------+ | /dev/sda1 | Boot partition | ext4 | | /dev/sda2 | LUKS container | LUKS | | |-> /dev/mapper/lvmcrypt | LVM container | LVM | | |-> /dev/vg01/root | Root partition | ext4 | | |-> /dev/vg01/swap | Swap partition | swap | +---------------------------+------------------------+-----------------------+

Create a partition of approximately 100MB to boot from, then assign the rest of the space to your LUKS partition.
# parted -a optimal (parted) mklabel msdos (parted) mkpart primary ext4 0% 100M (parted) set 1 boot on (parted) mkpart primary ext4 100M 100%
To view your partition table, type print while still in parted. Your results should look something like this:
(parted) print Model: ATA TOSHIBA ******** (scsi) Disk /dev/sda: 1000GB Sector size (logical/physical): 512B/4096B Partition Table: msdos Disk Flags: Number Start End Size Type File system Flags 1 1049kB 99.6MB 98.6MB primary ext4 boot 2 99.6MB 1000GB 1000GB primary ext4
UEFI with GPT disklabel
We will be encrypting the whole disk except for the EFI system partition mounted at /boot/efi. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:
+---------------------------+------------------------+-----------------------+ | Partition name | Partition purpose | Filesystem type | +---------------------------+------------------------+-----------------------+ | /dev/sda1 | EFI system partition | fat32 | | /dev/sda2 | LUKS container | LUKS | | |-> /dev/mapper/lvmcrypt | LVM container | LVM | | |-> /dev/vg01/root | Root partition | ext4 | | |-> /dev/vg01/boot | Boot partition | ext4 | | |-> /dev/vg01/swap | Swap partition | swap | +---------------------------+------------------------+-----------------------+

Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.
# parted -a optimal (parted) mklabel gpt (parted) mkpart primary fat32 0% 200M (parted) name 1 esp (parted) set 1 esp on (parted) mkpart primary ext4 200M 100% (parted) name 2 crypto-luks
Encrypting the LVM Physical Volume Partition
To encrypt the partition that will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance on modern computers:
# dd if=/dev/urandom of=/dev/sda2 bs=1MFor Default settings:
# cryptsetup luksFormat /dev/sda2
Luks1 Optimized for security:
# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks1 /dev/sda2
Luks2 Optimized for security:
# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/sda2
Converting between LUKS2 and LUKS1
It is sometimes possible to convert a LUKS2 volume to a LUKS1 volume. First take a backup of the LUKS header that you can restore if anything goes wrong:
# cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup
Then make sure all keys use pbkdf2 by adding a new key with:
# cryptsetup luksAddKey --pbkdf pbkdf2 /dev/sda2
Remove keys that use argon2i or argon2id with 
# cryptsetup luksRemoveKey /dev/sda2
. You can check the key information using the command:
# cryptsetup luksDump /dev/sda2
Now you can try the conversion, although it may not work.
# cryptsetup convert /dev/sda2 --type luks1
Creating the Logical Volumes and File Systems
Open the LUKS partition:
# cryptsetup luksOpen /dev/sda2 lvmcrypt
Create the PV on lvmcrypt: 
# pvcreate /dev/mapper/lvmcrypt
Create the vg0 LVM VG in the /dev/mapper/lvmcrypt PV:
# vgcreate vg0 /dev/mapper/lvmcrypt
LV Creation for BIOS/MBR
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after # lvcreate -L). 
# lvcreate -L 2G vg0 -n swap # lvcreate -l 100%FREE vg0 -n root
The LVs created in the previous steps are automatically marked active. To verify, enter:
# lvscan
LV Creation for UEFI/GPT
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after # lvcreate -L).
# lvcreate -L 2G vg0 -n swap # lvcreate -L 2G vg0 -n boot # lvcreate -l 100%FREE vg0 -n root
The LVs created in the previous steps are automatically marked active. To verify, enter:
# lvscan
Creating and Mounting the File Systems
Format the root and boot LVs using the ext4 file system: 
# mkfs.ext4 /dev/vg0/root
Format the swap LV:
# mkswap /dev/vg0/swap
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the /mnt/ directory:
# mount -t ext4 /dev/vg0/root /mnt/
Next format your boot partition, create a mount point, then mount it:
- If you're using BIOS and MBR: # mkfs.ext4 /dev/sda1 # mkdir -v /mnt/boot # mount -t ext4 /dev/sda1 /mnt/boot 
- If you're using UEFI and GPT:# apk add dosfstools # mkfs.fat -F32 /dev/sda1 # mkfs.ext4 /dev/vg0/boot # mkdir -v /mnt/boot # mount -t ext4 /dev/vg0/boot /mnt/boot # mkdir -v /mnt/boot/efi # mount -t vfat /dev/sda1 /mnt/boot/efi 
Lastly, activate your swap partition:
# swapon /dev/vg0/swap
Installing Alpine Linux
In this step you will install Alpine Linux in the /mnt/ directory, which contains the mounted file system structure: 
# setup-disk -m sys /mnt/
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in /etc/fstab file, which is currently mounted in the /mnt/ directory.
The swap LV is not automatically added to the fstab file. so we need to add the following line to the /mnt/etc/fstab file as follows: 
Contents of /mnt/etc/fstab
Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter:/mnt/etc/mkinitfs/mkinitfs.conf
If you are using GRUB with an encrypted /boot you must add the cryptkey feature so that Alpine can use a keyfile for decryption on boot.
en-us keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to add the keymap feature to the list above.mkinitfs -L and add the features necessary for your system to boot. You may need to add kms in order to see a password prompt at boot. You may also need: usb, lvm, ext4, nvme...Rebuild the initial RAM disk:
# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)
The command uses the settings from the mkinitfs.conf file set in the -c parameter to generate the RAM disk. The command is executed in the /mnt/ directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the $(ls /mnt/lib/modules/) option, mkinitfs tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the setup-disk utility.
Installing a bootloader
To get the UUID of your storage device into a file for later use, run this command:
# blkid -s UUID -o value /dev/sda2 > ~/uuid
vi, then type :r /root/uuid to load the UUID onto a new line.Syslinux with BIOS
Install the Syslinux package:
# apk add syslinux
Edit /mnt/etc/update-extlinux.conf and append the following kernel options to the default_kernel_opts parameter, replacing <UUID> with the UUID of /dev/sda2 as follows:
Contents of /mnt/etc/update-extlinux.conf
The cryptroot parameter sets the ID of the device/partition that contains encrypted volumes, and the cryptdm parameter uses the name of the mapping we have already configured a few lines above.
We can also double check if modules and root are set correctly, eg:
modules=sd-mod,usb-storage,ext4,cryptsetup,keymap,cryptkey,kms,lvm root=UUID=<UUID of /dev/mapper/vg0-root>
Because the update-extlinux utility operates only on the /boot/ directory, temporarily change the root to the /mnt/ directory and update the boot loader configuration:
# chroot /mnt/ # update-extlinux # exit
- Because we didn't mount /devnor/procinside our/mnt/chroot, some errors may occur when we runupdate-extlinuxcommand. But you can most likely ignore these.
Write the MBR (without partition table) to the /dev/sda device:
# dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda
Grub with UEFI
To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.
# touch /mnt/crypto_keyfile.bin # chmod 600 /mnt/crypto_keyfile.bin # dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin # cryptsetup luksAddKey /dev/sda2 /mnt/crypto_keyfile.bin
This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security.
Mount the required filesystems for the Grub EFI installer to the installation:
# mount -t proc /proc /mnt/proc # mount --rbind /dev /mnt/dev # mount --make-rslave /mnt/dev # mount --rbind /sys /mnt/sys
Then run chroot:
# chroot /mnt # source /etc/profile # export PS1="(chroot) $PS1"
Install GRUB2 for EFI and (optionally) remove syslinux:
# apk add grub grub-efi efibootmgr # apk del syslinux
Edit /etc/default/grub and add the following kernel options to the GRUB_CMDLINE_LINUX_DEFAULT parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, /dev/sda2):
cryptroot=UUID=<UUID> cryptdm=lvmcrypt cryptkey
The cryptroot parameter sets the ID of the device/partition that contains encrypted volumes, and the cryptdm parameter uses the name of the mapping we configured a few lines above.
The cryptkey parameter indicates the existence of the file /crypto_keyfile.bin you created previously.
To enable GRUB to decrypt LUKS partitions and read LVM volumes add:
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt lvm"
If using Alpine v3.11 or later, GRUB_ENABLE_CRYPTODISK=y should also be added to /etc/default/grub.
Luks1
# (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi # (chroot) grub-mkconfig -o /boot/grub/grub.cfg # (chroot) exit
Luks2
Create a pre-config grub file: /root/grub-pre.cfg
set crypto_uuid=00001 cryptomount -u $crypto_uuid set root='lvmid/00002/00003' set prefix=($root)/boot/grub insmod normal normal
You can find:
- 00001 with blkidand find the uuid of your encrypted disk, i.e/dev/nvme0n1p2remove hyphens from the UUID
- 00002 with vgdisplay& VG UUID
- 00003 with lvdisplay& LV UUID of the root partition /
# (chroot) grub-mkimage -p /boot/grub -O x86_64-efi -c /root/grub-pre.cfg -o /tmp/grubx64.efi luks2 part_gpt cryptodisk lvm ext2 gcry_rijndael pbkdf2 gcry_sha512 # (chroot) install -v /tmp/grubx64.efi /boot/efi/EFI/grub/ # (chroot) grub-mkconfig -o /boot/grub/grub.cfg # (chroot) exit
Unmounting the Volumes and Partitions
Unmount the /mnt/ partitions, deactivate the LVM volumes, close the LUKS partition and reboot:
# cd # umount -l /mnt/dev # umount -l /mnt/proc # umount -l /mnt/sys # umount /mnt/boot/efi # umount /mnt/boot # swapoff /dev/vg0/swap # umount /mnt # vgchange -a n # cryptsetup luksClose lvmcrypt # reboot
Hardening
- To harden, you should disable DMA[1] and install a hardened version of AES (TRESOR[2] or Loop-Amnesia[3]) since by default cryptsetup with luks uses AES by default.
- Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[4]
- Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.
Mounting additional encrypted filesystems at boot
If you would like other encrypted LUKS partitions to be decrypted and mounted automatically during boot, for example if you have /home on a separate physical drive, some extra steps are required.
/dev/sda2For the purposes of these instructions we will say /dev/sdb1 contains an LVM volume that should be mounted at /home.
Create a keyfile and add it to the LUKS partition:
# dd bs=512 count=4 if=/dev/urandom of=/root/crypt-home-keyfile.bin # cryptsetup luksAddKey /dev/sdb1 /root/crypt-home-keyfile.bin
Alpine, like Gentoo, uses the dmcrypt service rather than /etc/crypttab. Add the following lines to /etc/conf.d/dmcrypt:
target=crypt-home source='/dev/sdb1' key='/root/crypt-home-keyfile.bin'
Add an entry to /etc/fstab, changing vg1 to the name of your LVM volume group:
/dev/vg1/home /home ext4 rw,relatime 0 2
Enable the dmcrypt and lvm services to start on boot:
# rc-update add dmcrypt boot # rc-update add lvm boot
After a reboot the partition should be decrypted and mounted automatically.
Troubleshooting
In case your system fails to boot, you can verify the settings and fix incorrect configurations. Reboot and follow the Installation guide to complete the base configuration again.
Setup the LUKS partition and activate the LVs:
# cryptsetup luksOpen /dev/sda2 lvmcrypt # vgchange -ay
Follow the steps in Creating and Mounting the File Systems.
Verify that you run the steps described in the Installing Alpine Linux section correctly. Update the configuration if necessary, unmount the partitions, then reboot.
System can't find boot device
* GPT partition table on a motherboard that runs BIOS instead of UEFI * running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings
I see "can not mount /sysroot" during boot
* incorrect device UUID * missing module in/mnt/etc/update-extlinux.confor/mnt/etc/mkinitfs/mkinitfs.conf
normal.mod not found
* re-install grub-install --target=x86_64-efi
Secure boot
If secure boot complains of an unsigned bootloader, you can either disable it or follow UEFI Secure Boot guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.
See also
- Setting up encrypted volumes with LUKS
- Bootloaders
- UEFI Secure Boot
- Installing on GPT LVM
- Setting up LVM on GPT-labeled disks
- Setting up disks manually
- https://battlepenguin.com/tech/alpine-linux-with-full-disk-encryption/
- Installing Alpine Linux with full disk encryption on BIOS/MBR systems with a custom partition layout
- Guide to Install Alpine Linux with LUKS2, BTRFS and GRUB
- https://wiki.archlinux.org/index.php/GRUB
- https://wiki.archlinux.org/index.php/Syslinux
- https://wiki.gentoo.org/wiki/Dm-crypt
- https://wiki.gentoo.org/wiki/GRUB2
- https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
- https://wiki.gentoo.org/wiki/Syslinux