User:Andar1an: Difference between revisions

(Full Disk Encryption - BTRFS Subvolumes + LUKS2 - Single Disk, No RAID, No Secure Boot)
 
(update fstab uuids)
 
Line 78: Line 78:
BOOTLOADER=none setup-disk -m sys /mnt
BOOTLOADER=none setup-disk -m sys /mnt


export UUID=$(blkid -s UUID -o value /dev/nvme0n1p2 | sed -n 's/.*UUID=\"\([^\"]*\)\".*/\1/p' )
export UUID=$(blkid -s UUID -o value /dev/dm-0 | sed -n 's/.*UUID=\"\([^\"]*\)\".*/\1/p' )
export UUID2=$(blkid -s UUID -o value /dev/dm-0 | sed -n 's/.*UUID=\"\([^\"]*\)\".*/\1/p' )
export UUID2=$(blkid -s UUID -o value /dev/nvme0n1p1 | sed -n 's/.*UUID=\"\([^\"]*\)\".*/\1/p' )
export UUID3=$(blkid -s UUID -o value /dev/nvme0n1p1 | sed -n 's/.*UUID=\"\([^\"]*\)\".*/\1/p' )


# Can modify output of setup-disk
# Can modify output of setup-disk
cat <<EOF >/mnt/etc/fstab
cat <<EOF >/mnt/etc/fstab
UUID=$UUID / btrfs rw,noatime,compress-force=zstd:2,ssd,discard=async,space_cache=v2,subvol=/@ 0 0
UUID=$UUID / btrfs rw,noatime,compress-force=zstd:2,ssd,discard=async,space_cache=v2,subvol=/@ 0 0
UUID=$UUID2 /home btrfs rw,relatime,compress-force=zstd:2,ssd,discard=async,space_cache=v2,subvol=/@home 0 0
UUID=$UUID /home btrfs rw,relatime,compress-force=zstd:2,ssd,discard=async,space_cache=v2,subvol=/@home 0 0
UUID=$UUID2 /opt btrfs rw,relatime,compress-force=zstd:2,ssd,discard=async,space_cache=v2,subvol=/@opt 0 0
UUID=$UUID /opt btrfs rw,relatime,compress-force=zstd:2,ssd,discard=async,space_cache=v2,subvol=/@opt 0 0
UUID=$UUID2 /tmp btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@tmp 0 0
UUID=$UUID /tmp btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@tmp 0 0
UUID=$UUID2 /var btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@var 0 0
UUID=$UUID /var btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@var 0 0
UUID=$UUID2 /run btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@run 0 0
UUID=$UUID /run btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@run 0 0
UUID=$UUID2 /srv btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@srv 0 0
UUID=$UUID /srv btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@srv 0 0
UUID=$UUID2 /.snapshots btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@.snapshots 0 0
UUID=$UUID /.snapshots btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@.snapshots 0 0
UUID=$UUID2 /swap btrfs rw,ssd,noatime,nodatacow,compress=none,subvol=/@swap 0 0
UUID=$UUID /swap btrfs rw,ssd,noatime,nodatacow,compress=none,subvol=/@swap 0 0
UUID=$UUID3 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=utf8,shortname=mixed,errors=remount-ro 0 2
UUID=$UUID2 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=utf8,shortname=mixed,errors=remount-ro 0 2
/dev/cdrom /media/cdrom iso9660 noauto,ro 0 0
/dev/cdrom /media/cdrom iso9660 noauto,ro 0 0
/dev/usbdisk /media/usb vfat noauto 0 0
/dev/usbdisk /media/usb vfat noauto 0 0
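Review bot: The `sed -n 's/.*UUID=\"…'` filter on the new `export UUID=` and `export UUID2=` lines only prints when blkid emits `UUID="…"` key=value output, yet `-s UUID -o value` asks util-linux blkid for the bare value, so on a system with util-linux blkid both variables come back empty and the fstab below gets `UUID= /` entries; it appears to work only because busybox blkid ignores those options and prints the key=value form. Dropping the options and anchoring the match on the preceding space works with either blkid and keeps a trailing `PARTUUID="…"` field from being captured: `export UUID=$(blkid /dev/mapper/luks | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')` and `export UUID2=$(blkid /dev/nvme0n1p1 | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')`. `/dev/mapper/luks` is the name this page opens the container under and is stable, whereas `/dev/dm-0` depends on activation order. A `[ -n "$UUID" ] && [ -n "$UUID2" ]` check before the `cat <<EOF` would catch an empty value before it is written to fstab.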

Latest revision as of 22:46, 3 October 2024

  1. WIP - Lots of references to LVM on LUKS and Secure Boot Alpine wikis - will add links and references later
  1. TODO:

- Poweroff shows some errors related to mounts - look into it - Validate swapfile compression and CoW settings - if remounting during the install did not work, use chattr - Wiki page formatting

  1. System:

Alpine 3.20 on Lenovo X1 Yoga Gen 4

  1. Steps:

# Basic configuration of the live environment; each setup-* tool prompts
# interactively, and passwd sets the root password for the live session.
setup-keymap
setup-hostname
setup-interfaces
rc-service networking start
passwd
setup-timezone
setup-ntp
setup-sshd

  1. load the btrfs module first, or you will get a missing /dev/btrfs-control warning when creating the filesystem.

# Load btrfs before installing btrfs-progs so /dev/btrfs-control exists when
# mkfs.btrfs runs later; then pull in the tools the rest of the procedure uses.
modprobe btrfs
setup-apkrepos
apk update
apk add btrfs-progs cryptsetup dosfstools mkinitfs parted

  1. use optimal partition alignment for disk

# GPT with two partitions: a 511 MiB ESP (partition 1, esp flag set) and the
# rest of the disk for the LUKS container (partition 2). -s runs without
# prompting; -a optimal aligns partitions to the disk's preferred boundaries.
parted -s -a optimal /dev/nvme0n1 \
  mklabel gpt \
  mkpart ESP fat32 1MiB 512MiB \
  mkpart luks btrfs 512MiB 100% \
  set 1 esp on
  1. overwrite the luks partition with random data (the dd below reads /dev/urandom) - takes a while, took me 20 min for 476 GiB
  2. dd if=/dev/urandom of=/dev/nvme0n1p2 bs=1M status=progress
  1. Luks2 Optimized for security (see cryptsetup notes below):

# LUKS2 container on partition 2 (prompts for the passphrase).
# Long-option form of the same parameters: AES-XTS with a 512-bit key,
# SHA-512 hash, PBKDF2 with 5 s of iteration benchmarking.
# NOTE(review): pbkdf2 is presumably chosen because GRUB has to unlock this
# container (see the pbkdf2 module in GRUB_PRELOAD_MODULES below); it is
# weaker against brute force than cryptsetup's default argon2id, which is
# what the long --iter-time partly compensates for — confirm.
cryptsetup luksFormat --verbose \
  --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
  --pbkdf pbkdf2 --iter-time 5000 --use-random \
  /dev/nvme0n1p2

  1. can verify keyslot has a key
  2. cryptsetup luksDump /dev/nvme0n1p2

# Open the container under the name "luks" (becomes /dev/mapper/luks), then
# create the two filesystems: FAT32 on the ESP, btrfs inside the container.
cryptsetup luksOpen /dev/nvme0n1p2 luks
mkfs.fat -F 32 -n ESP /dev/nvme0n1p1
mkfs.btrfs -L ROOT /dev/mapper/luks

  1. create subvolumes

# Create the subvolume layout at the top level of the btrfs filesystem,
# then unmount so the subvolumes can be mounted individually.
mount /dev/mapper/luks /mnt
for subvol in @ @swap @.snapshots @tmp @run @var @srv @home @opt; do
  btrfs subvolume create "/mnt/$subvol"
done
umount /mnt

  1. following mounts will inherit primary mount options until remounted

# Mount the @ subvolume as the future root. The options given here are the
# ones the subvolume mounts below inherit until they are remounted.
root_opts=ssd,noatime,space_cache=v2,compress-force=zstd:2,discard=async
mount -t btrfs -o "$root_opts,subvol=@" /dev/mapper/luks /mnt

  1. Mount the sub volumes:

# Mount each remaining subvolume at its mountpoint under /mnt. The mountpoint
# name equals the subvolume name without the leading "@".
for name in home opt tmp var run srv .snapshots swap; do
  mkdir -p "/mnt/$name"
  mount -o "subvol=@$name" /dev/mapper/luks "/mnt/$name"
done

# Mountpoint for the ESP inside the new root.
mkdir -p -- /mnt/boot/efi

  1. Mount the EFI partition

# Partition 1 is the FAT32 ESP created above.
mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi

  1. easier to not install the bootloader with setup-disk

# Install the base system into /mnt as a "sys" (disk) install; BOOTLOADER=none
# skips bootloader installation, which GRUB handles from the chroot later.
env BOOTLOADER=none setup-disk -m sys /mnt

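# UUIDs for the fstab written below: $UUID is the btrfs filesystem inside the
# LUKS mapping (shared by every subvolume), $UUID2 is the ESP.
# Read blkid's key=value output instead of `-s UUID -o value`: the sed only
# matches a `UUID="..."` field, which `-o value` (util-linux blkid) does not
# print, so the variables would come back empty there. The space before UUID
# keeps a trailing PARTUUID="..." field from being captured instead.
# /dev/mapper/luks is the mapping opened above; /dev/dm-0 is the same device
# but its number depends on activation order.
export UUID=$(blkid /dev/mapper/luks | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
export UUID2=$(blkid /dev/nvme0n1p1 | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
# Warn rather than exit: this runs in the interactive install shell.
[ -n "$UUID" ] && [ -n "$UUID2" ] || echo "WARNING: blkid returned no UUID (UUID='$UUID' UUID2='$UUID2'); fix before writing fstab" >&2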

  1. Can modify output of setup-disk

# Replace the fstab generated by setup-disk. $UUID is the btrfs filesystem in
# the LUKS mapping (every subvolume line uses it), $UUID2 is the ESP.
# NOTE(review): /tmp appears twice — the @tmp subvolume and a tmpfs. The
# tmpfs line comes last, so it presumably ends up mounted over @tmp and the
# subvolume goes unused; keep one or the other — confirm.
# NOTE(review): btrfs documents nodatacow as disabling compression, so
# compress-force on the nodatacow lines presumably has no effect — confirm.
# NOTE(review): /run is normally a tmpfs set up by the init system; a
# persistent @run subvolume may relate to the poweroff mount errors in the
# TODO list — confirm.
cat <<EOF >/mnt/etc/fstab
UUID=$UUID / btrfs rw,noatime,compress-force=zstd:2,ssd,discard=async,space_cache=v2,subvol=/@ 0 0
UUID=$UUID /home btrfs rw,relatime,compress-force=zstd:2,ssd,discard=async,space_cache=v2,subvol=/@home 0 0
UUID=$UUID /opt btrfs rw,relatime,compress-force=zstd:2,ssd,discard=async,space_cache=v2,subvol=/@opt 0 0
UUID=$UUID /tmp btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@tmp 0 0
UUID=$UUID /var btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@var 0 0
UUID=$UUID /run btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@run 0 0
UUID=$UUID /srv btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@srv 0 0
UUID=$UUID /.snapshots btrfs rw,ssd,noatime,nodatacow,space_cache=v2,compress-force=zstd:2,discard=async,subvol=/@.snapshots 0 0
UUID=$UUID /swap btrfs rw,ssd,noatime,nodatacow,compress=none,subvol=/@swap 0 0
UUID=$UUID2 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=utf8,shortname=mixed,errors=remount-ro 0 2
/dev/cdrom /media/cdrom iso9660 noauto,ro 0 0
/dev/usbdisk /media/usb vfat noauto 0 0
tmpfs /tmp tmpfs nosuid,nodev 0 0
EOF

  1. remount subvolumes for different mount options to be used

# @swap was mounted with the inherited root options; remount it with the
# swapfile-friendly set (nodatacow, no compression) before creating the file.
swap_opts=rw,ssd,noatime,nodatacow,compress=none
umount /mnt/swap
mount -t btrfs -o "$swap_opts,subvol=@swap" /dev/mapper/luks /mnt/swap

  1. Now create swapfile with correct subvolume options
  2. https://btrfs.readthedocs.io/en/latest/Swapfile.html

# Let btrfs-progs create the swapfile (it sets the attributes a btrfs
# swapfile requires), then activate it for the rest of the install.
swapfile=/mnt/swap/swapfile
btrfs filesystem mkswapfile --size 20G "$swapfile"
swapon "$swapfile"


  1. Look into updating to current key options - https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Keyfiles
  2. To avoid having to type your decryption password twice every boot (once for GRUB and once for Alpine), add a keyfile to your LUKS partition. The filename is important.

# Keyfile at the root of the (encrypted) installed system. The empty file is
# created with mode 600 before any key material is written, then filled with
# 4 x 512 = 2048 random bytes and enrolled as an additional LUKS key
# (luksAddKey prompts for an existing passphrase).
keyfile=/mnt/crypto_keyfile.bin
install -m 600 /dev/null "$keyfile"
dd bs=512 count=4 if=/dev/urandom of="$keyfile"
cryptsetup luksAddKey /dev/nvme0n1p2 "$keyfile"

  1. This keyfile is stored encrypted (it is in your LUKS partition), so its presence does not affect system security, provided the initramfs that embeds it stays in /boot, which in this layout is on the encrypted root (only /boot/efi is unencrypted).
  2. Mount the required filesystems for the Grub EFI installer to do the installation:
  3. rbind is recursive, rslave is a mirror mount, the proc file system acts as an interface to internal data structures in the kernel.
  1. see https://wiki.archlinux.org/title/Chroot section 4.3

# Pseudo-filesystems the chroot needs for grub-install and blkid to work.
# /dev and /sys are bind-mounted recursively; /mnt/dev is made a slave so
# mounts inside the chroot do not propagate back to the live system.
mount -t proc /proc /mnt/proc
for fs in dev sys; do
  mount --rbind "/$fs" "/mnt/$fs"
done
mount --make-rslave /mnt/dev

  1. Then run chroot:

# Enter the installed system; the commands that follow run inside it.
chroot /mnt

  1. Install GRUB2 for EFI

# GRUB with the EFI target plus efibootmgr for the boot entry (alphabetical).
apk add efibootmgr grub grub-efi

  1. To get the UUID of your storage device into a file for later use, run this command:

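# UUID of the LUKS container for the cryptroot= kernel parameter (the header
# on partition 2, not the btrfs UUID used in fstab).
# Read blkid's key=value output instead of `-s UUID -o value`: the sed only
# matches a `UUID="..."` field, which `-o value` (util-linux blkid) does not
# print, so the variable would come back empty there. The space before UUID
# keeps a trailing PARTUUID="..." field from being captured instead.
export UUID=$(blkid /dev/nvme0n1p2 | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
# Warn rather than exit: this runs in the interactive chroot session.
[ -n "$UUID" ] || echo "WARNING: blkid returned no UUID for /dev/nvme0n1p2; fix before writing /etc/default/grub" >&2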

  1. cryptdm = the device-mapper name given to cryptsetup luksOpen above (luks)

# GRUB defaults for an encrypted root:
#  - cryptroot=UUID=$UUID / cryptdm=luks tell the initramfs which container to
#    open and under what mapping name (same name as luksOpen above);
#    cryptkey makes it use the keyfile instead of prompting again.
#  - GRUB_PRELOAD_MODULES matches the luksFormat parameters above
#    (LUKS2, SHA-512, PBKDF2) so GRUB can unlock /boot itself.
#  - GRUB_ENABLE_CRYPTODISK=y is what makes grub-mkconfig emit the
#    cryptomount step for the encrypted /boot.
cat <<EOF >/etc/default/grub
GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=false
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,btrfs,nvme cryptroot=UUID=$UUID cryptdm=luks cryptkey quiet rootfstype=btrfs"
GRUB_PRELOAD_MODULES="luks2 cryptodisk part_gpt gcry_sha512 pbkdf2"
GRUB_ENABLE_CRYPTODISK=y
EOF

  1. Update the mkinitfs.conf features

# Initramfs features: btrfs and nvme for the root device, cryptsetup to open
# the container, cryptkey so the keyfile created above is included and used.
cat <<EOF >/etc/mkinitfs/mkinitfs.conf
features="ata base ide scsi usb virtio btrfs nvme cryptsetup cryptkey"
EOF

  1. if more than one kernel is installed, give the kernel version explicitly

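# Rebuild the initramfs for every installed kernel. mkinitfs takes a single
# kernel version, so iterate over the module directories instead of passing
# the word-split output of `ls`, which breaks as soon as more than one kernel
# is installed. With one kernel this is the same single mkinitfs call.
for kmod_dir in /lib/modules/*/; do
  [ -d "$kmod_dir" ] || continue   # no match leaves the literal pattern in POSIX sh
  kver=${kmod_dir%/}
  kver=${kver##*/}
  mkinitfs "$kver"
done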

# Install GRUB to the ESP as boot entry "ALPINE". The embedded modules match
# the container created above: LUKS2, AES (gcry_rijndael), SHA-512, PBKDF2,
# plus GPT and btrfs to find and read /boot.
grub-install \
  --target=x86_64-efi \
  --efi-directory=/boot/efi \
  --boot-directory=/boot \
  --bootloader-id=ALPINE \
  --modules="luks2 part_gpt cryptodisk btrfs gcry_rijndael pbkdf2 gcry_sha512"

# Generate grub.cfg from /etc/default/grub written above.
grub-mkconfig --output=/boot/grub/grub.cfg