Full disk encryption secure boot: Difference between revisions

From Alpine Linux
(Packages & Partitions)
(Adding LUKS, Mounting points and File System and Installing Alpine)
Line 1: Line 1:
{{Draft}}
{{Draft}}


This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition on a nvme drive, with UEFI & Secure Boot.
This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot.
The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.


= Sequence of Events =
= Sequence of Events =
Line 8: Line 9:
* Partitioning the disk
* Partitioning the disk
* Configuring LUKS
* Configuring LUKS
* Mounting points and File System
* Installing Alpine
* Installing Alpine
* Grub settings
* mkinitfs settings & modules
* Configuring Secure Boot
* Configuring Secure Boot


Line 23: Line 27:


= Partitioning the disk =
= Partitioning the disk =
Let's assume the disk is /dev/nvme0n1 and no partitions are present, we will create two partitions only : one for UEFI, one for /
 
Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :
* one for UEFI
* one for /
* one for swap (hibernation)


<pre># gdisk /dev/nvme0n1
<pre># gdisk /dev/nvme0n1
Line 50: Line 59:
The operation has completed successfully.
The operation has completed successfully.
</pre>
</pre>
= Configuring LUKS =
<pre># cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2
WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.
cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3
WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
</pre>
= Mounting points and File System =
Open the LUKS partitiond we just created:
<pre># cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
</pre>
Create vfat file system for UEFI partition:
<pre># mkfs.vfat /dev/nvme0n1p1</pre>
Create ext4 file system for / partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p2-crypt</pre>
Create ext4 file system for swap partition:
<pre># mkfs.ext4 /dev/mapper/nvme0n1p3-crypt</pre>
Create mounting points and mount partitions :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p2-crypt /mnt</pre>
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
Mount UEFI partition to /mnt/boot/efi :
<pre># mount -t ext4 /dev/mapper/nvme0n1p1 /mnt/boot/efi</pre>
= Installing Alpine =
<pre># setup-disk -m sys /mnt/</pre>
= Grub settings =
= mkinitfs settings & modules =
= Configuring Secure Boot =

Revision as of 21:33, 26 July 2022

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Blt on 26 Jul 2022.)

This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition, encrypted swap for hibernation on a nvme drive, with UEFI & Secure Boot. The goal of this guide is to follow the KISS principle, lvm can be added, another file system can be used, multiple partitions for /home; /var/log etc.. can also be added, if running everything in one partition is not meeting your requirements.

Sequence of Events

  • Installing packages
  • Partitioning the disk
  • Configuring LUKS
  • Mounting points and File System
  • Installing Alpine
  • Grub settings
  • mkinitfs settings & modules
  • Configuring Secure Boot

Installing packages

To facilitate the partitioning we will use gdisk :

# apk add gptfdisk

For encryption, we will use cryptsetup :

# apk add cryptsetup

For using and managing UEFI, multiple packages are needed :

# apk add e2fsprogs grub grub-efi

Partitioning the disk

Let's assume the disk is /dev/nvme0n1 and no partition is present, we will create three partitions :

  • one for UEFI
  • one for /
  • one for swap (hibernation)
# gdisk /dev/nvme0n1
Command (? for help): n
Partition number (1-128, default 1): 
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}: 
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2): 
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}: 
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.

Configuring LUKS

# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2: 
Verify passphrase: 
Key slot 0 created.
Command successful.

cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3: 
Verify passphrase: 
Key slot 0 created.
Command successful.

Mounting points and File System

Open the LUKS partitiond we just created:

# cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt

Create vfat file system for UEFI partition:

# mkfs.vfat /dev/nvme0n1p1

Create ext4 file system for / partition:

# mkfs.ext4 /dev/mapper/nvme0n1p2-crypt

Create ext4 file system for swap partition:

# mkfs.ext4 /dev/mapper/nvme0n1p3-crypt

Create mounting points and mount partitions : Mount / partition to /mnt :

# mount -t ext4 /dev/mapper/nvme0n1p2-crypt /mnt

Create /boot/efi:

# mkdir /mnt/boot/efi -p

Mount UEFI partition to /mnt/boot/efi :

# mount -t ext4 /dev/mapper/nvme0n1p1 /mnt/boot/efi

Installing Alpine

# setup-disk -m sys /mnt/

Grub settings

mkinitfs settings & modules

Configuring Secure Boot