Full disk encryption secure boot: Difference between revisions
Revision as of 21:33, 26 July 2022
This material is work-in-progress ... Do not follow instructions here until this notice is removed.
This guide explains step by step how to set up Alpine Linux with full disk encryption using LUKS2, with /boot and / together on the same partition and encrypted swap for hibernation, on an NVMe drive with UEFI and Secure Boot. Keeping /boot inside the encrypted volume means the kernel and initramfs are never stored in the clear on the disk, at the price that GRUB itself has to unlock the volume before it can load them, which constrains the LUKS key derivation settings chosen later. The goal of this guide is to follow the KISS principle: LVM can be added, another file system can be used, and separate partitions for /home, /var/log etc. can be added if running everything in one partition does not meet your requirements.
Sequence of Events
- Installing packages
- Partitioning the disk
- Configuring LUKS
- Mounting points and File System
- Installing Alpine
- Grub settings
- mkinitfs settings & modules
- Configuring Secure Boot
Installing packages
To facilitate the partitioning we will use gdisk:
# apk add gptfdisk
For encryption, we will use cryptsetup:
# apk add cryptsetup
For the ext4 file system and for GRUB with its UEFI image, multiple packages are needed:
# apk add e2fsprogs grub grub-efi
mkfs.vfat, used below for the EFI system partition, comes from the dosfstools package; install it as well if it is missing.
Partitioning the disk
Let's assume the disk is /dev/nvme0n1 and no partition is present. We will create three partitions:
- one for UEFI
- one for /
- one for swap (hibernation)
# gdisk /dev/nvme0n1
Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'
Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'
Command (? for help): w
Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING PARTITIONS!!
Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.
The session above only creates the first two partitions, and partition 2 takes the default last sector, i.e. the rest of the disk. To get the swap partition that the LUKS steps below expect on /dev/nvme0n1p3, give partition 2 an explicit last sector instead (gdisk accepts a size such as -8G, meaning 8 GiB before the end of the disk), then create partition 3 with type 8309 in the same way before writing the table with w.
Configuring LUKS
Both partitions are formatted as LUKS2 (the cryptsetup default). Because /boot lives inside the encrypted root partition, GRUB has to unlock /dev/nvme0n1p2 before it can read the kernel, and GRUB's LUKS2 support (2.06, current when this was written) only implements PBKDF2 key derivation. That is why --pbkdf pbkdf2 overrides the LUKS2 default, argon2id; it gives up argon2id's memory hardness, so the passphrase has to be correspondingly strong. The swap partition is opened from the initramfs rather than by GRUB, so argon2id would also work there. -c aes-xts-plain64 -s 512 is AES-256 in XTS mode (XTS consumes two 256-bit keys), --hash sha512 selects the PBKDF2 hash, and --iter-time 5000 benchmarks the iteration count for about 5 seconds in cryptsetup; expect the unlock prompt in GRUB to take noticeably longer, since GRUB's PBKDF2 is not hardware accelerated.
# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:
Verify passphrase:
Key slot 0 created.
Command successful.
# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3:
Verify passphrase:
Key slot 0 created.
Command successful.
Mounting points and File System
Open the LUKS partitions we just created:
# cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt
Create a vfat file system on the UEFI partition (it is read by the firmware and by GRUB's EFI image, so it stays unencrypted):
# mkfs.vfat /dev/nvme0n1p1
Create an ext4 file system on the / partition, through the mapper device so the data lands inside the LUKS container:
# mkfs.ext4 /dev/mapper/nvme0n1p2-crypt
Set up the swap partition, again through its mapper device; swap needs a swap signature, not a file system:
# mkswap /dev/mapper/nvme0n1p3-crypt
Create mounting points and mount partitions.
Mount the / partition on /mnt:
# mount -t ext4 /dev/mapper/nvme0n1p2-crypt /mnt
Create /boot/efi:
# mkdir -p /mnt/boot/efi
Mount the UEFI partition on /mnt/boot/efi (the raw partition, not a mapper device, and it is vfat, not ext4):
# mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi
Installing Alpine
# setup-disk -m sys /mnt/
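As an added example (not part of the wiki page or of Alpine's own tooling), here are two sanity checks for the result of the partitioning, LUKS and mounting steps above, written as POSIX sh functions that parse command output passed in as text. The first rejects a LUKS header GRUB cannot open (not LUKS2, a keyslot not derived with PBKDF2, an unexpected cipher, or a short key); the second catches the layout mistakes that are easy to make here: a swap mapper that got mkfs.ext4 instead of mkswap, an EFI partition that is not vfat or not mounted on /boot/efi, or an ESP that sits under dm-crypt. The parser relies on the field names cryptsetup luksDump prints under its Keyslots: block (Key:, Cipher:, PBKDF:). The luksDump and lsblk -P texts at the bottom are constructed, abridged samples, not captures from a real machine; the device and mapper names are the ones used on this page.

```sh
#!/bin/sh
# Added example, not from the wiki page: sanity checks for the layout built above.
# Both functions take command output as a string so they can run offline on the
# constructed samples below. On the target system use them as:
#   check_luks_for_grub "$(cryptsetup luksDump /dev/nvme0n1p2)"
#   check_layout "$(lsblk -P -o NAME,FSTYPE,MOUNTPOINT /dev/nvme0n1)" \
#       nvme0n1p1 nvme0n1p2-crypt nvme0n1p3-crypt

# check_luks_for_grub DUMP: fail unless every keyslot in a `cryptsetup luksDump` is
# one GRUB's cryptodisk can unlock: LUKS2 header, PBKDF2 (not the cryptsetup default
# argon2id), aes-xts-plain64, key of at least 256 bits.
check_luks_for_grub() {
    dump=$1
    version=$(printf '%s\n' "$dump" | awk '$1 == "Version:" { print $2; exit }')
    if [ "$version" != "2" ]; then
        echo "luks: header is not LUKS2 (Version: ${version:-?})" >&2
        return 1
    fi
    # Only the "Keyslots:" block is inspected. "Digests:" also says pbkdf2, but that
    # is the volume-key digest, not something GRUB has to derive from a passphrase.
    problems=$(printf '%s\n' "$dump" | awk '
        /^Keyslots:/     { inks = 1; next }
        /^[^ \t]/        { inks = 0 }
        !inks            { next }
        /^[ \t]+[0-9]+:/ { slot = $1; sub(/:$/, "", slot) }
        $1 == "PBKDF:"  && $2 != "pbkdf2"          { print "slot " slot ": " $2 " keyslot, GRUB needs pbkdf2" }
        $1 == "Cipher:" && $2 != "aes-xts-plain64" { print "slot " slot ": unexpected cipher " $2 }
        $1 == "Key:"    && $2 + 0 < 256            { print "slot " slot ": key only " $2 " bits" }')
    [ -z "$problems" ] || { printf '%s\n' "$problems" >&2; return 1; }
    return 0
}

# pairs_field TABLE NAME KEY: value of KEY="..." on the NAME="..." line of `lsblk -P` output.
pairs_field() {
    printf '%s\n' "$1" | grep "^NAME=\"$2\" " | sed -n "s/.*[[:space:]]$3=\"\([^\"]*\)\".*/\1/p"
}

# check_layout TABLE ESP ROOT SWAP: TABLE is `lsblk -P -o NAME,FSTYPE,MOUNTPOINT` output;
# ESP, ROOT and SWAP are the NAME values of the EFI partition and the two mapper devices.
check_layout() {
    table=$1 esp=$2 root=$3 swap=$4 rc=0
    espfs=$(pairs_field "$table" "$esp" FSTYPE)
    espmp=$(pairs_field "$table" "$esp" MOUNTPOINT)
    rootfs=$(pairs_field "$table" "$root" FSTYPE)
    swapfs=$(pairs_field "$table" "$swap" FSTYPE)
    [ "$espfs" = vfat ] || { echo "$esp: EFI system partition must be vfat, found '$espfs'" >&2; rc=1; }
    case "$espmp" in */boot/efi) ;; *) echo "$esp: must be mounted on .../boot/efi, found '$espmp'" >&2; rc=1 ;; esac
    # The firmware reads the ESP before anything is unlocked, so it must be a plain partition.
    case "$esp" in *-crypt) echo "$esp: the ESP must not sit under dm-crypt" >&2; rc=1 ;; esac
    [ "$rootfs" = ext4 ] || { echo "$root: root must be ext4, found '$rootfs'" >&2; rc=1; }
    [ "$swapfs" = swap ] || { echo "$swap: needs a swap signature (mkswap), found '$swapfs'" >&2; rc=1; }
    return $rc
}

# Constructed, abridged luksDump output for the root partition (not a real capture).
SAMPLE_DUMP_OK='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      pbkdf2
        Hash:       sha512
Tokens:
Digests:
  0: pbkdf2'
# The same header as cryptsetup would write it without --pbkdf pbkdf2.
SAMPLE_DUMP_ARGON=$(printf '%s\n' "$SAMPLE_DUMP_OK" | sed '/PBKDF:/s/pbkdf2/argon2id/')

# Constructed `lsblk -P` output for the layout this page ends up with.
SAMPLE_LSBLK_OK='NAME="nvme0n1" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" FSTYPE="vfat" MOUNTPOINT="/mnt/boot/efi"
NAME="nvme0n1p2" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="nvme0n1p2-crypt" FSTYPE="ext4" MOUNTPOINT="/mnt"
NAME="nvme0n1p3" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="nvme0n1p3-crypt" FSTYPE="swap" MOUNTPOINT="[SWAP]"'
# Same layout after mkfs.ext4 was run on the swap mapper instead of mkswap.
SAMPLE_LSBLK_BAD=$(printf '%s\n' "$SAMPLE_LSBLK_OK" | sed '/p3-crypt/s/FSTYPE="swap"/FSTYPE="ext4"/')

# Stand-alone demo on the samples.
check_luks_for_grub "$SAMPLE_DUMP_OK" && echo "luksDump: every keyslot is GRUB-compatible"
check_luks_for_grub "$SAMPLE_DUMP_ARGON" || echo "luksDump (argon2id): rejected, as expected"
check_layout "$SAMPLE_LSBLK_OK" nvme0n1p1 nvme0n1p2-crypt nvme0n1p3-crypt && echo "layout: ok"
check_layout "$SAMPLE_LSBLK_BAD" nvme0n1p1 nvme0n1p2-crypt nvme0n1p3-crypt || echo "layout (ext4 on swap): rejected, as expected"
```

Run the LUKS check before the first reboot: a header that passes cryptsetup but fails here (typically because --pbkdf pbkdf2 was forgotten on the root partition) leaves GRUB unable to open /boot, and the only fix is to add a PBKDF2 keyslot or reformat.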