Full disk encryption secure boot: Difference between revisions

From Alpine Linux
(updating Grub)
m (typos)
Line 127: Line 127:
Create mounting points and mount partitions :
Create mounting points and mount partitions :
Mount / partition to /mnt :
Mount / partition to /mnt :
<pre># mount -t ext4 /dev/mapper/nvme0n1p2-crypt /mnt</pre>
<pre># mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt</pre>
Create /boot/efi:
Create /boot/efi:
<pre># mkdir /mnt/boot/efi -p</pre>
<pre># mkdir /mnt/boot/efi -p</pre>
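Review bot: mounting /dev/mapper/nvme0n1p3-crypt on /mnt matches the gdisk layout (partition 2 is the 16G Linux swap, partition 3 the Linux LUKS root), but the rest of the guide still treats nvme0n1p2 as root: the mkfs.ext4 step formats nvme0n1p2-crypt for /, luksAddKey puts the keyfile on /dev/nvme0n1p2, and GRUB_CMDLINE_LINUX_DEFAULT keeps cryptdm=nvme0n1p2-crypt. Those should move to nvme0n1p3 in the same edit so the walkthrough is consistent end to end.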
Line 133: Line 133:
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
<pre># mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi</pre>
Activate SWAP:
Activate SWAP:
<pre># mkswap /dev/mapper/nvme0n1p3-crypt
<pre># mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p3-crypt</pre>
# swapon /dev/mapper/nvme0n1p2-crypt</pre>
Check partition scheme:
Check partition scheme:
<pre># lsblk
<pre># lsblk
NAME                MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
NAME                MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
loop0                7:0    0 105.2M  1 loop  /.modloop
 
sda                  8:0    1  7.6G  0 disk  /media/sda
├─sda1                8:1    1  148M  0 part 
└─sda2                8:2    1  1.4M  0 part 
nvme0n1            259:0    0 476.9G  0 disk 
├─nvme0n1p1        259:1    0  511M  0 part  /mnt/boot/efi
├─nvme0n1p2        259:2    0  15.5G  0 part 
│ └─nvme0n1p2-crypt 253:0    0  15.5G  0 crypt /mnt
└─nvme0n1p3        259:3    0 460.9G  0 part 
  └─nvme0n1p3-crypt 253:1    0 460.9G  0 crypt [SWAP]
</pre>
</pre>


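Review bot: the swap step now targets nvme0n1p2-crypt, which is consistent with the mount change above, but the lsblk listing is dropped on the new side while the "# lsblk" command and its NAME/MAJ:MIN header line are kept, so the "Check partition scheme" step now shows an empty table. Either paste the output from the corrected layout (p2-crypt as [SWAP], p3-crypt on /mnt) or drop the header line with the rest.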
Line 181: Line 172:
Let's show the UUID of our partition scheme:
Let's show the UUID of our partition scheme:
<pre># lsblk -f
<pre># lsblk -f
nvme0n1                                                                                                           
 
├─nvme0n1p1 vfat 62E0-E4C0 509.7M 0% /boot/efi
├─nvme0n1p2 crypto_LUKS 275836d9-05af-4e1a-bce5-335ef3bcd6e8               
│ └─nvme0n1p2-crypt ext4 9bed7992-81cc-4126-8bbd-4e724dbb7bdd 13.9G    3% /
└─nvme0n1p3 crypto_LUKS 67eae09f-f533-4bfa-b874-e17016929138               
  └─nvme0n1p3-crypt swap fcb8594e-2409-4365-bf0b-0199c3acf1c6               
</pre>
</pre>


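Review bot: the lsblk -f output that showed the crypto_LUKS UUIDs is removed here, leaving an empty listing under "Let's show the UUID of our partition scheme", yet this step is what tells the reader which value goes into cryptroot=. Keep a sample listing, or state explicitly that the UUID to copy is the one on the crypto_LUKS line of the root partition, not the ext4 UUID shown on the opened nvme0n1p*-crypt mapping beneath it.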
Line 193: Line 179:
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=UUID=275836d9-05af-4e1a-bce5-335ef3bcd6e8 cryptdm=nvme0n1p2-crypt cryptkey modules=sd-mod,usb-storage,ext4,nvme quiet rootfstype=ext4"
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=UUID=XXXX cryptdm=nvme0n1p2-crypt cryptkey modules=sd-mod,usb-storage,ext4,nvme quiet rootfstype=ext4"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt ext4"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt ext4"
GRUB_ENABLE_CRYPTODISK=y
GRUB_ENABLE_CRYPTODISK=y
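Review bot: replacing the real UUID with XXXX is fine, but the prose of the same section says "replacing <UUID>", so the two placeholders should agree. More importantly, with / now on nvme0n1p3-crypt the line still says cryptdm=nvme0n1p2-crypt, which is the swap mapping, and the cryptroot UUID has to be the LUKS UUID of nvme0n1p3; as written the initramfs would try to unlock the wrong container.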

Revision as of 14:25, 27 July 2022

This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Blt on 27 Jul 2022.)

This guide explains, step by step, how to set up Alpine Linux with full disk encryption using LUKS2, with /boot and / together on the same partition and encrypted swap for hibernation, on an NVMe drive with UEFI and Secure Boot. It follows the KISS principle: LVM can be added, another file system can be used, and separate partitions for /home, /var/log, etc. can be added if running everything on one partition does not meet your requirements.

Sequence of Events

  • Installing packages
  • Partitioning the disk
  • Configuring LUKS
  • Mounting points and File System
  • Installing Alpine
  • mkinitfs settings & modules
  • Grub settings
  • Configuring Secure Boot

Installing packages

To partition the disk we will use gdisk, from the gptfdisk package:

# apk add lsblk gptfdisk

For encryption, we will use cryptsetup:

# apk add cryptsetup

For using and managing UEFI, several packages are needed:

# apk add efibootmgr e2fsprogs grub grub-efi

Partitioning the disk

Let's assume the disk is /dev/nvme0n1 and that it has no partitions yet. We will create three partitions:

  • one for UEFI
  • one for /
  • one for swap (hibernation)

# gdisk /dev/nvme0n1
GPT fdisk (gdisk) version 1.0.9.1

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): d
No partitions

Command (? for help): n
Partition number (1-128, default 1): 
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}: 
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2): 
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}: 
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 16G
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8200
Changed type of partition to 'Linux swap'

Command (? for help): n
Partition number (3-128, default 3): 
First sector (1048577-1000215182, default = 33556480) or {+-}size{KMGTP}: 
Last sector (33556480-1000215182, default = 1000214527) or {+-}size{KMGTP}: 
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.

Configuring LUKS

# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2: 
Verify passphrase: 
Key slot 0 created.
Command successful.

# cryptsetup -v -c aes-xts-plain64 -s 512 --hash sha512 --pbkdf pbkdf2 --iter-time 5000 --use-random luksFormat /dev/nvme0n1p3

WARNING!
========
This will overwrite data on /dev/nvme0n1p3 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p3: 
Verify passphrase: 
Key slot 0 created.
Command successful.

Mounting points and File System

Open the LUKS partitions we just created:

# cryptsetup luksOpen /dev/nvme0n1p2 nvme0n1p2-crypt
# cryptsetup luksOpen /dev/nvme0n1p3 nvme0n1p3-crypt

Create a vfat file system on the UEFI partition:

# mkfs.vfat /dev/nvme0n1p1

Create the ext4 file system for the / partition:

# mkfs.ext4 /dev/mapper/nvme0n1p3-crypt

The swap partition gets no file system; it is initialised with mkswap in the "Activate SWAP" step below.

Create the mount points and mount the partitions. Mount the / partition to /mnt:

# mount -t ext4 /dev/mapper/nvme0n1p3-crypt /mnt

Create /boot/efi:

# mkdir /mnt/boot/efi -p

Mount the UEFI partition to /mnt/boot/efi:

# mount -t vfat /dev/nvme0n1p1 /mnt/boot/efi

Activate SWAP:

# mkswap /dev/mapper/nvme0n1p2-crypt
# swapon /dev/mapper/nvme0n1p2-crypt

Check partition scheme:

# lsblk
NAME                MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS

Installing Alpine

# setup-disk -m sys /mnt/
# MOUNTPOINT=/mnt setup-alpine

mkinitfs settings & modules

Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup feature to the features parameter (keymap is only needed if your keyboard is not QWERTY):

features="... ext4 keymap cryptsetup"

Regenerate the initramfs:

# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)

Grub settings

Create a crypto_keyfile.bin so the passphrase does not have to be typed twice during boot (once for GRUB to open the partition holding /boot, once for Alpine to open /):

# touch /mnt/crypto_keyfile.bin
# chmod 600 /mnt/crypto_keyfile.bin
# dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/crypto_keyfile.bin

Then mount the pseudo file systems and chroot into the fresh installation:

# mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt

Let's show the UUID of our partition scheme:

# lsblk -f

Edit /etc/default/grub and set the following parameters, replacing XXXX in cryptroot=UUID=XXXX with the crypto_LUKS UUID of the encrypted / partition (in this case /dev/nvme0n1p3, as shown by lsblk -f):

GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=UUID=XXXX cryptdm=nvme0n1p3-crypt cryptkey modules=sd-mod,usb-storage,ext4,nvme quiet rootfstype=ext4"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt ext4"
GRUB_ENABLE_CRYPTODISK=y
GRUB_DISABLE_OS_PROBER=y

Re-install Grub:

# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=AlpineLinux
# grub-mkconfig -o /boot/grub/grub.cfg
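Before the first reboot it is worth checking that the kernel command line really names the LUKS container holding / and the mapping name the initramfs is expected to create, since a wrong cryptroot or cryptdm only shows up as a failed boot. The script below is an added example, not part of the Alpine wiki page: it compares an /etc/default/grub file against an `lsblk -P -o NAME,PKNAME,FSTYPE,UUID,MOUNTPOINT` listing (both constructed inline here with made-up UUIDs; running it inside the chroot on the real listing is an assumption) and reports any mismatch.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki page): cross-check GRUB_CMDLINE_LINUX_DEFAULT
# against the block layout so cryptroot= and cryptdm= name the LUKS container that
# really holds / (the guide moves / from nvme0n1p2 to nvme0n1p3 at one point).
# Both inputs are text files; on a real system (assumed: run inside the chroot) create
# the listing with:  lsblk -P -o NAME,PKNAME,FSTYPE,UUID,MOUNTPOINT > layout.txt

# Print the value of one key=value token of GRUB_CMDLINE_LINUX_DEFAULT in file $1 (key = $2).
grub_cmdline_value() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Print "<luks-uuid> <mapping-name>" for the mapping mounted on / in the lsblk -P listing $1:
# the mapping's PKNAME is the partition, and that partition's UUID is the LUKS header UUID.
root_luks_identity() {
    awk '{ for (i = 1; i <= NF; i++) { split($i, kv, "="); gsub(/"/, "", kv[2]); f[kv[1]] = kv[2] }
           name[NR] = f["NAME"]; pk[NR] = f["PKNAME"]; fs[NR] = f["FSTYPE"]
           uuid[NR] = f["UUID"]; mp[NR] = f["MOUNTPOINT"]; for (k in f) delete f[k] }
         END { for (i = 1; i <= NR; i++) if (mp[i] == "/") { dm = name[i]; parent = pk[i] }
               for (i = 1; i <= NR; i++) if (name[i] == parent && fs[i] == "crypto_LUKS") print uuid[i], dm }' "$1"
}

# Report every mismatch between the grub defaults ($1) and the layout ($2); return 1 if any.
check_cryptroot() {
    set -- "$1" "$2" $(root_luks_identity "$2")   # $3 = expected UUID, $4 = expected cryptdm
    rc=0
    have_uuid=$(grub_cmdline_value "$1" cryptroot | sed 's/^UUID=//')
    have_dm=$(grub_cmdline_value "$1" cryptdm)
    [ "$have_uuid" = "$3" ] || { echo "cryptroot: grub has '$have_uuid', layout says '$3'"; rc=1; }
    [ "$have_dm" = "$4" ]   || { echo "cryptdm: grub has '$have_dm', layout says '$4'"; rc=1; }
    grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$1" || { echo "GRUB_ENABLE_CRYPTODISK=y is missing"; rc=1; }
    return $rc
}

# Constructed sample inputs (made-up UUIDs; layout as in the guide: p2 = swap, p3 = root).
tmp=$(mktemp -d)
cat > "$tmp/layout.txt" <<'EOF'
NAME="nvme0n1p1" PKNAME="nvme0n1" FSTYPE="vfat" UUID="62E0-E4C0" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" PKNAME="nvme0n1" FSTYPE="crypto_LUKS" UUID="aaaaaaaa-0000-4000-8000-000000000002" MOUNTPOINT=""
NAME="nvme0n1p2-crypt" PKNAME="nvme0n1p2" FSTYPE="swap" UUID="bbbbbbbb-0000-4000-8000-000000000002" MOUNTPOINT="[SWAP]"
NAME="nvme0n1p3" PKNAME="nvme0n1" FSTYPE="crypto_LUKS" UUID="aaaaaaaa-0000-4000-8000-000000000003" MOUNTPOINT=""
NAME="nvme0n1p3-crypt" PKNAME="nvme0n1p3" FSTYPE="ext4" UUID="bbbbbbbb-0000-4000-8000-000000000003" MOUNTPOINT="/"
EOF
cat > "$tmp/grub.bad" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=UUID=aaaaaaaa-0000-4000-8000-000000000002 cryptdm=nvme0n1p2-crypt cryptkey modules=sd-mod,usb-storage,ext4,nvme quiet rootfstype=ext4"
GRUB_ENABLE_CRYPTODISK=y
EOF
sed 's/000002 cryptdm=nvme0n1p2/000003 cryptdm=nvme0n1p3/' "$tmp/grub.bad" > "$tmp/grub.good"
check_cryptroot "$tmp/grub.bad" "$tmp/layout.txt" || echo "fix /etc/default/grub before running grub-mkconfig"
check_cryptroot "$tmp/grub.good" "$tmp/layout.txt" && echo "grub defaults match the block layout"
```

The first call reproduces the swap-versus-root mix-up (cryptroot and cryptdm both pointing at nvme0n1p2) and fails; the second, with both values corrected to nvme0n1p3, passes.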

Configuring Secure Boot