Setting up encrypted volumes with LUKS: Difference between revisions

From Alpine Linux
(Add note about how to decrypt a volume before mounting via fstab)
(added links to existing information LVM on LUKS and organized headings, restored some old content)
Line 1: Line 1:
[https://en.wikipedia.org/wiki/Linux%20Unified%20Key%20Setup LUKS] allows encrypting a partition and mapping it as a virtual block device, which can then be used as a normal partition. Guides for other Linux distributions should serve as a general references for installing Alpine onto a LUKS encrypted disk.
[https://en.wikipedia.org/wiki/Linux%20Unified%20Key%20Setup LUKS] allows encrypting a partition and mapping it as a virtual block device, which can then be used as a normal partition. Guides for other Linux distributions should serve as a general references for installing Alpine onto a LUKS encrypted disk.


The installer has built-in support for encryption. The default installer will not encrypt the swap partition and the boot partition. To setup Alpine Linux with an encrypted swap partition, refer to [[LVM on LUKS]]. The GRUB bootloader supports BIOS and EFI boot with an encrypted boot partition.
The following approaches are known to work:


== Decrypting non-root volumes during boot ==
* Plain LUKS
* [[LVM on LUKS]]


Differently to other Linux distributions, Alpine does not use the file <code>/etc/crypttab</code>. Instead, to have an encrypted volume be decrypted prior to automatically mounting it somewhere via <code>/etc/fstab</code>, you must configure <code>dmcrypt</code> in <code>/etc/conf.d/dmcrypt</code>. The comments inside that file should guide you, but as a simple example, here's what you should include in that file to decrypt and map a partition to some volume named, say, “<code>myvolume</code>”, given its UUID (here represented using a series of <code>X</code>s), using a passphrase:
The installer has built-in support for encryption. The default installer will not encrypt the swap partition and the boot partition. To setup Alpine Linux with an encrypted swap partition, refer to [[LVM on LUKS]]. The [[Bootloaders#Grub|GRUB]] bootloader supports BIOS and EFI boot with an encrypted boot partition.
 
<pre>
target=myvolume
source=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
</pre>
 
In <code>/etc/fstab</code>, then, you would include the following line:
 
<pre>
/dev/mapper/myvolume <path> <fstype> <options>
</pre>
 
substituting in the proper parameters.


== mkinitfs and LUKS ==
== mkinitfs and LUKS ==


For those familiar with setting up FDE on other Linux distributions, this section contains only Alpine-specific knowledge required is understanding [[mkinitfs]].
For those familiar with setting up FDE on other Linux distributions, this section contains only Alpine-specific knowledge required and understanding [[mkinitfs]].


First of all, the <code>cryptsetup</code> feature needs to be added to {{path|/etc/mkinitfs/mkinitfs.conf}}. Additionally, the following kernel parameters are required:
First of all, the <code>cryptsetup</code> feature needs to be added to {{path|/etc/mkinitfs/mkinitfs.conf}}. Additionally, the following kernel parameters are required:
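Review bot: the reworded mkinitfs sentence is still ungrammatical: "this section contains only Alpine-specific knowledge required and understanding [[mkinitfs]]" reads no better than the old "required is understanding"; suggest "the only Alpine-specific knowledge required is what this section covers, plus an understanding of [[mkinitfs]]". In the same hunk, "serve as a general references" should be "serve as a general reference" in both the old and new text.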
Line 31: Line 19:
* <code>rootfstype</code>: the filesystem type of the root partition (e.g.: <code>btrfs</code>).
* <code>rootfstype</code>: the filesystem type of the root partition (e.g.: <code>btrfs</code>).


 
For example, if you use grub with GPT partition table using ext4 without LVM the {{path|/etc/default/grub}} file will be as follows:{{Cat|/etc/default/grub|<nowiki>GRUB_TIMEOUT=2
For example if you use grub with GPT partition table, no LVM and ext4 you will have in {{path|/etc/default/grub}}:
<pre>
GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_DISABLE_RECOVERY=true
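Review bot: the new lead sentence "if you use grub with GPT partition table using ext4 without LVM the {{path|/etc/default/grub}} file will be as follows" needs articles and a comma before the main clause, e.g. "if you use GRUB with a GPT partition table and ext4, without LVM, {{path|/etc/default/grub}} will look like this:". Since the hunk header skips the middle of the block, double-check after the {{Cat}} conversion that the GRUB_CMDLINE_LINUX_DEFAULT line is still rendered, as the kernel-parameter list above depends on it.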
Line 40: Line 25:
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
GRUB_ENABLE_CRYPTODISK=y
GRUB_ENABLE_CRYPTODISK=y
</pre>
</nowiki>}}
 
== Decrypting non-root volumes during boot ==
{{Main|LVM on LUKS#Mounting additional encrypted filesystems at boot}}
To have an encrypted non-root volume be decrypted prior to automatically mounting it somewhere via <code>/etc/fstab</code>,  configure <code>dmcrypt</code> in the {{path|/etc/conf.d/dmcrypt}} file. The comments inside that file should guide you, but as a simple example, here's what you should include in that file to decrypt and map a partition to some volume named, say, “<code>myvolume</code>”, given its UUID (here represented using a series of <code>X</code>s), using a passphrase {{Cat|/etc/conf.d/dmcrypt|<nowiki>...
target=myvolume
source=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
key=/etc/keys/myvolume.key  #not needed as passphrase is used in this example
...</nowiki>}}
 
In {{path|/etc/fstab}} file, then, you would include the following line as follows:{{Cat|/etc/fstab|<nowiki>...
/dev/mapper/myvolume <path> <fstype> <options>
...</nowiki>}}
 
substituting in the proper parameters.


== See also ==
== See also ==
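Review bot: the dmcrypt example says it uses a passphrase but leaves an active "key=/etc/keys/myvolume.key  #not needed as passphrase is used in this example" line in the block; a reader who pastes it as-is gets a key-file lookup rather than a prompt. Either drop the line or comment it out ("#key=/etc/keys/myvolume.key"), and if a key file is kept as an option, say that a key file stored on the root filesystem is only as protected as that filesystem. Also "include the following line as follows" repeats itself; "include a line like the following" is enough.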

Revision as of 16:29, 13 March 2025

LUKS allows encrypting a partition and mapping it as a virtual block device, which can then be used as a normal partition. Guides for other Linux distributions should serve as a general reference for installing Alpine onto a LUKS encrypted disk.

The following approaches are known to work:

  • Plain LUKS
  • LVM on LUKS

The installer has built-in support for encryption. The default installer will not encrypt the swap partition and the boot partition. To setup Alpine Linux with an encrypted swap partition, refer to LVM on LUKS. The GRUB bootloader supports BIOS and EFI boot with an encrypted boot partition.

mkinitfs and LUKS

For those familiar with setting up FDE on other Linux distributions, the only Alpine-specific knowledge required is what this section covers, plus an understanding of mkinitfs.

First of all, the cryptsetup feature needs to be added to /etc/mkinitfs/mkinitfs.conf. Additionally, the following kernel parameters are required:

  • cryptroot: the encrypted block device.
  • cryptdm: the name that will be given to the mapped device.
  • root: the mapped block device, /dev/mapper/<name used in cryptdm>.
  • rootfstype: the filesystem type of the root partition (e.g. btrfs).

For example, if you use GRUB with a GPT partition table and ext4, without LVM, /etc/default/grub will look like this:

Contents of /etc/default/grub

  GRUB_TIMEOUT=2
  GRUB_DISABLE_SUBMENU=y
  GRUB_DISABLE_RECOVERY=true
  GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4 quiet rootfstype=ext4 cryptroot=UUID=a7dc90c4-6746-417e-b25b-cb8769ee6334 cryptdm=alpine-rootfs root=/dev/mapper/alpine-rootfs"
  GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
  GRUB_ENABLE_CRYPTODISK=y
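As an added example (not part of the wiki page), a POSIX sh script that checks the settings above for consistency before you reboot: it parses the text of /etc/default/grub and /etc/mkinitfs/mkinitfs.conf and reports anything missing or contradictory, such as a root= that does not match /dev/mapper/<cryptdm>. The sample configuration strings are constructed, and the features="..." line format of mkinitfs.conf is assumed.

```shell
#!/bin/sh
# Added example, not from the wiki page: a pre-reboot check that the settings the
# page lists agree with one another. It parses the text of /etc/default/grub and
# /etc/mkinitfs/mkinitfs.conf (passed as arguments), prints one line per problem
# and returns the problem count, so 0 means the configuration is consistent.

kparam() { printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1; }
quoted_value() { printf '%s\n' "$1" | sed -n "s/^$2=\"\(.*\)\"\$/\1/p" | head -n 1; }
has_word() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }
fail() { echo "$1"; errors=$((errors + 1)); }

# check_luks_config GRUB_TEXT MKINITFS_TEXT
check_luks_config() {
    errors=0
    cmdline=$(quoted_value "$1" GRUB_CMDLINE_LINUX_DEFAULT)
    cryptroot=$(kparam "$cmdline" cryptroot)
    cryptdm=$(kparam "$cmdline" cryptdm)
    root=$(kparam "$cmdline" root)
    # the initramfs can only open the container if the cryptsetup feature is built in
    has_word "$(quoted_value "$2" features)" cryptsetup ||
        fail "mkinitfs.conf: features= lacks cryptsetup"
    [ -n "$cryptroot" ] || fail "cmdline: cryptroot= (encrypted block device) missing"
    [ -n "$cryptdm" ] || fail "cmdline: cryptdm= (mapper name) missing"
    [ -n "$(kparam "$cmdline" rootfstype)" ] || fail "cmdline: rootfstype= missing"
    # root= must name the device that cryptdm creates, not the raw encrypted partition
    [ -z "$cryptdm" ] || [ "$root" = "/dev/mapper/$cryptdm" ] ||
        fail "cmdline: root=$root should be /dev/mapper/$cryptdm"
    # GRUB needs its own LUKS support to read a kernel from inside the container
    for m in luks cryptodisk; do
        has_word "$(quoted_value "$1" GRUB_PRELOAD_MODULES)" "$m" ||
            fail "GRUB_PRELOAD_MODULES lacks $m"
    done
    printf '%s\n' "$1" | grep -q '^GRUB_ENABLE_CRYPTODISK=y$' ||
        fail "GRUB_ENABLE_CRYPTODISK=y missing"
    return "$errors"
}

# Constructed samples: the kernel line and modules from the page's GRUB example
# (same UUID), plus a mkinitfs.conf with the cryptsetup feature added.
GOOD_GRUB='GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4 quiet rootfstype=ext4 cryptroot=UUID=a7dc90c4-6746-417e-b25b-cb8769ee6334 cryptdm=alpine-rootfs root=/dev/mapper/alpine-rootfs"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"
GRUB_ENABLE_CRYPTODISK=y'
GOOD_MKINITFS='features="ata base ide scsi usb virtio ext4 cryptsetup"'
# Broken variant: wrong root= mapper name, no cryptsetup feature, no GRUB_ENABLE_CRYPTODISK.
BAD_GRUB='GRUB_CMDLINE_LINUX_DEFAULT="rootfstype=ext4 cryptroot=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX cryptdm=alpine-rootfs root=/dev/mapper/root"
GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt"'
BAD_MKINITFS='features="ata base ide scsi usb virtio ext4"'

check_luks_config "$BAD_GRUB" "$BAD_MKINITFS" || echo "problems found: $?"
```

On a real system, pass in the file contents with `check_luks_config "$(cat /etc/default/grub)" "$(cat /etc/mkinitfs/mkinitfs.conf)"` and only run grub-mkconfig and mkinitfs once it reports nothing.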

Decrypting non-root volumes during boot

To have an encrypted non-root volume decrypted before it is automatically mounted somewhere via /etc/fstab, configure dmcrypt in the /etc/conf.d/dmcrypt file. The comments inside that file should guide you, but as a simple example, here is what you should include in that file to decrypt a partition, given its UUID (here represented by a series of Xs), and map it to a volume named, say, "myvolume", using a passphrase:

Contents of /etc/conf.d/dmcrypt

  ...
  target=myvolume
  source=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
  #key=/etc/keys/myvolume.key  # not needed, as a passphrase is used in this example
  ...

In /etc/fstab, you would then include a line like the following:

Contents of /etc/fstab

  ...
  /dev/mapper/myvolume <path> <fstype> <options>
  ...

substituting in the proper parameters.

See also