Full disk encryption secure boot
 Do not follow instructions here until this notice is removed. |
This guide is to explain step by step how to setup Alpine Linux with Full Disk Encryption using LUKS2, /boot & / together on the same partition on a nvme drive, with UEFI & Secure Boot.
Sequence of Events
- Installing packages
- Partitioning the disk
- Configuring LUKS
- Installing Alpine
- Configuring Secure Boot
Installing packages
To facilitate the partitioning we will use gdisk :
# apk add gptfdisk
For encryption, we will use cryptsetup :
# apk add cryptsetup
For using and managing UEFI, multiple packages are needed :
# apk add e2fsprogs grub grub-efi
Partitioning the disk
Let's assume the disk is /dev/nvme0n1 and no partitions are present, we will create two partitions only : one for UEFI, one for /
# gdisk /dev/nvme0n1
Command (? for help): n
Partition number (1-128, default 1):
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}:
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'
Command (? for help): n
Partition number (2-128, default 2):
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}:
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}:
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'
Command (? for help): w
Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!
Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.