Full disk encryption secure boot

From Alpine Linux
Revision as of 20:59, 26 July 2022 by Blt (talk | contribs) (Packages & Partitions)
This material is work-in-progress ...

Do not follow instructions here until this notice is removed.
(Last edited by Blt on 26 Jul 2022.)

This guide explains step by step how to set up Alpine Linux with full disk encryption using LUKS2, keeping /boot and / together on the same encrypted partition of an NVMe drive, booted with UEFI and Secure Boot. Keeping /boot inside the LUKS container means the kernel and initramfs are never stored in cleartext: GRUB itself unlocks the container, and the firmware's Secure Boot check verifies the bootloader before it runs. Note that GRUB releases up to 2.06 can only open LUKS2 volumes whose key slot uses PBKDF2 rather than cryptsetup's Argon2 default, so the container must be created with a PBKDF2 key slot for this layout to boot.

Sequence of Events

  • Installing packages
  • Partitioning the disk
  • Configuring LUKS
  • Installing Alpine
  • Configuring Secure Boot

Installing packages

To partition the disk we will use gdisk, which is shipped in the gptfdisk package:

# apk add gptfdisk

For encryption, we will use cryptsetup:

# apk add cryptsetup

For the root filesystem and the UEFI bootloader, several packages are needed: e2fsprogs provides mkfs.ext4 for the root filesystem, and grub with grub-efi provides the UEFI build of GRUB that will unlock the LUKS container and load the kernel from the encrypted /boot. The EFI system partition must be formatted as FAT, so mkfs.vfat from the dosfstools package is needed as well if it is not already present:

# apk add e2fsprogs grub grub-efi

Partitioning the disk

Assume the disk is /dev/nvme0n1 and carries no partitions. We create only two: an EFI system partition (gdisk type ef00) for the UEFI bootloader, and a Linux LUKS partition (type 8309) that will hold both /boot and / once it is encrypted. The prompts below count 512-byte sectors; the first partition starts at sector 2048 (1 MiB), gdisk's default alignment.

# gdisk /dev/nvme0n1
Command (? for help): n
Partition number (1-128, default 1): 
First sector (2048-1000215182, default = 2048) or {+-}size{KMGTP}: 
Last sector (2048-1000215182, default = 1000214527) or {+-}size{KMGTP}: 512M
Hex code or GUID (L to show codes, Enter = 8300): ef00
Changed type of partition to 'EFI system partition'

Command (? for help): n
Partition number (2-128, default 2): 
First sector (1048577-1000215182, default = 1050624) or {+-}size{KMGTP}: 
Last sector (1050624-1000215182, default = 1000214527) or {+-}size{KMGTP}: 
Current type is 8300 (Linux filesystem)
Hex code or GUID (L to show codes, Enter = 8300): 8309
Changed type of partition to 'Linux LUKS'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): Y
OK; writing new GUID partition table (GPT) to /dev/nvme0n1.
The operation has completed successfully.

Note that the size of the first partition was typed as 512M without a leading +. gdisk takes a bare value as an absolute end sector (here 1048576), which is why the range offered for the second partition starts at 1048577 and the resulting ESP is about 511 MiB rather than 512 MiB. Typing +512M instead makes the size relative to the first sector. The slightly short ESP still works, but verify with gdisk -l /dev/nvme0n1 that the two partitions carry the type codes EF00 and 8309 before continuing.
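As an added example that is not part of the Alpine wiki page, here is a small Python checker that reads the GPT header and partition entries from the first 34 sectors of a disk, verifies both CRC32 fields, and confirms the two-partition layout this guide expects: an EFI system partition followed by a Linux LUKS partition, both starting on gdisk's 1 MiB boundary, with the ESP at least 512 MiB. The type GUIDs are the standard ones behind gdisk's ef00 and 8309 codes; a 512-byte logical sector size is assumed (confirm with /sys/block/nvme0n1/queue/logical_block_size). Run without arguments it builds a constructed in-memory table using the exact sector numbers from the transcript above and reports that ESP as just under 512 MiB; run as root with a device path it checks the real disk.

```python
"""Parse a GPT and check it matches the ESP + LUKS layout used in this guide."""
import struct
import uuid
import zlib

SECTOR = 512            # assumed logical sector size
ALIGN = 2048            # gdisk's default 1 MiB alignment, in sectors
ESP_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")   # gdisk code ef00
LUKS_GUID = uuid.UUID("CA7D7CCB-63ED-4C53-861C-1742536059CC")  # gdisk code 8309
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")   # 92-byte GPT header at LBA 1
ENT = struct.Struct("<16s16sQQQ72s")        # 128-byte partition entry


def build_gpt(parts, disk_sectors):
    """Construct the first 34 sectors of a GPT disk (LBA 0 left blank). Demo/test helper only."""
    entries = bytearray(128 * ENT.size)
    for i, (type_guid, first, last, name) in enumerate(parts):
        ENT.pack_into(entries, i * ENT.size, type_guid.bytes_le, uuid.uuid4().bytes_le,
                      first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))
    ecrc = zlib.crc32(entries) & 0xFFFFFFFF
    # Header CRC is computed with its own CRC field zeroed, then written in.
    fields = [b"EFI PART", 0x00010000, HDR.size, 0, 0, 1, disk_sectors - 1,
              34, disk_sectors - 34, uuid.uuid4().bytes_le, 2, 128, ENT.size, ecrc]
    fields[3] = zlib.crc32(HDR.pack(*fields)) & 0xFFFFFFFF
    img = bytearray(34 * SECTOR)
    img[SECTOR:SECTOR + HDR.size] = HDR.pack(*fields)
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    return bytes(img)


def parse_gpt(img):
    """Return [(index, type_uuid, first_lba, last_lba, name)] after verifying both CRCs."""
    hdr = HDR.unpack_from(img, SECTOR)
    if hdr[0] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    expected = zlib.crc32(HDR.pack(hdr[0], hdr[1], hdr[2], 0, *hdr[4:])) & 0xFFFFFFFF
    if expected != hdr[3]:
        raise ValueError("GPT header CRC mismatch")
    ent_lba, n_ent, ent_size, ecrc = hdr[10], hdr[11], hdr[12], hdr[13]
    table = img[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(table) & 0xFFFFFFFF != ecrc:
        raise ValueError("partition table CRC mismatch")
    parts = []
    for i in range(n_ent):
        t, _uniq, first, last, _attrs, name = ENT.unpack_from(table, i * ent_size)
        if t == b"\0" * 16:          # unused entry
            continue
        parts.append((i + 1, uuid.UUID(bytes_le=t), first, last,
                      name.decode("utf-16-le").rstrip("\0")))
    return parts


def check_layout(parts):
    """Return a list of findings; an empty list means the table matches the intended layout."""
    findings = []
    if len(parts) != 2:
        return [f"expected 2 partitions, found {len(parts)}"]
    (_, t1, f1, l1, _), (_, t2, f2, l2, _) = parts
    if t1 != ESP_GUID:
        findings.append(f"partition 1 type is {t1}, not EFI system partition")
    if t2 != LUKS_GUID:
        findings.append(f"partition 2 type is {t2}, not Linux LUKS")
    for n, first in ((1, f1), (2, f2)):
        if first % ALIGN:
            findings.append(f"partition {n} starts at sector {first}, not {ALIGN}-aligned")
    esp_sectors = l1 - f1 + 1
    if esp_sectors < 512 * 1024 * 1024 // SECTOR:
        findings.append(f"ESP is {esp_sectors} sectors (~{esp_sectors * SECTOR // 2**20} MiB), under 512 MiB")
    if f2 <= l1:
        findings.append("partitions overlap")
    return findings


# Constructed sample: the sector numbers typed and echoed in the gdisk transcript above.
TRANSCRIPT = [(ESP_GUID, 2048, 1048576, "EFI system partition"),
              (LUKS_GUID, 1050624, 1000214527, "Linux LUKS")]
DISK_SECTORS = 1000215216   # last usable sector 1000215182 + 34 backup/header sectors


def check_transcript():
    return check_layout(parse_gpt(build_gpt(TRANSCRIPT, DISK_SECTORS)))


def check_device(path):
    """Read the first 34 sectors of a real block device (needs root) and check them."""
    with open(path, "rb") as f:
        return check_layout(parse_gpt(f.read(34 * SECTOR)))


if __name__ == "__main__":
    import sys
    result = check_device(sys.argv[1]) if len(sys.argv) > 1 else check_transcript()
    print("\n".join(result) or "layout OK")
```

The CRC checks matter as much as the type checks: a header or table that no longer matches its CRC means the partition table was altered or half-written, and the firmware may fall back to the backup copy at the end of the disk, so resolve that before creating the LUKS container on top.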