Difference between revisions of "LVM on LUKS"

From Alpine Linux
(Rewrote doc. The previous version was outdated, missed important steps to get a bootable system, and did not describe what most of the commands do. The new procedure is more clear, contains more details, and is validated on AL 3.5.3.)
Line 1: Line 1:
 +
= Introduction =
  
== Configuring LVM on top of LUKS ==
+
This documentation describes how to set up Alpine Linux using a logical volume (LV), that is installed in an encrypted partition. To encrypt the partition the logical volume manager (LVM) the volume group (VG) is installed in, the Device Mapper crypt (dm-crypt) module and Linux Unified Key Setup (LUKS) is used.
  
The manual notes on this page can be [http://it-offshore.co.uk/linux/21-linux/alpine-linux/25-alpine-linux-luks-encrypted-installations automated] with:
+
Note that you must install the <code>/boot/</code> directory on an unecrypted partition to boot correctly.
  
* '''A custom version of 'setup-disk' with LUKS support.'''
 
* '''A custom Partition Editor ('setup-partitions') to create & mount normal / LUKS / LVM partitions.'''
 
* '''[http://it-offshore.co.uk/linux/21-linux/alpine-linux/25-alpine-linux-luks-encrypted-installations Both scripts] support GPT Partition Schemes.'''
 
  
 +
== Hard Disk Device Name ==
  
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:
+
The following documentation uses the <code>vda</code> device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples.
  
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support
 
  mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT
 
  
or alternatively rebuild the initramfs with:
 
  
  apk fix --root $MNT linux-grsec
 
  
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)
 
  dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda
 
  
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM
+
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =
  fdisk /dev/vda
 
  
 +
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.
  
----
 
  
'''Additional Notes'''
 
  
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with:
+
== Preparing the Temporary Installation Environment ==
  cryptsetup benchmark
 
 
(You may or may not be able to take advantage of AES hardware acceleration)
 
  
 +
Before you begin to install Alpine Linux, prepare the temporary environment:
  
* [http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)
+
'''Note:''' All settings in this section apply only to the temporary environment and not to the later installed Alpine Linux on your hard disk.
  
    rc-update add haveged default
+
* Boot the latest Alpine Linux Installation CD.
  
* As an alternative to creating a /tmp partition in the below instructions, /tmp can be mounted in RAM with the following entry in /etc/fstab:
+
* At the login prompt, use the <code>root</code> user without password to log in.
  
    tmpfs /tmp tmpfs defaults,noexec,noatime,nodev,nosuid,mode=1777  0 0
+
* Optionally, set the keyboard language:
----
 
  
'''ALPINE KVM SETUP'''
+
# setup-keymap
  
 +
: The default keyboard mapping is <code>us-us</code>
  
<code>setup-interfaces
+
* Configure the network interface:
  
ifup eth0
+
# setup-interfaces
  
setup-apkrepos
+
: If you set a static IP address, additionally configure DNS be able to resolve host names:
  
apk update
+
# setup-dns
  
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux
+
* Enable the network interface. For example:
  
rc-service haveged start
+
# ifup eth0
  
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki>
+
* Set an apk repository and update the cache:
  
fdisk /dev/vda
+
# setup-apkrepos
 +
# apk update
  
m
+
* Install the following packages required to set up LVM and LUKS:
  
n
+
# apk add haveged lvm2 cryptsetup e2fsprogs syslinux
  
etc........ 
+
: Optionally, you can install a different editor, such as <code>nano</code>, to edit files in later steps if you do not want to use VI.
  
<nowiki># Wipe partition with random data</nowiki>
+
* Optionally, start the <code>haveged</code> service for unpredictable random numbers used for encryption:
  
haveged -n 0 | dd of=/dev/vda2
+
# rc-service haveged start
  
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki>
 
  
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2
 
  
<nowiki># Open LUKS partition</nowiki>
+
== Creating the Partition Layout ==
  
cryptsetup open --type luks /dev/vda2 lvmcrypt
+
Linux requires an unencrypted <code>/boot/</code> partition to boot. You can assign the remaining space for the encrypted LVM physical volume (PV).
  
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki>
+
* Start the <code>fdisk</code> utility to set up partitions:
  
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki>
+
# fdisk /dev/vda
  
pvcreate /dev/mapper/lvmcrypt
+
:* Create the <code>/boot/</code> partition:
 +
::* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>1</code> &rarr; <code>1</code> &rarr; <code>100m</code> to create a new 100 MB primary partition.
  
<nowiki># Create LVM partitions</nowiki>
+
:* Set the <code>/boot/</code> partition active:
 +
::* Enter <code>a</code> &rarr; <code>1</code>.
  
vgcreate vg0 /dev/mapper/lvmcrypt
+
:* Create the LVM PV partition:
 +
::* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>2</code> to start creating the next partition. Press <code>Enter</code> to select the default start cylinder. Enter the size of partition. For example, <code>512m</code> for 512 MB or <code>5g</code> for 5 GB. Alternatively press <code>Enter</code> to set the maximum available size.
  
lvcreate -L 1G vg0 -n root
+
:* Set the partition type for the LVM PV:
 +
::* Enter <code>t</code> &rarr; <code>2</code> &rarr; <code>8e</code>
  
lvcreate -L 256M vg0 -n swap
+
:* To verify the settings, press <code>p</code>. The output shows, for example:
  
lvcreate -L 500M vg0 -n home
+
    Device Boot    Start      End    Blocks  Id System
 +
/dev/vda1  *          1      100      50368+  83 Linux
 +
/dev/vda2            101    10402    5192208  8e Linux LVM
  
lvcreate -L 50M vg0 -n tmp
+
* Press <code>w</code> to save the changes.
  
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki>
+
* Optionally, wipe the LVM PV partition with random values:
  
lvcreate -l 100%FREE vg0 -n var
+
# haveged -n 0 | dd of=/dev/vda2
  
<nowiki># Create filesystems</nowiki>
+
: Depending on the size of the partition, this process can take several minutes to hours.
  
mkfs.ext2 /dev/vda1
 
  
mkfs.ext4 /dev/mapper/vg0-root
 
  
mkfs.ext4 /dev/mapper/vg0-home
+
== Encrypting the LVM Physical Volume Partition ==
  
mkfs.ext4 /dev/mapper/vg0-tmp
+
* To encrypt the partition which will later contain the LVM PV:
  
mkfs.ext4 /dev/mapper/vg0-var
+
# cryptsetup luksFormat /dev/vda2
  
mkswap /dev/mapper/vg0-swap
+
: '''Note:''' Alpine Linux uses the <code>en-us</code> keyboard mapping when prompting for the password to encrypt the partition at boot time. If you changed the keyboard map in the temporary environment, the password you enter during encrypting the partition in this step, may not match the password you will enter during the system boots.
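Review bot: the keyboard note says the boot-time passphrase prompt uses the <code>en-us</code> mapping, while the earlier "Optionally, set the keyboard language" step says the default is <code>us-us</code>; use one name for the default so that readers who changed the keymap know which layout the prompt will use when they type the passphrase.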
  
<nowiki># Make vda1 bootable</nowiki>
+
: If you prefer setting an individual hashing algorithm and hashing schema:
 +
:* To run a benchmark:
  
fdisk /dev/vda
+
# cryptsetup benchmark
  
m
+
:* To encrypt the partition using individual settings, enter, for example:
  
a
+
# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2
  
1
 
  
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki>
 
  
fdisk /dev/vda
+
== Creating the Logical Volumes and File Systems ==
  
m
+
* Open the LUKS partition:
  
t
+
# cryptsetup open --type luks /dev/vda2 lvmcrypt
  
2
+
* Create the PV on <code>/dev/vda</code>:
  
8e
+
# pvcreate /dev/mapper/lvmcrypt
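Review bot: the step text "Create the PV on <code>/dev/vda</code>:" names the wrong device; the command below it creates the PV on the opened LUKS mapping <code>/dev/mapper/lvmcrypt</code>, which is the device the rest of the procedure relies on. Suggest "Create the PV on the <code>/dev/mapper/lvmcrypt</code> device:".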
  
w
+
* Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:
  
<nowiki># Open LVM volumes</nowiki>
+
# vgcreate vg0 /dev/mapper/lvmcrypt
  
vgchange -a y
+
* Create the LVs:
  
<nowiki># Mount Partitions</nowiki>
+
: In the following you will create a LV for the root partition. However, you can use the same command with a different LV name to create further LVs for other mount points you want to create.
  
<nowiki># *** note mounts under /dev/vol/partition NOT /dev/mapper/vol-partition - for installation ONLY.</nowiki>
+
:* To create a 2 GB LV named <code>root</code> in the <code>vg0</code> VG:
  
<nowiki># mkinitfs fails to generate a working initramfs for LUKS when installing a new system with /dev/mapper </nowiki>
+
# lvcreate -L 2G vg0 -n root
  
<nowiki># LVM devices mounted (but boots installed systems with /dev/mapper LVM devices in /etc/fstab without problems</nowiki>
+
: Create a 512 MB swap LV:
  
mount -t ext4 /dev/vg0/root /mnt
+
# lvcreate -L 512M vg0 -n swap
  
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var
+
* The LVs created in the previous steps are automatically marked active. To verify, enter:
  
mount -t ext4 /dev/vg0/home /mnt/home
+
# lvscan
  
mount -t ext4 /dev/vg0/tmp /mnt/tmp
+
: Format the <code>root</code> LV using the ext4 file system:
  
mount -t ext4 /dev/vg0/var /mnt/var
+
# mkfs.ext4 /dev/vg0/root
  
mount -t ext2 /dev/vda1 /mnt/boot
+
: If you created further LVs in the previous step, create the file systems on them using the same command with the path to the LV.
  
swapon /dev/mapper/vg0-swap
+
* Format the swap LV:
  
<nowiki># Install Alpine</nowiki>
+
# mkswap /dev/vg0/swap
  
setup-disk -m sys /mnt
+
* Format the <code>/dev/vda1</code> device for the <code>/boot/</code> partition using the ext4 file system:
  
<nowiki># Setup crypttab</nowiki>
+
# mkfs.ext4 /dev/vda1
  
echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab
 
  
<nowiki># Setup fstab</nowiki>
 
  
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki>
+
== Mounting the File Systems ==
  
echo "/dev/mapper/vg0-root  /      ext4      defaults,errors=remount-ro  0  1" >> /mnt/etc/fstab
+
Before you can install Alpine Linux, you must mount the partitions and LVs:
  
echo "/dev/mapper/vg0-var  /var  ext4      defaults      0  2" >> /mnt/etc/fstab
+
* Mount the root LV to the <code>/mnt/</code> directory:
  
echo "/dev/mapper/vg0-home  /home  ext4      defaults      0  2" >> /mnt/etc/fstab
+
# mount /dev/vg0/root /mnt/
  
echo "/dev/mapper/vg0-tmp  /tmp    ext4      defaults,noexec,noatime,nodev,nosuid      0  2" >> /mnt/etc/fstab
+
* Create <code>/mnt/boot/</code> directory and mount the <code>/dev/vda1</code> partition in this directory:
  
echo "/dev/mapper/vg0-swap  none  swap      sw            0  0" >> /mnt/etc/fstab
+
# mkdir -t ext4 /mnt/boot/
 +
# mount -t ext4 /dev/vda1 /mnt/boot/
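Review bot: <code># mkdir -t ext4 /mnt/boot/</code> passes an option that <code>mkdir</code> does not have (<code>-t</code> is a <code>mount</code> option); readers copying the line will get an error and no mount point. Suggest <code># mkdir /mnt/boot/</code> followed by the existing <code># mount -t ext4 /dev/vda1 /mnt/boot/</code>.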
  
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki>  
+
: If you created further partitions or LVs, create the mount points within the <code>/mnt/</code> directory and mount the devices.
  
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki>
 
  
<nowiki># (this field is also space-separated and quoted)</nowiki>
 
  
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki>
+
== Installing Alpine Linux ==
 
extlinux --install $MNT/boot --update
 
  
<nowiki># Rebuild initramfs</nowiki>
+
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:
  
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT
+
* Install Alpine Linux:
  
<nowiki># alternative method (ignore extlinux errors)</nowiki>
+
# setup-disk -m sys /mnt/
  
<nowiki># apk fix --root $MNT linux-grsec</nowiki>
+
: The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the <code>fstab</code> file, which are currently mounted in the <code>/mnt/</code> directory.
  
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki>
+
: '''Note:''' The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.
  
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki>
+
* To enable the operating system to decrypt the PV at boot time, create the <code>/mnt/etc/crypttab</code> file. Enter the following line into the file to decrypt the <code>/dev/vda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:
  
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda
+
lvmcrypt    /dev/vda2    none    luks
  
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code>
+
* The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the <code>/mnt/etc/fstab</code> file:
  
----
+
/dev/vg0/swap    swap    swap    defaults    0 0
  
 +
* Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:
  
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:
+
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u>"
  
 +
* Rebuild the initial RAM disk:
  
<code>
+
# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls -1 /mnt/lib/modules/)
<nowiki># CHROOT MOUNTS ###</nowiki>
 
  
vgchange -a y
+
: The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls -1 /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.
  
<nowiki># Follow instructions above for mounting LVM partitions</nowiki>
+
* Edit the <code>/mnt/etc/update-extlinux.conf</code> file and append the following kernel options to the <code>default_kernel_opts</code> parameter:
  
cd /mnt
+
default_kernel_opts="... <u>cryptroot=/dev/vda2 cryptdm=lvmcrypt</u>"
  
mount --bind /dev dev
+
: The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.
  
mount -t devpts devpts dev/pts
+
* Because the <code>update-extlinux</code> utility operators only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:
  
mount -t tmpfs tmpfs dev/shm
+
# chroot /mnt/
 +
# update-extlinux
 +
# exit
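Review bot: "operators only on the /boot/ directory" should read "operates only on"; the surrounding explanation (chroot, then <code>update-extlinux</code>, then <code>exit</code>) is otherwise clear.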
  
mount -t proc proc proc
+
: Ignore the errors the <code>update-extlinux</code> utility displays.
  
mount -t sysfs sysfs sys
+
* Write the MBR to the <code>/dev/vda</code> device:
  
chroot /mnt /bin/ash
+
# dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda
  
  
<nowiki># UNMOUNTING ###</nowiki>
 
  
umount dev/pts
+
== Unmounting the Volumes and Partitions ==
  
umount dev/shm
+
* Umount <code>/mnt/boot/</code> and <code>/mnt/</code>:
  
umount dev
+
# umount /mnt/boot/
 +
# umount /mnt/
  
umount /mnt/boot
+
: '''Note:''' If you mounted further partitions or LVs below <code>/mnt/</code>, you must first unmount all of them before you can unmount <code>/mnt/</code>.
  
umount /mnt/var
+
* Disable the swap partition:
  
umount /mnt/home
+
# swapoff -a
  
umount /mnt/tmp
+
* Deactivate the VG:
  
swapoff /dev/mapper/vg0-swap
+
# vgchange -a n
  
umount /mnt
+
* Close the <code>lvmcrypt</code> device:
  
<nowiki># Deactivate LVM volumes</nowiki>
+
# cryptsetup luksClose lvmcrypt
  
vgchange -a n 
+
* Reboot the system:
  
<nowiki># Close LUKS partition</nowiki>
+
# reboot
  
cryptsetup luksClose lvmcrypt   
 
</code>
 
  
  
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)
 
  
[[Category:Storage]]
+
 
[[Category:Security]]
+
= Troubleshooting =
 +
 
 +
== General Procedure ==
 +
 
 +
In case your system fails to boot, you can verify the settings and fix incorrect configurations:
 +
 
 +
* [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]]
 +
 
 +
* Activate the VGs:
 +
 
 +
# vgchange -a y
 +
 
 +
* [[#Mounting_the_File_Systems|Mount the file systems]]
 +
 
 +
* Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary.
 +
 
 +
* [[#Unmounting_the_Volumes_and_Partitions|Unmount the volumes and partitions]]
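Review bot: the General Procedure runs <code>vgchange -a y</code> directly after preparing the temporary environment, but the VG lives inside the LUKS mapping that <code>cryptsetup luksClose lvmcrypt</code> closed before the reboot, so the VG cannot be found until the mapping exists again. Suggest adding a step <code># cryptsetup open --type luks /dev/vda2 lvmcrypt</code> (as in the Creating the Logical Volumes section) before activating the VGs, and a matching <code>vgchange -a n</code> plus <code>cryptsetup luksClose lvmcrypt</code> after unmounting.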

Revision as of 14:45, 16 April 2017

Introduction

This documentation describes how to set up Alpine Linux on logical volumes (LVs) that reside in an encrypted partition. The partition holding the logical volume manager (LVM) volume group (VG) is encrypted with the Device Mapper crypt (dm-crypt) module and the Linux Unified Key Setup (LUKS) format.

Note that you must install the /boot/ directory on an unencrypted partition to boot correctly.


Hard Disk Device Name

The following documentation uses the vda device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples.



Setting up Alpine Linux Using LVM on Top of a LUKS Partition

To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the official installation procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.


Preparing the Temporary Installation Environment

Before you begin to install Alpine Linux, prepare the temporary environment:

Note: All settings in this section apply only to the temporary environment and not to the later installed Alpine Linux on your hard disk.

  • Boot the latest Alpine Linux Installation CD.
  • At the login prompt, use the root user without password to log in.
  • Optionally, set the keyboard language:
# setup-keymap
The default keyboard mapping is us-us.
  • Configure the network interface:
# setup-interfaces
If you set a static IP address, additionally configure DNS to be able to resolve host names:
# setup-dns
  • Enable the network interface. For example:
# ifup eth0
  • Set an apk repository and update the cache:
# setup-apkrepos
# apk update
  • Install the following packages required to set up LVM and LUKS:
# apk add haveged lvm2 cryptsetup e2fsprogs syslinux
Optionally, you can install a different editor, such as nano, to edit files in later steps if you do not want to use vi.
  • Optionally, start the haveged service for unpredictable random numbers used for encryption:
# rc-service haveged start


Creating the Partition Layout

Linux requires an unencrypted /boot/ partition to boot. You can assign the remaining space for the encrypted LVM physical volume (PV).

  • Start the fdisk utility to set up partitions:
# fdisk /dev/vda
  • Create the /boot/ partition:
      • Enter n, then p, then 1, then 1, then 100m (one answer per prompt) to create a new 100 MB primary partition.
  • Set the /boot/ partition active:
      • Enter a, then 1.
  • Create the LVM PV partition:
      • Enter n, then p, then 2 to start creating the next partition. Press Enter to select the default start cylinder. Enter the size of the partition, for example 512m for 512 MB or 5g for 5 GB, or press Enter to use the maximum available size.
  • Set the partition type for the LVM PV:
      • Enter t, then 2, then 8e.
  • To verify the settings, press p. The output shows, for example:
   Device Boot     Start       End     Blocks   Id System
/dev/vda1   *          1       100      50368+  83 Linux
/dev/vda2            101     10402    5192208   8e Linux LVM
  • Press w to save the changes.
  • Optionally, wipe the LVM PV partition with random values:
# haveged -n 0 | dd of=/dev/vda2
Depending on the size of the partition, this process can take several minutes to hours.
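As an added example (not part of this wiki page), the following POSIX shell script checks a partition table in the column layout that fdisk's p command prints above: the /boot/ partition must be marked active and the LVM partition must carry the Id 8e, two of the settings that the fdisk keystrokes above configure. The device names, the function names and the sample table are assumptions; the sample is a constructed copy of the table shown above, and the parser expects that older fdisk column layout (newer util-linux fdisk prints different columns).

```shell
#!/bin/sh
# Added example: verify the partition layout from fdisk's 'p' output.
# Assumes the column layout shown on the wiki page (Device Boot Start End Blocks Id System).

# Constructed copy of the 'p' output shown above (not captured from a real disk)
SAMPLE_TABLE='   Device Boot     Start       End     Blocks   Id System
/dev/vda1   *          1       100      50368+  83 Linux
/dev/vda2            101     10402    5192208   8e Linux LVM'

# partition_field TABLE DEVICE boot|id -> "yes"/"no" for the Boot flag, or the hex Id
# A '*' in the Boot column shifts all later columns one position to the right.
partition_field() {
    printf '%s\n' "$1" | awk -v dev="$2" -v want="$3" '
        $1 == dev {
            boot = ($2 == "*") ? "yes" : "no"
            id = ($2 == "*") ? $6 : $5
            out = (want == "boot") ? boot : id
            print out
        }'
}

# check_layout TABLE BOOTDEV LVMDEV -> 0 if BOOTDEV is active (Id 83) and LVMDEV has Id 8e
check_layout() {
    table=$1; bootdev=$2; lvmdev=$3; rc=0
    [ "$(partition_field "$table" "$bootdev" boot)" = yes ] ||
        { echo "ERROR: $bootdev is not marked active (fdisk: a, then 1)"; rc=1; }
    [ "$(partition_field "$table" "$bootdev" id)" = 83 ] ||
        { echo "ERROR: $bootdev should be a plain Linux partition (Id 83)"; rc=1; }
    [ "$(partition_field "$table" "$lvmdev" id)" = 8e ] ||
        { echo "ERROR: $lvmdev is not type 8e Linux LVM (fdisk: t, then 2, then 8e)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $bootdev is active, $lvmdev is Linux LVM"
    return "$rc"
}

# Demo on the constructed table. On the live system the same check would read the
# real table, e.g. check_layout "$(fdisk -l /dev/vda)" /dev/vda1 /dev/vda2
check_layout "$SAMPLE_TABLE" /dev/vda1 /dev/vda2
```

Run it before cryptsetup luksFormat: fixing the partition type afterwards means another pass through fdisk, and a /boot/ partition without the active flag is one of the cases in which the installed system does not boot.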


Encrypting the LVM Physical Volume Partition

  • To encrypt the partition which will later contain the LVM PV:
# cryptsetup luksFormat /dev/vda2
Note: Alpine Linux uses the en-us keyboard mapping when prompting for the password to unlock the partition at boot time. If you changed the keyboard map in the temporary environment, the password you enter while encrypting the partition in this step may not match the password you enter when the system boots.
If you prefer to choose the cipher and hash settings yourself:
  • To run a benchmark:
# cryptsetup benchmark
  • To encrypt the partition using individual settings, enter, for example:
# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2


Creating the Logical Volumes and File Systems

  • Open the LUKS partition:
# cryptsetup open --type luks /dev/vda2 lvmcrypt
  • Create the PV on the opened /dev/mapper/lvmcrypt device:
# pvcreate /dev/mapper/lvmcrypt
  • Create the vg0 LVM VG in the /dev/mapper/lvmcrypt PV:
# vgcreate vg0 /dev/mapper/lvmcrypt
  • Create the LVs:
In the following, you create an LV for the root file system. You can run the same command with a different LV name and size to create further LVs for other mount points.
  • To create a 2 GB LV named root in the vg0 VG:
# lvcreate -L 2G vg0 -n root
Create a 512 MB swap LV:
# lvcreate -L 512M vg0 -n swap
  • The LVs created in the previous steps are automatically marked active. To verify, enter:
# lvscan
Format the root LV using the ext4 file system:
# mkfs.ext4 /dev/vg0/root
If you created further LVs in the previous step, create the file systems on them using the same command with the path to the LV.
  • Format the swap LV:
# mkswap /dev/vg0/swap
  • Format the /dev/vda1 device for the /boot/ partition using the ext4 file system:
# mkfs.ext4 /dev/vda1


Mounting the File Systems

Before you can install Alpine Linux, you must mount the partitions and LVs:

  • Mount the root LV to the /mnt/ directory:
# mount /dev/vg0/root /mnt/
  • Create the /mnt/boot/ directory and mount the /dev/vda1 partition on it:
# mkdir /mnt/boot/
# mount -t ext4 /dev/vda1 /mnt/boot/
If you created further partitions or LVs, create the mount points within the /mnt/ directory and mount the devices.


Installing Alpine Linux

In this step you will install Alpine Linux in the /mnt/ directory, which contains the mounted file system structure:

  • Install Alpine Linux:
# setup-disk -m sys /mnt/
The installer downloads the latest packages for the base installation and automatically creates fstab entries for the file systems currently mounted below the /mnt/ directory.
Note: The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.
  • To enable the operating system to decrypt the PV at boot time, create the /mnt/etc/crypttab file. Enter the following line into the file to decrypt the /dev/vda2 partition using the luks module and map it to the lvmcrypt name:
lvmcrypt    /dev/vda2    none    luks
  • The swap LV is not automatically added to the fstab file. To add it manually, add the following line to the /mnt/etc/fstab file:
/dev/vg0/swap    swap    swap    defaults    0 0
  • Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter:
features="ata base ide scsi usb virtio ext4 lvm cryptsetup"
  • Rebuild the initial RAM disk:
# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls -1 /mnt/lib/modules/)
The -c option selects the mkinitfs.conf file to use, and -b /mnt/ makes mkinitfs work on the installed system rather than on the temporary environment. The last argument, $(ls -1 /mnt/lib/modules/), names the kernel version whose modules go into the RAM disk; without it, mkinitfs uses the kernel version running in the temporary environment, which can differ from the one the setup-disk utility installed.
  • Edit the /mnt/etc/update-extlinux.conf file and append the following kernel options to the default_kernel_opts parameter:
default_kernel_opts="... cryptroot=/dev/vda2 cryptdm=lvmcrypt"
The cryptroot parameter sets the name of the device that contains the root file system. The cryptdm parameter sets the name of the mapping previously set in the crypttab file.
  • Because the update-extlinux utility operates only on the /boot/ directory, temporarily change the root to the /mnt/ directory and update the boot loader configuration:
# chroot /mnt/
# update-extlinux
# exit
Ignore the errors the update-extlinux utility displays.
  • Write the MBR to the /dev/vda device:
# dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda
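Before unmounting and rebooting, it is worth checking that the files edited in this section agree with each other: a missing cryptsetup feature in the initial RAM disk, a cryptdm name that does not match crypttab, and an MBR that was never written are the usual reasons the installed system does not boot (the earlier revision at the top of this page lists the first and the last). The following POSIX shell script is an added example and not part of the wiki page or of Alpine's tooling. It reads the mkinitfs.conf, update-extlinux.conf and crypttab files named above, cross-checks cryptroot and cryptdm against the crypttab mapping, and compares the first 440 bytes of the disk with mbr.bin. The function names and the two constructed sample trees are assumptions; on the installed system you would call check_boot_config /mnt /dev/vda, and the same check is useful in the Troubleshooting procedure below.

```shell
#!/bin/sh
# Added example: pre-reboot consistency check for the LUKS/LVM boot configuration.
# File names follow the wiki page; the sample trees written below are constructed.

# conf_value FILE KEY -> value of the KEY="..." assignment in FILE (empty if absent)
conf_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# has_word STRING WORD -> true if WORD is one of the space-separated words in STRING
has_word() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# kernel_opt OPTS NAME -> value of NAME=value inside a kernel option string
kernel_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# crypttab_device CRYPTTAB NAME -> device mapped to NAME (second column), empty if missing
crypttab_device() {
    [ -r "$1" ] || return 0
    awk -v name="$2" '$1 == name { print $2 }' "$1"
}

# mbr_written DISK MBRFILE -> true if the first 440 bytes of DISK equal MBRFILE
mbr_written() {
    dd if="$1" bs=440 count=1 2>/dev/null | cmp -s - "$2"
}

# check_boot_config ROOT [DISK] -> 0 if mkinitfs.conf, update-extlinux.conf and crypttab
# under ROOT/etc agree with each other; with DISK, the MBR is compared with mbr.bin too.
check_boot_config() {
    root=$1; disk=${2:-}; rc=0
    features=$(conf_value "$root/etc/mkinitfs/mkinitfs.conf" features)
    for f in lvm cryptsetup; do
        has_word "$features" "$f" ||
            { echo "ERROR: mkinitfs.conf features=\"...\" lacks '$f'"; rc=1; }
    done
    opts=$(conf_value "$root/etc/update-extlinux.conf" default_kernel_opts)
    cryptroot=$(kernel_opt "$opts" cryptroot)
    cryptdm=$(kernel_opt "$opts" cryptdm)
    [ -n "$cryptroot" ] || { echo "ERROR: default_kernel_opts lacks cryptroot="; rc=1; }
    [ -n "$cryptdm" ] || { echo "ERROR: default_kernel_opts lacks cryptdm="; rc=1; }
    mapped=$(crypttab_device "$root/etc/crypttab" "$cryptdm")
    if [ -z "$mapped" ]; then
        echo "ERROR: crypttab has no mapping named '$cryptdm'"; rc=1
    elif [ "$mapped" != "$cryptroot" ]; then
        echo "ERROR: crypttab maps $cryptdm to $mapped but cryptroot=$cryptroot"; rc=1
    fi
    if [ -n "$disk" ]; then
        mbr_written "$disk" "$root/usr/share/syslinux/mbr.bin" ||
            { echo "ERROR: MBR on $disk does not match mbr.bin (run the dd step)"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: $root is consistent (cryptdm=$cryptdm -> $cryptroot)"
    return "$rc"
}

# make_sample_root DIR good|bad -> writes a constructed tree (not copied from a real install)
make_sample_root() {
    mkdir -p "$1/etc/mkinitfs" "$1/usr/share/syslinux"
    mbr="$1/usr/share/syslinux/mbr.bin"
    # 440 constructed bytes standing in for syslinux's boot code
    awk 'BEGIN { for (i = 0; i < 440; i++) printf "M" }' > "$mbr"
    if [ "$2" = good ]; then
        feats="ata base ide scsi usb virtio ext4 lvm cryptsetup"
        ct_line="lvmcrypt    /dev/vda2    none    luks"
        { cat "$mbr"; dd if=/dev/zero bs=512 count=1 2>/dev/null; } > "$1/disk.img"
    else
        feats="ata base ide scsi usb virtio ext4 lvm"          # cryptsetup forgotten
        ct_line="lvmcrypt    /dev/vda3    none    luks"        # wrong device
        dd if=/dev/zero of="$1/disk.img" bs=512 count=2 2>/dev/null  # MBR never written
    fi
    printf 'features="%s"\n' "$feats" > "$1/etc/mkinitfs/mkinitfs.conf"
    printf 'default_kernel_opts="quiet cryptroot=/dev/vda2 cryptdm=lvmcrypt"\n' \
        > "$1/etc/update-extlinux.conf"
    printf '%s\n' "$ct_line" > "$1/etc/crypttab"
}

# Demo on the constructed trees; on the installed system: check_boot_config /mnt /dev/vda
demo=$(mktemp -d)
make_sample_root "$demo/good" good
make_sample_root "$demo/bad" bad
check_boot_config "$demo/good" "$demo/good/disk.img"
check_boot_config "$demo/bad" "$demo/bad/disk.img" || true
rm -rf "$demo"
```

The cryptdm/crypttab cross-check is the part worth keeping even if you trust the rest: the initial RAM disk unlocks the device named by cryptroot under the name given by cryptdm, and the root device in fstab is found under that name, so a mismatch between the two files produces a system that prompts for the passphrase and then fails to mount root.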


Unmounting the Volumes and Partitions

  • Unmount /mnt/boot/ and /mnt/:
# umount /mnt/boot/
# umount /mnt/
Note: If you mounted further partitions or LVs below /mnt/, you must first unmount all of them before you can unmount /mnt/.
  • Disable the swap LV:
# swapoff -a
  • Deactivate the VG:
# vgchange -a n
  • Close the lvmcrypt device:
# cryptsetup luksClose lvmcrypt
  • Reboot the system:
# reboot



Troubleshooting

General Procedure

In case your system fails to boot, you can verify the settings and fix incorrect configurations:

  • Prepare the temporary installation environment as described in the Preparing the Temporary Installation Environment section.
  • Activate the VGs:
# vgchange -a y
  • Mount the file systems as described in the Mounting the File Systems section.
  • Verify that you ran the steps described in the Installing Alpine Linux section correctly. Update the configuration if necessary.
  • Unmount the volumes and partitions as described in the Unmounting the Volumes and Partitions section.