Difference between revisions of "LVM on LUKS"

From Alpine Linux
Jump to: navigation, search
(Add separate bootloader section and grub-efi)
(Improve formatting)
Line 4: Line 4:
  
 
Note that you must install the <code>/boot/</code> directory on an unecrypted partition to boot correctly.
 
Note that you must install the <code>/boot/</code> directory on an unecrypted partition to boot correctly.
 
  
 
== Hard Disk Device Name ==
 
== Hard Disk Device Name ==
  
 
The following documentation uses the <code>vda</code> device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples.
 
The following documentation uses the <code>vda</code> device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples.
 
 
 
 
  
 
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =
 
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =
  
 
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.
 
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.
 
 
  
 
== Preparing the Temporary Installation Environment ==
 
== Preparing the Temporary Installation Environment ==
Line 26: Line 19:
 
{{Note|All settings in this section apply only to the temporary environment and not to the later installed Alpine Linux on your hard disk.}}
 
{{Note|All settings in this section apply only to the temporary environment and not to the later installed Alpine Linux on your hard disk.}}
  
* Boot the latest Alpine Linux Installation CD.
+
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without password to log in.
  
* At the login prompt, use the <code>root</code> user without password to log in.
+
Optionally, set the keyboard language:
  
* Optionally, set the keyboard language:
+
<pre># setup-keymap</pre>
 
 
# setup-keymap
 
  
 
: The default keyboard mapping is <code>us-us</code>
 
: The default keyboard mapping is <code>us-us</code>
  
* Configure the network interface:
+
Configure the network interface:
  
# setup-interfaces
+
<pre># setup-interfaces</pre>
  
 
: If you set a static IP address, additionally configure DNS be able to resolve host names:
 
: If you set a static IP address, additionally configure DNS be able to resolve host names:
  
# setup-dns
+
<pre># setup-dns</pre>
  
* Enable the network interface. For example:
+
Enable the network interface. For example:
  
# ifup eth0
+
<pre># ifup eth0</pre>
  
* Set an apk repository and update the cache:
+
Set an apk repository and update the cache:
  
# setup-apkrepos
+
<pre>
# apk update
+
# setup-apkrepos
 +
# apk update
 +
</pre>
  
* Install the following packages required to set up LVM and LUKS:
+
Install the following packages required to set up LVM and LUKS:
  
# apk add lvm2 cryptsetup e2fsprogs
+
<pre>
 
+
# apk add lvm2 cryptsetup e2fsprogs
* Optionally, install and start the <code>haveged</code> service for unpredictable random numbers used for encryption:
+
</pre>
 
 
# apk add haveged
 
# rc-service haveged start
 
  
 +
Optionally, install and start the <code>haveged</code> service for unpredictable random numbers used for encryption:
  
 +
<pre>
 +
# apk add haveged
 +
# rc-service haveged start
 +
</pre>
  
 
== Creating the Partition Layout ==
 
== Creating the Partition Layout ==
Line 68: Line 63:
 
Linux requires an unencrypted <code>/boot/</code> partition to boot. You can assign the remaining space for the encrypted LVM physical volume (PV).
 
Linux requires an unencrypted <code>/boot/</code> partition to boot. You can assign the remaining space for the encrypted LVM physical volume (PV).
  
* Start the <code>fdisk</code> utility to set up partitions:
+
Start the <code>fdisk</code> utility to set up partitions:
  
# fdisk /dev/vda
+
<pre># fdisk /dev/vda</pre>
  
:* Create the <code>/boot/</code> partition:
+
Create the <code>/boot/</code> partition:
::* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>1</code> &rarr; <code>1</code> &rarr; <code>+100m</code> to create a new 100 MB primary partition.
+
* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>1</code> &rarr; <code>1</code> &rarr; <code>+100m</code> to create a new 100 MB primary partition.
  
:* Set the <code>/boot/</code> partition active:
+
Set the <code>/boot/</code> partition active:
::* Enter <code>a</code> &rarr; <code>1</code>.
+
* Enter <code>a</code> &rarr; <code>1</code>.
  
:* Create the LVM PV partition:
+
Create the LVM PV partition:
::* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>2</code> to start creating the next partition. Press <code>Enter</code> to select the default start cylinder. Enter the size of partition. For example, <code>512m</code> for 512 MB or <code>5g</code> for 5 GB. Alternatively press <code>Enter</code> to set the maximum available size.
+
* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>2</code> to start creating the next partition. Press <code>Enter</code> to select the default start cylinder. Enter the size of partition. For example, <code>512m</code> for 512 MB or <code>5g</code> for 5 GB. Alternatively press <code>Enter</code> to set the maximum available size.
  
:* Set the partition type for the LVM PV:
+
Set the partition type for the LVM PV:
::* Enter <code>t</code> &rarr; <code>2</code> &rarr; <code>8e</code>
+
* Enter <code>t</code> &rarr; <code>2</code> &rarr; <code>8e</code>
  
:* To verify the settings, press <code>p</code>. The output shows, for example:
+
To verify the settings, press <code>p</code>. The output shows, for example:
  
 +
<pre>
 
     Device Boot    Start      End    Blocks  Id System
 
     Device Boot    Start      End    Blocks  Id System
 
  /dev/vda1  *          1      100      50368+  83 Linux
 
  /dev/vda1  *          1      100      50368+  83 Linux
 
  /dev/vda2            101    10402    5192208  8e Linux LVM
 
  /dev/vda2            101    10402    5192208  8e Linux LVM
 +
</pre>
  
* Press <code>w</code> to save the changes.
+
Press <code>w</code> to save the changes.
  
* Optionally, wipe the LVM PV partition with random values:
+
Optionally, wipe the LVM PV partition with random values:
  
# haveged -n 0 | dd of=/dev/vda2
+
<pre># haveged -n 0 | dd of=/dev/vda2</pre>
  
: Depending on the size of the partition, this process can take several minutes to hours.
+
Depending on the size of the partition, this process can take several minutes to hours.
  
 
== Encrypting the LVM Physical Volume Partition ==  
 
== Encrypting the LVM Physical Volume Partition ==  
  
* To encrypt the partition which will later contain the LVM PV:
+
To encrypt the partition which will later contain the LVM PV:
  
# cryptsetup luksFormat /dev/vda2
+
<pre># cryptsetup luksFormat /dev/vda2</pre>
  
: If you prefer setting an individual hashing algorithm and hashing schema:
+
If you prefer setting an individual hashing algorithm and hashing schema:
:* To run a benchmark:
 
  
# cryptsetup benchmark
+
* To run a benchmark:
  
:* To encrypt the partition using individual settings, enter, for example:
+
<pre># cryptsetup benchmark</pre>
 
 
# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2
 
  
 +
* To encrypt the partition using individual settings, enter, for example:
  
 +
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2</pre>
  
 
== Creating the Logical Volumes and File Systems ==
 
== Creating the Logical Volumes and File Systems ==
  
* Open the LUKS partition:
+
Open the LUKS partition:
  
# cryptsetup open --type luks /dev/vda2 lvmcrypt
+
<pre># cryptsetup open --type luks /dev/vda2 lvmcrypt</pre>
  
* Create the PV on <code>/dev/vda</code>:
+
Create the PV on <code>/dev/vda</code>:
  
# pvcreate /dev/mapper/lvmcrypt
+
<pre># pvcreate /dev/mapper/lvmcrypt</pre>
  
* Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:
+
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:
  
# vgcreate vg0 /dev/mapper/lvmcrypt
+
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>
  
* Create the LVs:
+
Create the LVs:
  
 
: In the following you will create a LV for the root partition. However, you can use the same command with a different LV name to create further LVs for other mount points you want to create.
 
: In the following you will create a LV for the root partition. However, you can use the same command with a different LV name to create further LVs for other mount points you want to create.
  
:* To create a 2 GB LV named <code>root</code> in the <code>vg0</code> VG:
+
* To create a 2 GB LV named <code>root</code> in the <code>vg0</code> VG:
  
# lvcreate -L 2G vg0 -n root
+
<pre># lvcreate -L 2G vg0 -n root</pre>
  
: Create a 512 MB swap LV:
+
* Create a 512 MB swap LV:
  
# lvcreate -L 512M vg0 -n swap
+
<pre># lvcreate -L 512M vg0 -n swap</pre>
  
* The LVs created in the previous steps are automatically marked active. To verify, enter:
+
The LVs created in the previous steps are automatically marked active. To verify, enter:
  
# lvscan
+
<pre># lvscan</pre>
  
: Format the <code>root</code> LV using the ext4 file system:
+
Format the <code>root</code> LV using the ext4 file system:
  
# mkfs.ext4 /dev/vg0/root
+
<pre># mkfs.ext4 /dev/vg0/root</pre>
  
: If you created further LVs in the previous step, create the file systems on them using the same command with the path to the LV.
+
If you created further LVs in the previous step, create the file systems on them using the same command with the path to the LV.
 
 
* Format the swap LV:
 
 
 
# mkswap /dev/vg0/swap
 
  
 +
Format the swap LV:
  
 +
<pre># mkswap /dev/vg0/swap</pre>
  
 
== Mounting the File Systems ==
 
== Mounting the File Systems ==
  
Before you can install Alpine Linux, you must mount the partitions and LVs:
+
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:
 
 
* Mount the root LV to the <code>/mnt/</code> directory:
 
  
# mount -t ext4 /dev/vg0/root /mnt/
+
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>
  
: If you created further partitions or LVs, create the mount points within the <code>/mnt/</code> directory and mount the devices.
+
If you created further partitions or LVs, create the mount points within the <code>/mnt/</code> directory and mount the devices.
  
 
== Installing Alpine Linux ==
 
== Installing Alpine Linux ==
Line 171: Line 163:
 
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:
 
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:
  
* Install Alpine Linux:
+
Install Alpine Linux:
  
# setup-disk -m sys /mnt/
+
<pre># setup-disk -m sys /mnt/</pre>
  
: The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the <code>fstab</code> file, which are currently mounted in the <code>/mnt/</code> directory.
+
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the <code>fstab</code> file, which are currently mounted in the <code>/mnt/</code> directory.
  
: {{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}
+
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}
  
* To enable the operating system to decrypt the PV at boot time, create the <code>/mnt/etc/crypttab</code> file. Enter the following line into the file to decrypt the <code>/dev/vda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:
+
To enable the operating system to decrypt the PV at boot time, create the <code>/mnt/etc/crypttab</code> file. Enter the following line into the file to decrypt the <code>/dev/vda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:
  
lvmcrypt    /dev/vda2    none    luks
+
<pre>lvmcrypt    /dev/vda2    none    luks</pre>
  
* The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the <code>/mnt/etc/fstab</code> file:
+
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the <code>/mnt/etc/fstab</code> file:
  
/dev/vg0/swap    swap    swap    defaults    0 0
+
<pre>/dev/vg0/swap    swap    swap    defaults    0 0</pre>
  
* Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:
+
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:
  
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u>"
+
<pre>features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u>"</pre>
  
:{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap<code> feature to the list above.}}
+
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap<code> feature to the list above.}}
  
* Rebuild the initial RAM disk:
+
Rebuild the initial RAM disk:
  
# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)
+
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>
  
: The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.
+
The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.
  
 
== Installing a bootloader ==
 
== Installing a bootloader ==
 
 
=== Syslinux ===
 
=== Syslinux ===
  
Line 280: Line 271:
 
== Unmounting the Volumes and Partitions ==
 
== Unmounting the Volumes and Partitions ==
  
* Umount <code>/mnt/boot/</code> and <code>/mnt/</code>:
+
Umount <code>/mnt/boot/</code> and <code>/mnt/</code>:
  
# umount /mnt/boot/
+
<pre>
# umount /mnt/
+
# umount /mnt/boot/
 
+
# umount /mnt/
: {{Note|If you mounted further partitions or LVs below <code>/mnt/</code>, you must first unmount all of them before you can unmount <code>/mnt/</code>.}}
+
</pre>
 
 
* Disable the swap partition:
 
 
 
# swapoff -a
 
 
 
* Deactivate the VG:
 
  
# vgchange -a n
+
{{Note|If you mounted further partitions or LVs below <code>/mnt/</code>, you must first unmount all of them before you can unmount <code>/mnt/</code>.}}
  
* Close the <code>lvmcrypt</code> device:
+
Disable the swap partition:
  
# cryptsetup luksClose lvmcrypt
+
<pre># swapoff -a</pre>
  
* Reboot the system:
+
Deactivate the VG:
  
# reboot
+
<pre># vgchange -a n</pre>
  
 +
Close the <code>lvmcrypt</code> device:
  
 +
<pre># cryptsetup luksClose lvmcrypt</pre>
  
 +
Reboot the system:
  
 +
<pre># reboot</pre>
  
 
= Troubleshooting =
 
= Troubleshooting =
Line 311: Line 300:
 
== General Procedure ==
 
== General Procedure ==
  
In case your system fails to boot, you can verify the settings and fix incorrect configurations:
+
In case your system fails to boot, you can verify the settings and fix incorrect configurations.
  
* [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]]
+
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.
  
* Activate the VGs:
+
Activate the VGs:
  
# vgchange -a y
+
<pre># vgchange -a y</pre>
  
* [[#Mounting_the_File_Systems|Mount the file systems]]
+
[[#Mounting_the_File_Systems|Mount the file systems]]
  
* Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary.
+
Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary.
  
* [[#Unmounting_the_Volumes_and_Partitions|Unmount the volumes and partitions]]
+
[[#Unmounting_the_Volumes_and_Partitions|Unmount the volumes and partitions]]
  
 
= Hardening =
 
= Hardening =

Revision as of 13:27, 26 June 2019

Introduction

This documentation describes how to set up Alpine Linux using a logical volume (LV), that is installed in an encrypted partition. To encrypt the partition the logical volume manager (LVM) the volume group (VG) is installed in, the Device Mapper crypt (dm-crypt) module and Linux Unified Key Setup (LUKS) is used.

Note that you must install the /boot/ directory on an unecrypted partition to boot correctly.

Hard Disk Device Name

The following documentation uses the vda device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples.

Setting up Alpine Linux Using LVM on Top of a LUKS Partition

To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the official installation procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

Preparing the Temporary Installation Environment

Before you begin to install Alpine Linux, prepare the temporary environment:

Note: All settings in this section apply only to the temporary environment and not to the later installed Alpine Linux on your hard disk.

Boot the latest Alpine Linux Installation CD. At the login prompt, use the root user without password to log in.

Optionally, set the keyboard language:

# setup-keymap
The default keyboard mapping is us-us

Configure the network interface:

# setup-interfaces
If you set a static IP address, additionally configure DNS be able to resolve host names:
# setup-dns

Enable the network interface. For example:

# ifup eth0

Set an apk repository and update the cache:

# setup-apkrepos
# apk update

Install the following packages required to set up LVM and LUKS:

# apk add lvm2 cryptsetup e2fsprogs

Optionally, install and start the haveged service for unpredictable random numbers used for encryption:

# apk add haveged
# rc-service haveged start

Creating the Partition Layout

Linux requires an unencrypted /boot/ partition to boot. You can assign the remaining space for the encrypted LVM physical volume (PV).

Start the fdisk utility to set up partitions:

# fdisk /dev/vda

Create the /boot/ partition:

  • Enter np11+100m to create a new 100 MB primary partition.

Set the /boot/ partition active:

  • Enter a1.

Create the LVM PV partition:

  • Enter np2 to start creating the next partition. Press Enter to select the default start cylinder. Enter the size of partition. For example, 512m for 512 MB or 5g for 5 GB. Alternatively press Enter to set the maximum available size.

Set the partition type for the LVM PV:

  • Enter t28e

To verify the settings, press p. The output shows, for example:

    Device Boot     Start       End     Blocks   Id System
 /dev/vda1   *          1       100      50368+  83 Linux
 /dev/vda2            101     10402    5192208   8e Linux LVM

Press w to save the changes.

Optionally, wipe the LVM PV partition with random values:

# haveged -n 0 | dd of=/dev/vda2

Depending on the size of the partition, this process can take several minutes to hours.

Encrypting the LVM Physical Volume Partition

To encrypt the partition which will later contain the LVM PV:

# cryptsetup luksFormat /dev/vda2

If you prefer setting an individual hashing algorithm and hashing schema:

  • To run a benchmark:
# cryptsetup benchmark
  • To encrypt the partition using individual settings, enter, for example:
# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2

Creating the Logical Volumes and File Systems

Open the LUKS partition:

# cryptsetup open --type luks /dev/vda2 lvmcrypt

Create the PV on /dev/vda:

# pvcreate /dev/mapper/lvmcrypt

Create the vg0 LVM VG in the /dev/mapper/lvmcrypt PV:

# vgcreate vg0 /dev/mapper/lvmcrypt

Create the LVs:

In the following you will create a LV for the root partition. However, you can use the same command with a different LV name to create further LVs for other mount points you want to create.
  • To create a 2 GB LV named root in the vg0 VG:
# lvcreate -L 2G vg0 -n root
  • Create a 512 MB swap LV:
# lvcreate -L 512M vg0 -n swap

The LVs created in the previous steps are automatically marked active. To verify, enter:

# lvscan

Format the root LV using the ext4 file system:

# mkfs.ext4 /dev/vg0/root

If you created further LVs in the previous step, create the file systems on them using the same command with the path to the LV.

Format the swap LV:

# mkswap /dev/vg0/swap

Mounting the File Systems

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the /mnt/ directory:

# mount -t ext4 /dev/vg0/root /mnt/

If you created further partitions or LVs, create the mount points within the /mnt/ directory and mount the devices.

Installing Alpine Linux

In this step you will install Alpine Linux in the /mnt/ directory, which contains the mounted file system structure:

Install Alpine Linux:

# setup-disk -m sys /mnt/

The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the fstab file, which are currently mounted in the /mnt/ directory.

Note: The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.

To enable the operating system to decrypt the PV at boot time, create the /mnt/etc/crypttab file. Enter the following line into the file to decrypt the /dev/vda2 partition using the luks module and map it to the lvmcrypt name:

lvmcrypt    /dev/vda2    none    luks

The swap LV is not automatically added to the fstab file. To add it manually, add the following line to the /mnt/etc/fstab file:

/dev/vg0/swap    swap    swap    defaults    0 0

Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter:

features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u>"
Note: Alpine Linux uses the en-us keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the keymap feature to the list above.

Rebuild the initial RAM disk:

# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)

The command uses the settings from the mkinitfs.conf file set in the -c parameter to generate the RAM disk. The command is executed in the /mnt/ directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the $(ls /mnt/lib/modules/) option, mkinitfs tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the setup-disk utility.

Installing a bootloader

Syslinux

Format the /dev/vda1 device for the /boot/ partition using the ext4 file system:

# mkfs.ext4 /dev/vda1

Create /mnt/boot/ directory and mount the /dev/vda1 partition in this directory:

# mkdir /mnt/boot/
# mount -t ext4 /dev/vda1 /mnt/boot/

Install the Syslinux package:

# apk add syslinux

Edit the /mnt/etc/update-extlinux.conf file and append the following kernel options to the default_kernel_opts parameter:

default_kernel_opts="... <u>cryptroot=/dev/vda2 cryptdm=lvmcrypt</u>"
The cryptroot parameter sets the name of the device that contains the root file system. The cryptdm parameter sets the name of the mapping previously set in the crypttab file.

Because the update-extlinux utility operators only on the /boot/ directory, temporarily change the root to the /mnt/ directory and update the boot loader configuration:

# chroot /mnt/
# update-extlinux
# exit
Ignore the errors the update-extlinux utility displays.

Write the MBR to the /dev/vda device:

# dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda

Grub on EFI

Format the /dev/vda1 device for the /boot/ partition using the FAT32 file system:

# apk add dosfstools
# mkfs.fat -F32 /dev/vda1

Create /mnt/boot/ directory and mount the /dev/vda1 partition in this directory:

# mkdir /mnt/boot/
# mount /dev/vda1 /mnt/boot/

Edit the /mnt/etc/default/grub file and add the following kernel options to the GRUB_CMDLINE_LINUX_DEFAULT parameter:

cryptroot=/dev/vda2 cryptdm=lvmcrypt

The cryptroot parameter sets the name of the device that contains the root file system. The cryptdm parameter sets the name of the mapping previously set in the crypttab file.

Mount the required filesystems for the Grub EFI installer to the installation:

# mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev

Then chroot in and use grub-install to install Grub.

# (chroot) chroot /mnt
# (chroot) apk add grub grub-efi efibootmgr
# (chroot) grub-install --target=x86_64-efi --efi-directory=/boot
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit

Unmounting the Volumes and Partitions

Umount /mnt/boot/ and /mnt/:

# umount /mnt/boot/
# umount /mnt/
Note: If you mounted further partitions or LVs below /mnt/, you must first unmount all of them before you can unmount /mnt/.

Disable the swap partition:

# swapoff -a

Deactivate the VG:

# vgchange -a n

Close the lvmcrypt device:

# cryptsetup luksClose lvmcrypt

Reboot the system:

# reboot

Troubleshooting

General Procedure

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and do the steps in Prepare the temporary installation environment again.

Activate the VGs:

# vgchange -a y

Mount the file systems

Verify that you run the steps described in the Installing Alpine Linux section correctly. Update the configuration if necessary.

Unmount the volumes and partitions

Hardening

  • To harden, you should disable DMA[1] and install a hardened version of AES (TRESOR[2] or Loop-Amnesia[3]) since by default cryptsetup with luks uses AES by default.
  • Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[4]
  • Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.