Difference between revisions of "LVM on LUKS"

From Alpine Linux
m (put hardening section)
m (Syslinux with BIOS: changed 'vda' to 'sda' for dd command)
(19 intermediate revisions by 8 users not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
This documentation describes how to set up Alpine Linux using a logical volume (LV), that is installed in an encrypted partition. To encrypt the partition the logical volume manager (LVM) the volume group (VG) is installed in, the Device Mapper crypt (dm-crypt) module and Linux Unified Key Setup (LUKS) is used.
+
This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.
 
 
Note that you must install the <code>/boot/</code> directory on an unecrypted partition to boot correctly.
 
 
 
 
 
== Hard Disk Device Name ==
 
 
 
The following documentation uses the <code>vda</code> device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples.
 
  
 +
Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.
  
 +
== Storage Device Name ==
  
 +
To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lspci</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.
  
 +
The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.
  
 
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =
 
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =
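Review bot: in the new Storage Device Name paragraph (the line beginning `To find your storage device's name`), `lspci` lists PCI devices, not disks; the util-linux tool that lists block devices is `lsblk`, so suggest `install util-linux (apk add util-linux) and find your device using the lsblk command`. In the rewritten introduction, `dm-crypt (which is managed by the cryptsetup command) and its LUKS subsystem is used` has a plural subject and should read `are used`.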
Line 18: Line 15:
 
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.
 
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.
  
 +
== Preparing the Temporary Installation Environment ==
  
 +
Before you begin to install Alpine Linux, prepare the temporary environment:
  
== Preparing the Temporary Installation Environment ==
+
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.
  
Before you begin to install Alpine Linux, prepare the temporary environment:
+
Run the scripts in this order:
  
{{Note|All settings in this section apply only to the temporary environment and not to the later installed Alpine Linux on your hard disk.}}
+
<pre># setup-keymap
 +
# setup-hostname
 +
# setup-interfaces
 +
# rc-service networking start</pre>
  
* Boot the latest Alpine Linux Installation CD.
+
If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.
  
* At the login prompt, use the <code>root</code> user without password to log in.
+
<pre># passwd
 +
# setup-timezone
 +
# rc-update add networking boot
 +
# rc-update add urandom boot
 +
# rc-update add acpid default
 +
# rc-service acpid start</pre>
  
* Optionally, set the keyboard language:
+
Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain':
 +
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}
 +
{{Cat|/etc/hosts|127.0.0.1      <hostname> <hostname>.<domain> localhost localhost.localdomain
 +
::1            <hostname> <hostname>.<domain> localhost localhost.localdomain}}
  
# setup-keymap
 
  
: The default keyboard mapping is <code>us-us</code>
+
{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}
  
* Configure the network interface:
+
<pre># setup-apkrepos
 +
# apk update
 +
# setup-sshd
 +
# setup-ntp</pre>
  
# setup-interfaces
+
Now we will deviate from the install script.
  
: If you set a static IP address, additionally configure DNS be able to resolve host names:
+
Install the following packages required to set up LVM and LUKS:
  
# setup-dns
+
{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}
  
* Enable the network interface. For example:
+
<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre>
  
# ifup eth0
+
Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:
  
* Set an apk repository and update the cache:
+
<pre># apk add haveged
 +
# rc-service haveged start</pre>
  
# setup-apkrepos
+
== Creating the Partition Layout ==
# apk update
 
  
* Install the following packages required to set up LVM and LUKS:
+
=== BIOS/MBR with DOS disklabel ===
  
# apk add haveged lvm2 cryptsetup e2fsprogs syslinux
+
We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI.
  
: Optionally, you can install a different editor, such as <code>nano</code>, to edit files in later steps if you do not want to use VI.
+
<pre>+---------------------------+------------------------+-----------------------+
 +
| Partition name            | Partition purpose      | Filesystem type      |
 +
+---------------------------+------------------------+-----------------------+
 +
| /dev/sda1                | Boot partition        | ext4                  |
 +
| /dev/sda2                | LUKS container        | LUKS                  |
 +
| |-> /dev/mapper/lvmcrypt  | LVM container          | LVM                  |
 +
|  |-> /dev/vg01/root      | Root partition        | ext4                  |
 +
|  |-> /dev/vg01/swap      | Swap partition        | swap                  |
 +
+---------------------------+------------------------+-----------------------+</pre>
  
* Optionally, start the <code>haveged</code> service for unpredictable random numbers used for encryption:
+
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}
  
# rc-service haveged start
+
Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.
  
 +
<pre># parted -a optimal
 +
(parted) mklabel msdos
 +
(parted) mkpart primary ext4 0% 100M
 +
(parted) name 1 boot
 +
(parted) set 1 boot on
 +
(parted) mkpart primary ext4 100M 100%
 +
(parted) name 2 crypto-luks</pre>
  
 +
To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:
 +
<pre>(parted) print
 +
Model: ATA TOSHIBA ******** (scsi)
 +
Disk /dev/sda: 1000GB
 +
Sector size (logical/physical): 512B/4096B
 +
Partition Table: msdos
 +
Disk Flags:
  
== Creating the Partition Layout ==
+
Number  Start  End    Size    Type    File system  Flags
 +
1      1049kB  99.6MB  98.6MB  primary  ext4        boot
 +
2      99.6MB  1000GB  1000GB  primary  ext4</pre>
  
Linux requires an unencrypted <code>/boot/</code> partition to boot. You can assign the remaining space for the encrypted LVM physical volume (PV).
+
=== UEFI with GPT disklabel ===
  
* Start the <code>fdisk</code> utility to set up partitions:
+
We will be encrypting the whole disk but the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not already unlocked. The partitioning scheme will look like this:
  
  # fdisk /dev/vda
+
<pre>+---------------------------+------------------------+-----------------------+
 +
| Partition name            | Partition purpose      | Filesystem type      |
 +
+---------------------------+------------------------+-----------------------+
 +
| /dev/sda1                | EFI system partition  | fat32                |
 +
| /dev/sda2                | LUKS container        | LUKS                  |
 +
| |-> /dev/mapper/lvmcrypt | LVM container          | LVM                  |
 +
|  |-> /dev/vg01/root      | Root partition        | ext4                  |
 +
|  |-> /dev/vg01/boot      | Boot partition        | ext4                  |
 +
|  |-> /dev/vg01/swap      | Swap partition        | swap                  |
 +
+---------------------------+------------------------+-----------------------+</pre>
  
:* Create the <code>/boot/</code> partition:
+
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}
::* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>1</code> &rarr; <code>1</code> &rarr; <code>100m</code> to create a new 100 MB primary partition.
 
  
:* Set the <code>/boot/</code> partition active:
+
Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.
::* Enter <code>a</code> &rarr; <code>1</code>.
 
  
:* Create the LVM PV partition:
+
<pre># parted -a optimal
::* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>2</code> to start creating the next partition. Press <code>Enter</code> to select the default start cylinder. Enter the size of partition. For example, <code>512m</code> for 512 MB or <code>5g</code> for 5 GB. Alternatively press <code>Enter</code> to set the maximum available size.
+
(parted) mklabel gpt
 +
(parted) mkpart primary fat32 0% 200M
 +
(parted) name 1 esp
 +
(parted) set 1 esp on
 +
(parted) mkpart primary ext4 200M 100%
 +
(parted) name 2 crypto-luks</pre>
  
:* Set the partition type for the LVM PV:
+
== Optional: Overwrite LUKS Partition with Random Data ==
::* Enter <code>t</code> &rarr; <code>2</code> &rarr; <code>8e</code>
 
  
:* To verify the settings, press <code>p</code>. The output shows, for example:
+
This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.
  
    Device Boot    Start      End    Blocks  Id System
+
We will be using <code>haveged</code> as it is considerably faster than <code>/dev/urandom</code> when generating pseudo-random numbers (it's almost as high as <code>/dev/zero</code> in throughput), and is (supposedly) very close to truly random.
/dev/vda1  *          1      100      50368+  83 Linux
 
/dev/vda2            101    10402    5192208  8e Linux LVM
 
  
* Press <code>w</code> to save the changes.
+
<pre># haveged -n 0 | dd of=/dev/sda2</pre>
  
* Optionally, wipe the LVM PV partition with random values:
+
== Encrypting the LVM Physical Volume Partition ==
  
# haveged -n 0 | dd of=/dev/vda2
+
To encrypt the partition which will later contain the LVM PV, you could either use the default settings (aes-xts-plain64 cipher with 256-bit key and Argon2 hashing with iter-time 2000ms), or you could use these settings which have added security with the trade-off being a non-noticeable decrease in performance in modern computers:
  
: Depending on the size of the partition, this process can take several minutes to hours.
+
Default settings:
  
 +
<pre># cryptsetup luksFormat /dev/sda2</pre>
  
 +
Optimized for security:
  
== Encrypting the LVM Physical Volume Partition ==
+
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre>
  
* To encrypt the partition which will later contain the LVM PV:
+
== Creating the Logical Volumes and File Systems ==
  
# cryptsetup luksFormat /dev/vda2
+
Open the LUKS partition:
  
:{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping when prompting for the password to encrypt the partition at boot time. If you changed the keyboard map in the temporary environment, the password you enter during encrypting the partition in this step, may not match the password you will enter during the system boots.}}
+
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre>
: If you prefer setting an individual hashing algorithm and hashing schema:
 
:* To run a benchmark:
 
  
# cryptsetup benchmark
+
Create the PV on <code>lvmcrypt</code>:
  
:* To encrypt the partition using individual settings, enter, for example:
+
<pre># pvcreate /dev/mapper/lvmcrypt</pre>
  
# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2
+
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:
  
 +
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre>
  
 +
=== LV Creation fro BIOS/MBR ===
  
== Creating the Logical Volumes and File Systems ==
+
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).
  
* Open the LUKS partition:
+
<pre># lvcreate -L 2G vg0 -n swap
 +
# lvcreate -l 100%FREE vg0 -n root</pre>
  
# cryptsetup open --type luks /dev/vda2 lvmcrypt
+
The LVs created in the previous steps are automatically marked active. To verify, enter:
  
* Create the PV on <code>/dev/vda</code>:
+
<pre># lvscan</pre>
  
# pvcreate /dev/mapper/lvmcrypt
+
=== LV Creation for UEFI/GPT ===
  
* Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:
+
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).
  
# vgcreate vg0 /dev/mapper/lvmcrypt
+
<pre># lvcreate -L 2G vg0 -n swap
 +
# lvcreate -L 2G vg0 -n boot
 +
# lvcreate -l 100%FREE vg0 -n root</pre>
  
* Create the LVs:
+
The LVs created in the previous steps are automatically marked active. To verify, enter:
  
: In the following you will create a LV for the root partition. However, you can use the same command with a different LV name to create further LVs for other mount points you want to create.
+
<pre># lvscan</pre>
  
:* To create a 2 GB LV named <code>root</code> in the <code>vg0</code> VG:
+
== Creating and Mounting the File Systems ==
  
# lvcreate -L 2G vg0 -n root
+
Format the <code>root</code> and <code>boot</code> LVs using the ext4 file system:
  
: Create a 512 MB swap LV:
+
<pre># mkfs.ext4 /dev/vg0/root</pre>
  
# lvcreate -L 512M vg0 -n swap
+
Format the swap LV:
  
* The LVs created in the previous steps are automatically marked active. To verify, enter:
+
<pre># mkswap /dev/vg0/swap</pre>
  
# lvscan
+
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:
  
: Format the <code>root</code> LV using the ext4 file system:
+
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre>
  
# mkfs.ext4 /dev/vg0/root
+
Next format your boot partition, create a mount point and mount it:
  
: If you created further LVs in the previous step, create the file systems on them using the same command with the path to the LV.
+
* If you're using BIOS and MBR:
  
* Format the swap LV:
+
<pre># mkfs.ext4 /dev/sda1
 +
# mkdir -v /mnt/boot
 +
# mount -t ext4 /dev/sda1 /mnt/boot</pre>
  
# mkswap /dev/vg0/swap
+
* If you're using UEFI and GPT:
  
* Format the <code>/dev/vda1</code> device for the <code>/boot/</code> partition using the ext4 file system:
+
<pre># apk add dosfstools
 +
# mkfs.fat -F32 /dev/sda1
 +
# mkfs.ext4 /dev/vg0/boot
 +
# mkdir -v /mnt/boot
 +
# mount -t ext4 /dev/vg0/boot /mnt/boot
 +
# mkdir -v /mnt/boot/efi
 +
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre>
  
# mkfs.ext4 /dev/vda1
+
Lastly, activate your swap partition:
  
 +
<pre># swapon /dev/vg0/swap</pre>
  
 +
== Installing Alpine Linux ==
  
== Mounting the File Systems ==
+
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:
  
Before you can install Alpine Linux, you must mount the partitions and LVs:
+
<pre># setup-disk -m sys /mnt/</pre>
  
* Mount the root LV to the <code>/mnt/</code> directory:
+
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.
  
# mount -t ext4 /dev/vg0/root /mnt/
+
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}
  
* Create <code>/mnt/boot/</code> directory and mount the <code>/dev/vda1</code> partition in this directory:
+
To get the UUID of your storage device into a file for later use, use this command:
  
# mkdir /mnt/boot/
+
<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre>
# mount -t ext4 /dev/vda1 /mnt/boot/
 
  
: If you created further partitions or LVs, create the mount points within the <code>/mnt/</code> directory and mount the devices.
+
To enable the operating system to decrypt the PV at boot time, create the {{Path|/mnt/etc/crypttab}} file. Enter the following line into the file to decrypt the <code>/dev/sda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:
  
== Installing Alpine Linux ==
+
<pre>lvmcrypt    UUID=<UUID>    none    luks</pre>
  
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:
+
{{Tip|To easily read the UUID into this file so you don't have to type it manually, open it in <code>vi</code>, then type <code>:r ~/uuid</code> to load the UUID onto a new line.}}
  
* Install Alpine Linux:
+
{{Note|To enable TRIM append <code>discard</code> after <code>luks</code> in <code>/mnt/etc/crypttab</code> (coma separated). If LVM is being used you'll also need to change <code>issue_discards</code> to equal 1 in <code>/mnt/etc/lvm.conf</code>. You will then want to add a cron job for <code>/sbin/fstrim</code> to run periodically. Be aware that there are security risks involved when enabling TRIM with LUKS.}}
  
# setup-disk -m sys /mnt/
 
  
: The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the <code>fstab</code> file, which are currently mounted in the <code>/mnt/</code> directory.
+
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:
  
: {{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}
+
<pre>/dev/vg0/swap    swap    swap    defaults    0 0</pre>
  
* To enable the operating system to decrypt the PV at boot time, create the <code>/mnt/etc/crypttab</code> file. Enter the following line into the file to decrypt the <code>/dev/vda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:
+
Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:
  
lvmcrypt    /dev/vda2    none    luks
+
<pre>features="... cryptsetup"</pre>
  
* The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the <code>/mnt/etc/fstab</code> file:
+
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}
  
/dev/vg0/swap    swap    swap    defaults    0 0
+
{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot.}}
  
* Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:
 
  
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u>"
+
Rebuild the initial RAM disk:
  
* Rebuild the initial RAM disk:
+
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre>
  
# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)
+
The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.
  
: The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.
+
== Installing a bootloader ==
 +
=== Syslinux with BIOS ===
  
* Edit the <code>/mnt/etc/update-extlinux.conf</code> file and append the following kernel options to the <code>default_kernel_opts</code> parameter:
+
Install the Syslinux package:
  
default_kernel_opts="... <u>cryptroot=/dev/vda2 cryptdm=lvmcrypt</u>"
+
<pre># apk add syslinux</pre>
  
: The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.
+
Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:
  
* Because the <code>update-extlinux</code> utility operators only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:
+
<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre>
  
# chroot /mnt/
+
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system, and the <code>cryptdm</code> parameter sets the name of the mapping previously set in <code>crypttab</code>.
# update-extlinux
 
# exit
 
  
: Ignore the errors the <code>update-extlinux</code> utility displays.
+
Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:
  
* Write the MBR to the <code>/dev/vda</code> device:
+
<pre># chroot /mnt/
 +
# update-extlinux
 +
# exit</pre>
  
# dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda
+
: If an error occurs in the <code>update-extlinux</code> command you can most likely ignore it.
  
== Unmounting the Volumes and Partitions ==
+
Write the MBR to the <code>/dev/sda</code> device:
  
* Umount <code>/mnt/boot/</code> and <code>/mnt/</code>:
+
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre>
  
# umount /mnt/boot/
+
=== Grub with UEFI ===
# umount /mnt/
 
  
: {{Note|If you mounted further partitions or LVs below <code>/mnt/</code>, you must first unmount all of them before you can unmount <code>/mnt/</code>.}}
+
Mount the required filesystems for the Grub EFI installer to the installation:
  
* Disable the swap partition:
+
<pre># mount -t proc /proc /mnt/proc
 +
# mount --rbind /dev /mnt/dev
 +
# mount --make-rslave /mnt/dev
 +
# mount --rbind /sys /mnt/sys</pre>
  
# swapoff -a
+
Then chroot in and use <code>grub-install</code> to install Grub.
  
* Deactivate the VG:
+
<pre># chroot /mnt
 +
# source /etc/profile
 +
# export PS1="(chroot) $PS1"</pre>
  
# vgchange -a n
+
Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:
  
* Close the <code>lvmcrypt</code> device:
+
<pre># apk add grub grub-efi efibootmgr
 +
# apk del syslinux</pre>
  
# cryptsetup luksClose lvmcrypt
+
Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):
  
* Reboot the system:
+
<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt</pre>
  
# reboot
+
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.
  
 +
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
 +
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
 +
# (chroot) exit</pre>
  
 +
== Unmounting the Volumes and Partitions ==
  
 +
Unmount the <code>/mnt/</code> partitions and reboot:
  
 +
<pre># cd
 +
# umount -ql /mnt/dev
 +
# umount -R /mnt
 +
# reboot</pre>
  
 
= Troubleshooting =
 
= Troubleshooting =
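Review bot: both partition-layout tables name the volume group `vg01` (`/dev/vg01/root`, `/dev/vg01/swap`, `/dev/vg01/boot`) while every command that follows creates and uses `vg0` (`vgcreate vg0 /dev/mapper/lvmcrypt`, `lvcreate -L 2G vg0 -n swap`, `mkfs.ext4 /dev/vg0/root`); change the tables to `vg0` so a reader copying paths from the table does not hit missing devices. The UEFI paragraph states that an encrypted `/boot` prevents someone with physical access from installing a bootkit, but the GRUB EFI binary itself still lives on the unencrypted ESP mounted at `/boot/efi`, so the protection covers the kernel and initramfs only; suggest qualifying that sentence and pointing at the Secure boot section. The "Optimized for security" `luksFormat` line is described as costing a non-noticeable amount of performance, yet Serpent has no hardware acceleration comparable to AES-NI; keep the old revision's `cryptsetup benchmark` step so readers can measure before choosing. Typos: `LV Creation fro BIOS/MBR` should be `for`, and `(coma separated)` should be `comma`.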
Line 261: Line 333:
 
== General Procedure ==
 
== General Procedure ==
  
In case your system fails to boot, you can verify the settings and fix incorrect configurations:
+
In case your system fails to boot, you can verify the settings and fix incorrect configurations.
 +
 
 +
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.
 +
 
 +
Setup the LUKS partition and activate the LVs:
  
* [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]]
+
<pre># cryptsetup luksOpen /dev/sda2
 +
# vgchange -ay</pre>
  
* Activate the VGs:
+
[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]
  
# vgchange -a y
+
Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.
  
* [[#Mounting_the_File_Systems|Mount the file systems]]
+
== System can't find boot device ==
  
* Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary.
+
This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.
  
* [[#Unmounting_the_Volumes_and_Partitions|Unmount the volumes and partitions]]
+
== Secure boot ==
 +
 
 +
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.
  
 
= Hardening =
 
= Hardening =
  
* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or LoopAmnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup uses AES by default.
+
* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.
 +
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]
 +
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.
 +
 
 +
= See also =
 +
*[[Bootloaders]]
 +
*[[Alpine setup scripts]]
 +
*[[Installing on GPT LVM]]
 +
*[[Setting up LVM on GPT-labeled disks]]
 +
*[[Setting up disks manually]]
 +
*https://wiki.gentoo.org/wiki/Syslinux
 +
*https://wiki.gentoo.org/wiki/GRUB2
 +
*https://wiki.archlinux.org/index.php/Syslinux
 +
*https://wiki.archlinux.org/index.php/GRUB
 +
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide
  
 
[[Category:Storage]]
 
[[Category:Storage]]
 
[[Category:Security]]
 
[[Category:Security]]
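Review bot: in the General Procedure steps, `cryptsetup luksOpen /dev/sda2` is missing the mapping name and will not open the device; the installation section opens it as `cryptsetup luksOpen /dev/sda2 lvmcrypt`, and the same name is needed here so the `vg0` VG is found on `/dev/mapper/lvmcrypt` when `vgchange -ay` runs. The section link `[[#Creating_and_Mounting_the_File Systems|Mount the file systems]]` has a space instead of an underscore in `File Systems`, so the anchor will not resolve. In Hardening, `since by default cryptsetup with luks uses AES by default` repeats `by default`.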

Revision as of 00:22, 30 December 2019

Introduction

This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the cryptsetup command) and its LUKS subsystem are used.

Note that your /boot/ partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from Evil Maid attacks, but Syslinux doesn't support this.

Storage Device Name

To find your storage device's name, you could either install util-linux (apk add util-linux) and find your device using the lspci command, or you could make an educated guess by using BusyBox's blkid and df commands, and running ls /dev/sd* if you are installing to a USB, SATA or SCSI device, ls /dev/fd* for floppy disks and ls /dev/hd* for IDE (PATA) devices.

The following documentation uses the /dev/sda device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.

Setting up Alpine Linux Using LVM on Top of a LUKS Partition

To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the official installation procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.

Preparing the Temporary Installation Environment

Before you begin to install Alpine Linux, prepare the temporary environment:

Boot the latest Alpine Linux Installation CD. At the login prompt, log in as the root user without a password. Now we will follow the setup-alpine script and make our changes along the way.

Run the scripts in this order:

# setup-keymap
# setup-hostname
# setup-interfaces
# rc-service networking start

If you are configuring static networking (you didn't configure any interfaces to use DHCP), run setup-dns.

# passwd
# setup-timezone
# rc-update add networking boot
# rc-update add urandom boot
# rc-update add acpid default
# rc-service acpid start

Edit your /etc/hosts to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):

Tip: The default text editor in BusyBox is vi (pronounced vee-eye).

Contents of /etc/hosts

127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain


Note: In order to set up GRUB with UEFI, you are required to use the edge branch with the main and community repositories. The reason for this is that efibootmgr is not available in the stable branch. If you do not want to switch completely over to edge, you can do something called repository pinning. You will need to do this after the setup-apkrepos step.
# setup-apkrepos
# apk update
# setup-sshd
# setup-ntp

Now we will deviate from the install script.

Install the following packages required to set up LVM and LUKS:

Note: The parted partition editor is needed for advanced partitioning and GPT disklabels. BusyBox fdisk is a very stripped-down version with minimal functionality.
# apk add lvm2 cryptsetup e2fsprogs parted

Optionally, if you want to overwrite your storage with random data first, install haveged, which is a random number generator based on hardware events and has a higher throughput than /dev/urandom:

# apk add haveged
# rc-service haveged start

Creating the Partition Layout

BIOS/MBR with DOS disklabel

We will be partitioning the storage device with a non-encrypted /boot partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI.

+---------------------------+------------------------+-----------------------+
| Partition name            | Partition purpose      | Filesystem type       |
+---------------------------+------------------------+-----------------------+
| /dev/sda1                 | Boot partition         | ext4                  |
| /dev/sda2                 | LUKS container         | LUKS                  |
| |-> /dev/mapper/lvmcrypt  | LVM container          | LVM                   |
|  |-> /dev/vg0/root        | Root partition         | ext4                  |
|  |-> /dev/vg0/swap        | Swap partition         | swap                  |
+---------------------------+------------------------+-----------------------+
Warning: This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.


Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.

# parted -a optimal
(parted) mklabel msdos
(parted) mkpart primary ext4 0% 100M
(parted) name 1 boot
(parted) set 1 boot on
(parted) mkpart primary ext4 100M 100%
(parted) name 2 crypto-luks

To view your partition table, type print while still in parted. Your results should look something like this:

(parted) print
Model: ATA TOSHIBA ******** (scsi)
Disk /dev/sda: 1000GB
Sector size (logical/physical): 512B/4096B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  99.6MB  98.6MB  primary  ext4         boot
 2      99.6MB  1000GB  1000GB  primary  ext4

UEFI with GPT disklabel

We will be encrypting the whole disk except the EFI system partition, which is mounted at /boot/efi. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:

+---------------------------+------------------------+-----------------------+
| Partition name            | Partition purpose      | Filesystem type       |
+---------------------------+------------------------+-----------------------+
| /dev/sda1                 | EFI system partition   | fat32                 |
| /dev/sda2                 | LUKS container         | LUKS                  |
| |-> /dev/mapper/lvmcrypt  | LVM container          | LVM                   |
|  |-> /dev/vg0/root        | Root partition         | ext4                  |
|  |-> /dev/vg0/boot        | Boot partition         | ext4                  |
|  |-> /dev/vg0/swap        | Swap partition         | swap                  |
+---------------------------+------------------------+-----------------------+
Warning: This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.


Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.

# parted -a optimal
(parted) mklabel gpt
(parted) mkpart primary fat32 0% 200M
(parted) name 1 esp
(parted) set 1 esp on
(parted) mkpart primary ext4 200M 100%
(parted) name 2 crypto-luks

Optional: Overwrite LUKS Partition with Random Data

This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.

We will be using haveged as it is considerably faster than /dev/urandom when generating pseudo-random numbers (it's almost as high as /dev/zero in throughput), and is (supposedly) very close to truly random.

# haveged -n 0 | dd of=/dev/sda2

Encrypting the LVM Physical Volume Partition

To encrypt the partition which will later contain the LVM PV, you can either use the default settings (aes-xts-plain64 cipher with a 256-bit key and Argon2 hashing with an iter-time of 2000ms), or use the following settings, which add security at the cost of a performance decrease that is not noticeable on modern computers:

Default settings:

# cryptsetup luksFormat /dev/sda2

Optimized for security:

# cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2

Creating the Logical Volumes and File Systems

Open the LUKS partition:

# cryptsetup luksOpen /dev/sda2 lvmcrypt

Create the PV on lvmcrypt:

# pvcreate /dev/mapper/lvmcrypt

Create the vg0 LVM VG in the /dev/mapper/lvmcrypt PV:

# vgcreate vg0 /dev/mapper/lvmcrypt

LV Creation for BIOS/MBR

This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after # lvcreate -L).

# lvcreate -L 2G vg0 -n swap
# lvcreate -l 100%FREE vg0 -n root

The LVs created in the previous steps are automatically marked active. To verify, enter:

# lvscan

LV Creation for UEFI/GPT

This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after # lvcreate -L).

# lvcreate -L 2G vg0 -n swap
# lvcreate -L 2G vg0 -n boot
# lvcreate -l 100%FREE vg0 -n root

The LVs created in the previous steps are automatically marked active. To verify, enter:

# lvscan

Creating and Mounting the File Systems

Format the root LV using the ext4 file system:

# mkfs.ext4 /dev/vg0/root

Format the swap LV:

# mkswap /dev/vg0/swap

Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the /mnt/ directory:

# mount -t ext4 /dev/vg0/root /mnt/

Next format your boot partition, create a mount point and mount it:

  • If you're using BIOS and MBR:
# mkfs.ext4 /dev/sda1
# mkdir -v /mnt/boot
# mount -t ext4 /dev/sda1 /mnt/boot
  • If you're using UEFI and GPT:
# apk add dosfstools
# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/vg0/boot
# mkdir -v /mnt/boot
# mount -t ext4 /dev/vg0/boot /mnt/boot
# mkdir -v /mnt/boot/efi
# mount -t vfat /dev/sda1 /mnt/boot/efi

Lastly, activate your swap partition:

# swapon /dev/vg0/swap

Installing Alpine Linux

In this step you will install Alpine Linux in the /mnt/ directory, which contains the mounted file system structure:

# setup-disk -m sys /mnt/

The installer downloads the latest packages to install the base system. It also creates the entries for the mount points in the /etc/fstab file of the new system, which is currently mounted at /mnt/.

Note: The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.

To get the UUID of your storage device into a file for later use, use this command:

# blkid -s UUID -o value /dev/sda2 > ~/uuid

To enable the operating system to decrypt the PV at boot time, create the /mnt/etc/crypttab file. Enter the following line into the file to decrypt the /dev/sda2 partition using the luks module and map it to the lvmcrypt name:

lvmcrypt    UUID=<UUID>    none    luks
Tip: To easily read the UUID into this file so you don't have to type it manually, open it in vi, then type :r ~/uuid to load the UUID onto a new line.
Note: To enable TRIM, append discard after luks in /mnt/etc/crypttab (comma-separated). If LVM is being used you'll also need to set issue_discards to 1 in /mnt/etc/lvm.conf. You will then want to add a cron job to run /sbin/fstrim periodically. Be aware that there are security risks involved when enabling TRIM with LUKS.


The swap LV is not automatically added to the fstab file. To add it manually, add the following line to the /mnt/etc/fstab file:

/dev/vg0/swap    swap    swap    defaults    0 0

Edit the /mnt/etc/mkinitfs/mkinitfs.conf file and append the cryptsetup module to the features parameter:

features="... cryptsetup"
Note: Alpine Linux uses the en-us keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the keymap feature to the list above.
Note: Check the output of mkinitfs -L and add the features necessary for your system to boot. You may need to add kms in order to see a password prompt at boot.


Rebuild the initial RAM disk:

# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)

The command uses the settings from the mkinitfs.conf file set in the -c parameter to generate the RAM disk. The command is executed in the /mnt/ directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the $(ls /mnt/lib/modules/) option, mkinitfs tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the setup-disk utility.

Installing a bootloader

Syslinux with BIOS

Install the Syslinux package:

# apk add syslinux

Edit /mnt/etc/update-extlinux.conf and append the following kernel options to the default_kernel_opts parameter, replacing <UUID> with the UUID of /dev/sda2:

default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"

The cryptroot parameter sets the name of the device that contains the root file system, and the cryptdm parameter sets the name of the mapping previously set in crypttab.

Because the update-extlinux utility operates only on the /boot/ directory, temporarily change the root to the /mnt/ directory and update the boot loader configuration:

# chroot /mnt/
# update-extlinux
# exit
If an error occurs in the update-extlinux command you can most likely ignore it.

Write the MBR to the /dev/sda device:

# dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda

Grub with UEFI

Mount the file systems the GRUB EFI installer needs into the new installation:

# mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --make-rslave /mnt/dev
# mount --rbind /sys /mnt/sys

Then chroot in and use grub-install to install Grub.

# chroot /mnt
# source /etc/profile
# export PS1="(chroot) $PS1"

Install GRUB2 for EFI and (optionally) remove syslinux:

# apk add grub grub-efi efibootmgr
# apk del syslinux

Edit /etc/default/grub and add the following kernel options to the GRUB_CMDLINE_LINUX_DEFAULT parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, /dev/sda2):

cryptroot=UUID=<UUID> cryptdm=lvmcrypt

The cryptroot parameter sets the name of the device that contains the root file system. The cryptdm parameter sets the name of the mapping previously set in the crypttab file.

# (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg
# (chroot) exit

Unmounting the Volumes and Partitions

Unmount the /mnt/ partitions and reboot:

# cd
# umount -ql /mnt/dev
# umount -R /mnt
# reboot

Troubleshooting

General Procedure

In case your system fails to boot, you can verify the settings and fix incorrect configurations.

Reboot and repeat the steps in the Preparing the Temporary Installation Environment section.

Open the LUKS partition and activate the LVs:

# cryptsetup luksOpen /dev/sda2 lvmcrypt
# vgchange -ay

Mount the file systems as described in the Creating and Mounting the File Systems section.

Verify that you run the steps described in the Installing Alpine Linux section correctly. Update the configuration if necessary, unmount the partitions, then reboot.
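Most boot failures after this procedure come from the files edited in the Installing Alpine Linux and bootloader sections disagreeing with each other: a crypttab entry without a UUID= source, a mkinitfs features list that never got cryptsetup, or a cryptroot=UUID=.../cryptdm=... pair that does not match crypttab. The following script is an added example for this verification step; it is not from the Alpine wiki or from Alpine's own tooling. Point check_cryptroot_config at the still-mounted new root (/mnt) before rebooting, or at the re-mounted root while troubleshooting. The function names, the sample UUID and the file contents written by make_sample_root are constructed for the demonstration and do not describe any real system.

```shell
#!/bin/sh
# Added example, not part of the Alpine wiki or Alpine's tooling: sanity-check
# the files edited during an LVM-on-LUKS install before rebooting.
# Usage: check_cryptroot_config /mnt   (the new root, still mounted)

# First non-comment, non-empty line of a file (empty if the file is missing).
first_entry() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -v '^[[:space:]]*$' | head -n 1
}

# Pull cryptroot=UUID=... and cryptdm=... out of a kernel option string.
kernel_opts_uuid() { printf '%s\n' "$1" | sed -n 's/.*cryptroot=UUID=\([^ "]*\).*/\1/p'; }
kernel_opts_dm()   { printf '%s\n' "$1" | sed -n 's/.*cryptdm=\([^ "]*\).*/\1/p'; }

# Returns 0 when crypttab, mkinitfs.conf and the bootloader options agree.
check_cryptroot_config() {
    root=${1:-/mnt}
    rc=0

    # 1. crypttab: "<name>  UUID=<uuid>  none  luks[,discard]"
    entry=$(first_entry "$root/etc/crypttab")
    dm_name=$(printf '%s\n' "$entry" | awk '{print $1}')
    uuid=$(printf '%s\n' "$entry" | awk '{print $2}' | sed 's/^UUID=//')
    [ -n "$dm_name" ] || { echo "FAIL: no mapping entry in $root/etc/crypttab"; rc=1; }
    case "$uuid" in
        *-*-*-*-*) ;;   # looks like a UUID
        *) echo "FAIL: crypttab source is not UUID=<uuid> (got '$entry')"; rc=1 ;;
    esac

    # 2. The initramfs can only unlock the PV if the cryptsetup feature is built in.
    features=$(sed -n 's/^features="\(.*\)"/\1/p' "$root/etc/mkinitfs/mkinitfs.conf" 2>/dev/null)
    case " $features " in
        *" cryptsetup "*) ;;
        *) echo "FAIL: mkinitfs.conf features lack cryptsetup (got '$features')"; rc=1 ;;
    esac

    # 3. Bootloader options: Syslinux (update-extlinux.conf) or GRUB (default/grub).
    cfg=""
    if [ -f "$root/etc/update-extlinux.conf" ]; then
        cfg=$root/etc/update-extlinux.conf
        opts=$(sed -n 's/^default_kernel_opts="\(.*\)"/\1/p' "$cfg")
    elif [ -f "$root/etc/default/grub" ]; then
        cfg=$root/etc/default/grub
        opts=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/\1/p' "$cfg")
    fi
    if [ -z "$cfg" ]; then
        echo "FAIL: neither update-extlinux.conf nor default/grub found under $root/etc"; rc=1
    else
        boot_uuid=$(kernel_opts_uuid "$opts")
        boot_dm=$(kernel_opts_dm "$opts")
        [ "$boot_uuid" = "$uuid" ] ||
            { echo "FAIL: $cfg cryptroot UUID '$boot_uuid' != crypttab UUID '$uuid'"; rc=1; }
        [ "$boot_dm" = "$dm_name" ] ||
            { echo "FAIL: $cfg cryptdm '$boot_dm' != crypttab name '$dm_name'"; rc=1; }
    fi

    # 4. setup-disk does not add the swap LV; warn (not fail) if it is missing.
    grep -q '^[^#]*[[:space:]]swap[[:space:]]' "$root/etc/fstab" 2>/dev/null ||
        echo "WARN: no swap entry in $root/etc/fstab"

    [ "$rc" -eq 0 ] && echo "OK: $root unlocks $dm_name from UUID $uuid"
    return "$rc"
}

# Build a throw-away tree with constructed sample contents (not a real system),
# so the check can be exercised without a target disk. $2 goes into crypttab,
# $3 into the Syslinux kernel options, so a mismatch can be simulated.
make_sample_root() {
    dir=$1
    mkdir -p "$dir/etc/mkinitfs"
    printf 'lvmcrypt\tUUID=%s\tnone\tluks\n' "$2" > "$dir/etc/crypttab"
    printf 'features="ata base ide scsi usb virtio ext4 cryptsetup"\n' \
        > "$dir/etc/mkinitfs/mkinitfs.conf"
    printf 'default_kernel_opts="quiet rootfstype=ext4 cryptroot=UUID=%s cryptdm=lvmcrypt"\n' \
        "$3" > "$dir/etc/update-extlinux.conf"
    printf '/dev/vg0/root\t/\text4\trw,relatime\t0 1\n/dev/vg0/swap\tswap\tswap\tdefaults\t0 0\n' \
        > "$dir/etc/fstab"
}

# Demonstration on constructed trees: one consistent, one with a stale UUID.
SAMPLE_UUID=0f3d6b2c-1234-4abc-9def-000000000001   # constructed, not from any device
demo=$(mktemp -d)
make_sample_root "$demo/good" "$SAMPLE_UUID" "$SAMPLE_UUID"
make_sample_root "$demo/stale" "$SAMPLE_UUID" ffffffff-0000-0000-0000-000000000000
check_cryptroot_config "$demo/good"
check_cryptroot_config "$demo/stale" || echo "(exit status $?)"
rm -rf "$demo"
```

On a real install run check_cryptroot_config /mnt from the live environment after the bootloader step; a non-zero exit means the initramfs would not be able to find or unlock the PV, which is the usual cause of the "can't find root" prompt at boot. The script only reads files, so it is safe to run repeatedly while fixing the configuration.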

System can't find boot device

This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.

Secure boot

If secure boot complains of an unsigned bootloader, you can either disable it or adapt this guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.

Hardening

  • To harden, you should disable DMA[1] and install a hardened version of AES (TRESOR[2] or Loop-Amnesia[3]), since cryptsetup with LUKS uses AES by default.
  • Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[4]
  • Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

See also