Setting up encrypted volumes with LUKS

From Alpine Linux

LUKS allows encrypting a partition and mapping it as a virtual block device, which can then be used as a normal partition. Guides for other Linux distributions should serve as general references for installing Alpine onto a LUKS-encrypted disk.

The installer has built-in support for encryption. The default installer will not encrypt the swap partition or the boot partition. To set up Alpine Linux with an encrypted swap partition, refer to LVM on LUKS. The GRUB bootloader supports BIOS and EFI boot with an encrypted boot partition.

mkinitfs and LUKS

For those familiar with setting up FDE on other Linux distributions, the only Alpine-specific knowledge required is an understanding of mkinitfs.

First of all, the cryptsetup feature needs to be added to /etc/mkinitfs/mkinitfs.conf. Additionally, the following kernel parameters are required:

  • cryptroot: should point to the encrypted block device.
  • root: should point to the mapped block device (e.g. the ext4/btrfs volume that is exposed once the encrypted partition is unlocked).
  • rootfstype: the filesystem type of the root partition (e.g. btrfs).
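
One way to check both requirements before rebooting, as an added example that is not part of the original page or of Alpine's own tooling. The function names are hypothetical, and the UUIDs and the temporary config file are constructed sample input.

```sh
#!/bin/sh
# Added example: pre-reboot check for the mkinitfs requirements listed above.
# Function names are hypothetical; the script only reads its inputs.

# has_feature CONF FEATURE: true if FEATURE is a word in the features="..." line
has_feature() {
    feats=$(sed -n 's/^[[:space:]]*features=//p' "$1" | tail -n 1 | tr -d "\"'")
    for f in $feats; do
        if [ "$f" = "$2" ]; then return 0; fi
    done
    return 1
}

# cmdline_value CMDLINE KEY: print the value of KEY=value, fail if KEY is absent
cmdline_value() {
    for tok in $1; do
        case "$tok" in
            "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# check_luks_boot CONF CMDLINE: print each problem, return the number found
check_luks_boot() {
    problems=0
    has_feature "$1" cryptsetup || {
        echo "missing: cryptsetup in features of $1"; problems=$((problems + 1)); }
    for key in cryptroot root rootfstype; do
        cmdline_value "$2" "$key" >/dev/null || {
            echo "missing kernel parameter: $key"; problems=$((problems + 1)); }
    done
    # cryptroot is the encrypted device, root the mapped one: they must differ
    cr=$(cmdline_value "$2" cryptroot) || cr=""
    rt=$(cmdline_value "$2" root) || rt=""
    if [ -n "$cr" ] && [ "$cr" = "$rt" ]; then
        echo "cryptroot and root both point at $cr"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample input (placeholder UUIDs, not from a real system)
sample_conf=$(mktemp)
echo 'features="ata base scsi virtio ext4 cryptsetup"' > "$sample_conf"
sample_cmdline='cryptroot=UUID=11111111-1111-1111-1111-111111111111 root=UUID=22222222-2222-2222-2222-222222222222 rootfstype=ext4 quiet'
check_luks_boot "$sample_conf" "$sample_cmdline" && echo "ok: cryptsetup feature and kernel parameters present"
rm -f "$sample_conf"
```

On a real system the inputs would be /etc/mkinitfs/mkinitfs.conf and the kernel command line taken from the bootloader configuration.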

See also