Setting up encrypted volumes with LUKS
LUKS allows encrypting a partition and mapping it as a virtual block device, which can then be used as a normal partition. Guides for other Linux distributions should serve as a general references for installing Alpine onto a LUKS encrypted disk.
The installer has built-in support for encryption. The default installer will not encrypt the swap partition and the boot partition. To setup Alpine Linux with an encrypted swap partition, refer to LVM on LUKS. The GRUB bootloader supports BIOS and EFI boot with an encrypted boot partition.
Decrypting non-root volumes during boot
Differently to other Linux distributions, Alpine does not use the file /etc/crypttab. Instead, to have an encrypted volume be decrypted prior to automatically mounting it somewhere via /etc/fstab, you must configure dmcrypt in /etc/conf.d/dmcrypt. The comments inside that file should guide you, but as a simple example, here's what you should include in that file to decrypt and map a partition to some volume named, say, “myvolume”, given its UUID (here represented using a series of Xs), using a passphrase:
target=myvolume source=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
In /etc/fstab, then, you would include the following line:
/dev/mapper/myvolume <path> <fstype> <options>
substituting in the proper parameters.
mkinitfs and LUKS
For those familiar with setting up FDE on other Linux distributions, this section contains only Alpine-specific knowledge required is understanding mkinitfs.
First of all, the cryptsetup feature needs to be added to /etc/mkinitfs/mkinitfs.conf. Additionally, the following kernel parameters are required:
cryptrootkernel parameter should point to the encrypted block device.cryptdm: the name that will be given to the device.rootkernel parameter should point to the mapped block device:/dev/mapper/<name used in cryptdm>.rootfstype: the filesystem type of the root partition (e.g.:btrfs).
For example if you use grub with GPT partition table, no LVM and ext4 you will have in /etc/default/grub:
GRUB_TIMEOUT=2 GRUB_DISABLE_SUBMENU=y GRUB_DISABLE_RECOVERY=true GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4 quiet rootfstype=ext4 cryptroot=UUID=a7dc90c4-6746-417e-b25b-cb8769ee6334 cryptdm=alpine-rootfs root=/dev/mapper/alpine-rootfs" GRUB_PRELOAD_MODULES="luks cryptodisk part_gpt" GRUB_ENABLE_CRYPTODISK=y