Encrypted rootfs with Alpine Linux

Posted on 2020-10-08 by ungleich

Introduction

This is a short guide on how to encrypt your root filesystem on Alpine Linux. This article assumes an EFI-based system.

Booting Alpine Linux

Use the standard Alpine Linux installer to boot. Prepare networking and apkrepos:

setup-interfaces

If you are in an IPv6-only network, set up a nameserver by hand, because at the moment Alpine Linux does not start rdnssd by default. The following works for VMs on Data Center Light:

echo nameserver 2a0a:e5c0:2:a::a > /etc/resolv.conf

Then setup the repos:

setup-apkrepos

Optional, if you want to continue the installation remotely from another computer via ssh:

setup-sshd

Then add your ssh key to /root/.ssh/authorized_keys. We are using the key.wf service for staff at ungleich; wherever you fetch the key from, look at the file afterwards, since whatever ends up in it has root on the new system:

mkdir -p /root/.ssh/
wget -O ~/.ssh/authorized_keys  key.wf/nico

Create partitions

In this guide we assume you create 3 partitions, based on GPT:

  • /boot: a vfat partition usable for EFI boot (usually ~500MB)
  • swap: the swap partition (usually ~half RAM)
  • root: the partition containing the root filesystem

In the following sections we assume your disk is /dev/sda, so the three partitions are /dev/sda1, /dev/sda2 and /dev/sda3. If you are using NVMe, your disk might be /dev/nvme0n1 and the partitions /dev/nvme0n1p1 and so on. Note that only the root partition is encrypted in this layout: /boot (GRUB, kernel and initramfs) and swap stay in clear text, so memory paged out to swap ends up on disk unencrypted. The swap partition is also not formatted anywhere in this guide; mkswap /dev/sda2 does that if you want to use it.

apk add gptfdisk
gdisk /dev/sda
# create a new partition table (o) if none exists or you want to start clean
# create the three partitions (n); set the type of /dev/sda1 to EF00 (EFI System),
# /dev/sda2 to 8200 (Linux swap) and leave /dev/sda3 at 8300 (Linux filesystem),
# then write the table (w)

Format partitions

mkfs.vfat /dev/sda1
apk add cryptsetup

# Enter YES (in capitals) and your passphrase twice; everything on /dev/sda3 is overwritten
cryptsetup luksFormat /dev/sda3

# Open the container as /dev/mapper/rootfs. The name only matters during the
# installation: at boot the initramfs opens it under the cryptdm= name given
# on the kernel command line (see below)
cryptsetup luksOpen /dev/sda3 rootfs

# Create filesystem
apk add e2fsprogs
mkfs.ext4 /dev/mapper/rootfs

# Mount filesystems
mount /dev/mapper/rootfs /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

Configure initramfs

We need to enable rootfs decryption on boot. For this, add cryptsetup to the feature list in /etc/mkinitfs/mkinitfs.conf, so that the initramfs contains the cryptsetup binary and the dm-crypt kernel modules:

hike:/etc# cat /etc/mkinitfs/mkinitfs.conf
features="ata base ide scsi usb virtio ext4 cryptsetup"

Regenerate the initramfs:

mkinitfs

Configure and install the bootloader

We will be using grub for booting:

apk add grub-efi efibootmgr

Update /etc/default/grub so that GRUB_CMDLINE_LINUX_DEFAULT contains the cryptroot and cryptdm kernel parameters. cryptroot= names the LUKS container and cryptdm= the name under which the initramfs opens it (here /dev/mapper/root). The initramfs also accepts cryptroot=UUID=<uuid>, with the UUID printed by cryptsetup luksUUID /dev/sda3; that form keeps the system bootable if device names change, for example after adding a disk:

hike:/# cat /etc/default/grub
GRUB_DISTRIBUTOR="Alpine"
GRUB_TIMEOUT=2
GRUB_DISABLE_SUBMENU=y
GRUB_DISABLE_RECOVERY=true
GRUB_CMDLINE_LINUX_DEFAULT="cryptroot=/dev/sda3 cryptdm=root"

Regenerate the grub configuration:

grub-mkconfig -o /mnt/boot/grub/grub.cfg

Verify that both parameters ended up on the kernel line (the file is /mnt/boot/grub/grub.cfg if you are not chrooted into the new system):

hike:/# grep crypt /boot/grub/grub.cfg
        linux   /vmlinuz-lts root=UUID=fa67b307-e155-47d8-98a6-4930131b5cd3 ro  modules=sd-mod,usb-storage,ext4 nomodeset quiet rootfstype=ext4 cryptroot=/dev/sda3 cryptdm=root
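The following helper script is an added example; it is not part of the original post and not Alpine's own tooling. It performs the two configuration edits from the previous sections idempotently (adding cryptsetup to the mkinitfs feature list, and setting cryptroot/cryptdm in /etc/default/grub), addresses the LUKS container by UUID instead of /dev/sda3, and checks the grub.cfg written by grub-mkconfig before you install the bootloader. It assumes a POSIX sh with busybox-compatible sed, grep and awk, as on the Alpine installer; all file paths are parameters and the UUID in the demo is made up, so the demo at the bottom touches only temporary files.

```sh
#!/bin/sh
# Added example (not from the original post, not Alpine's own tooling):
# idempotent helpers for the two config edits in this guide plus a check on
# the generated grub.cfg. Assumes POSIX sh with busybox-compatible sed, grep
# and awk (as on the Alpine installer). File paths are parameters, so the
# demo at the bottom only touches temporary files.
set -eu

# Print the UUID of a LUKS container (for real use, e.g. luks_uuid_of /dev/sda3).
luks_uuid_of() {
    cryptsetup luksUUID "$1"
}

# Return 0 if FEATURE is already in the features="..." line of CONF.
mkinitfs_has_feature() {
    conf=$1; feature=$2
    line=$(sed -n 's/^features="\(.*\)"$/\1/p' "$conf")
    for f in $line; do
        [ "$f" = "$feature" ] && return 0
    done
    return 1
}

# Append FEATURE to the features="..." line of CONF unless it is already there.
add_mkinitfs_feature() {
    conf=$1; feature=$2
    mkinitfs_has_feature "$conf" "$feature" && return 0
    sed -i "s/^features=\"\(.*\)\"\$/features=\"\1 $feature\"/" "$conf"
}

# Set cryptroot=UUID=LUKS_UUID cryptdm=DM_NAME in GRUB_CMDLINE_LINUX_DEFAULT.
# Existing cryptroot=/cryptdm= tokens are dropped; other parameters are kept.
# Addressing the container by UUID instead of /dev/sda3 keeps the system
# bootable when device names change (extra disk, USB stick, NVMe renumbering).
set_grub_cryptroot() {
    grub_default=$1; luks_uuid=$2; dm_name=$3
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$grub_default")
    kept=""
    for tok in $current; do
        case $tok in
            cryptroot=*|cryptdm=*) ;;
            *) kept="$kept $tok" ;;
        esac
    done
    new=${kept# }
    new="${new:+$new }cryptroot=UUID=$luks_uuid cryptdm=$dm_name"
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub_default"; then
        sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$grub_default"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" >> "$grub_default"
    fi
}

# Return 0 if CFG has at least one kernel line and every kernel line carries
# both cryptroot= and cryptdm=; offending lines go to stderr. Run this on the
# grub.cfg written by grub-mkconfig before installing the bootloader.
check_grub_cfg() {
    cfg=$1
    awk '
        /^[[:space:]]*linux[[:space:]]/ {
            seen++
            if ($0 !~ /cryptroot=[^[:space:]]+/ || $0 !~ /cryptdm=[^[:space:]]+/) {
                print "missing cryptroot/cryptdm: " $0 > "/dev/stderr"
                bad++
            }
        }
        END { exit (seen == 0 || bad > 0) }
    ' "$cfg"
}

# Demo on constructed files. The UUID is made up; on a real system use
# "$(luks_uuid_of /dev/sda3)" and the paths /etc/mkinitfs/mkinitfs.conf,
# /etc/default/grub and /mnt/boot/grub/grub.cfg.
demo() {
    tmp=$(mktemp -d)
    printf 'features="ata base ide scsi usb virtio ext4"\n' > "$tmp/mkinitfs.conf"
    printf 'GRUB_TIMEOUT=2\nGRUB_CMDLINE_LINUX_DEFAULT="cryptroot=/dev/sda3 cryptdm=root"\n' > "$tmp/grub"
    add_mkinitfs_feature "$tmp/mkinitfs.conf" cryptsetup
    add_mkinitfs_feature "$tmp/mkinitfs.conf" cryptsetup   # no-op the second time
    set_grub_cryptroot "$tmp/grub" 1b2c3d4e-0000-4000-8000-000000000001 root
    cat "$tmp/mkinitfs.conf" "$tmp/grub"
    # a kernel line without the parameters must be rejected
    printf '\tlinux /vmlinuz-lts root=UUID=x ro quiet\n' > "$tmp/grub.cfg"
    check_grub_cfg "$tmp/grub.cfg" || echo "grub.cfg check failed as expected"
    rm -rf "$tmp"
}
demo
```

On a real install the calls are add_mkinitfs_feature /etc/mkinitfs/mkinitfs.conf cryptsetup, set_grub_cryptroot /etc/default/grub "$(luks_uuid_of /dev/sda3)" root, then mkinitfs and grub-mkconfig as in the text, and check_grub_cfg /mnt/boot/grub/grub.cfg before grub-install. The check deliberately fails when grub-mkconfig found no kernel at all, which is what you see when it was run against the wrong root.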

Install grub; afterwards efibootmgr -v should list a boot entry pointing at the GRUB EFI binary on /dev/sda1:

grub-install --efi-directory /mnt/boot

Install to disk

All changes so far have been done in RAM. Let's persist them:

setup-disk /mnt

Final step

If everything went well so far, it is time to reboot. The initramfs will ask for the LUKS passphrase before mounting the root filesystem; on the booted system, cryptsetup status root should show the mapping backed by /dev/sda3. The usual steps like setting up the root password or the hostname have been skipped for the sake of brevity. Before you put data on the machine, back up the LUKS header (cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file <file>) and keep it off this disk: a damaged header makes the whole partition unrecoverable, passphrase or not. Keep in mind that /boot and swap are not encrypted in this layout.

Enjoy your encrypted Alpine Linux!