~adnano/adnano.co

ref: 4783f9fe192c637cdec61d4a06cf69ec7343ad11 adnano.co/content/2020-12-12-alpine-setup.gmi -rw-r--r-- 5.5 KiB
4783f9feAdnan Maolood Fix content titles 3 months ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
---
title: "Alpine Linux: Setup with full-disk encryption"
---

In this tutorial we'll be installing Alpine Linux with full-disk encryption.

## Download

First, you'll need to download Alpine Linux and create bootable media.

=> https://alpinelinux.org/downloads/ Alpine Linux downloads

```
sha256sum -c alpine.iso.sha256
dd if=alpine.iso of=/dev/sdx # sdx is the bootable media device
```

## Setup

Boot from the bootable media. Login as the user 'root' and run the setup script.

```
setup-alpine
```

When prompted for a disk to use, choose 'none'. We'll be setting up disks manually.

## Disks

This tutorial will use the device /dev/nvme0n1, which is an NVME device.

We will use fdisk to partition the disk.

```
fdisk /dev/nvme0n1
```

Type m to see the available commands.

We need to create two partitions:

- The boot partition, 100MiB in size.
- The root partition, taking up the remainder of available space.

Type o to create a new DOS partition table.

For the boot partition, type n to create a new partition, choose p for primary partition and 1 for the partition number, leave the first sector as is, and choose +100M for the last sector.

Type a and choose partion number 1 to make the boot partition bootable.

For the root partition, type n to create a new partition, choose p for primary partition and 2 for the partition number, leave the first sector as is, and leave the last sector as is. The root partition should take up the remainder of the available disk space.

Type p to verify that you made the correct changes.
Type w to write the changes to disk and exit.

We will only be encrypting the root partition. The boot partition must be unencrypted so that we can boot from it.

First install the required packages.

```
apk add cryptsetup e2fsprogs
```

Now create the boot partition filesystem.

If using BIOS:

```
mkfs.ext4 /dev/nvme0n1p1
```

If using UEFI:

```
mkfs.vfat /dev/nvme0n1p1
```

Now encrypt the root partition.

```
cryptsetup luksFormat /dev/nvme0n1p2
```

This will encrypt the second partition of the NVME device. It will prompt you for a password to use.

Tip: to view long help messages, pipe the output into less:

```
cryptsetup --help | less
```

Now open the parition and give it to a memorable name:

```
cryptsetup open /dev/nvme0n1p2 cryptroot
```

The encrypted device will now be available as /dev/mapper/cryptroot.

Now make an ext4 filesystem on the root partition.

```
mkfs.ext4 /dev/mapper/cryptroot
```

## Installation

First, install the required packages:

```
apk add syslinux
```

Mount the encrypted root on /mnt.

```
mount /dev/mapper/cryptroot /mnt
```

Mount the boot partition.

```
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
```

Install Alpine Linux to disk.

```
setup-disk /mnt
```

Create the file /mnt/etc/crypttab and map the device to the name 'cryptroot'.

```
cryptroot UUID=<UUID> none luks
```

Tip: you can store the UUID with:

```
blkid -s UUID -o value /dev/sda2 > uuid
```

And load it from within vi with:

```
:r uuid
```

Edit /mnt/etc/update-extlinux.conf.
Change the value of 'root' to /dev/mapper/cryptroot.
Specify the cryptroot and cryptdm options. In cryptroot, specify the UUID of the device root. In cryptdm, specify the name we mapped the device to, which was cryptroot.

While you are at it you can remove 'nomodeset' from default_kernel_opts if you want to enable graphics later on.

```
# ...
default_kernel_opts="quiet rootfstype=ext4 cryptroot=UUID=<UUID> cryptdm=cryptroot"
root=/dev/mapper/cryptroot
```

Chroot into the root filesystem and run update-extlinux.

```
chroot /mnt
update-extlinux
exit
```

Modify the mkinitfs.conf file and add the following features.
kms is for Kernel Mode Setting, which is needed for graphics to work properly later on.
nvme is required to allow booting from an NVME device.
cryptsetup is required to boot from an encrypted partition.

```
features="... kms nvme cryptsetup"
```

Now rebuild the initramfs.

```
mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt $(ls /mnt/lib/modules)
```

We are almost done. Just a few more steps to make things bootable.

If we were booting using BIOS and MBR, only one more step would be needed, which would be to write the master boot record:

```
dd if=/usr/share/syslinux/mbr.bin of=/dev/nvme0n1
```

Unfortunately with UEFI things are slightly more complicated.

Make a 'syslinux' directory in the boot partition.
Copy syslinux files to the syslinux directory.

```
mkdir /mnt/boot/syslinux
cp /usr/share/syslinux/efi64/* /mnt/boot/syslinux/
```

Copy extlinux.conf to the syslinux directory.

```
cp /mnt/boot/extlinux.conf /mnt/boot/syslinux/syslinux.cfg
```

Edit the syslinux.cfg file and prepend vmlinuz-lts and initramfs-lts with a forward slash.
You'll have to do this every time update-extlinux is run.

Now add an entry to your UEFI boot system.

```
apk add efibootmgr
efibootmgr --create --disk /dev/nvme0n1 --part 1 --loader "/syslinux/syslinux.efi" --label "Linux" --edd 3
# Shorter version:
efibootmgr -c -d /dev/nvme0n1 -p 1 -l "/syslinux/syslinux.efi" -L "Linux" -e 3
```

We specify --edd 3 because efibootmgr sometimes fails to detect EDD 3.0.

Unmount all filesystems and reboot from hard disk.
If everything worked properly, then you should be prompted for your password to unlock the root filesystem.

```
umount /mnt/boot
umount /mnt
reboot
```

And now you have successfully installed Alpine Linux.

## Troubleshooting

Should anything go wrong, you can boot from the bootable media and remount the filesystems.

```
apk add cryptsetup
cryptsetup open /dev/nvme0n1p2 cryptroot
mount /dev/mapper/cryptroot /mnt
mount /dev/nvme0n1p1 /mnt/boot
```