Setting up basic LUKS encrypted alpine install.
One for Boot and one for the rest. Make the boot partition bootable.
/dev/sda1 - Boot /dev/sda2 - LUKS
Create the encrypted block.
cryptsetup -y -v luksFormat /dev/sda2 cryptsetup open /dev/sda2 cryptroot mkfs.ext4 /dev/mapper/cryptroot mount /dev/mapper/cryptroot /mnt
Confirm its working as expected.
umount /mnt cryptsetup close cryptroot cryptsetup open /dev/sda2 cryptroot mount /dev/mapper/cryptroot /mnt
Format the boot partition. This will be in plain text.
mkfs.ext4 /dev/sda1 mkdir /boot mount /dev/sda1 /mnt/boot
Install the base system to the mounted and unlocked encrypted partition. Make sure that you've mounted the boot partition because it will also install the necessary files there.
setup-disk -m sys /mnt
cd /mnt mount --bind /dev dev mount -t devpts devpts dev/pts mount -t tmpfs tmpfs dev/shm mount -t proc proc proc mount -t sysfs sysfs sys chroot /mnt /bin/ash
Add information about the encrypted file system.
echo "cryptroot /dev/sda2 none luks" > /etc/crypttab
We also need to make sure that root and boot are mounted automatically via
/dev/sda1 /boot ext4 defaults 0 2 /dev/mapper/cryptroot / ext4 errors=remount-ro 0 1
Make sure that kernel can be start by loading the drivers needed to deal with an encrypted device.
/etc/mkinitfs/mkinitfs.conf- Features should include cryptsetup
/etc/update-extlinux.conf- defaultkernelopts should include "cryptroot=/dev/sda2" and "cryptdm=cryptroot"
Rebuild initramfs with the new options.
apk fix linux-grsec
You can ignore the error from extlinux:
/boot is device /dev/sda1 extlinux: cannot open device /dev/sda1
This is related to the bootloader.
dd bs=440 count=1 conv=notrunc if=/usr/share/syslinux/mbr.bin of=/dev/sda