File system encryption in Alpine Linux
This is similar to my previous article Encrypting Filesystem in Void Linux but for Alpine Linux
The point of this recipe is to create a encrypted file sytem so that when the disc is disposed, it does not need to be securely erased. This is particularly important for SSD devices since because of block remapping (for wear levelling) data can't be overwritten consistently.
The idea is that the boot/root filesystem containing the encryption keys are stored in a different device as the encrypted file system.
Create block devices
apk add lvm2 cryptsetup dd if=/dev/urandom of=/etc/crypto_keyfile.bin bs=1024 count=4 chmod 000 /etc/crypto_keyfile.bin cryptsetup luksFormat /dev/xda2 /etc/crypto_keyfile.bin cryptsetup luksOpen --key-file=/etc/crypto_keyfile.bin /dev/xda2 crypt-pool
Look up the UUID
dmcrypt service configuration in
target=crypt-pool source="UUID=xxxxxxxxxxxxxxxxxxxxxxxxxxxx" key=/etc/crypto_keyfile.bin
And enable it with this command:
rc-update add dmcrypt boot
At this point it would be good to backup:
Reboot and make sure that the block device gets created on start-up.
Add to LVM:
vgcreate pool /dev/mapper/crypt-pool lvcreate --name home0 -L 20G pool
Create your file-system and add it to