Add a crypt data volume to Alpine 3.17

Add a crypt data volume to Alpine 3.17

This is how to setup a data volume on an already configured Alpine 3.17 system.

The disk is at: /dev/sdb, it also could be /dev/vdb

Creating partitions

You can even skip this step and use all the disk at once. Just rename sdb1 to sdb in other commands & scripts.

fdisk /dev/sdb

Enter the keyboard sequence:

# p
# n
# p
# 1
# ENTER
# ENTER
# p
# w

Creating LUKS setup

apk add --update cryptsetup lsblk

Creating the LUKS/LVM/EXT4 partition

Make the LUKS drive:

cryptsetup benchmark --cipher=aes-xts-plain64
# Source: https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_with_dm-crypt
# Use --pbkdf=pbkdf2 for Grub to be able to unlock at boot time
cryptsetup luksFormat --cipher=aes-xts-plain64 --key-size=512 --hash=sha512 --pbkdf=pbkdf2 /dev/sdx1
cryptsetup luksDump /dev/sdx1
cryptsetup luksOpen /dev/sdx1 enc_storage

Create LVM and ext4 into it:

mkfs.ext4 /dev/mapper/enc_storage

Mount it:

mkdir /mnt/storage
lsblk
echo -e "/dev/mapper/enc_storage\t/mnt/storage\text4\tdefaults\t0\t0\n" >> /etc/fstab
mount -a
lsblk
df -h

Helper script

I often put this in ~/open.sh to help unlocking the system when I have forgot the commands.

#!/bin/sh -exu

cryptsetup luksOpen /dev/sdb1 enc_storage
mount -a -v
#echo 'Starting docker'
#rc-service docker start
#echo 'Waiting 4sec for Docker to start'
#sleep 4
echo 'Done !'

Or crypttab

See: https://manpages.ubuntu.com/manpages/focal/en/man5/crypttab.5.html - initramfs "This option is specific to the Debian crypttab format. It's not supported by systemd." - luks "Force LUKS mode" - discard "Allow using of discards (TRIM) requests for device"

Use lsblk -o uuid,mountpoint,path | grep -F "/dev/sdb1" Add enc_storage UUID=xxx-xxx-xx-xx-xxxx none luks,discard,initramfs to /etc/crypttab And update-initramfs -c -k $(uname -r)

See: https://serverfault.com/a/1101450/336084