diff --git a/docs/alpine-desktop-setup/provisioning.md b/docs/alpine-desktop-setup/provisioning.md index ea6b5a5..a44b392 100644 --- a/docs/alpine-desktop-setup/provisioning.md +++ b/docs/alpine-desktop-setup/provisioning.md @@ -9,7 +9,7 @@ To set it up `setup-interfaces` and `setup-apkrepos` will be used. # setup-apkrepos -c1 ``` -Because the Alpine Linux ISO is pretty minimal a few packages will have to be installed first: +A few packages will have to be installed first: ``` # apk add cryptsetup lvm2 lsblk e2fsprogs gptfdisk dosfstools @@ -28,10 +28,19 @@ Then to create the filesystem on the efi partition. # mkfs.fat -F 32 -n efi /dev/ ``` -And the encrypted filesystem on the root partition. +The root partition of the system is going to be encrypted using `cryptsetup` but first generate a "key" that has to be used to unlock the device. Later on in the guide `clevis` will be used for automatic decryption so this key only has to be entered a few times before that is installed. But if any changes are made to the bios or secureboot then this key will be needed again so make sure to write it down somewhere safe like Bitwarden. Generate the key and safe it temporarily to the file `/tmp/crypt_passphrase.txt` with: ``` -# cryptsetup luksFormat /dev/ --type luks2 +# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 > /tmp/crypt_passphrase.txt && cat /tmp/crypt_passphrase.txt +``` + +Make sure to write it down. + +Then format the partition using `cryptsetup`: + +``` +# cryptsetup luksFormat /dev/ --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 4000 --key-size 512 --pbkdf argon2id --verify-passphrase +[Enter the generated key] # cryptsetup open --type luks /dev/ luks ```
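Review bot: in the first hunk (`@@ -9,7 +9,7 @@`), the reworded sentence no longer says what the packages are for. The later steps depend on `cryptsetup` and the filesystem tools from this `apk add` line, so name the purpose, for example "A few packages needed for partitioning and encryption will have to be installed first:".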
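Review bot: in the second hunk (`@@ -28,10 +28,19 @@`), the generated passphrase is redirected into `/tmp/crypt_passphrase.txt` with whatever umask the shell has, and none of the added steps removes the file afterwards. Set `umask 077` before the redirect and add a step that deletes the file once the key has been recorded. The file is also never passed to `cryptsetup luksFormat`. The reader is expected to type the 32 characters at the prompt, and again for `--verify-passphrase`, so either state that explicitly or drop the temporary file. Smaller points: "safe it temporarily" should read "save it temporarily", "Make sure to write it down." repeats the instruction in the paragraph above it, `[Enter the generated key]` sits inside the command block where it reads like a command, and `cat /dev/urandom | tr ...` can be written as `tr ... < /dev/urandom`.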