2.2 KiB
Users
It might be nice to add a user to your system.
Doas
Before creating the user install doas
for when root is requiered:
# apk add doas
Also configure doas
through /etc/doas.d/main.conf
:
permit persist :wheel as root
permit nopasss :wheel cmd poweroff
permit nopasss :wheel cmd reboot
Adding a user
Adding a user in alpine can be done using the setup-user
script. Here we can specify the name, fullname, groups and more:
# setup-user -g wheel,plugdev,_seatd,nix -f <"Full Name"> <username>
# passwd <username>
It's also recommended to only have an "admin" account which is in the wheel group.
Don't login yet if you want to encrypt the directory.
If you have checked that doas
works with the user then you can lock the root account because it's insecure to keep open. This can be done with:
# passwd -l root
And editing /etc/passwd
to change the login shell from /bin/ash
to /sbin/nologin
:
root:x:0:0:root:/root:/sbin/nologin
Encrypting the home directory
If you are running a system with multiple users or if you want an extra layer of protection then it's possible to encrypt every user's home directory.
Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.
Setup
First install the fscrypt
, e2fsprogs-extra
and util-linux-login
packages:
# apk add fscrypt e2fsprogs-extra util-linux-login
Then make sure our filesystem has the encrypt
feature enabled and setup fscrypt
on the home directory:
# tune2fs -O encrypt /dev/vg<m>/home<n>
# fscrypt setup
# fscrypt setup /home
And edit /etc/pam.d/login
and adding these lines to their corresponding sections:
auth optional pam_fscrypt.so
...
session optional pam_fscrypt.so
Encrypting a user's home
Encrypt the directory with:
# fscrypt encrypt /home/<username> --user=<username>
[Enter 1 so that it's unlocks when the user logs in]
Then login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run:
$ fscrypt status /home/<username>