Install Alpine Linux on a Raspberry Pi 3

Installing Alpine Linux on a Raspberry Pi 3

Step by step

1. Download the image

Since we have a Raspberry Pi 3B we should be using the aarch64 version.

# Get the OpenPGP signing key and import it into our keyring
# It will be used to verify the integrity of the downloaded archive
wget -O- | gpg --import -

# Download the archive, the SHA256 sum and GPG signature

# Verify SHA256 sum (once the .iso is fully downloaded)
% sha256sum alpine-rpi-3.18.4-aarch64.tar.gz                                                                                                                        ec0c111a465b2fcf8190b45d5b8c41cf9c8b9160f9eb3153590076f8ca1a9942  alpine-rpi-3.18.4-aarch64.tar.gz
% cat alpine-rpi-3.18.4-aarch64.tar.gz.sha256                                                                                                                       ec0c111a465b2fcf8190b45d5b8c41cf9c8b9160f9eb3153590076f8ca1a9942  alpine-rpi-3.18.4-aarch64.tar.gz

# Verify OpenPGP signature
% gpg --verify alpine-rpi-3.18.4-aarch64.tar.gz.asc
gpg: assuming signed data in 'alpine-rpi-3.18.4-aarch64.tar.gz'
gpg: Signature made Thu 28 Sep 2023 03:04:58 PM CEST
gpg:                using RSA key 0482D84022F52DF1C4E7CD43293ACD0907D9495A
gpg: Good signature from "Natanael Copa <>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0482 D840 22F5 2DF1 C4E7  CD43 293A CD09 07D9 495A

All good.

If something is wrong here, either your GNUPG setup is wrong or the files you downloaded are wrong. This should not happen. If it does, well, you’re on your own, but do not try to install something that does not match the cryptographic specifications: it must have been tampered with.

2. Format the SD card

  1. Make a DOS partition table
  2. Make a FAT32 (vfat) partition
  3. Format the partition
sudo fdisk -w always /dev/sdb1 <<EOF
mkdosfs -F32 /dev/sdb1

3. Make it bootable

This requires the syslinux package. The following command assumes you’re running Debian:

sudo apt install syslinux
sudo dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/mbr/mbr.bin of=/dev/sdb

4. Extract Alpine archive to the device

mkdir -p /media/mmcblk0p1
sudo mount -t vfat /dev/sdb1 /media/mmcblk0p1
sudo tar -p -s --atime-preserve --same-owner --one-top-level=/media/mmcblk0p1 -zxvf alpine-rpi-3.18.4-aarch64.tar.gz

Now you may want to add the headless overlay and associated configuration:

sudo cp headless.apkovl.tar.gz /media/mmcblk0p1
# Add the authorized_file (with your own SSH public key)
cp ~/.ssh/ authorized_keys
chmod 0600 authorized_keys
sudo cp authorized_keys /media/mmcblk0p1
# Add the wireless configuration
cat > wpa_supplicant.conf <<EOF

    psk="this is not the actual password but should be"
sudo cp wpa_supplicant.conf /media/mmcblk0p1

5. Boot the Pi and setup Alpine Linux

Unmount the SD card safely:

sudo umount /media/mmcblk0p1

Put the SD Card into the Pi and boot it. You should have a working SSH on the Pi’s IP address on port 22 where root can login without a password. Run setup-alpine.

You should use diskless mode. It did not work for me at first. I had to modify the /etc/fstab file to add:

echo "/dev/mmcblk0p1 /media/mmcblk0p1 vfat auto,rw 0 2" >> /etc/fstab
mkdir /media/mmcblk0p1
setup-apkcache /media/mmcblk0p1

Change repositories:

cat > /etc/apk/repositories <<EOF

Then I could fix the install:

apk update
apk upgrade
# This final step is REQUIRED to keep configurations over reboots!
lbu commit -d

6. Add some configurations before rebooting

Let’s add a firewall:

apk add ufw
ufw default deny incoming
ufw allow ssh
ufw enable

lbu commit -d

And configure SSH to only allow the ssh group with public key authentication:

addgroup ssh
adduser root ssh
adduser $USER ssh
sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i -e 's/#PubkeyAuthentication no/PubkeyAuthentication yes/' /etc/ssh/sshd_config
echo "AllowGroupes ssh" >> /etc/ssh/sshd_config

/etc/init.d/sshd reload

lbu commit -d

7. reboot

Run the reboot command and connect to your IP address. You’re in! Now you can add more packages…

ssh -i ~/.ssh/id_ed25519