Encrypted NixOS (including swap and /boot) using btrfs
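#!/usr/bin/env bash
# Provision an encrypted NixOS layout on one disk: LUKS on /boot, swap and
# root; btrfs subvolumes on root; and a keyfile, stored on the encrypted root,
# that is enrolled on the other devices so the passphrase is typed only once.
#
# Run as root from the NixOS installer, after partitioning the disk and after
# `nixos-generate-config --root /mnt` (the last step edits configuration.nix).
#
# Environment (all optional):
#   DISK          target disk; partitions are ${DISK}1 (boot), ${DISK}2 (swap)
#                 and ${DISK}3 (root). Default: /dev/sda.
#   NIXOS_CONFIG  configuration.nix that receives the crypttab entries.
#                 Default: /mnt/etc/nixos/configuration.nix.
#
# Notes:
# * https://wiki.archlinux.org/title/dm-crypt/Device_encryption
# * https://nixos.wiki/wiki/Full_Disk_Encryption
# * https://mutschler.dev/linux/ubuntu-btrfs-20-04/#add-a-key-file-to-type-luks-passphrase-only-once-optional-but-recommended
# * https://discourse.nixos.org/t/how-to-unlock-some-luks-devices-with-a-keyfile-on-a-first-luks-device/18949
set -euo pipefail

DISK=${DISK:-/dev/sda}
NIXOS_CONFIG=${NIXOS_CONFIG:-/mnt/etc/nixos/configuration.nix}
readonly boot_part="${DISK}1" swap_part="${DISK}2" root_part="${DISK}3"
# Path of the keyfile as the installed system sees it, and the same file as
# reachable during installation (the new root is mounted at /mnt).
readonly keyfile_rel=/etc/luks/boot_os.keyfile
readonly keyfile="/mnt${keyfile_rel}"
readonly btrfs_opts=compress=zstd,noatime,space_cache=v2,autodefrag

die() { printf '%s\n' "$*" >&2; exit 1; }

# Run cryptsetup with the passphrase supplied on stdin as a single line.
# Keeping it on stdin (rather than argv) means it never shows up in `ps` or a
# `set -x` trace. Reads the global PASSPHRASE; "$@" is the action and operands.
luks() {
  printf '%s\n' "$PASSPHRASE" | cryptsetup "$@"
}

# `read` must run in the current shell; `$(read ...)` would read inside a
# subshell and assign an empty string. -r keeps backslashes, -s hides input.
read -rsp 'Enter passphrase for encrypted devices: ' PASSPHRASE
printf '\n'
[[ -n "$PASSPHRASE" ]] || die 'empty passphrase'
# A typo here locks you out of a freshly formatted disk, so ask twice.
read -rsp 'Confirm passphrase: ' confirm
printf '\n'
[[ "$PASSPHRASE" == "$confirm" ]] || die 'passphrases do not match'
unset confirm

# --batch-mode skips the interactive "Are you sure?" confirmation so the piped
# stdin is consumed only as the passphrase.
# /boot must be unlockable by the bootloader: GRUB handles LUKS1, but not the
# LUKS2/argon2id format recent cryptsetup defaults to, so pin LUKS1 there.
luks --batch-mode -v luksFormat --type luks1 "$boot_part"
luks --batch-mode -v luksFormat "$swap_part"
luks --batch-mode -v luksFormat "$root_part"
luks open "$boot_part" cryptboot
luks open "$swap_part" cryptswap
luks open "$root_part" cryptroot

mkfs.vfat -n boot /dev/mapper/cryptboot
mkswap /dev/mapper/cryptswap
swapon /dev/mapper/cryptswap
mkfs.btrfs /dev/mapper/cryptroot

# Subvolume layout. root-blank is a read-only snapshot of the still-empty root
# subvolume, kept so the root can later be rolled back to a pristine state.
mount -t btrfs /dev/mapper/cryptroot /mnt
for subvol in root home nix persist log; do
  btrfs subvolume create "/mnt/${subvol}"
done
btrfs subvolume snapshot -r /mnt/root /mnt/root-blank
umount /mnt

# Mount the root subvolume first; the mountpoints for the other subvolumes must
# be created inside it. (Creating them on /mnt before the mount would leave
# them hidden underneath the mounted root, and the mounts below would fail.)
mount -o "subvol=root,${btrfs_opts}" /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot /mnt/home /mnt/nix /mnt/persist /mnt/var/log
mount -o "subvol=home,${btrfs_opts}" /dev/mapper/cryptroot /mnt/home
mount -o "subvol=nix,${btrfs_opts}" /dev/mapper/cryptroot /mnt/nix
mount -o "subvol=persist,${btrfs_opts}" /dev/mapper/cryptroot /mnt/persist
mount -o "subvol=log,${btrfs_opts}" /dev/mapper/cryptroot /mnt/var/log
mount /dev/mapper/cryptboot /mnt/boot

# The keyfile lives on the encrypted root, so it is only readable after root
# has been unlocked with the passphrase. Write it under /mnt (the new system),
# not the installer's own /etc, and create it exactly once: regenerating it
# would orphan every keyslot already enrolled with the previous contents.
install -d -m 0500 "$(dirname "$keyfile")"
if [[ -e "$keyfile" ]]; then
  die "${keyfile} already exists; refusing to overwrite an enrolled keyfile"
fi
( umask 077 && dd if=/dev/urandom of="$keyfile" bs=4096 count=1 status=none )
chmod 0400 "$keyfile"
# luksAddKey reads the existing passphrase from stdin and enrolls the keyfile
# as an additional slot on each device.
for dev in "$boot_part" "$swap_part" "$root_part"; do
  luks luksAddKey "$dev" "$keyfile"
done

# Post-boot crypttab: boot and swap are unlocked with the keyfile once the
# root filesystem is up. Root itself is not listed — the keyfile is stored on
# it, so root has to be opened by the initrd with the passphrase (in NixOS,
# boot.initrd.luks.devices; that side is not part of this script — confirm it
# is present in your configuration).
[[ -f "$NIXOS_CONFIG" ]] \
  || die "${NIXOS_CONFIG} not found; run 'nixos-generate-config --root /mnt' first"
boot_uuid=$(blkid -s UUID -o value "$boot_part")
swap_uuid=$(blkid -s UUID -o value "$swap_part")
# Insert the attribute before the closing brace of the top-level set (the
# generated configuration.nix ends with a lone `}` line). GNU sed `i\` syntax:
# each inserted line ends with a backslash continuation.
sed -i "/^}\$/i\\
  environment.etc.crypttab.text = ''\\
    cryptboot UUID=${boot_uuid} ${keyfile_rel}\\
    cryptswap UUID=${swap_uuid} ${keyfile_rel}\\
  '';" "$NIXOS_CONFIG"

# Drop the passphrase from the environment once it is no longer needed.
unset PASSPHRASE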