Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
NixOS install with encrypted /boot /root with single password unlock

Requirements

  1. Encrypt everthing including /boot and /root
  2. Enter password once
  3. Support UEFI

Installation media setup

Download NixOS minimal iso and copy to USB stick. For example on Mac OSX

$ diskutil list
$ diskutil unmountDisk /dev/disk1 # Make sure you got right device
$ dd if=nixos-minimal-20.09.2405.e065200fc90-x86_64-linux.iso of=/dev/disk1

NixOS install

Boot from the USB stick and setup networking. (optionally setup SSH if you want to complete the install from another computer)

$ wpa_passphrase SSID 'PASSWORD' > /etc/wpa_supplicant.conf
$ systemctl start wpa_supplicant
$ systemctl start sshd
$ passwd # So we can login via SSH

Partitioning

I have 2 drives on my system: NVME SSD and a regular SATA drive. This is what the drives should look like after install. I use NVME SSD for booting and SATA drive as a /data mount.

NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                8:0    0 931.5G  0 disk
└─sda1             8:1    0 931.5G  0 part
  └─crypted-data 254:3    0 931.5G  0 crypt /data
nvme0n1          259:0    0 465.8G  0 disk
├─nvme0n1p1      259:1    0   549M  0 part  /boot/efi
└─nvme0n1p2      259:2    0 465.2G  0 part
  └─root         254:0    0 465.2G  0 crypt
    ├─vg-swap    254:1    0     4G  0 lvm   [SWAP]
    └─vg-root    254:2    0 461.2G  0 lvm   /

The only unecrypted partition is nvme0n1p1, which is mounted on /boot/efi. But rest of /boot is encrypted along with swap and root. /dev/sda1 is also encrypted and mounted as /data (Note: If you plan on extending /data with more drives, you should do LUKS-on-LVM )

Use Use gdisk to partition the drives

$ gdisk /dev/nvme0n1
  • o Create partition table
  • n Create new partition of size 550M and of type ef00
  • n Create another partition of type 8300 and use remainig space
  • p Show what gdisk will write
  • w Write to disk an exit
$ gdisk /dev/sda
  • o Create partition table
  • n Create another partition of type 8300 and use all space
  • p Show what gdisk will write
  • w Write to disk an exit

Generate keys for single password unlock

$ dd if=/dev/urandom of=./keyfile0.bin bs=1024 count=4
$ dd if=/dev/urandom of=./keyfile1.bin bs=1024 count=4

Setup LUKS and add the keys

# Enter the passphrase which is used to unlock disk. You will enter this in grub on every boot
$ cryptsetup luksFormat --type luks1 -c aes-xts-plain64 -s 256 -h sha512 /dev/nvme0n1p2

# Add a second key which will be used by nixos. You will need to enter the pasphrase from previous step
$ cryptsetup luksAddKey /dev/nvme0n1p2 keyfile0.bin
$ cryptsetup luksOpen /dev/nvme0n1p2 crypted-nixos -d keyfile0.bin

# For /data just the second random generated key
$ cryptsetup luksFormat -c aes-xts-plain64 -s 256 -h sha512 /dev/sda1 -d keyfile1.bin
$ cryptsetup luksOpen /dev/sda1 crypted-data -d keyfile1.bin

Setup LVM

$ pvcreate /dev/mapper/crypted-nixos
$ vgcreate vg /dev/mapper/crypted-nixos
$ lvcreate -L 4G -n swap vg
$ lvcreate -l '100%FREE' -n root vg

Format the partitions and mount

$ mkfs.fat -F 32 /dev/nvme0n1p1
$ mkswap -L swap /dev/vg/swap
$ mkfs.ext4 -L root /dev/vg/root
$ mkfs.ext4 -L data /dev/mapper/crypted-data
$ mount /dev/vg/root /mnt
$ mkdir -p /mnt/boot/efi
$ mount /dev/nvme0n1p1 /mnt/boot/efi
$ swapon /dev/vg/swap

Copy the keys

$ mkdir -p /mnt/etc/secrets/initrd/
$ cp keyfile0.bin keyfile1.bin /mnt/etc/secrets/initrd
$ chmod 000 /mnt/etc/secrets/initrd/keyfile*.bin

Generate and edit configuration

$ nixos-generate-config --root /mnt

Add the following to /etc/nixos/configuration.nix

  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";
  boot.loader.grub = {
    enable = true;
    device = "nodev";
    version = 2;
    efiSupport = true;
    enableCryptodisk = true;
  };
  
  boot.initrd = {
    luks.devices."root" = {
      device = "/dev/disk/by-uuid/a8b302cf-5296-4a2e-a7ba-707e6fa75123"; # UUID for /dev/nvme01np2 
      preLVM = true;
      keyFile = "/keyfile0.bin";
      allowDiscards = true;
    };
    secrets = {
      # Create /mnt/etc/secrets/initrd directory and copy keys to it
      "keyfile0.bin" = "/etc/secrets/initrd/keyfile0.bin";
      "keyfile1.bin" = "/etc/secrets/initrd/keyfile1.bin";
    };
};

# Data mount
fileSystems."/data" = {
  device = "/dev/disk/by-uuid/79630267-5766-4c7d-85a5-1d5f1dcd58ad"; # UUID for /dev/mapper/crypted-data
  encrypted = {
    enable = true;
    label = "crypted-data";
    blkDev = "/dev/disk/by-uuid/3476cb09-b3c4-4301-9ec9-84f60f32828a"; # UUID for /dev/sda1
    keyFile = "/keyfile1.bin";
  };
};
  

You can get the UUIDs by running

$ blkid

Install NixOS and reboot

$ nixos-install
$ reboot

Thats it! Once you reboot, GRUB will ask for the password. If password is correct, GRUB will show you the NixOS system profiles menu. After that, your system will boot without asking for the disk password.

Future work

If I enter an incorrect disk password, GRUB does not handle it gracefully. It will drop me into a shell without re-prompting for a password. I have to run the following commands for it to prompt again. Need to figure out if GRUB has an option for it to re-prompt.

cryptomount hdX,gptY    # Device to mount: drive X, GPT partition Y, this forces the re-prompt.
insmod normal           # Load the normal mode boot module.
normal                  # Enter normal mode and display the GRUB menu.

Credits

@EmilGedda

This comment has been minimized.

Copy link

@EmilGedda EmilGedda commented Jan 9, 2018

Nice guide.

Need to figure out if GRUB has an option for it to re-prompt.

This can be achieved with something like this in the GRUB rescue prompt:

cryptomount hdX,gptY    # Device to mount: drive X, GPT partition Y, this forces the re-prompt.
insmod normal           # Load the normal mode boot module.
normal                  # Enter normal mode and display the GRUB menu.

https://www.gnu.org/software/grub/manual/grub/html_node/cryptomount.html

@ladinu

This comment has been minimized.

Copy link
Owner Author

@ladinu ladinu commented Jan 10, 2018

Nice! Will give it a try. Definitely better than a hard reboot.

Although, I wonder how hard it would be to modify GRUB (or cryptomount) to re-prompt.

@lenzj

This comment has been minimized.

Copy link

@lenzj lenzj commented Aug 29, 2018

Thank you for posting this @ladinu! Very helpful and well written.

@ElvishJerricco

This comment has been minimized.

Copy link

@ElvishJerricco ElvishJerricco commented Sep 29, 2018

  extraInitrd = /boot/initrd.keys.gz;

I believe the use of path literal syntax will cause initrd.keys.gz to be placed in your nix store, allowing all users to read the file. Just putting the path in a string literal will have the same functionality but won't put it in the nix store.

Anyway thanks for this. Very useful!

@whoizit

This comment has been minimized.

Copy link

@whoizit whoizit commented Apr 6, 2019

you should not do LVM-on-LUKS for /data disk, cause you can extend your /data disks array with another disks (LVM spanning) only with LUKS-on-LVM
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LUKS_on_LVM
https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS

@starfys

This comment has been minimized.

Copy link

@starfys starfys commented Nov 25, 2019

Ran into some issues getting this working recently, because cryptsetup now defaults to LUKS2 when formatting, which is not compatible with GRUB. The fix is to modify the format line for the root partition as follows:

cryptsetup luksFormat --type luks1 -c aes-xts-plain64 -s 256 -h sha512 /dev/nvme0n1p2

The /data partition should not need this

@WolfangAukang

This comment has been minimized.

Copy link

@WolfangAukang WolfangAukang commented Dec 20, 2020

Hey, just wanted to provide some updates (Dec 2020) to anyone that came to this guide:

  • First, @starfys comment is totally accurate. Remember to specify the --type luks1 when encrypting the partition with root, as GRUB still does not support luks2, which is the default type used by cryptsetup.
  • Second, to avoid putting the password too many times, you can mount the encrypted partition with cryptsetup luksOpen /dev/sda1 -d keyfile1.bin crypted-name. Just remember to use the corresponding key.
  • The initrd part is obsolete. Now NixOS uses the boot.initrd.secrets section for this. So, for example, if I try to set up this guide with this new setting (plus other minimal fixes), it will look like this:
boot.initrd = {
  luks.devices."root" = {
    device = "/dev/disk/by-uuid/a8b302cf-5296-4a2e-a7ba-707e6fa75123"; # UUID for /dev/nvme01np2 
    preLVM = true;
    keyFile = "/keyfile0.bin";
    allowDiscards = true;
  };
  secrets = {
    # Create /mnt/etc/secrets/initrd directory and copy keys to it
    "keyfile0.bin" = "/etc/secrets/initrd/keyfile0.bin";
    "keyfile1.bin" = "/etc/secrets/initrd/keyfile1.bin";
  };
};

# Data mount
fileSystems."/data" = {
  device = "/dev/disk/by-uuid/79630267-5766-4c7d-85a5-1d5f1dcd58ad"; # UUID for /dev/mapper/crypted-data
  encrypted = {
    enable = true;
    label = "crypted-data";
    blkDev = "/dev/disk/by-uuid/3476cb09-b3c4-4301-9ec9-84f60f32828a"; # UUID for /dev/sda1
    keyFile = "/keyfile1.bin";
  };
};
@bryanasdev000

This comment has been minimized.

Copy link

@bryanasdev000 bryanasdev000 commented Jan 1, 2021

Hey, just wanted to provide some updates (Dec 2020) to anyone that came to this guide:

  • First, @starfys comment is totally accurate. Remember to specify the --type luks1 when encrypting the partition with root, as GRUB still does not support luks2, which is the default type used by cryptsetup.
  • Second, to avoid putting the password too many times, you can mount the encrypted partition with cryptsetup luksOpen /dev/sda1 -d keyfile1.bin crypted-name. Just remember to use the corresponding key.
  • The initrd part is obsolete. Now NixOS uses the boot.initrd.secrets section for this. So, for example, if I try to set up this guide with this new setting (plus other minimal fixes), it will look like this:
boot.initrd = {
  luks.devices."root" = {
    device = "/dev/disk/by-uuid/a8b302cf-5296-4a2e-a7ba-707e6fa75123"; # UUID for /dev/nvme01np2 
    preLVM = true;
    keyFile = "/keyfile0.bin";
    allowDiscards = true;
  };
  secrets = {
    # Create /mnt/etc/secrets/initrd directory and copy keys to it
    "keyfile0.bin" = "/etc/secrets/initrd/keyfile0.bin";
    "keyfile1.bin" = "/etc/secrets/initrd/keyfile1.bin";
  };
};

# Data mount
fileSystems."/data" = {
  device = "/dev/disk/by-uuid/79630267-5766-4c7d-85a5-1d5f1dcd58ad"; # UUID for /dev/mapper/crypted-data
  encrypted = {
    enable = true;
    label = "crypted-data";
    blkDev = "/dev/disk/by-uuid/3476cb09-b3c4-4301-9ec9-84f60f32828a"; # UUID for /dev/sda1
    keyFile = "/keyfile1.bin";
  };
};

Thanks! Worked like a charm with ZFS native encryption.

@ladinu

This comment has been minimized.

Copy link
Owner Author

@ladinu ladinu commented Jan 2, 2021

I've updated the doc. Thank you everyone for the feedback!

@YellowOnion

This comment has been minimized.

Copy link

@YellowOnion YellowOnion commented Jan 15, 2021

grub merged LUKS2 support in Jan 2020, It should work in theory.

@bryanasdev000

This comment has been minimized.

Copy link

@bryanasdev000 bryanasdev000 commented Jan 15, 2021

grub merged LUKS2 support in Jan 2020, It should work in theory.

Thanks for the heads up!

Here is ref:

https://git.savannah.gnu.org/cgit/grub.git/log/

https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ec46685ed4ea7bf0dd81c8254c2d9e0e8514976c (last commit with luks2 message)

@ja0nz

This comment has been minimized.

Copy link

@ja0nz ja0nz commented Mar 21, 2021

grub merged LUKS2 support in Jan 2020, It should work in theory.

Yet at time of writing GRUB is still in version 2.04 from 2019! So no, LUKS2 is not working at the moment.
The next major release of GRUB 2.06 is expected in April 2021 and hopefully lands of NixOS soon after.

@maralorn

This comment has been minimized.

Copy link

@maralorn maralorn commented Jul 4, 2021

I just wanted to share that we have now grub 2.06~rc1 in nixos stable. Sadly booting from a luks2 header failed for me without helpful error message. (It just doesn‘t decrypt on boot.) With luks1 header this guide works fine.

EDIT: Maybe this is because I had an argon2i header on the disk, but the key I wanted grub to unlock was pkdf2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment