Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Installation of NixOS with encrypted root

Installation of NixOS with encrypted root

These are my notes on instaling NixOS 16.03 on a Lenovo ThinkPad X1 Carbon (4th generation) with an encrypted root file system using UEFI.

Most of this is scrambled from the following pages:

Preparing installation media

I installed from a USB stick using the NixOS minimal ISO (this one to be precise).

$ dd bs=4M if=nixos-minimal-16.03.678.2597f52-x86_64-linux.iso of=/dev/sdb

Booting the installer

  • Disable Secure Boot Control
  • Disable USB legacy boot
  • Enable Launch CSM

Due to this kernel bug, we have to boot with the following kernel parameter: intel_pstate=no_hwp. Seems like this will be fixed soon.


We create a 500MB EFI boot partition (/dev/sda1) and the rest will be our LUKS encrypted physical volume for LVM (/dev/sda2).

$ gdisk /dev/sda
  • o (create new empty partition table)
  • n (add partition, 500M, type ef00 EFI)
  • n (add partition, remaining space, type 8300 Linux LVM)
  • w (write partition table and exit)

Setup the encrypted LUKS partition and open it:

$ cryptsetup luksFormat /dev/sda2
$ cryptsetup luksOpen /dev/sda2 enc-pv

We create two logical volumes, a 8GB swap parition and the rest will be our root filesystem

$ pvcreate /dev/mapper/enc-pv
$ vgcreate vg /dev/mapper/enc-pv
$ lvcreate -L 8G -n swap vg
$ lvcreate -l '100%FREE' -n root vg

Format the partitions:

$ mkfs.fat /dev/sda1
$ mkfs.ext4 -L root /dev/vg/root
$ mkswap -L swap /dev/vg/swap

Installing NixOS

We mount the partitions we just created under /mnt so we can install NixOS on them.

$ mount /dev/vg/root /mnt
$ mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot
$ swapon /dev/vg/swap

Configure WPA supplicant so we can use WIFI:

$ cat > /etc/wpa_supplicant.conf
$ systemctl start wpa_supplicant

Now generate a NixOS configuration and modify it to our liking. The following is the configuration I started with.

$ nixos-generate-config --root /mnt
$ cat > /mnt/etc/nixos/configuration.nix
{ config, pkgs, ... }:

  imports =
    [ # Include the results of the hardware scan.

  boot.kernelParams = [ "intel_pstate=no_hwp" ];

  # Supposedly better for the SSD.
  fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "nodev";
  boot.loader.grub.efiSupport = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Grub menu is painted really slowly on HiDPI, so we lower the
  # resolution. Unfortunately, scaling to 1280x720 (keeping aspect
  # ratio) doesn't seem to work, so we just pick another low one.
  boot.loader.grub.gfxmodeEfi = "1024x768";

  boot.initrd.luks.devices = [
      name = "root";
      device = "/dev/disk/by-uuid/06e7d974-9549-4be1-8ef2-f013efad727e";
      preLVM = true;
      allowDiscards = true;

  # Enables wireless support via wpa_supplicant.
  networking.wireless.enable = true;

  # Etcetera ...

If we're happy with the configuration, install NixOS and reboot.

$ nixos-install
$ reboot


If for whatever reason the system doesn't boot, we can go back to the installation environment by booting from the installation media and remounting all partitions:

$ cryptsetup luksOpen /dev/sda2 enc-pv
$ lvchange -a y /dev/vg/swap
$ lvchange -a y /dev/vg/root
$ mount /dev/vg/root /mnt
$ mount /dev/sda1 /mnt/boot
$ swapon /dev/vg/swap
$ cp /mnt/etc/wpa_supplicant.conf /etc
$ systemctl start wpa_supplicant

We can now make further modifications to the configuration and try again.

pradeepcheers commented Oct 10, 2016 edited

Where did you get this value from "/dev/disk/by-uuid/**06e7d974-9549-4be1-8ef2-f013efad727e**"? I'm using /dev/sda2 instead but it didn't work. I tried getting the uuid from the command ``blkid /dev/sda2`.

On nixos-install the installation is successful but on reboot the installation is saving to the boot partition. All the configuration is lost and I have to start over again with the bootable pen drive!

Any help is much appreciated. Thanks


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment