Skip to content

Instantly share code, notes, and snippets.

Last active June 8, 2023 18:00
Star You must be signed in to star a gist
What would you like to do?
Installation of NixOS with encrypted root

Installation of NixOS with encrypted root

These are my notes on instaling NixOS 16.03 on a Lenovo ThinkPad X1 Carbon (4th generation) with an encrypted root file system using UEFI.

Most of this is scrambled from the following pages:

Preparing installation media

I installed from a USB stick using the NixOS minimal ISO (this one to be precise).

$ dd bs=4M if=nixos-minimal-16.03.678.2597f52-x86_64-linux.iso of=/dev/sdb

Booting the installer

  • Disable Secure Boot Control
  • Disable USB legacy boot
  • Enable Launch CSM

Due to this kernel bug, we have to boot with the following kernel parameter: intel_pstate=no_hwp. Seems like this will be fixed soon.


We create a 500MB EFI boot partition (/dev/sda1) and the rest will be our LUKS encrypted physical volume for LVM (/dev/sda2).

$ gdisk /dev/sda
  • o (create new empty partition table)
  • n (add partition, 500M, type ef00 EFI)
  • n (add partition, remaining space, type 8300 Linux LVM)
  • w (write partition table and exit)

Setup the encrypted LUKS partition and open it:

$ cryptsetup luksFormat /dev/sda2
$ cryptsetup luksOpen /dev/sda2 enc-pv

We create two logical volumes, a 8GB swap parition and the rest will be our root filesystem

$ pvcreate /dev/mapper/enc-pv
$ vgcreate vg /dev/mapper/enc-pv
$ lvcreate -L 8G -n swap vg
$ lvcreate -l '100%FREE' -n root vg

Format the partitions:

$ mkfs.fat /dev/sda1
$ mkfs.ext4 -L root /dev/vg/root
$ mkswap -L swap /dev/vg/swap

Installing NixOS

We mount the partitions we just created under /mnt so we can install NixOS on them.

$ mount /dev/vg/root /mnt
$ mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot
$ swapon /dev/vg/swap

Configure WPA supplicant so we can use WIFI:

$ cat > /etc/wpa_supplicant.conf
$ systemctl start wpa_supplicant

Now generate a NixOS configuration and modify it to our liking. The following is the configuration I started with.

$ nixos-generate-config --root /mnt
$ cat > /mnt/etc/nixos/configuration.nix
{ config, pkgs, ... }:

  imports =
    [ # Include the results of the hardware scan.

  boot.kernelParams = [ "intel_pstate=no_hwp" ];

  # Supposedly better for the SSD.
  fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "nodev";
  boot.loader.grub.efiSupport = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Grub menu is painted really slowly on HiDPI, so we lower the
  # resolution. Unfortunately, scaling to 1280x720 (keeping aspect
  # ratio) doesn't seem to work, so we just pick another low one.
  boot.loader.grub.gfxmodeEfi = "1024x768";

  boot.initrd.luks.devices = [
      name = "root";
      device = "/dev/disk/by-uuid/06e7d974-9549-4be1-8ef2-f013efad727e";
      preLVM = true;
      allowDiscards = true;

  # Enables wireless support via wpa_supplicant.
  networking.wireless.enable = true;

  # Etcetera ...

If we're happy with the configuration, install NixOS and reboot.

$ nixos-install
$ reboot


If for whatever reason the system doesn't boot, we can go back to the installation environment by booting from the installation media and remounting all partitions:

$ cryptsetup luksOpen /dev/sda2 enc-pv
$ lvchange -a y /dev/vg/swap
$ lvchange -a y /dev/vg/root
$ mount /dev/vg/root /mnt
$ mount /dev/sda1 /mnt/boot
$ swapon /dev/vg/swap
$ cp /mnt/etc/wpa_supplicant.conf /etc
$ systemctl start wpa_supplicant

We can now make further modifications to the configuration and try again.

Copy link

pradeepcheers commented Oct 10, 2016

Where did you get this value from "/dev/disk/by-uuid/**06e7d974-9549-4be1-8ef2-f013efad727e**"? I'm using /dev/sda2 instead but it didn't work. I tried getting the uuid from the command ``blkid /dev/sda2`.

On nixos-install the installation is successful but on reboot the installation is saving to the boot partition. All the configuration is lost and I have to start over again with the bootable pen drive!

Any help is much appreciated. Thanks

Copy link


Copy link

jtojnar commented Jun 30, 2017

@prapradeepcheers Using the UUID returned by blkid /dev/sda2 worked for me.

Copy link

jb55 commented Jul 21, 2017

boot.kernelParams = [ "intel_pstate=no_hwp" ];

wasn't needed for me on my gen5 / nixos-unstable

Copy link

ahstro commented Oct 26, 2017

For who it may concern: nixos-generate-config --root /mnt generated

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

instead of the GRUB 2 related config for me, and it works fine.

Edit: Also, thanks for this gist! ❤️

Copy link

MrRacoon commented Nov 3, 2017

Worked Beautifully, Thank you so much

Copy link

phdoerfler commented Nov 3, 2017

The hex code for Linux LVM partitions seems to be 8e00 and not 8300.

Copy link

andersk commented Dec 2, 2017

@phdoerfler Beware, using 8e00 “Linux LVM” for an LUKS-encrypted LVM partition might confuse the Debian installer into destroying your partition in certain circumstances! In the apparent absence of a dedicated LUKS code, I went for 8301 “Linux reserved”.

By the way, the EFI spec requires the EFI system partition to be FAT32, not FAT16, so you may want mkfs.fat -F 32 /dev/sda1. (Some implementations seem to allow FAT16, but not all of them.)

Copy link

ladinu commented Jan 8, 2018

Thank you for this! Really helped me out.

I wrote a guide where /boot is also encrypted and single password unlock for multiple devices

Copy link

wpa_passphrase SSID PASSWORD >/etc/wpa_supplicant.conf should be better ;)

Copy link

FintanH commented Feb 16, 2018

I wasn't sure how to connect to WiFi at first which meant nixos-install wasn't able to complete.

To solve this I ran: nmcli dev wifi connect <mySSID> password <myPassword> :)

Copy link

dbwest commented Mar 22, 2018

I have a Lenovo Legion Y520. To get the wireless working for the installer on boot off USB drive I pressed F1 at the boot menu for the live installation, chose 'e' to edit the boot options and added modprobe.blacklist=ideapad_laptop. Fixes rfkill always listing wifi as hard blocked and wifi just works after that :)

Copy link

thanks for this!

Copy link

flyx commented Jun 17, 2018

In case someone wants to do this with legacy BIOS boot:

  • when partitioning, add a 1M BIOS Boot partition (ef02) in front of everything else. GRUB needs this partition on GPT. Create the /boot partition with 8300 instead of ef00.
  • /boot will be on /dev/sda2 and the encrypted partitions on /dev/sda3, change the commands accordingly.
  • You can format /boot with mkfs.ext2 instead of mkfs.fat.
  • boot.loader.grub.device should be "/dev/sda". remove the *efi* lines.

Copy link

I am having the same issue as @pradeepcheers, All the configuration is lost when i reboot it. i am installing it on virtual box. Can anyone suggest a solution.

Copy link

sfultong commented Oct 15, 2018

I've been using this method successfully for 18.03. One odd thing is that asked me for my password twice and tried to mount root twice.

In 18.09 it also asks me for my password twice, but fails after the second time because root is already mounted.


Fixed. The luks device was listed both in hardware-configuration.nix and configuration.nix so I just commented one out.

Copy link

michelrandahl commented Dec 11, 2018

If you have problems installing nixos with a 18.09 image, then try to install it using a 17.09 image instead and then upgrade to 18.09 post installation.

I used many hours this weekend trying to install nixos on my machine using a 18.09 image. I had no problems installing it, and the boot loader worked fine, but after that I just got a black screen. I tried many permutations of nixos-configurations and BIOS-configurations. Nothing seemed to work. Not even a plain installation with no luks encryption. At last I downloaded a 17.09 image and performed the installation with no trouble at all. Today I upgraded my system from 17.09 to 18.09 smoothly with no problems as well (change the nixos nix-channel to 18.09 and do the usual nixos-rebuild switch).

I could not find any 'official' nixos site with old images, so I downloaded it from distrowatch

Hope this helps some other poor soul, so that my countless wasted hours haven't been wasted for nothing :)

Copy link

Akii commented May 5, 2019

@flyx Thank you!

Copy link

rikhuijzer commented Jul 23, 2019

Edit: Great tutorial. NixOS runs like a charm on my NUC8I5BEH2!
Small remark: Could you remove the block size specification (bs=4M) for the dd command? On my Ubuntu machine the copy reported a transfer rate of 16 GB/s with the block size specified, which meant it did not copy the files. Without the specification it actually copied the files. In general I don't think specifying the block size is needed in most cases. The NixOS manual also does not mention it[1].


Copy link

In the context of this installation the device UUID is the is the UUID of the partition on /dev/sda2.

[root@nixos:/etc/nixos]# lsblk --fs
NAME                 FSTYPE      LABEL UUID                                   FSAVAIL FSUSE% MOUNTPOINT
├─sda1               vfat              71D0-533E                               468.8M     6% /boot
└─sda2               crypto_LUKS       06e7d974-9549-4be1-8ef2-f013efad727e                  
  └─root             LVM2_member       cPI2OD-d9Kg-d9Zq-VY9W-kPUu-zFY7-wtrZ1N                
    ├─vg-swap swap               swap  8656d2a4-ebf8-4603-854e-ed34fdfb1b3f                  [SWAP]
    └─vg-root ext4               root  fab073dd-d0ee-4855-a897-5327a3b7b3ce    213.7G     2% /
boot.initrd.luks.devices = [
      name = "root";
      device = "/dev/disk/by-uuid/06e7d974-9549-4be1-8ef2-f013efad727e";
      preLVM = true;
      allowDiscards = true;

Copy link

Thanks for this write up, and for all the helpful comment, it was invaluable. After running into several issues, I kept my own notes on the step by step commands needed to set this up correctly: . These steps are closer to the nixos installation manual, and I've tried to add more annotations. One big issue I ran into was that I had not booted the UEFI boot option on the installation media, and, even though the partitioning and nix config were correct, I had to go into the BIOS boot selection menu and explicitly select the UEFI boot option on my flash drive.

Copy link

ErnestKz commented Jan 8, 2021

If nixos-install is not recognising boot.initrd.luks.devices, then NixOS must be 20.04 or over, in that case the updated syntax is:

boot.initrd.luks.devices.luksroot = { device: "..."; preLVM = true; allowDiscards = true; };

Copy link

cideM commented Feb 11, 2021

Just in case someone stumbles over this, the UUID for luksroot is the one for the unencrypted luks device, not the volume inside of that. luksroot is what NixOS will use during stage 1 of the boot process to unlock the encrypted device. If you give it the UUID of an actual volume inside the luks container then it'll just say it can't find that device.

Copy link

RobWalt commented Feb 21, 2022

@cideM Thanks! This helped me a lot!

Copy link

Thanks!! I have tested it on NixOS 21.11 with the following configuration and it worked fine for me. As @ErnestKz, I had to adapt the boot.initrd.luks.device.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment