NixOS install with encrypted /boot /root with single password unlock

encryptedNixos.md

Requirements

1. Encrypt everthing including /boot and /root
2. Enter password once

Installation media setup

Download unstable NixOS graphical live iso (cause vim on graphical live iso and easier to read this guide in browser) and write to USB stick.

lsblk
umount /dev/sdX1
dd if=path/to/nixos-graphical-unstable-x86_64-linux.iso of=/dev/sdX bs=10M oflag=direct status=progress

NixOS install

Boot from the USB stick and setup networking. (optionally setup SSH if you want to complete the install from another computer)

wpa_passhrase SSID PASSWORD > /etc/wpa_supplicant.conf
systemctl start wpa_supplicant
systemctl start sshd
passwd # So we can login via SSH

Partitioning

Use fdisk to partition the drives

fdisk /dev/sdX

• g Create a new empty GPT partition table
• n Create new partition of size 2M and of type BIOS boot
• t Change a partition type
• n Create another partition of type Linux filesystem and use remainig space
• p Show what fdisk will write
• w Write to disk an exit

Generate keys for single password unlock

dd if=/dev/urandom of=keyfile_root.bin bs=1024 count=4

Setup LUKS and add the keys

# grub-2.02 don't know how to load from luks2 which is used by default in cryptsetup
cryptsetup luksFormat --type luks1 -h sha512 /dev/sdX2
cryptsetup luksAddKey /dev/sdX2 keyfile_root.bin
cryptsetup luksOpen /dev/sdX2 crypted-nixos

# you should backup LUKS Headers always after creating LUKS partition and save it to safe place
cryptsetup luksHeaderBackup /dev/sdX2 --header-backup-file dev_sdX2_headers.backup

Setup LVM

you can skip these steps if you don't need it

pvcreate /dev/mapper/crypted-nixos
vgcreate vg /dev/mapper/crypted-nixos
lvcreate -L {RAM_SIZE}G -n swap vg
lvcreate -l '100%FREE' -n root vg

# you should backup LVM configs in safe place after LVM setup
man vgcfgbackup

Format the partitions and mount

mkswap -L swap /dev/vg/swap
mkfs.ext4 -L root /dev/vg/root

mount /dev/vg/root /mnt
swapon /dev/vg/swap

Create an initrd which only contain the key files

mkdir /mnt/boot
find keyfile*.bin -print0 | sort -z | cpio -o -H newc -R +0:+0 --reproducible --null | gzip -9 > /mnt/boot/extra_initramfs_keys.gz
chmod 000 /mnt/boot/extra_initramfs_keys.gz

Generate and edit configuration

nixos-generate-config --root /mnt

Add the following to /etc/nixos/configuration.nix

  boot.loader.grub.device = "/dev/sdX"; # or "nodev" for efi only
  boot.loader.grub.enableCryptodisk = true;
  boot.loader.grub.extraInitrd = "/boot/extra_initramfs_keys.gz"
  
  boot.initrd.luks.devices = [{
    name = "crypted-nixos";
    keyFile = "/keyfile_root.bin";
    allowDiscards = true;
  }];

You can get the UUIDs by running

blkid

Install NixOS and reboot

nixos-install
reboot

Thats it! Once you reboot, GRUB will ask for the password. If password is correct, GRUB will show you the NixOS system profiles menu. After that, your system will boot without asking for the disk password.

Notes

• You should not do LVM-on-LUKS for additional /data disks array, cause you can extend your /data disks array with another disks (LVM spanning disks) only with LUKS-on-LVM. But it's fine to use LVM-on-LUKS for /root or do not use LVM at all for /root, only LUKS.
• No need to reboot if you entered the GRUB password incorrectly

cryptomount hd0,gpt2    # Device to mount: drive X, GPT partition Y, this forces the re-prompt.
insmod normal           # Load the normal mode boot module.
normal                  # Enter normal mode and display the GRUB menu.

Credits

• Installation of NixOS with encrypted root by martijnvermaat
• Full disk encryption with LUKS (including /boot) by Pavel Kogan
• dm-crypt/Encrypting an entire system by Arch Linux wiki
• Full Disk Encryption w/Encrypted Boot by Void Linux wiki