The reusePassphrases option works between root and swap, but for the other disks (backup…) it does not reuse the same passphrase. I have to enter the passphrase a second time!
This is part of my hardware-configuration.nix file:
boot.initrd.luks.reusePassphrases = true;
boot.initrd.luks = {
  devices = {
    luks-ROOT = {
      device = "/dev/disk/by-uuid/b21675cd-83a5-4899-9684-e799cb0e3c4d";
      allowDiscards = true;
    };
    #luks-SWAP = {
    #  device = "/dev/disk/by-uuid/029378ea-1130-4e9b-9404-df85f0c3ebea";
    #  allowDiscards = true;
    #};
    luks-BACKUP4T_SSD = {
      device = "/dev/disk/by-uuid/4891218f-a065-4485-acc4-692b6e2d8de2";
      preLVM = false;
      allowDiscards = true;
    };
    luks-BACKUP4T_HDD = {
      device = "/dev/disk/by-uuid/7813d2bc-ad40-4f5c-8834-a8a6e7c827af";
      preLVM = false;
    };
    luks-BACKUP8T_HDD = {
      device = "/dev/disk/by-uuid/3ec687a1-873d-4259-aefa-3d85dbf0bff5";
      preLVM = false;
    };
  };
  #reusePassphrases = true;
};
Yeah, that seems like a bug. Though I bet it would work better if you used systemd initrd with boot.initrd.systemd.enable = true;, since it just uses the kernel keyring to share the passphrase. But with systemd initrd, reusePassphrase is the default, and preLVM does nothing because device ordering is dynamic, so you'll want to remove those settings.
That said, honestly, for anything other than rootfs, nix store fs, and swap, just don't use the boot.initrd.luks option. Instead, use a key file stored on the rootfs and unlock them with /etc/crypttab in stage 2.
environment.etc.crypttab.text = ''
  luks-BACKUP4T_SSD /dev/disk/by-uuid/4891218f-a065-4485-acc4-692b6e2d8de2 /root/keyfile
  luks-BACKUP4T_HDD /dev/disk/by-uuid/7813d2bc-ad40-4f5c-8834-a8a6e7c827af /root/keyfile
  luks-BACKUP8T_HDD /dev/disk/by-uuid/3ec687a1-873d-4259-aefa-3d85dbf0bff5 /root/keyfile
'';
You can use multiple LUKS keyslots so that you can unlock these with either the keyfile or a password.
In general, it’s better to do as little as possible during stage 1, so it’s better to do encrypted devices this way. But of course the rootfs and nix store have to be mounted in stage 1, and swap has to be decrypted in stage 1 to support hibernation. Anything else though, you might as well do it in stage 2.
In configuration.nix, when I try that:
environment.etc.crypttab.text = ''
  luks-BACKUP4T_SSD 4891218f-a065-4485-acc4-692b6e2d8de2 /root/tribdisk.bin
  luks-BACKUP4T_HDD 7813d2bc-ad40-4f5c-8834-a8a6e7c827af /root/tribdisk.bin
  luks-BACKUP8T_HDD 3ec687a1-873d-4259-aefa-3d85dbf0bff5 /root/tribdisk.bin
'';
fileSystems."/BACKUP4T_SSD" =
  {
    #device = "/dev/disk/by-uuid/adbbb6c7-2401-4c5d-9895-250b3b51ebad"; # LUKS mapped device
    device = "/dev/mapper/luks-BACKUP4T_SSD";
    fsType = "ext4";
    options = [ "rw" "noatime" "nodiratime" ];
  };
fileSystems."/BACKUP4T_HDD" =
  {
    #device = "/dev/disk/by-uuid/1b0510c5-f0fb-4af2-b1f3-91dc24cdb25d"; # LUKS mapped device
    device = "/dev/mapper/luks-BACKUP4T_HDD";
    fsType = "ext4";
    options = [ "rw" "noatime" "nodiratime" ];
  };
fileSystems."/BACKUP8T_HDD" =
  {
    #device = "/dev/disk/by-uuid/f2969fa6-6aab-4050-a68c-74482355dba2"; # LUKS mapped device
    device = "/dev/mapper/luks-BACKUP8T_HDD";
    fsType = "ext4";
    options = [ "rw" "noatime" "nodiratime" ];
  };
I have multiple errors or a crash after sudo nixos-rebuild switch:
building Nix...
building the system configuration...
activating the configuration...
setting up /etc...
reloading user units for david...
restarting sysinit-reactivation.target
A dependency job for cryptsetup.target failed. See 'journalctl -xe' for details.
the following new units were started: BACKUP4T_HDD.mount, BACKUP4T_SSD.mount, BACKUP8T_HDD.mount, libvirtd.service, system-systemd\x2dcryptsetup.slice
warning: the following units failed: systemd-cryptsetup@luks\x2dBACKUP4T_HDD.service, systemd-cryptsetup@luks\x2dBACKUP4T_SSD.service, systemd-cryptsetup@luks\x2dBACKUP8T_HDD.service
× systemd-cryptsetup@luks\x2dBACKUP4T_HDD.service - Cryptography Setup for luks-BACKUP4T_HDD
Loaded: loaded (/etc/crypttab; generated)
Active: failed (Result: exit-code) since Sun 2024-10-20 18:19:55 CEST; 1s ago
Docs: man:crypttab(5)
man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup@.service(8)
Process: 6428 ExecStart=/nix/store/nswmyag3qi9ars0mxw5lp8zm0wv5zxld-systemd-255.9/bin/systemd-cryptsetup attach luks-BACKUP4T_HDD 7813d2bc-ad40-4f5c-8834-a8a6e7c827af /root/tribdisk.bin (code=exited, status=1/FAILURE)
Main PID: 6428 (code=exited, status=1/FAILURE)
IP: 0B in, 0B out
CPU: 8ms
oct. 20 18:19:55 nixos systemd[1]: Starting Cryptography Setup for luks-BACKUP4T_HDD...
oct. 20 18:19:55 nixos systemd-cryptsetup[6428]: Device 7813d2bc-ad40-4f5c-8834-a8a6e7c827af does not exist or access denied.
oct. 20 18:19:55 nixos systemd-cryptsetup[6428]: crypt_init() failed: Block device required
oct. 20 18:19:55 nixos systemd[1]: systemd-cryptsetup@luks\x2dBACKUP4T_HDD.service: Main process exited, code=exited, status=1/FAILURE
oct. 20 18:19:55 nixos systemd[1]: systemd-cryptsetup@luks\x2dBACKUP4T_HDD.service: Failed with result 'exit-code'.
oct. 20 18:19:55 nixos systemd[1]: Failed to start Cryptography Setup for luks-BACKUP4T_HDD.
× systemd-cryptsetup@luks\x2dBACKUP4T_SSD.service - Cryptography Setup for luks-BACKUP4T_SSD
Loaded: loaded (/etc/crypttab; generated)
Active: failed (Result: exit-code) since Sun 2024-10-20 18:19:55 CEST; 1s ago
Docs: man:crypttab(5)
man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup@.service(8)
Process: 6429 ExecStart=/nix/store/nswmyag3qi9ars0mxw5lp8zm0wv5zxld-systemd-255.9/bin/systemd-cryptsetup attach luks-BACKUP4T_SSD 4891218f-a065-4485-acc4-692b6e2d8de2 /root/tribdisk.bin (code=exited, status=1/FAILURE)
Main PID: 6429 (code=exited, status=1/FAILURE)
IP: 0B in, 0B out
CPU: 7ms
oct. 20 18:19:55 nixos systemd[1]: Starting Cryptography Setup for luks-BACKUP4T_SSD...
oct. 20 18:19:55 nixos systemd-cryptsetup[6429]: Device 4891218f-a065-4485-acc4-692b6e2d8de2 does not exist or access denied.
oct. 20 18:19:55 nixos systemd-cryptsetup[6429]: crypt_init() failed: Block device required
oct. 20 18:19:55 nixos systemd[1]: systemd-cryptsetup@luks\x2dBACKUP4T_SSD.service: Main process exited, code=exited, status=1/FAILURE
oct. 20 18:19:55 nixos systemd[1]: systemd-cryptsetup@luks\x2dBACKUP4T_SSD.service: Failed with result 'exit-code'.
oct. 20 18:19:55 nixos systemd[1]: Failed to start Cryptography Setup for luks-BACKUP4T_SSD.
× systemd-cryptsetup@luks\x2dBACKUP8T_HDD.service - Cryptography Setup for luks-BACKUP8T_HDD
Loaded: loaded (/etc/crypttab; generated)
Active: failed (Result: exit-code) since Sun 2024-10-20 18:19:55 CEST; 1s ago
Docs: man:crypttab(5)
man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup@.service(8)
Process: 6431 ExecStart=/nix/store/nswmyag3qi9ars0mxw5lp8zm0wv5zxld-systemd-255.9/bin/systemd-cryptsetup attach luks-BACKUP8T_HDD 3ec687a1-873d-4259-aefa-3d85dbf0bff5 /root/tribdisk.bin (code=exited, status=1/FAILURE)
Main PID: 6431 (code=exited, status=1/FAILURE)
IP: 0B in, 0B out
CPU: 7ms
oct. 20 18:19:55 nixos systemd[1]: Starting Cryptography Setup for luks-BACKUP8T_HDD...
oct. 20 18:19:55 nixos systemd-cryptsetup[6431]: Device 3ec687a1-873d-4259-aefa-3d85dbf0bff5 does not exist or access denied.
oct. 20 18:19:55 nixos systemd-cryptsetup[6431]: crypt_init() failed: Block device required
oct. 20 18:19:55 nixos systemd[1]: systemd-cryptsetup@luks\x2dBACKUP8T_HDD.service: Main process exited, code=exited, status=1/FAILURE
oct. 20 18:19:55 nixos systemd[1]: systemd-cryptsetup@luks\x2dBACKUP8T_HDD.service: Failed with result 'exit-code'.
oct. 20 18:19:55 nixos systemd[1]: Failed to start Cryptography Setup for luks-BACKUP8T_HDD.
warning: error(s) occurred while switching to the new configuration
Why did you just put the UUID? You have to point it to a device. You can do either UUID=4891218f-a065-4485-acc4-692b6e2d8de2 or /dev/disk/by-uuid/4891218f-a065-4485-acc4-692b6e2d8de2
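As an added example (not code from the thread, NixOS or systemd), the following Python script checks the two things the replies above turn on: that every crypttab device field is an absolute path or a UUID=/PARTUUID=/LABEL=/PARTLABEL= spec rather than a bare UUID, which is exactly what made systemd-cryptsetup fail with "Block device required", and that a key file kept on the rootfs is root-owned and unreadable by anyone else. The sample crypttab text and the key file it inspects are constructed inline; the UUIDs are the ones quoted above and are only used as strings.

```python
"""Sanity-check /etc/crypttab entries before systemd-cryptsetup sees them.

Added example for this thread, not code from NixOS or systemd. It covers the
field formats accepted by crypttab(5) and the key-file hygiene a keyfile-on-rootfs
setup relies on.
"""
import os
import re
import stat
import tempfile

# Device field forms systemd-cryptsetup accepts (crypttab(5)): an absolute path
# or one of the tag specifiers.
DEVICE_SPEC_RE = re.compile(r"^(/|UUID=|PARTUUID=|LABEL=|PARTLABEL=)")
# A bare filesystem UUID, which is NOT a valid device field on its own.
BARE_UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed samples: the failing crypttab from the thread (bare UUIDs) and
# the two accepted spellings given in the last reply.
BROKEN_CRYPTTAB = """\
luks-BACKUP4T_SSD 4891218f-a065-4485-acc4-692b6e2d8de2 /root/tribdisk.bin
luks-BACKUP4T_HDD 7813d2bc-ad40-4f5c-8834-a8a6e7c827af /root/tribdisk.bin
"""
FIXED_CRYPTTAB = """\
# either spelling is accepted by systemd-cryptsetup
luks-BACKUP4T_SSD UUID=4891218f-a065-4485-acc4-692b6e2d8de2 /root/tribdisk.bin
luks-BACKUP4T_HDD /dev/disk/by-uuid/7813d2bc-ad40-4f5c-8834-a8a6e7c827af /root/tribdisk.bin nofail
"""


def parse_crypttab(text):
    """Return (name, device, keyfile, options) per entry, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"crypttab line needs at least name and device: {raw!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append((fields[0], fields[1], keyfile, options))
    return entries


def check_entry(name, device, keyfile, options):
    """Return a list of problems for one entry; empty means it looks sound."""
    problems = []
    if BARE_UUID_RE.match(device):
        # The mistake from the thread: the field is treated as a path, no such
        # block device exists, and crypt_init() fails with "Block device required".
        problems.append(f"{name}: bare UUID in device field; write UUID={device} "
                        f"or /dev/disk/by-uuid/{device}")
    elif not DEVICE_SPEC_RE.match(device):
        problems.append(f"{name}: device {device!r} is neither an absolute path nor a "
                        "UUID=/PARTUUID=/LABEL=/PARTLABEL= specifier")
    if keyfile not in ("none", "-") and not keyfile.startswith("/"):
        problems.append(f"{name}: key file {keyfile!r} must be an absolute path, 'none' or '-'")
    return problems


def check_crypttab(text):
    """Map each entry name to its list of problems."""
    return {name: check_entry(name, dev, key, opts)
            for name, dev, key, opts in parse_crypttab(text)}


def check_keyfile_permissions(path, expected_uid=0):
    """A key file on the rootfs should be a regular file owned by expected_uid
    (root in production) with no group/other permission bits, e.g. mode 0400."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"key file {path} does not exist"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path} is not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"{path} is owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is accessible to group/other (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def demo_keyfile_check():
    """Create a constructed key file, check it world-readable and then owner-only,
    and return both problem lists. Uses the current uid so it runs unprivileged."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "keyfile")
        with open(path, "wb") as fh:
            fh.write(os.urandom(64))  # constructed key material for the demo only
        os.chmod(path, 0o644)
        loose = check_keyfile_permissions(path, expected_uid=os.getuid())
        os.chmod(path, 0o600)
        strict = check_keyfile_permissions(path, expected_uid=os.getuid())
    return loose, strict


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CRYPTTAB), ("fixed", FIXED_CRYPTTAB)):
        for name, problems in check_crypttab(text).items():
            print(f"[{label}] {name}: {'OK' if not problems else '; '.join(problems)}")
    loose, strict = demo_keyfile_check()
    print("0644 key file:", loose)
    print("0600 key file:", strict)
```

Run it on your own file with `check_crypttab(open("/etc/crypttab").read())` and point `check_keyfile_permissions` at the key file named in the third column; both return empty lists when there is nothing to fix.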