Can I use a USB keyfile with the NixOS FDE installer?

The standard NixOS installer uses GRUB to decrypt the FDE?

This means there is no way to use a keyfile on a USB stick, right, since we would need the initrd for that?

The NixOS installer only does grub-based FDE for legacy BIOS systems for… unfortunate reasons. One day I plan to change this and make it work the same for legacy BIOS and UEFI; i.e. a separate /boot partition with unencrypted kernels / initrds and an encrypted root.

You can do this with a manual install on a legacy BIOS system, but doing it to an existing install is going to require some sort of repartitioning.
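As an added illustration of the layout described above (this is example configuration, not code from the thread or from the NixOS installer): a legacy BIOS machine with GRUB in the MBR, an unencrypted /boot partition holding the kernels and initrds, and a LUKS root that stage-1 unlocks with raw key material read from a USB stick, falling back to a passphrase prompt when the stick is not plugged in. All device paths, UUIDs, the key offset and the key size are placeholders to be replaced with your own values.

```nix
# Added example, not part of the original thread. Placeholder values are marked.
{ config, lib, pkgs, ... }:

{
  # Legacy BIOS: GRUB is installed to the MBR of the whole disk and only has to
  # read the unencrypted /boot partition, so it needs no cryptodisk support.
  boot.loader.grub = {
    enable = true;
    device = "/dev/disk/by-id/ata-EXAMPLE_DISK";   # placeholder
    enableCryptodisk = false;
  };

  # The initrd has to see USB mass-storage devices before it can find the stick.
  boot.initrd.availableKernelModules = [ "usb_storage" "uas" ];

  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000"; # placeholder LUKS UUID

    # Key material is read straight from the block device, so the stick needs
    # no filesystem and nothing is mounted in the initrd. The same bytes were
    # enrolled beforehand with, e.g.:
    #   cryptsetup luksAddKey /dev/sdX2 --new-keyfile-offset 1048576 \
    #       --new-keyfile-size 4096 /dev/disk/by-id/usb-EXAMPLE_STICK-0:0
    keyFile = "/dev/disk/by-id/usb-EXAMPLE_STICK-0:0";   # placeholder
    keyFileOffset = 1048576;   # skip the first MiB of the stick (placeholder)
    keyFileSize = 4096;        # bytes of key material to read (placeholder)

    # Ask for the passphrase interactively if the stick is absent at boot.
    fallbackToPassword = true;
  };

  fileSystems."/" = {
    device = "/dev/mapper/cryptroot";
    fsType = "ext4";
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/11111111-1111-1111-1111-111111111111"; # placeholder
    fsType = "ext4";
  };
}
```

The key never touches a filesystem on the stick, so a stolen stick looks like random bytes in an unpartitioned region; the trade-off is that the stick's device path must be stable (hence `by-id`) and that anyone holding the stick can unlock the root, so `fallbackToPassword` is a convenience for a missing stick, not an extra factor.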

It is possible, with a little hack. The boot.loader.grub module uses the grub-install command to build the image and install it in a single step, so it’s not possible to edit the embedded config before it is installed.

There’s also no option to change the config, which is hardcoded in the source; however, you can easily patch grub-install.c like this:

nixpkgs.overlays = lib.singleton (self: super: {
  grub2 = super.grub2.overrideAttrs (old: {
    # Insert a keyfile-based cryptomount ahead of the hardcoded interactive one
    # in the embedded config that grub-install generates. Replace `offset` and
    # `keysize` with the byte offset and length of the key in secret.key.
    postPatch = (old.postPatch or "") + ''
      sed 's@cryptomount -u@cryptomount -a -k (hd0,gpt1)/secret.key -O offset -S keysize\\n'\
       'cryptomount -u@' -i util/grub-install.c
    '';
  });
});

This will try to unlock using a secret.key file on hd0 and, if that’s not available, fall back to an interactive password.

EDIT: I had missed the part about the installer. I’ve never used that, so I have no idea what it does. You can see here the steps to manually install NixOS with full disk encryption: