Decrypt my LUKS with an SD card upon boot

Dear community,

I faithfully followed the tutorial in the Wiki to decrypt my hard drive during boot using a USB stick (in my case an SD card). However, it does not work. The error is that LUKS is ‘waiting for nopassphrasekey’, but it doesn’t come up.

Could someone have a look at my config and check whether there is an obvious mistake? Of note, if I use cryptkey everything works fine, however, cryptkey is unfortunately passphrase-protected (and I don’t want to type it upon boot).


  boot.initrd.kernelModules = [ "mmc_core" ];

  boot.initrd.luks.devices = {
    cryptkey.device = "/dev/disk/by-uuid/ccd19ab7-0e4d-4df4-8912-b87139de56af";
    nopassphrasekey = {
      device = "/dev/disk/by-id/mmc-SD02G_0x6035b72d";
      allowDiscards = true;
      keyFileSize = 4096;
      # pinning to /dev/disk/by-id/usbkey works
      keyFile = "/dev/mmcblk0";
    };
    cryptroot = {
      device = "/dev/disk/by-uuid/88242cfe-48a1-44d2-a29b-b55e6f05d3d3";
      keyFile = "/dev/mapper/nopassphrasekey";
    };
    cryptswap = {
      device = "/dev/disk/by-uuid/f6fa3573-44a9-41cc-bab7-da60d21e27b3";
      keyFile = "/dev/mapper/nopassphrasekey";
    };
  };

Best wishes,
Moritz

I wonder if the scripted initrd is just doing them in lexicographical order. You can try renaming nopassphrasekey to something that would come first, like anopassphrasekey. Or you can try enabling systemd initrd, which handles this sort of thing way better.

  boot.initrd.systemd.enable = true;
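
The ordering hypothesis in the reply above, as an added example that is not part of the thread: a small lint that lists which devices want a key file from a mapper that has not been opened yet. It assumes, as the reply supposes, that the scripted initrd opens devices in lexicographic name order; the `DEVICES` table is constructed from the posted configuration, and all function names are hypothetical.

```python
# Added example (not from the thread): lint a boot.initrd.luks.devices-style
# mapping for key files that live on a mapper device opened later.
MAPPER = "/dev/mapper/"

# Constructed from the configuration posted above (UUIDs omitted; only the
# device names and keyFile paths matter for ordering).
DEVICES = {
    "cryptkey": {},
    "nopassphrasekey": {"keyFile": "/dev/mmcblk0"},
    "cryptroot": {"keyFile": "/dev/mapper/nopassphrasekey"},
    "cryptswap": {"keyFile": "/dev/mapper/nopassphrasekey"},
}


def open_order(devices):
    """Assumed unlock order: attribute names sorted lexicographically."""
    return sorted(devices)


def ordering_problems(devices):
    """Return (device, needed_mapper, reason) for every keyFile dependency
    that is not satisfied when devices are opened in open_order()."""
    order = open_order(devices)
    position = {name: i for i, name in enumerate(order)}
    problems = []
    for name in order:
        key_file = devices[name].get("keyFile", "")
        if not key_file.startswith(MAPPER):
            continue  # raw device or passphrase prompt: no mapper dependency
        needed = key_file[len(MAPPER):]
        if needed not in devices:
            problems.append((name, needed, "undefined"))
        elif position[needed] >= position[name]:
            problems.append((name, needed, "opened later"))
    return problems


def rename(devices, old, new):
    """Rename a device and rewrite keyFile paths that point at its mapper."""
    out = {}
    for name, cfg in devices.items():
        cfg = dict(cfg)
        if cfg.get("keyFile") == MAPPER + old:
            cfg["keyFile"] = MAPPER + new
        out[new if name == old else name] = cfg
    return out


if __name__ == "__main__":
    renamed = rename(DEVICES, "nopassphrasekey", "anopassphrasekey")
    for label, devs in (("as posted", DEVICES), ("renamed", renamed)):
        print(label, open_order(devs), ordering_problems(devs))
```

An empty result only rules out the ordering problem; it does not show that the key device itself appears during early boot.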

I’ll try, thanks!

Also, yes, it seems to do it alphabetically (I needed to type my password for cryptkey). However, this is of secondary importance, as it in any case did not find nopassphrasekey.

@ElvishJerricco I tried, but without success. It seems to fully “ignore” my anopassphrasekey, as it asks for my passphrase (for cryptkey) and then cannot load my root partition /dev/disk/by-uuid/8f0a4152-e9f1-4315-8c34-0402ff7efff4 (it says “start job is running for anopassphrasekey”).

(Just for context, my root partition)

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/8f0a4152-e9f1-4315-8c34-0402ff7efff4";
      fsType = "btrfs";
    };