Disko luks `keyFile` option not working?

solomon · November 25, 2024, 6:09am

I’m using disko to setup a machine with a LUKS partition like this:

        luks = {
          size = "100%";
          content = {
            type = "luks";
            name = "CRYPT";
            extraOpenArgs = [ ];
            settings = {
              keyFile = "/tmp/disk.key";
              allowDiscards = true;
            };
            content = {
              type = "zfs";
              pool = "tank";
            };
          };
        };

I’m then using nixos-anywhere to run the installer and copy in the keyFile:

    nix run github:numtide/nixos-anywhere -- \
	--extra-files "$temp" \
        --disk-encryption-keys /tmp/disk.key <(echo -n "password") \
	--flake ".#${MACHINE}" "root@${IP}" \
	--no-reboot

Nixos-anywhere’s installation succeeds and a secret is added to the LUKS partition but password is not working to decrypt it. Any ideas whats going on?

lassulus · November 25, 2024, 2:25pm

I think you want to use passwordFile instead of keyFile? keyFile is for files that are used for decryption during boot and if they are not present decryption will fail.

solomon · November 26, 2024, 12:57am

Thank you! That solved the issue.