`extraInitrd` doesn't play well in fresh nixos installation

I have been use keyfile to avoid double keying in passphrase for my /boot encrypted full disk encryption. And it does the job perfectly. Here is the steps I used for fresh nixos installation:
MOUNTPOINT=/mnt, ROOT_PARTITION is the partition of /

	dd bs=512 count=4 if=/dev/random of=${MOUNTPOINT}/keyfile.bin iflag=fullblock
	echo ${MOUNTPOINT}/keyfile.bin | cpio -o -H newc -R +0:+0 --reproducible | gzip -9 >${MOUNTPOINT}/boot/initrd.keys.gz
	echo "Add key to root partition"
	cryptsetup luksAddKey "${ROOT_PARTITION}" ${MOUNTPOINT}/keyfile.bin

And here is the relevant part of my configuration:

  # Use Keyfile to unlock the root partition to avoid keying in twice.
  # Allow fstrim to work on it.
  boot.initrd.luks.devices."cryptroot" = {
    keyFile = "/keyfile.bin";
    allowDiscards = true;

  # Use GRUB with encrypted /boot under EFI env.
  boot.loader = {
    efi = {
      efiSysMountPoint = "/boot/efi";
      canTouchEfiVariables = true;
    grub = {
      enable = true;
      version = 2;
      device = "nodev";
      efiSupport = true;
      enableCryptodisk = true;
      extraInitrd = "/boot/initrd.keys.gz"; # Add LUKS key to the initrd

It works without any error on my machine after installation (i.e. you don’t use keyfile on nixos-install but opt in later) but not on fresh installation.

Here is the trouble that I ran in:

Any thought?
I think this is because on nixos-install, nix failed to include my extra initrd which contains keyfile.
Thanks in advance

Has been fixed because I used the wrong path to generate initrd.

BTW, use boot.initrd.secrets to add keyfile. It is the proper way!

1 Like