`extraInitrd` doesn't play well in a fresh NixOS installation

I have been using a keyfile to avoid keying in the passphrase twice for my full disk encryption with encrypted /boot, and it does the job perfectly. Here are the steps I used for a fresh NixOS installation:
(MOUNTPOINT=/mnt; ROOT_PARTITION is the partition holding /)

	dd bs=512 count=4 if=/dev/random of=${MOUNTPOINT}/keyfile.bin iflag=fullblock
	echo ${MOUNTPOINT}/keyfile.bin | cpio -o -H newc -R +0:+0 --reproducible | gzip -9 >${MOUNTPOINT}/boot/initrd.keys.gz
	echo "Add key to root partition"
	cryptsetup luksAddKey "${ROOT_PARTITION}" ${MOUNTPOINT}/keyfile.bin

And here is the relevant part of my configuration:

	# Use Keyfile to unlock the root partition to avoid keying in twice.
	# Allow fstrim to work on it.
	boot.initrd.luks.devices."cryptroot" = {
	  keyFile = "/keyfile.bin";
	  allowDiscards = true;
	};

	# Use GRUB with encrypted /boot under EFI env.
	boot.loader = {
	  efi = {
	    efiSysMountPoint = "/boot/efi";
	    canTouchEfiVariables = true;
	  };
	  grub = {
	    enable = true;
	    version = 2;
	    device = "nodev";
	    efiSupport = true;
	    enableCryptodisk = true;
	    extraInitrd = "/boot/initrd.keys.gz"; # Add LUKS key to the initrd
	  };
	};

It works without any error on my machine after installation (i.e. when you don't use the keyfile during nixos-install but opt in later), but not on a fresh installation.

Here is the trouble that I ran into:

Any thoughts?
I think this is because, on nixos-install, nix failed to include my extra initrd, which contains the keyfile.
Thanks in advance

This has been fixed; the problem was that I used the wrong path to generate the initrd.

BTW, use boot.initrd.secrets to add the keyfile. It is the proper way!
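The following script is an added example written for this thread; it is not the poster's code. It redoes the keyfile steps from the first post so that the cpio archive stores the entry as `keyfile.bin` rather than `/mnt/keyfile.bin`, which is the wrong-path cause the poster reports, and it adds a check that the archive really contains the path configured in `boot.initrd.luks.devices.<name>.keyFile`. The function names (`make_keyfile`, `pack_initrd_keys`, `list_initrd_keys`, `check_initrd_keys`, `enroll_keyfile`) are mine; the variables `MOUNTPOINT` and `ROOT_PARTITION` and the key path `/keyfile.bin` are assumed to be the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the LUKS keyfile initrd
# so that the stage-1 initrd unpacks the key at /keyfile.bin, which is what
# keyFile = "/keyfile.bin" in configuration.nix expects.
# Assumed variables (from the post): MOUNTPOINT (new root, e.g. /mnt) and
# ROOT_PARTITION (the LUKS partition holding /).
set -e

# Create a 2048-byte random keyfile readable only by root.
# /dev/urandom is used here; on current Linux kernels it is the same CRNG as /dev/random.
make_keyfile() {           # $1 = mountpoint
    ( umask 077
      dd bs=512 count=4 if=/dev/urandom of="$1/keyfile.bin" iflag=fullblock 2>/dev/null )
    chmod 0400 "$1/keyfile.bin"
}

# Pack the keyfile into a gzip'ed newc cpio archive. Running cpio from inside
# the mountpoint with a relative name is what makes the stored entry
# "keyfile.bin" instead of "/mnt/keyfile.bin" (the mistake in the first post).
pack_initrd_keys() {       # $1 = mountpoint, $2 = output archive
    (cd "$1" && echo keyfile.bin | cpio -o -H newc -R +0:+0 --reproducible 2>/dev/null) \
        | gzip -9 > "$2"
}

# Print the entry names stored in the archive, one per line.
list_initrd_keys() {       # $1 = archive
    gzip -dc "$1" | cpio -t 2>/dev/null
}

# Return 0 only when the archive holds exactly the path the keyFile option
# names (leading slash stripped, because the initrd unpacks relative to /).
check_initrd_keys() {      # $1 = archive, $2 = keyFile value from configuration.nix
    want=${2#/}
    list_initrd_keys "$1" | grep -qx "$want"
}

# Enroll the keyfile in the LUKS header. Needs a real LUKS device, so it is
# only invoked from the guarded top-level run below.
enroll_keyfile() {         # $1 = root partition, $2 = keyfile
    cryptsetup luksAddKey "$1" "$2"
}

# Full procedure, run only when both variables are set (as in the installer shell).
if [ -n "${MOUNTPOINT:-}" ] && [ -n "${ROOT_PARTITION:-}" ]; then
    make_keyfile "$MOUNTPOINT"
    pack_initrd_keys "$MOUNTPOINT" "$MOUNTPOINT/boot/initrd.keys.gz"
    check_initrd_keys "$MOUNTPOINT/boot/initrd.keys.gz" /keyfile.bin \
        || { echo "initrd.keys.gz does not contain keyfile.bin; check the path" >&2; exit 1; }
    enroll_keyfile "$ROOT_PARTITION" "$MOUNTPOINT/keyfile.bin"
fi
```

Two points worth keeping in mind when using this. First, the keyfile sits in plaintext inside the initrd under /boot, so the scheme is only as strong as GRUB's `enableCryptodisk` keeping /boot on the LUKS volume; the unencrypted ESP at /boot/efi must never receive the archive. Second, `boot.initrd.secrets` does the packing for you at activation time (an attribute set mapping the path inside the initrd to the file on the host), which removes the manual cpio step and with it the path mistake this thread was about.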
