Grub fails to decrypt boot-partition. Are my configs at fault?

My Problem: Grub is not able to decrypt the boot partition.

My Setup: A laptop with a dual boot with NixOS and Windows.

Since trying to set up NixOS and the boot-partition with encryption, when I start my computer, it always gives this dialogue, despite me typing in the correct passphrase:

Enter passphrase for hd0,gpt7 (091d1307-8765-45ab-8a48-0de7245071ad):
error: Invalid passphrase.
error: disk `cryptouuid/091d1307876545ab8a480de7245071ad` not found.
Entering rescue mode...
grub rescue>

Even trying to cryptomount manually yields the same results:

grub rescue> cryptomount hd0,gpt7
Enter passphrase for hd0,gpt7 (091d1307-8765-45ab-8a48-0de7245071ad):
error: Invalid passphrase.

I checked the most obvious mistakes:

  • The password is correct and works, when I decrypt the partitions on a Live-OS.
  • There’s no keyboard-layout-shenanigans messing up the password. I previously typed it out in the grub-rescue-shell and saw, that the plain text matched my expectations.
  • The UUIDs in hardware-configuration.nix exactly match the lsblk-output below.

On a Live-OS, I am able to decrypt both partitions and mount root to /mnt and the other ones accordingly. This is the output of lsblk -f (nvme0n1p2 - nvme0n1p4 are Windows-related, nvme0n1p6 is used as shared partition between Windows and NixOS):

# lsblk -f
NAME        FSTYPE      FSVER LABEL       UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
loop0       squashfs    4.0                                                          0   100% /nix/.ro-store
└─sda1      vfat        FAT32 NIXOS-PLASM 17EF-1068                              55.6G     4% /iso
├─nvme0n1p1 vfat        FAT32 EFI         16B8-C0AA                              67.9M    29% /mnt/boot/efi
├─nvme0n1p3 ntfs                          0AFAD4F1FAD4D9D1
├─nvme0n1p4 ntfs                          A4DC46D9DC46A600
├─nvme0n1p5 crypto_LUKS 1                 3e117c95-9f0e-4c52-8686-cb940ea1642b
│ └─root    ext4        1.0               f23c4ea1-b4e0-4a27-9441-42cd2b6dd9f3  283.8G     3% /mnt
├─nvme0n1p6 vfat        FAT32             2CF1-CD38
└─nvme0n1p7 crypto_LUKS 2                 091d1307-8765-45ab-8a48-0de7245071ad
  └─boot    ext4        1.0               8fad3051-a6de-4e40-9f42-32d47a507675  827.3M     6% /mnt/boot

In my most recent attempt I roughly followed this guide. I generated only a single key and luksAddKeyed it to both already encrypted partitions (I sudo -ied and nixos-entered):

# dd if=/dev/urandom of=./crypto_keyfile.bin bs=1024 count=4
# cryptsetup luksAddKey /dev/nvme0n1p5 crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p7 crypto_keyfile.bin

And saved the keys on the root-partition:

# mkdir -p /etc/secrets/initrd/
# cp crypto_keyfile.bin /etc/secrets/initrd
# chmod 000 /mnt/etc/secrets/initrd/crypto_keyfile.bin

Then, I let nixos generate the hardware-config:

# nixos-generate-config

The guide put the details on where to find the key into configuration.nix. I think, the encryption details rather belong to my hardware, so I added it to hardware-configuration.nix (Is that a problem?):

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/f23c4ea1-b4e0-4a27-9441-42cd2b6dd9f3";
      fsType = "ext4";

  boot.initrd.secrets = {
      "crypto_keyfile.bin" = "/etc/secrets/initrd/crypto_keyfile.bin";

  boot.initrd.luks.devices."root" = {
      device = "/dev/disk/by-uuid/3e117c95-9f0e-4c52-8686-cb940ea1642b";
      keyFile = "/crypto_keyfile.bin";
      allowDiscards = true;
      preLVM = true;

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/8fad3051-a6de-4e40-9f42-32d47a507675";
      fsType = "ext4";

  boot.initrd.luks.devices."boot" = {
      device = "/dev/disk/by-uuid/091d1307-8765-45ab-8a48-0de7245071ad";
      keyFile = "/crypto_keyfile.bin";
      allowDiscards = true;
      preLVM = true;

  fileSystems."/boot/efi" =
    { device = "/dev/disk/by-uuid/16B8-C0AA";
      fsType = "vfat";

To my configuration.nix I added:

  # Bootloader.
  boot.loader = {
    grub = {
      enable = true;
      efiSupport = true;
      device = "nodev";
      enableCryptodisk = true;
      # version = 2;
    efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = "/boot/efi";

In a new shell (without sudo-priviliges and not nixos-entered) proceeded to

$ sudo nixos-install
$ reboot

Still the above failure to decrypt keeps happening. Can you help me fix this?