Grub fails to decrypt boot partition. Are my configs at fault?

My Problem: Grub is not able to decrypt the boot partition.

My Setup: A laptop with a dual boot with NixOS and Windows.

Since trying to set up NixOS with an encrypted boot partition, my computer always shows this dialogue when I start it, even though I type in the correct passphrase:

Enter passphrase for hd0,gpt7 (091d1307-8765-45ab-8a48-0de7245071ad):
error: Invalid passphrase.
error: disk `cryptouuid/091d1307876545ab8a480de7245071ad` not found.
Entering rescue mode...
grub rescue>

Even trying to cryptomount manually yields the same results:

grub rescue> cryptomount hd0,gpt7
Enter passphrase for hd0,gpt7 (091d1307-8765-45ab-8a48-0de7245071ad):
error: Invalid passphrase.

I checked the most obvious mistakes:

  • The password is correct and works when I decrypt the partitions on a live OS.
  • There are no keyboard-layout shenanigans messing up the password. I previously typed it out in the GRUB rescue shell and saw that the plain text matched my expectations.
  • The UUIDs in hardware-configuration.nix exactly match the lsblk output below.

On a live OS I am able to decrypt both partitions and mount root to /mnt and the others accordingly. This is the output of lsblk -f (nvme0n1p2 to nvme0n1p4 are Windows-related, nvme0n1p6 is used as a shared partition between Windows and NixOS):

# lsblk -f
NAME        FSTYPE      FSVER LABEL       UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
loop0       squashfs    4.0                                                          0   100% /nix/.ro-store
sda
└─sda1      vfat        FAT32 NIXOS-PLASM 17EF-1068                              55.6G     4% /iso
nvme0n1
├─nvme0n1p1 vfat        FAT32 EFI         16B8-C0AA                              67.9M    29% /mnt/boot/efi
├─nvme0n1p2
├─nvme0n1p3 ntfs                          0AFAD4F1FAD4D9D1
├─nvme0n1p4 ntfs                          A4DC46D9DC46A600
├─nvme0n1p5 crypto_LUKS 1                 3e117c95-9f0e-4c52-8686-cb940ea1642b
│ └─root    ext4        1.0               f23c4ea1-b4e0-4a27-9441-42cd2b6dd9f3  283.8G     3% /mnt
├─nvme0n1p6 vfat        FAT32             2CF1-CD38
└─nvme0n1p7 crypto_LUKS 2                 091d1307-8765-45ab-8a48-0de7245071ad
  └─boot    ext4        1.0               8fad3051-a6de-4e40-9f42-32d47a507675  827.3M     6% /mnt/boot

In my most recent attempt I roughly followed this guide. I generated only a single key and luksAddKey'd it to both already-encrypted partitions (I had done sudo -i and nixos-enter):

# dd if=/dev/urandom of=./crypto_keyfile.bin bs=1024 count=4
# cryptsetup luksAddKey /dev/nvme0n1p5 crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p7 crypto_keyfile.bin

And saved the keys on the root-partition:

# mkdir -p /etc/secrets/initrd/
# cp crypto_keyfile.bin /etc/secrets/initrd
# chmod 000 /mnt/etc/secrets/initrd/crypto_keyfile.bin

Then I let NixOS generate the hardware config:

# nixos-generate-config

The guide put the details on where to find the key into configuration.nix. I think the encryption details belong with my hardware, so I added them to hardware-configuration.nix (is that a problem?):

...
{
...
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/f23c4ea1-b4e0-4a27-9441-42cd2b6dd9f3";
      fsType = "ext4";
    };

  boot.initrd.secrets = {
      "crypto_keyfile.bin" = "/etc/secrets/initrd/crypto_keyfile.bin";
  };

  boot.initrd.luks.devices."root" = {
      device = "/dev/disk/by-uuid/3e117c95-9f0e-4c52-8686-cb940ea1642b";
      keyFile = "/crypto_keyfile.bin";
      allowDiscards = true;
      preLVM = true;
  };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/8fad3051-a6de-4e40-9f42-32d47a507675";
      fsType = "ext4";
    };

  boot.initrd.luks.devices."boot" = {
      device = "/dev/disk/by-uuid/091d1307-8765-45ab-8a48-0de7245071ad";
      keyFile = "/crypto_keyfile.bin";
      allowDiscards = true;
      preLVM = true;
  };

  fileSystems."/boot/efi" =
    { device = "/dev/disk/by-uuid/16B8-C0AA";
      fsType = "vfat";
    };
...
}

To my configuration.nix I added:

  # Bootloader.
  boot.loader = {
    grub = {
      enable = true;
      efiSupport = true;
      device = "nodev";
      enableCryptodisk = true;
      # version = 2;
    };
    efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = "/boot/efi";
    };
  };

In a new shell (without sudo privileges and not nixos-entered) I proceeded to

$ sudo nixos-install
$ reboot

Still, the above failure to decrypt keeps happening. Can you help me fix this?
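An added check, not part of the original post, that is worth running before blaming the NixOS config: the lsblk output above shows nvme0n1p7 as crypto_LUKS version 2 while nvme0n1p5 is version 1, and GRUB 2.06's cryptodisk can unlock LUKS2 only through keyslots that use PBKDF2, not the Argon2id key derivation that cryptsetup uses by default for new LUKS2 keyslots (GRUB then reports "Invalid passphrase" even when the passphrase is right). The script below parses the text that `cryptsetup luksDump` prints and lists the keyslots GRUB 2.06 can use. The dump embedded in it is constructed to look like nvme0n1p7 and is not captured from the asker's machine; `grub_ok_slots` and `check_device` are names chosen here, not cryptsetup commands.

```shell
#!/bin/sh
# Added example (not from the original post). Reports which keyslots of a
# LUKS device GRUB 2.06's cryptodisk can open: every LUKS1 slot (LUKS1 is
# PBKDF2-only) and LUKS2 slots whose PBKDF is pbkdf2; argon2i/argon2id
# slots are skipped because GRUB 2.06 cannot derive keys with them.

# CONSTRUCTED sample of `cryptsetup luksDump` output for a LUKS2 device
# resembling nvme0n1p7: slot 0 is the cryptsetup default (argon2id),
# slot 1 has been converted to pbkdf2.
SAMPLE_DUMP='LUKS header information
Version:       	2
Epoch:         	5
Metadata area: 	16384 [bytes]
Keyslots area: 	16744448 [bytes]
UUID:          	091d1307-8765-45ab-8a48-0de7245071ad

Keyslots:
  0: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	PBKDF:      argon2id
	Time cost:  4
	Memory:     1048576
	Threads:    4
  1: luks2
	Key:        512 bits
	Priority:   normal
	Cipher:     aes-xts-plain64
	PBKDF:      pbkdf2
	Hash:       sha256
	Iterations: 1000000
'

# grub_ok_slots DUMP_TEXT
#   Prints "all" for a LUKS1 header, otherwise one line per LUKS2 keyslot
#   that uses pbkdf2. Exit status 0 if GRUB has at least one usable slot,
#   1 if every slot uses an Argon2 variant (the symptom in the question).
grub_ok_slots() {
    printf '%s\n' "$1" | awk '
        /^Version:/                  { version = $2 }
        /^[ \t]*[0-9]+: luks/        { slot = $1; sub(":", "", slot) }  # "0: luks2"
        /^[ \t]*PBKDF:/              { pbkdf[slot] = $2 }
        END {
            ok = 0
            if (version == 1) { print "all"; ok = 1 }
            else for (s = 0; s < 32; s++)            # LUKS2 has at most 32 keyslots
                if ((s in pbkdf) && pbkdf[s] == "pbkdf2") { print s; ok = 1 }
            exit !ok
        }'
}

# check_device /dev/nvme0n1p7   (needs root and cryptsetup; not run here)
check_device() {
    if grub_ok_slots "$(cryptsetup luksDump "$1")"; then
        echo "GRUB 2.06 can open $1 via the slot(s) listed above"
    else
        echo "no PBKDF2 keyslot on $1: GRUB 2.06 will report 'Invalid passphrase'" >&2
        return 1
    fi
}

# Stand-alone demonstration on the constructed dump.
grub_ok_slots "$SAMPLE_DUMP"
```

On the live system, run `check_device /dev/nvme0n1p7` as root. If it lists no slot, `cryptsetup luksConvertKey --pbkdf pbkdf2 /dev/nvme0n1p7` converts one keyslot to PBKDF2 (it asks for that slot's passphrase, or takes `--key-file` for the keyfile slot); GRUB only has to open /boot, so the LUKS1 root partition and the initrd keyfile setup are unaffected by this change.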