How to set up one password unlocking for a FDE system?

Hi, how should I properly configure my full disk encryption system to unlock it with a single password input? Now it asks me to enter my password twice.

I have one drive that I separated like so:

NAME             FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1                                                                                      
├─nvme0n1p1      vfat        FAT32       11CD-4829                             510.6M     0% /boot/efi
└─nvme0n1p2      crypto_LUKS 1           7c6487af-356a-486d-a4d8-e0685d1700bc                
  └─crypted-root btrfs             root  33ecc27d-9185-412c-93ab-e8c983498390  367.2G    23% /swap
                                                                                             /home
                                                                                             /.snapshots
                                                                                             /nix/store
                                                                                             /nix
                                                                                             /

My configuration file:

  boot = {
    loader = {
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot/efi";
      };

      grub = {
        enable = true;
        device = "nodev";
        version = 2;
        efiSupport = true;
        enableCryptodisk = true;
      };
    };

    initrd = {
      luks.devices.root = {
        device = "/dev/disk/by-uuid/7c6487af-356a-486d-a4d8-e0685d1700bc";
        preLVM = true;
        keyFile = "/keyfile.bin";
        allowDiscards = true;
      };

      secrets = {
        "keyfile.bin" = "/etc/secrets/initrd/keyfile.bin";
      };
    };
  };

you need to add the keyfile to the initrd, because unlocking / is done in the initrd:

    initrd.secrets = {
      "/keyfile.bin" = "/path/to/actual/keyfile";
    };

make sure to use double quotes (otherwise the keyfile is copied to the store and made world readable) and that /boot is not readable except by root.

EDIT: I had not paid attention that you were on EFI. Also make sure that the initrd is not copied to the ESP (this depends on where you mount the ESP).

First, let me thank you for your reply!

I already have the same lines in my configuration.nix

initrd.secrets = {
  "/keyfile.bin" = "/etc/secrets/initrd/keyfile.bin";
};

Should I also edit the keyFile to that its value specified in the same path (/etc/secrets…)?

initrd.keyFile = "/keyfile.bin";

Make sure that /boot is not readable except by root.

Yes, I have entered

chmod 700 /boot

Also make sure that the initrd is not copied to the ESP (this depends on where you mount the ESP).

Excuse me, how can I check it?
I use nvme0n1p1 as a boot section and I have mounted it in /boot/efi

Excuse me, how can I check it?
I use nvme0n1p1 as a boot section and I have mounted it in /boot/efi

check the content of /boot with tree: if kernels and initrd are in /boot/efi, then they are unencrypted and the keyfile thus leaks.

There is something fishy: the initrd asks for a password whereas fallbackToPassword is not set to true (and defaults to false).

That is what I get

IMG_20220703_201209

Hosted by Flying Circus.