How to set up one password unlocking for a FDE system?

Guides
1

Hi, how should I properly configure my full disk encryption system to unlock it with a single password input? Now it asks me to enter my password twice.

IMG_20220701_212254
IMG_20220701_2122541280×338 51.5 KB

IMG_20220701_212403
IMG_20220701_2124031280×279 53.8 KB

I have one drive that I separated like so:

NAME             FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1                                                                                      
├─nvme0n1p1      vfat        FAT32       11CD-4829                             510.6M     0% /boot/efi
└─nvme0n1p2      crypto_LUKS 1           7c6487af-356a-486d-a4d8-e0685d1700bc                
  └─crypted-root btrfs             root  33ecc27d-9185-412c-93ab-e8c983498390  367.2G    23% /swap
                                                                                             /home
                                                                                             /.snapshots
                                                                                             /nix/store
                                                                                             /nix
                                                                                             /

My configuration file:

  boot = {
    loader = {
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot/efi";
      };

      grub = {
        enable = true;
        device = "nodev";
        version = 2;
        efiSupport = true;
        enableCryptodisk = true;
      };
    };

    initrd = {
      luks.devices.root = {
        device = "/dev/disk/by-uuid/7c6487af-356a-486d-a4d8-e0685d1700bc";
        preLVM = true;
        keyFile = "/keyfile.bin";
        allowDiscards = true;
      };

      secrets = {
        "keyfile.bin" = "/etc/secrets/initrd/keyfile.bin";
      };
    };
  };
2

you need to add the keyfile to the initrd, because unlocking / is done in the initrd:

    initrd.secrets = {
      "/keyfile.bin" = "/path/to/actual/keyfile";
    };

make sure to use double quotes (otherwise the keyfile is copied to the store and made world readable) and that /boot is not readable except by root.

EDIT: I had not paid attention that you were on EFI. Also make sure that the initrd is not copied to the ESP (this depends on where you mount the ESP).

3

First, let me thank you for your reply!

I already have the same lines in my configuration.nix

initrd.secrets = {
  "/keyfile.bin" = "/etc/secrets/initrd/keyfile.bin";
};

Should I also edit the keyFile to that its value specified in the same path (/etc/secrets…)?

initrd.keyFile = "/keyfile.bin";

Make sure that /boot is not readable except by root.

Yes, I have entered

chmod 700 /boot

Also make sure that the initrd is not copied to the ESP (this depends on where you mount the ESP).

Excuse me, how can I check it?
I use nvme0n1p1 as a boot section and I have mounted it in /boot/efi

4

Excuse me, how can I check it?
I use nvme0n1p1 as a boot section and I have mounted it in /boot/efi

check the content of /boot with tree: if kernels and initrd are in /boot/efi, then they are unencrypted and the keyfile thus leaks.

There is something fishy: the initrd asks for a password whereas fallbackToPassword is not set to true (and defaults to false).

5

That is what I get

IMG_20220703_201209