I tried many solutions, with boot.initrd.systemd.mounts, fileSystems.<name>.encrypted, keyFile, etc. I am using nixos unstable.
I have a FAT32 partition with the key at /dev/disk/by-uuid/2989-2930. The key file in the partition is called lukskey.bin. The luks is called luks-245f537d-f6b9-4e94-9c2f-c5c56a543fa8. The LUKS2 partition is /dev/disk/by-uuid/245f537d-f6b9-4e94-9c2f-c5c56a543fa8. The / partition is BTRFS in the encrypted partition /dev/disk/by-uuid/4f7eb8c6-fd2e-4ca5-b2a2-4d93a984b40f.
If someone can help me try out different configurations, I can post the error messages / describe what happens. Since I tried so many things it would take a long time to post everything I tried and all the results.
Here is the latest thing I tried:
boot.initrd.systemd.mounts = [
  {
    what = "/dev/disk/by-uuid/2989-2930";
    where = "/key";
    type = "vfat";
  }
];
boot.initrd.systemd.enable = true;
boot.initrd.luks.devices."luks-245f537d-f6b9-4e94-9c2f-c5c56a543fa8" = {
  keyFile = "/key/lukskey.bin";
  keyFileTimeout = 5;
};
The /key was mounted, but systemd kept waiting 90s for the root partition to be available. Then after it went into rescue mode and I pressed enter, NixOS booted without me having to enter the password. So it’s kind of working but not working.
Where are your fileSystems."/" and boot.initrd.luks.devices."luks-....".device definitions? Hard to say what’s going wrong without seeing the whole picture.
It is in the hardware configuration:
fileSystems."/" = {
  device = "/dev/disk/by-uuid/4f7eb8c6-fd2e-4ca5-b2a2-4d93a984b40f";
  fsType = "btrfs";
  options = [ "subvol=@" ];
};
boot.initrd.luks.devices."luks-245f537d-f6b9-4e94-9c2f-c5c56a543fa8" = {
  device = "/dev/disk/by-uuid/245f537d-f6b9-4e94-9c2f-c5c56a543fa8";
};
fileSystems."/boot" = {
  device = "/dev/disk/by-uuid/411B-EDE1";
  fsType = "vfat";
  options = [
    "fmask=0077"
    "dmask=0077"
  ];
};
Huh, that’s interesting. I really don’t know why that wouldn’t be working, assuming those two UUIDs are correct.
Having a similar issue but with an ext4 root partition. Wondering if you were able to get a passphrase prompt fallback to show if the usb key isn’t detected?
I still didn’t find any solution to this.
Here’s what I found works:
boot.initrd = {
  systemd.enable = true;
  luks.devices."cryptusb" = {
    keyFile = "/key:/dev/disk/by-uuid/faa67c8c-ceed-4283-b3d9-8d5515c62149";
    crypttabExtraOpts = [ "keyfile-timeout=10" ];
  };
};
And make sure the root file system in hardware-configuration.nix has device = "/dev/mapper/cryptusb"; instead of device = "/dev/disk/by-uuid/..."; or whatever, because the /dev/mapper/ path for your LUKS device will have better timeout behavior.
Obviously adjust the name cryptusb for whatever your LUKS volume is named, and adjust keyfile-timeout=10 for whatever timeout you’d like.
I found, to my surprise, that you have to explicitly add the keyfile-timeout=xyz option to get it to fall back to a password. Without it, it’s treated as a failure when the external device times out.
And note the keyFile = "/key:/dev/disk/by-uuid/faa67c8c-ceed-4283-b3d9-8d5515c62149"; syntax, which tells systemd that the keyfile will be found at the /key path under the file system on the /dev/disk/by-uuid/faa67c8c-ceed-4283-b3d9-8d5515c62149 device.
@ElvishJerricco thanks for the info.
After reading your comment I did some more trial and error and this is what works for me:
fileSystems."/" = {
  device = "/dev/mapper/luks-245f537d-f6b9-4e94-9c2f-c5c56a543fa8";
  fsType = "btrfs";
  options = [ "subvol=@" ];
};
boot.initrd.luks.devices."luks-245f537d-f6b9-4e94-9c2f-c5c56a543fa8" = {
  device = "/dev/disk/by-uuid/245f537d-f6b9-4e94-9c2f-c5c56a543fa8";
  keyFile = "/dev/disk/by-id/usb-SanDisk_Cruzer_Blade_2005224270118ED170CB-0:0";
  keyFileSize = 64;
  crypttabExtraOpts = [ "keyfile-timeout=5" ];
  fallbackToPassword = true;
};
I ended up writing the key directly to the disk. I didn’t try making it in a file system again. Also for some reason it only worked properly if I did not enable initrd.systemd. And for some reason even though I set the keyfile timeout to 5, it says 10 seconds on the screen (which is fine with me though).
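Before relying on either of the two layouts above (key as a file on the FAT32 stick, or 64 raw bytes written to the stick) it is worth checking from a running system that the key actually opens a keyslot and that a passphrase slot still exists for the fallback. The script below is an added example, not from this thread; it assumes cryptsetup is installed and it runs as root, uses the LUKS UUID from the thread, and the key paths and the raw-device name are placeholders to adjust.

```shell
#!/bin/sh
# Pre-reboot check for a LUKS volume unlocked by a key on a USB device,
# with passphrase fallback. Added example; assumes cryptsetup and root.
LUKS_DEV="/dev/disk/by-uuid/245f537d-f6b9-4e94-9c2f-c5c56a543fa8"  # from the thread
KEY_FILE="/key/lukskey.bin"                   # key as a file on the mounted stick
RAW_KEY_DEV="/dev/disk/by-id/usb-PLACEHOLDER-0:0"  # placeholder: raw key on the stick
RAW_KEY_SIZE=64                               # bytes read from the raw device (keyFileSize)

# Count active LUKS2 keyslots in `cryptsetup luksDump` output read from stdin.
# Only the "Keyslots:" section is scanned, so token and digest entries are ignored.
count_keyslots() {
    awk '/^Keyslots:/ { insec = 1; next }
         /^[A-Za-z]/  { insec = 0 }
         insec && /^  [0-9]+: luks2/ { n++ }
         END { print n + 0 }'
}

# Verify that a key unlocks the header without mapping the volume.
# $1 LUKS device, $2 key file or raw device, $3 optional byte count for raw keys.
test_key() {
    if [ -n "${3:-}" ]; then
        cryptsetup open --test-passphrase --key-file "$2" --keyfile-size "$3" "$1"
    else
        cryptsetup open --test-passphrase --key-file "$2" "$1"
    fi
}

preflight() {
    slots=$(cryptsetup luksDump "$LUKS_DEV" | count_keyslots)
    if [ "$slots" -lt 2 ]; then
        echo "only $slots keyslot(s): no separate passphrase slot for fallback" >&2
        return 1
    fi
    if [ -f "$KEY_FILE" ]; then
        test_key "$LUKS_DEV" "$KEY_FILE" && echo "file key unlocks $LUKS_DEV"
    elif [ -b "$RAW_KEY_DEV" ]; then
        test_key "$LUKS_DEV" "$RAW_KEY_DEV" "$RAW_KEY_SIZE" && echo "raw key unlocks $LUKS_DEV"
    else
        echo "no key device present; boot would fall back to the passphrase prompt" >&2
        return 1
    fi
}

# Constructed, abridged luksDump output with two LUKS2 keyslots, for
# exercising count_keyslots without a real device.
SAMPLE_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
    Key:        512 bits
  1: luks2
    Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

case "${1:-}" in check) preflight ;; esac
```

Run it as `sh check-luks-key.sh check` with the stick plugged in, then again with it removed, to confirm that the second case is what the keyfile-timeout fallback will have to cover.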
How did it not work?
Well you disabled systemd initrd, and like I said crypttabExtraOpts only applies to systemd initrd.