Hi there. I struggled some time to configure a similar setup. I was not able to make it work with the `fileSystems.<name>.encrypted.keyFile` way nor the `boot.initrd.luks.devices.<name>.keyFile` way. Maybe because I use `boot.initrd.systemd.enable = true;`. I read in LUKS single-password unlock · Issue #24386 · NixOS/nixpkgs · GitHub that one solution is to use the same password for all `boot.initrd.luks.devices`, and the password can be entered only once and be used for all devices.

> I think this should be enough to solve this issue. Using an extra keyfile, depending on its location, doesn't really change any security properties because both the passphrase and key eventually unlock a master key that's stored
However, I still wanted to use a keyfile, so the solution that I found, and that works for me, is to create a dedicated systemd service:
```nix
# mount /media/data on boot
systemd.services.mountData = {
  enable = true;
  path = with pkgs; [ cryptsetup util-linux ];
  script = ''
    mkdir -p /media/data
    # Only open the LUKS container if it is not already mapped.
    if [[ ! -e /dev/mapper/data ]]; then
      cryptsetup luksOpen --key-file /pathtokeyfile /dev/disk/by-uuid/someuuidhere data
    fi
    # Only mount if /media/data is not already a mount point
    # (mountpoint comes from util-linux, which is on the service's PATH).
    if ! mountpoint -q /media/data; then
      mount /dev/mapper/data /media/data
    fi
  '';
  wantedBy = [ "multi-user.target" ];
};
```
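As an added example that is not part of the post above, here is a stand-alone shell version of the same unlock-and-mount logic, written so the two checks the service script relies on are explicit: the key file is only used if it is a root-owned, group/other-inaccessible regular file, and the mount check does an exact match on the mount-point field of the mounts table instead of grepping `mount` output for a substring. The key file path, device UUID, mapper name and mount point are placeholders taken from the post; `stat -c` assumes GNU coreutils as found on NixOS.

```shell
#!/usr/bin/env bash
# Added example, not the original poster's service script.
# All paths below are placeholders/assumptions.
set -eu

KEYFILE="${KEYFILE:-/pathtokeyfile}"                    # placeholder
DEVICE="${DEVICE:-/dev/disk/by-uuid/someuuidhere}"      # placeholder
MAPPER_NAME="${MAPPER_NAME:-data}"
MOUNTPOINT="${MOUNTPOINT:-/media/data}"

# Return 0 only if FILE is a regular file owned by EXPECTED_UID (root by
# default) with no group/other permission bits set. A key file readable by
# other users makes the LUKS passphrase irrelevant, so refuse to use one.
keyfile_is_private() {
  local f="$1" expected_uid="${2:-0}" mode owner
  [ -f "$f" ] || return 1
  owner=$(stat -c '%u' "$f")          # GNU stat (assumption: Linux/coreutils)
  mode=$(stat -c '%a' "$f")           # e.g. 600 or 400 (4600 with setuid)
  [ "$owner" = "$expected_uid" ] || return 1
  case "$mode" in
    *00) return 0 ;;                   # group and other digits are zero
    *)   return 1 ;;
  esac
}

# Return 0 if TARGET is exactly a mount point in the mounts table
# (field 2 of /proc/mounts). Unlike `mount | grep data`, this does not
# match unrelated lines such as /media/database.
is_mounted() {
  local target="$1" table="${2:-/proc/mounts}"
  awk -v t="$target" '$2 == t { found = 1 } END { exit found ? 0 : 1 }' "$table"
}

# Open the container only if it is not already mapped, then mount only
# if the mount point is not already in use.
unlock_and_mount() {
  if ! keyfile_is_private "$KEYFILE"; then
    echo "refusing to use $KEYFILE: not a root-only regular file" >&2
    return 1
  fi
  mkdir -p "$MOUNTPOINT"
  if [ ! -e "/dev/mapper/$MAPPER_NAME" ]; then
    cryptsetup open --type luks --key-file "$KEYFILE" "$DEVICE" "$MAPPER_NAME"
  fi
  if ! is_mounted "$MOUNTPOINT"; then
    mount "/dev/mapper/$MAPPER_NAME" "$MOUNTPOINT"
  fi
}

# Only perform the real unlock when invoked with --run, so the functions
# can also be sourced and checked without cryptsetup/mount privileges.
if [ "${1:-}" = "--run" ]; then
  unlock_and_mount
fi
```

The same two functions can be dropped into the `script` attribute of the systemd service; `keyfile_is_private` turns a mis-deployed key file into a loud service failure rather than a silently weakened disk encryption, and `is_mounted` avoids the false positive the substring grep produces when another mount path contains the word `data`.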