LUKS encrypted image

Hello. I am interested in creating a NixOS image for aarch64 with LUKS-encrypted rootfs. I see there is a very nice sd-image-aarch64.nix that generates a non-encrypted image ready for dd. I could add cryptsetup luksFormat etc. in the appropriate place before making the filesystem, except that for cryptsetup luksOpen you need to be root, and apparently you can’t run commands with root privileges at build time according to https://github.com/NixOS/nix/issues/1436.

I guess my only option then is to unpack sd-image-aarch64.nix and relevant imports into a script to be run outside of Nix, build the NixOS derivation, and then copy files into the image again outside of Nix. I’m still new to Nix, I just want to ask here before doing this to make sure I’m not ignoring some path that might let me do the whole build with a single .nix and minimal duplication of logic already implemented in sd-image*.nix.

Might also be worth noting I’m building from non-NixOS host.

You can look at make-disk-image.nix and do something similar (preview: it attaches a block device to a VM, provisions it, and then you’re done).

I haven’t seen a version with LUKS but you might not even be the first… :wink:

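The pattern the reply points at, written out as an added example (not code from the thread or from nixpkgs itself): `pkgs.vmTools.runInLinuxVM`, the same helper make-disk-image.nix uses, runs the build step as root inside a throwaway QEMU guest, so `cryptsetup luksFormat`/`open` work at build time without the host needing root. Assumptions: the builder has KVM for the target architecture (runInLinuxVM sets `requiredSystemFeatures = [ "kvm" ]`), `pkgs.linux` provides `dm_crypt` and the AES/XTS ciphers as modules or built-ins, and `payload` stands in for the NixOS closure you would actually copy onto the root filesystem.

```nix
{ pkgs ? import <nixpkgs> { } }:
let
  # The build VM loads only the modules listed here, so dm_mod/dm_crypt must
  # be added for a LUKS mapping to work. (Assumption: the cipher modules are
  # built-in or pulled in as dependencies; extend the list if your kernel differs.)
  vmTools = pkgs.vmTools.override {
    rootModules = [ "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_rng" "ext4"
                    "unix" "9p" "9pnet_virtio" "crc32c_generic" "dm_mod" "dm_crypt" ];
  };
  payload = pkgs.hello; # stand-in for the NixOS system closure you would install
in
vmTools.runInLinuxVM (pkgs.runCommand "luks-rootfs" {
  nativeBuildInputs = with pkgs; [ cryptsetup e2fsprogs util-linux ];
  memSize = 2048; # argon2id key derivation needs RAM inside the guest
  # Host side, before the VM boots: create the backing file. vmTools attaches
  # whatever $diskImage names to the guest as /dev/vda.
  preVM = ''
    diskImage=$TMPDIR/luks-rootfs.img
    truncate -s 512M "$diskImage"
  '';
  # Host side, after the VM exits cleanly: publish the image.
  postVM = ''
    mv "$diskImage" "$out/"
  '';
} ''
  # There is no udev in the build VM; let libdevmapper create /dev/mapper nodes itself.
  export DM_DISABLE_UDEV=1

  # Build-time key only. Anything written here is world-readable in the Nix
  # store and the build log, so this slot must be replaced on first boot, e.g.
  #   cryptsetup luksAddKey <dev> && cryptsetup luksRemoveKey --key-file <old> <dev>
  echo -n "build-time-throwaway-key" > /tmp/key

  cryptsetup luksFormat --batch-mode --type luks2 --key-file /tmp/key /dev/vda
  cryptsetup open --key-file /tmp/key /dev/vda root
  mkfs.ext4 -q -L nixos /dev/mapper/root

  # Populate the decrypted filesystem, then tear the mapping down so the
  # image on /dev/vda holds only the sealed LUKS container.
  mkdir -p /mnt
  mount /dev/mapper/root /mnt
  mkdir -p /mnt/nix/store
  cp -a ${payload} /mnt/nix/store/
  umount /mnt
  cryptsetup close root
'')
```

The result is `$out/luks-rootfs.img`, a raw image whose first bytes are a LUKS2 header; whether a given NixOS closure boots from it still depends on the bootloader and `boot.initrd.luks.devices` configuration, which this snippet does not cover.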