Luks encryption on secondary drive only

I’m struggling to add a secondary encrypted drive to my nixos setup.

Steps I took:

Made a partition on my drive and enabled encryption:

$ cryptsetup luksFormat /dev/disk/by-uuid/e7d67827-f3e8-4035-bc2f-408ede82b65a

Opened the disk and formatted it

$ cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
$ mkfs.ext4 /dev/mapper/crypted
$ lsblk -f
NAME        FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
...
sdb
└─sdb1      crypto_LUKS 2           e7d67827-f3e8-4035-bc2f-408ede82b65a
  └─crypted ext4        1.0         ded7fc5b-0ebc-4226-ae45-cdb46185b16a

Added the following to my configuration.nix

boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader.grub = {
  enable = true;
  enableCryptodisk = true;
  efiSupport = true;
  device = "nodev";
};
fileSystems."/media/crypted" = {
  device = "/dev/disk/by-uuid/ded7fc5b-0ebc-4226-ae45-cdb46185b16a";
  fsType = "ext4";
};
boot.initrd.luks.devices."crypted" = {
  device = "/dev/disk/by-uuid/e7d67827-f3e8-4035-bc2f-408ede82b65a";
  preLVM = true;
};

But when I reboot, it goes straight to login without asking for a password to unlock the drive. It also doesn’t mount it:

$ lsblk -f
NAME        FSTYPE      FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
...
sdb
└─sdb1      crypto_LUKS 2           e7d67827-f3e8-4035-bc2f-408ede82b65a

I’m thinking maybe it’s because I don’t encrypt my boot drive? Or possibly because I use rEFInd to boot to an NVMe drive on an older computer. Any help appreciated.

Your config looks fine to me. The actual functionality of decrypting the drive and mounting it has nothing to do with your boot loader or rEFInd (so you don’t need that enableCryptodisk = true; part). The boot.initrd.luks things all happen way after the boot loader has finished its job when the machine boots.

The only thing that comes to mind for me is that maybe you’re booting an old generation for some reason and not the latest generation that has the new configuration.

I ran nixos-rebuild switch afterwards… that should update the configuration, right?

It should. But how did you set up rEFInd? If you just put it on the ESP and manually pointed it at a particular generation, that wouldn’t be updated. If you pointed it to just chainload the GRUB that NixOS is managing, then I would expect it to be fine.

I assume it’s just chainloading… like I can select from a list of generations after rEFInd upon booting to Nix. Is there a way I can make sure?

Oh, yeah, if it’s giving you a list of generations, that sounds like the NixOS-managed GRUB. You should verify that you’re actually booting the latest generation though. The boot menu should tell you the generation number, and you can use sudo nix-env -p /nix/var/nix/profiles/system --list-generations to see what the real newest one is.

Finally figured it out, rEFInd made an additional boot option for grub that needed to be selected instead of the original systemd boot. Selecting the grub worked as expected. Thank you so much for your help!

Ah, yeah, switching from systemd-boot to GRUB can have this effect even without rEFInd, because we don’t remove the systemd-boot files and it doesn’t get updated with new generations.