LUKS installation instructions


#1

I’m setting up a new laptop with NixOS 18.03, with disk encryption, and I noticed a problem while following the LUKS instructions: https://nixos.org/nixos/manual/index.html#sec-luks-file-systems

When you do a cryptsetup luksFormat /dev/disk/by-uuid/…, the UUID of the device will change as part of this process, and this will cause it to fail.

What I did instead, to make this command work, was to refer to the device by-partlabel. I assigned labels to all my partitions. The partlabel is not changed by the luksFormat command, so it succeeds.

The manual could be updated with this.


#2

Hi,
there is no need to use the UUID to format your device; plain /dev/sd*
names are fine, as long as you choose the right device. UUIDs matter
when you write them down in the final /etc/nixos/configuration.nix.

So if your LUKS dev is, for instance, /dev/sda3 you can do
cryptsetup --verbose --verify-passphrase luksFormat /dev/sda3
and afterwards look up the right UUID with blkid or a simple
ls -l /dev/disk/by-uuid | grep sda3
and with the new UUID you found do luksOpen, write it in
configuration.nix, etc.

If you want for some reason to keep your “original” UUID you can
tell that to cryptsetup by adding --uuid=$OLD_UUID

On the manual: I see no need to manually put
fileSystems."/".device = "/dev/mapper/crypted";

In my configs, LUKS+zfs and LUKS+lvm+nilfs2, I simply have
boot.supportedFilesystems = [ "$MY_ROOT_FS" ];
and
boot.initrd.luks.devices = [
  {
    name = "nixRootDsk";
    device = "/dev/disk/by-uuid/$LUKS_DSK_UUID";
    allowDiscards = true;
    preLVM = true;
  }
];

The hardware-configuration.nix, automatically created by
nixos-generate-config --root /mnt
in the live system after I mount everything in the proper order under /mnt,
does all the needed stuff; I simply add some extra mount options for
discard &c…

– Ingmar
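
Added example, not part of any post in this thread: a shell sketch of the check behind the advice above, showing which identifiers survive luksFormat and refusing to write a by-uuid entry unless the device really carries a LUKS header. The function names and the sample `blkid -o export` records (device, label, UUIDs) are constructed for illustration, and the emitted entry carries only `name` and `device`.

```shell
# Constructed `blkid -o export` records for one partition, before and after
# luksFormat. Device name, label and all UUIDs here are made-up sample values.
BEFORE='DEVNAME=/dev/sda3
UUID=11111111-1111-4111-8111-111111111111
TYPE=ext4
PARTLABEL=cryptroot'
AFTER='DEVNAME=/dev/sda3
UUID=22222222-2222-4222-8222-222222222222
TYPE=crypto_LUKS
PARTLABEL=cryptroot'

# Print the value of KEY for device DEV from blkid export text on stdin.
blkid_field() {  # usage: blkid_field DEV KEY   (hypothetical helper)
    awk -v dev="$1" -v key="$2" 'BEGIN { RS = ""; FS = "\n" }
    {
        hit = 0; val = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "DEVNAME" && v == dev) hit = 1
            if (k == key) val = v
        }
        if (hit && val != "") { print val; exit }
    }'
}

# List the identifiers of DEV that differ between two snapshots.
changed_keys() {  # usage: changed_keys DEV BEFORE_TEXT AFTER_TEXT
    for key in UUID TYPE PARTLABEL; do
        a=$(printf '%s\n' "$2" | blkid_field "$1" "$key")
        b=$(printf '%s\n' "$3" | blkid_field "$1" "$key")
        [ "$a" = "$b" ] || echo "$key"
    done
}

# Emit the initrd entry for DEV; a UUID read before luksFormat is rejected.
luks_entry() {  # usage: luks_entry NAME DEV < snapshot
    snap=$(cat)
    fstype=$(printf '%s\n' "$snap" | blkid_field "$2" TYPE)
    uuid=$(printf '%s\n' "$snap" | blkid_field "$2" UUID)
    if [ "$fstype" != crypto_LUKS ] || [ -z "$uuid" ]; then
        echo "luks_entry: $2 has no LUKS header (TYPE=${fstype:-none})" >&2
        return 1
    fi
    printf 'boot.initrd.luks.devices = [ { name = "%s"; ' "$1"
    printf 'device = "/dev/disk/by-uuid/%s"; } ];\n' "$uuid"
}

changed_keys /dev/sda3 "$BEFORE" "$AFTER"          # identifiers that changed
printf '%s\n' "$AFTER" | luks_entry nixRootDsk /dev/sda3
```

On a real system the snapshot would come from `blkid -o export` run after luksFormat, piped into `luks_entry`.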


#3

Yeah, I noticed that as well. The generate-config command picks it up automatically. This could also be mentioned in the manual.