LUKS on LVM external HDD, after HW scan system won't boot

Hi, I’m completely new to NixOS and after tinkering for the better part of two days I managed to install it. There’s a problem with LUKS though.

After mounting an external HDD that has LUKS on LVM, the “nixos-generate-config” command generates a “hardware-configuration.nix” that renders my PC unbootable after a rebuild.

I’m guessing there’s a problem with LVM on initrd. Anyways, I really don’t need the external drive to be available on stage 1 and I’d like to input the password during systemd launch, which I don’t know if it’s possible. I’d like the system to ask for a passphrase when the drive is present and not fail when it isn’t connected.

Back on Arch Linux I just added additional drives to /etc/crypttab and specified the nofail option on /etc/fstab but NixOS doesn’t have crypttab.

What do I do? What is the best way to do this?

[NixOS 20.09 channel. LUKS on LVM on mdadm root, EFI partition mounted at /etc/boot, using GRUB as bootmanager]

My GRUB config:

  boot.loader.grub = {
    enable = true;
    version = 2;
    device = "nodev";
    efiSupport = true;
    enableCryptodisk = true;
  };
  boot.loader.efi.canTouchEfiVariables = true;

EDIT: It turns out “/etc/crypttab” is also read by systemd at boot on NixOS. This lets me type the passphrase after root has been mounted.

However the generated “hardware-configuration.nix” still makes the system unbootable. I have to modify it or otherwise I can’t rebuild:

  ## Commented out the offending line:
  #  boot.initrd.luks.devices."ilanders-crypt".device = "/dev/disk/by-uuid/[uuidhere]";

Perhaps there is a way to modify “configuration.nix” instead but I haven’t figured out how to do it yet. Any thoughts?

There really ought to be an option in the luks options for opening the volume in stage two with /etc/crypttab. Maybe I’ll give that a go this evening…

It should be done after KMS kicks in, otherwise the password prompt gets corrupted like it does now. I think changing the order of the modules would fix that.

Anyways there’s something weird happening here. It should at least just force me to mount the external drive, but because root is LVM on LUKS and the external drive is LUKS on LVM, the configuration gets confused. I think. I get some LVM errors on boot so that’s my guess.

Wait, your post says the opposite.

Anyway, I believe the default is to do luksOpen before the LVM scan. But if it’s LUKS on LVM, I think you have to manually set boot.initrd.luks.devices."ilanders-crypt".preLVM = true; which should let you keep the default hardware configuration and not bother with /etc/crypttab.

Wait, your post says the opposite.

Fixed!

if LUKS on LVM, set preLVM = true

No, no matter what I set preLVM to [EDIT please see edit below], it won’t boot unless I comment out the section on hardware-configuration.nix.

EDIT: I had to set “preLVM = false” instead. Man that is a confusing name. It means “if set to true, decryption will be attempted before LVM scan”.

Still, this isn’t a good solution because now I can’t boot without the external drive plugged in, so I still depend on crypttab for now.

But it is a solution, I guess. Thanks!
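
A declarative form of the crypttab approach discussed in this thread, as an added example that is not code from any of the posters or from the NixOS project. The mount point `/mnt/external`, the `ext4` filesystem type, the timeout values and the UUID placeholder are assumptions; only the mapping name `ilanders-crypt` comes from the thread. It also assumes the `boot.initrd.luks.devices."ilanders-crypt"` entry is not active in `hardware-configuration.nix`, as in the first post.

```nix
{ config, lib, pkgs, ... }:

{
  # Write /etc/crypttab from configuration.nix so the external volume is
  # unlocked in stage 2 by systemd, after root is mounted, instead of in
  # the initrd.
  #
  #   none    -> no key file; systemd prompts for the passphrase
  #   luks    -> treat the device as a LUKS container
  #   nofail  -> a missing device is not an error, so boot continues when
  #              the drive is unplugged
  #   x-systemd.device-timeout -> how long to wait for the device to appear
  #              before giving up (value here is an assumption)
  environment.etc."crypttab".text = ''
    # <name>        <device>                       <keyfile>  <options>
    ilanders-crypt  UUID=REPLACE-WITH-LUKS-UUID    none       luks,nofail,x-systemd.device-timeout=10s
  '';

  # Mount the unlocked mapping. "nofail" here plays the same role as the
  # nofail option in /etc/fstab mentioned in the first post: the mount is
  # wanted but not required, so an absent drive does not drop the system
  # into emergency mode.
  fileSystems."/mnt/external" = {          # hypothetical mount point
    device = "/dev/mapper/ilanders-crypt";
    fsType = "ext4";                       # assumption; use the real filesystem
    options = [
      "nofail"
      "x-systemd.device-timeout=10s"       # do not block boot for the default timeout
    ];
  };
}
```

After a rebuild, `systemctl status systemd-cryptsetup@ilanders\\x2dcrypt.service` shows whether the unlock unit was generated and whether it ran or was skipped because the drive was absent.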