NixOS grub 2 luks lvm issue

i need help
after updating my bootloader config to make add removable option im having issue booting up. When my os boots into bootloader it straight away shows error saying lvmid/random_uuid not found and goes to grub rescue. Matter of fact here is a picture of the error

I have made such everything is in right place whatever im pretty sure. Im running nixos off external ssd for context and my system is UEFI
lsblk view for my filesystem and uuids

[root@nixos:~]# lsblk -f
NAME          FSTYPE      FSVER            LABEL                    UUID                                   FSAVAIL FSUSE% MOUNTPOINTS
loop0         squashfs    4.0                                                                                    0   100% /nix/.ro-store
├─sda1        vfat        FAT32            BOOTLOADER               BAEB-E6A9                               333.4M    33% /mnt/boot/efi
└─sda2        crypto_LUKS 2                                         abb0bf28-ff6b-441c-aa12-2a678b8ca042                  
  └─cryptroot LVM2_member LVM2 001                                  GpW1at-btt5-hPxj-WoqJ-lSjR-QEM7-oIu6Nl                
    ├─vg-swap swap        1                SWAP                     38a476a4-62fa-496e-8f62-56624447d1fd                  [SWAP]
    └─vg-root f2fs        1.14             ROOT                     745b5250-fc07-472a-ad81-af17316e649d    772.3G    14% /mnt
├─sdb1        exfat       1.0              Ventoy                   9CA0-AE2F                                             
│ └─ventoy    iso9660     Joliet Extension nixos-gnome-22.05-x86_64 1980-01-01-00-00-00-00                       0   100% /iso
└─sdb2        vfat        FAT16            VTOYEFI                  0922-588F                                                                 

Settings for luks and grub in my configuration.nix

  # Use the systemd-boot EFI boot loader.
  #boot.loader.systemd-boot.enable = true;
  boot.initrd.luks.devices = {
      cryptroot = {
        device = "/dev/disk/by-uuid/abb0bf28-ff6b-441c-aa12-2a678b8ca042";
        preLVM = true;
        allowDiscards = true;
  boot.loader = {
    efi = {
      canTouchEfiVariables = false;
      efiSysMountPoint = "/boot/efi";
    grub = {
      enable = true;
      version = 2;
      efiSupport = true;
      efiInstallAsRemovable = true;
      enableCryptodisk = true;
      device = "nodev";

And lastly my hardware configuration.nix filesystems config

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/745b5250-fc07-472a-ad81-af17316e649d";
      fsType = "f2fs";

  fileSystems."/boot/efi" =
    { device = "/dev/disk/by-uuid/BAEB-E6A9";
      fsType = "vfat";

  swapDevices =
    [ { device = "/dev/disk/by-uuid/38a476a4-62fa-496e-8f62-56624447d1fd"; }

helpppppppppppppppppppppppppp me.

Not sure why GRUB is even trying to look for a LVM device.

Try disabling cryptodisk support, you don’t need it. It shouldn’t do what it’s doing despite that but I strongly suspect that’s what’s causing it.

Bro what its Enable support for encrypted partitions. GRUB should automatically unlock the correct encrypted partition and look for filesystems.

You only need grub to understand your encrypted root if you want to keep your kernels, initrds, and grub menu secret. Do you? If you don’t, it’s fine to just let grub not deal with the encryption and have the kernels and initrds copied to the ESP. That would, however, require that you mount the ESP at /boot instead of /boot/efi.

1 Like

Little update so i figured out grub2 has limited encryption support of luks2, it only accepts pkbfs2 encryption and by default luks2 uses argon2

As I said, don’t use GRUB to try to decrypt your root. That should be handled in initrd.

Do you have any updates on this? Have you considered something like this: How to Install NixOS With Full Disk Encryption (FDE) using LUKS2, Detached LUKS Header, and A Separate Boot Partition on an USB/MicroSD Card

It’s perfectly fine to use GRUB for that, it’s just going to be slower than the userspace implementation (cryptsetup).

That and you need to type the password in two times or implement some secure way of passing it through to the kernel which sounds hairy.

There’s no need to implement anything complicated, it’s just a couple of lines:

boot.initrd.secrets."/root.key" = "/path/to/root.key";

boot.initrd.luks.devices.root =
  { device  = "/dev/nvme0n1p2 ";
    keyFile = "/root.key";

GRUB unlocks the device with your passphrase, then the userspace unlocks it with a keyfile stored in the initrd.