Hello,
I am using a keyfile to open a few disks via crypttab, as mentioned here. I want to decrypt the binary keyfile on boot.
I have set up the sops template for /etc/crypttab and encrypted the keyfile. However, I don't know how to decrypt the keyfile in NixOS.
This is my template:
# crypttab.nix
{ config, lib, pkgs, modulesPath, ... }:
{
  sops.secrets.mylinuxkeyfile = {};
  sops.templates.crypttab.content = ''
    mydisk.eli /dev/disk/by-id/ata-WDC_WD80EFZX-68UW8N0 "${config.sops.placeholder.mylinuxkeyfile}"
  '';
  environment.etc = {
    "crypttab" = {
      source = "${config.sops.templates.crypttab.path}";
    };
  };
}
The encrypted file is stored in secrets/mylinuxkeyfile:
# .sops.yaml
keys:
  - &user age10keyredacted
creation_rules:
  - path_regex: /home/user/mylinuxkeyfile
    key_groups:
      - age:
          - *user
$ sops -e /home/user/mylinuxkeyfile >secrets/mylinuxkeyfile
I get an error on build:
/nix/store/kfcmb8b2ysdk10pjy9d5mddvnzv6s2mh-sops-install-secrets-0.0.1/bin/sops-install-secrets: manifest is not valid: secret mylinuxkeyfile in /nix/store/8xmqp9mky11c9q4zspf7vmm1wv6w10cb-secrets.yaml is not valid: the key 'mylinuxkeyfile' cannot be found
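The error message points at the cause: `sops.secrets.mylinuxkeyfile = {}` carries no `sopsFile`, so sops-nix falls back to `sops.defaultSopsFile` (the secrets.yaml in the store path) and looks for a YAML key named `mylinuxkeyfile` inside it, which does not exist because the keyfile was encrypted on its own. The configuration below is an added example, not the poster's code; it sets `sopsFile` and `format = "binary"` for the separately encrypted file and writes the decrypted keyfile's path into /etc/crypttab, since the third crypttab field is a path to a keyfile rather than its contents. It assumes the encrypted file lives at ./secrets/mylinuxkeyfile relative to this module, that the disk is not needed in the initrd (sops-nix decrypts into /run/secrets during system activation, before systemd processes crypttab), and the sops-nix defaults of root ownership and mode 0400 for the secret.

```nix
# crypttab.nix (added example, not the poster's configuration)
{ config, ... }:
{
  sops.secrets.mylinuxkeyfile = {
    # The keyfile was encrypted as its own file, not as a key inside secrets.yaml,
    # so point sops-nix at that file and declare the payload as binary.
    sopsFile = ./secrets/mylinuxkeyfile;   # assumed location relative to this module
    format = "binary";
    # Decrypted to /run/secrets/mylinuxkeyfile, owned by root with mode 0400 (defaults).
  };

  # crypttab's third field is the *path* of the keyfile, not its bytes, and the
  # path itself is not secret, so no sops template is required here.
  environment.etc.crypttab.text = ''
    mydisk.eli /dev/disk/by-id/ata-WDC_WD80EFZX-68UW8N0 ${config.sops.secrets.mylinuxkeyfile.path}
  '';
}
```

After `nixos-rebuild switch`, `ls -l /run/secrets/mylinuxkeyfile` should show a root-owned file with mode 0400 and the original keyfile's size. If the disk has to be unlocked from the initrd, /run/secrets is not available at that stage, so this approach only covers devices mounted after the root filesystem is up.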