Do you think it’s possible to have automatic reboot somehow using kexec for decrypting FDE? It would be a really useful NixOS feature in server environments.
It’s certainly possible, though I’m not sure how you would do it. You would have to somehow acquire the necessary key, add it to a temporary initrd that’s otherwise the same as your normal one, and use kexec
with that initrd instead of your normal one. LUKS makes it possible to extract the real master key from the kernel, but e.g. ZFS doesn’t make this possible for its encryption implementation. You could either ask the user for the necessary keys when they invoke kexec, or store them somewhere safe so they’re always accessible as long as the disk is already decrypted.
So this could be a script which does something like this:

- asks for the key (stdin or file path)
- appends the key to `/nix/var/nix/profiles/system/initrd` and stores the resulting `initrd` in a temporary directory
- loads `initrd` from the temporary directory via kexec
- removes the `initrd` file
- does kexec

The most non-trivial parts seem to be:

- In step №2 `initrd` would need to be decompressed, modified to include the key (by appending a new cpio archive to the end? or does `initrd` need to be extracted first?) and then recompressed again (is it even necessary for kexec?).
- There should also be some script in `boot.initrd.postDeviceCommands` which would read the integrated key and do something with it.
Actually initrd can be a concatenated sequence of compressed cpio images, so no need to decompress and modify the original image; just make a totally separate image with what you need and append it. But yes, you will have to have boot.initrd.luks.devices.<name>.keyFile
set to the name of your key file. I don’t remember if NixOS falls back to a password input if that keyFile doesn’t exist (for the case where you’re booting without this mechanism), but if it doesn’t you’ll have to figure something out for that.
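The two posts above describe the procedure (read the key, append it to the profile's initrd, load with kexec, delete the staged file, execute) and the simplification (append a separate compressed cpio member instead of unpacking the original). The following is an added example written for this page, not code from the thread or from NixOS. It builds the extra cpio member itself in the SVR4 `newc` format the kernel's initramfs unpacker reads, so no `cpio` binary is needed. Everything about the deployment is an assumption: the key lands at `/crypt-key` inside the initrd (so the matching NixOS setting would be `boot.initrd.luks.devices.<name>.keyFile = "/crypt-key"`), the profile layout `/nix/var/nix/profiles/system/{kernel,initrd,init,kernel-params}` is used, the `kexec` binary from kexec-tools is on `PATH`, and the kernel can decompress a gzip member (`CONFIG_RD_GZIP`) even when the main initrd uses another codec. Whether stage-1 falls back to a passphrase prompt when the key file is absent is the open question raised above and is not answered here.

```python
#!/usr/bin/env python3
"""Stage an initrd that carries a LUKS key file and kexec into it.

Added example for the thread above; not code from the posts or from NixOS.
Hypothetical: key path /crypt-key inside the initrd, the NixOS profile
layout under PROFILE, kexec-tools on PATH, gzip initramfs support in the
kernel.  The staged image holds the key in the clear: it is written 0600
on tmpfs and removed as soon as `kexec -l` has copied it into kernel memory.
"""
import gzip
import os
import subprocess
import tempfile
import time

PROFILE = "/nix/var/nix/profiles/system"   # assumed NixOS system profile
KEY_NAME = "crypt-key"                      # hypothetical keyFile name


def _pad4(b: bytes) -> bytes:
    """newc aligns header+name and file data to 4-byte boundaries."""
    return b + b"\0" * (-len(b) % 4)


def newc_entry(name: str, data: bytes, mode: int, ino: int) -> bytes:
    """One newc entry: magic, 13 eight-digit hex fields, NUL-terminated name, data."""
    fields = (ino, mode, 0, 0, 1, int(time.time()), len(data),
              0, 0, 0, 0, len(name) + 1, 0)  # c_ino .. c_namesize, c_check
    header = b"070701" + "".join(f"{v:08x}" for v in fields).encode()
    return _pad4(header + name.encode() + b"\0") + _pad4(data)


def build_key_cpio(key: bytes, name: str = KEY_NAME) -> bytes:
    """Complete uncompressed archive holding only the key (regular file, 0400)."""
    return (newc_entry(name, key, 0o100400, 1)
            + newc_entry("TRAILER!!!", b"", 0, 0))


def parse_newc(archive: bytes) -> dict:
    """Inverse of build_key_cpio: returns {name: data}, used to check the image."""
    entries, off = {}, 0
    while off + 110 <= len(archive):
        if archive[off:off + 6] != b"070701":
            raise ValueError(f"not a newc header at offset {off}")
        f = [int(archive[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = archive[off + 110: off + 110 + namesize - 1].decode()
        data_start = off + 110 + namesize + (-(110 + namesize) % 4)
        if name == "TRAILER!!!":
            break
        entries[name] = archive[data_start: data_start + filesize]
        off = data_start + filesize + (-filesize % 4)
    return entries


def build_staged_initrd(original: bytes, key: bytes) -> bytes:
    """The kernel accepts several compressed cpio members back to back, so the
    original image stays untouched and a gzip member with the key is appended."""
    return original + gzip.compress(build_key_cpio(key), mtime=0)


def extract_appended_entries(staged: bytes, original_len: int) -> dict:
    """Decode only the appended member; the original may use a different codec."""
    return parse_newc(gzip.decompress(staged[original_len:]))


def stage_and_kexec(key: bytes, profile: str = PROFILE, tmp_root: str = "/run") -> None:
    """Write the combined image 0600 on tmpfs, `kexec -l` it, delete the file,
    then `kexec -e` into it.  Requires root."""
    with open(os.path.join(profile, "initrd"), "rb") as fh:
        original = fh.read()
    with open(os.path.join(profile, "kernel-params")) as fh:
        params = fh.read().strip()
    cmdline = f"init={os.path.realpath(os.path.join(profile, 'init'))} {params}"
    staged_dir = tempfile.mkdtemp(dir=tmp_root)
    staged = os.path.join(staged_dir, "initrd-with-key")
    try:
        fd = os.open(staged, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(build_staged_initrd(original, key))
        subprocess.run(["kexec", "-l", os.path.join(profile, "kernel"),
                        f"--initrd={staged}", f"--append={cmdline}"], check=True)
    finally:
        if os.path.exists(staged):
            os.unlink(staged)        # kexec -l already copied it into memory
        os.rmdir(staged_dir)
    subprocess.run(["kexec", "-e"], check=True)


if __name__ == "__main__":
    import sys
    # Key from the file named on the command line, or from stdin if none is given.
    key_bytes = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sys.stdin.buffer.read()
    stage_and_kexec(key_bytes)
```

Run as root with the key on stdin or as a file argument; `parse_newc(build_key_cpio(...))` and `extract_appended_entries(...)` let you confirm offline that the appended member contains exactly the one file you expect before anything is handed to kexec.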