Swap on LUKS that gets re-encrypted using /dev/urandom every boot

Hi folks,

On Debian I was used to LUKS-encrypting my root partition and unlocking it with a password, and I had swap on a separate partition (a real partition, not LVM) that was unlocked with a /dev/urandom key.

In other words, every boot the swap partition's data got lost and the partition was re-encrypted.

It looks like this:

# cat /etc/crypttab
rootcrypt UUID=4d0e286a-53b1-4e11-b971-c7a42c9c700a none luks,discard
swapcrypt PARTUUID=a8e2f38b-7012-4eb0-981f-5c1852944c88 /dev/urandom cipher=aes-xts-plain64,discard,hash=sha512,plain,sector-size=4096,size=512,swap
# cat /etc/fstab
/dev/mapper/rootcrypt   /    btrfs   noatime,subvol=@rootfs 0       0
/dev/mapper/swapcrypt   none swap    sw                     0       0

I set this up before installing from the ISO, but nixos-generate-config picked up only the fact that swap is on LUKS, not that it is re-encrypted/reformatted every boot.

Could you please tell me how to set this up on NixOS?

Thank you.

I think you’re looking for the swapDevices.*.randomEncryption.enable option.


Thank you very much @TLATER, this works.

Strangely, it works even with boot.initrd.systemd.enable = true; without adding a line to the /nix/store/xxxxxx-initrd-crypttab that gets generated when the systemd initrd is enabled.
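The Debian crypttab/fstab from the first post translated into NixOS options, as an added example that is not part of this thread or of the nixpkgs module; the UUID and PARTUUID are the ones quoted above, and the comments state where the mapping is my understanding rather than something the thread confirms.

```nix
{ config, pkgs, ... }:

{
  # rootcrypt UUID=... none luks,discard
  # Unlocked with a passphrase in the initrd, so it does go into the
  # generated initrd crypttab when boot.initrd.systemd.enable is set.
  boot.initrd.luks.devices.rootcrypt = {
    device = "/dev/disk/by-uuid/4d0e286a-53b1-4e11-b971-c7a42c9c700a";
    allowDiscards = true; # crypttab "discard"
  };

  # /dev/mapper/rootcrypt / btrfs noatime,subvol=@rootfs
  fileSystems."/" = {
    device = "/dev/mapper/rootcrypt";
    fsType = "btrfs";
    options = [ "noatime" "subvol=@rootfs" ];
  };

  # swapcrypt PARTUUID=... /dev/urandom cipher=aes-xts-plain64,discard,
  #   hash=sha512,plain,sector-size=4096,size=512,swap
  # Refer to the partition by PARTUUID, as the original crypttab does: the
  # contents (and any filesystem UUID) are thrown away on every boot, so a
  # by-uuid path would not be stable.
  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/a8e2f38b-7012-4eb0-981f-5c1852944c88";
      randomEncryption = {
        enable = true;
        source = "/dev/urandom";       # crypttab key file
        cipher = "aes-xts-plain64";    # crypttab cipher=
        keySize = 512;                 # crypttab size=512 (bits)
        sectorSize = 4096;             # crypttab sector-size=4096
        allowDiscards = true;          # crypttab "discard"
        # hash=sha512 has no option here; my understanding is that
        # cryptsetup does not apply a hash when the key is read from
        # a key file such as /dev/urandom, so nothing is lost.
      };
    }
  ];
}
```

To my understanding this is also why no initrd crypttab line was needed in the last post: the random-key swap is opened by a systemd service after the root filesystem is up, not in the initrd, so only the passphrase-unlocked root device belongs there.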