I want to unlock all my luks devices/partitions by typing the passphrase only once during boot.
When I installed NixOS I used the built-in partition manager to set up the partitions as btrfs encrypted with luks (except /boot). Afterwards I manually set up a data disk as a luks device with a btrfs filesystem.
I’ve adjusted my configuration.nix, but I’m still asked for the passphrase twice during boot, even though I explicitly set `boot.initrd.luks.reusePassphrases` to `true`.
I’ve also tried setting `preLVM = true;`, but that didn’t change anything.
The passphrases are the same for all the encrypted luks devices.
How do I make NixOS reuse the typed passphrase for all LUKS devices during boot?
lsblk (irrelevant devices removed)
NAME UUID MOUNTPOINT
sda e94541c7-7111-46c8-a1f6-3347c6761191
└─data ed7fc4d7-944a-48e5-854a-2eb9d0c54ee0 /mnt/data
nvme1n1
├─nvme1n1p1 1546-8FD5 /boot
├─nvme1n1p2 8be8b25f-42a1-41c4-ab25-d0c40b958efd
│ └─luks-8be8b25f-42a1-41c4-ab25-d0c40b958efd 7bf3cc97-e149-4be7-a161-c623780fec07 /nix/store
└─nvme1n1p3 bfdf62d2-38eb-4e79-bddf-3b0fcbfa2063
└─luks-bfdf62d2-38eb-4e79-bddf-3b0fcbfa2063 24e15ca0-e03f-4c9b-8c38-99a916264600 [SWAP]
journalctl -b 0
stage-1-init: Passphrase for /dev/disk/by-uuid/8be8b25f-42a1-41c4-ab25-d0c40b958efd:
kernel: Key type encrypted registered
stage-1-init: Verifying passphrase for /dev/disk/by-uuid/8be8b25f-42a1-41c4-ab25-d0c40b958efd... - success
stage-1-init: Passphrase for /dev/disk/by-uuid/bfdf62d2-38eb-4e79-bddf-3b0fcbfa2063: reused
stage-1-init: Verifying passphrase for /dev/disk/by-uuid/bfdf62d2-38eb-4e79-bddf-3b0fcbfa2063... - success
stage-1-init: Starting device mapper and LVM...
kernel: BTRFS: device label nixroot devid 1 transid 921 /dev/mapper/luks-8be8b25f-42a1-41c4-ab25-d0c40b958efd scanned by btrfs (700)
stage-1-init: Scanning for Btrfs filesystems
stage-1-init: Registered: /dev/mapper/luks-8be8b25f-42a1-41c4-ab25-d0c40b958efd
stage-1-init: Passphrase for /dev/disk/by-uuid/e94541c7-7111-46c8-a1f6-3347c6761191:
stage-1-init: Verifying passphrase for /dev/disk/by-uuid/e94541c7-7111-46c8-a1f6-3347c6761191... - success
stage-1-init: Mounting /dev/disk/by-uuid/7bf3cc97-e149-4be7-a161-c623780fec07 on /...
kernel: BTRFS info (device dm-0): First mount of filesystem 7bf3cc97-e149-4be7-a161-c623780fec07
kernel: BTRFS info (device dm-0): Using crc32c (crc32c-intel) checksum algorithm
kernel: BTRFS info (device dm-0): Using free space tree
kernel: BTRFS info (device dm-0): Enabling ssd optimizations
unknown: Booting system configuration /nix/store/7yig8lxp471pzvrf5p3g19qxsxj4153p-nixos-system-taurus-23.11.6981.27c13997bf45
/etc/nixos/configuration.nix
# System configuration as posted (excerpt: the closing brace of the
# top-level attribute set is not shown).
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
<home-manager/nixos>
];
# Bootloader
# systemd-boot on the unencrypted ESP (/boot is the one partition not under
# LUKS, per the description above); the stage-1 initrd that prompts for the
# passphrase is loaded from there, so it sits outside the encryption boundary.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# LUKS
## Swap
# No preLVM set here, so the option's default applies. The boot journal shows
# this device unlocked before "Starting device mapper and LVM..." with the
# passphrase marked "reused" from the root device.
boot.initrd.luks.devices."luks-bfdf62d2-38eb-4e79-bddf-3b0fcbfa2063".device = "/dev/disk/by-uuid/bfdf62d2-38eb-4e79-bddf-3b0fcbfa2063";
## Data drive
# Lets a later luksOpen in the initrd reuse the last passphrase that worked
# (the "reused" line in the journal). Trade-off: the cleartext passphrase is
# presumably kept available inside the initrd for the rest of that unlock
# stage instead of being discarded right after the first device opens.
boot.initrd.luks.reusePassphrases = true;
# Merged by the module system with the swap entry above and the root entry in
# hardware-configuration.nix; the mapping name is "data" (/dev/mapper/data,
# the child of sda in lsblk).
boot.initrd.luks.devices = {
data = {
device = "/dev/disk/by-uuid/e94541c7-7111-46c8-a1f6-3347c6761191";
# NOTE(review): with preLVM = false this device is opened in the post-LVM
# stage. The journal shows its prompt comes after "Starting device mapper
# and LVM..." and is NOT marked "reused", while the two devices opened
# before LVM did share the passphrase — on this boot, reuse only spanned
# devices of the same stage. preLVM = true was reported not to help; worth
# confirming the rebuilt configuration was the one actually booted.
preLVM = false;
};
};
# File systems
# The btrfs filesystem inside /dev/mapper/data (its UUID from lsblk, not the
# UUID of the LUKS container on sda).
fileSystems."/mnt/data" = {
device = "/dev/disk/by-uuid/ed7fc4d7-944a-48e5-854a-2eb9d0c54ee0";
fsType = "btrfs";
};
/etc/nixos/hardware-configuration.nix
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];

  boot = {
    initrd = {
      availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
      kernelModules = [ ];
      # Root LUKS container (nvme1n1p2). The boot journal shows it is the
      # first device prompted for in stage 1; the btrfs root lives inside it.
      luks.devices."luks-8be8b25f-42a1-41c4-ab25-d0c40b958efd".device =
        "/dev/disk/by-uuid/8be8b25f-42a1-41c4-ab25-d0c40b958efd";
    };
    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };

  fileSystems = {
    # Decrypted root (UUID of the btrfs filesystem, not of the LUKS container).
    "/" = {
      device = "/dev/disk/by-uuid/7bf3cc97-e149-4be7-a161-c623780fec07";
      fsType = "btrfs";
      options = [ "subvol=@" ];
    };
    # Unencrypted EFI system partition (nvme1n1p1). The kernel and initrd
    # that perform the LUKS prompts are read from here, so it is outside the
    # disk-encryption boundary; the masks keep it from being world-writable.
    "/boot" = {
      device = "/dev/disk/by-uuid/1546-8FD5";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  };

  # Swap inside the decrypted luks-bfdf62d2-... mapping (UUID from lsblk).
  swapDevices = [
    { device = "/dev/disk/by-uuid/24e15ca0-e03f-4c9b-8c38-99a916264600"; }
  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}