What's the difference between `boot.initrd.luks.devices` and `fileSystems.<name>.encrypted`?


I want to add another encrypted SSD to my PC that will just hold user data (i.e. is not required for boot, only at the point I log in).

Of course I added the required fileSystems.<name> stuff but when it comes to the encryption part, I see two options:

  • boot.initrd.luks.devices and
  • fileSystems.<name>.encryption

I went with the filesyStems approach because I don’t need the disk to be available very early and I guess this approach opens the encrypted disk later during boot, which in my imagination might improve boot time (due to parallel running tasks at boot time).

Then I realized, that allowDiscards = true and bypassWorkqueues = true (which increase SSD performance) can not be set using fileSystems.<name>.encryption, so I dove into the nix code of both modules to find out their differences.

It seems to me that fileSystems.<name>.encryption actually just adds the value of it’s blkDev setting as boot.initrd.luks.devices.<name>.device and adds a luks open call to boot.initrd.postMountCommands. (see encrypted-devices.nix#L72-L85)

But why is it then, that I get asked for the disk password, when I set boot.initrd.luks.devices.<name>.device myself?

So what’s really the difference between those two? And If it wasn’t for the allowDiscard and bypassWorkqueses options (which require me to use boot.initrd.luks.devices anyways) which option should one use?

1 Like

I’m in a similar situation, and from what i found in the internet this kind of thing is achievable in other distros by editing /etc/crypttab, but i can’t find an option related on nixos, only stuff to unlock in initrd…