I want to add another encrypted SSD to my PC that will just hold user data (i.e. is not required for boot, only at the point I log in).
Of course I added the required fileSystems.<name> stuff but when it comes to the encryption part, I see two options:
I went with the fileSystems approach because I don’t need the disk to be available very early and I guess this approach opens the encrypted disk later during boot, which in my imagination might improve boot time (due to parallel running tasks at boot time).
Then I realized that allowDiscards = true and bypassWorkqueues = true (which increase SSD performance) cannot be set using fileSystems.<name>.encryption, so I dove into the nix code of both modules to find out their differences.
It seems to me that fileSystems.<name>.encryption actually just adds the value of its blkDev setting as boot.initrd.luks.devices.<name>.device and adds a luks open call to boot.initrd.postMountCommands (see encrypted-devices.nix#L72-L85).
But why is it then, that I get asked for the disk password, when I set
So what’s really the difference between those two? And if it wasn’t for the bypassWorkqueues options (which require me to use boot.initrd.luks.devices anyways), which option should one use?