Hi,
I want to add another encrypted SSD to my PC that will just hold user data (i.e. it is not required for boot, only at the point I log in). Of course I added the required `fileSystems.<name>` stuff, but when it comes to the encryption part, I see two options:

- `boot.initrd.luks.devices`
- `fileSystems.<name>.encryption`

I went with the `fileSystems` approach because I don’t need the disk to be available very early, and I guess this approach opens the encrypted disk later during boot, which in my imagination might improve boot time (due to parallel running tasks at boot time).

Then I realized that `allowDiscards = true` and `bypassWorkqueues = true` (which increase SSD performance) cannot be set using `fileSystems.<name>.encryption`, so I dove into the nix code of both modules to find out their differences.

It seems to me that `fileSystems.<name>.encryption` actually just adds the value of its `blkDev` setting as `boot.initrd.luks.devices.<name>.device` and adds a `luks open` call to `boot.initrd.postMountCommands` (see encrypted-devices.nix#L72-L85).

But why is it then that I get asked for the disk password when I set `boot.initrd.luks.devices.<name>.device` myself?

So what’s really the difference between those two? And if it wasn’t for the `allowDiscards` and `bypassWorkqueues` options (which require me to use `boot.initrd.luks.devices` anyways), which option should one use?
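The two configurations discussed above, written out side by side as an added example (not code from the post or from the NixOS modules themselves). It assumes the current NixOS option names: the initrd module's `boot.initrd.luks.devices.<name>` with `device`, `allowDiscards` and `bypassWorkqueues`, and the per-filesystem option set from encrypted-devices.nix, which is spelled `fileSystems.<name>.encrypted` with `enable`, `blkDev` and `label`. The mount point `/data`, the mapper name `data` and the UUID are placeholders to replace with your own values.

```nix
{ config, lib, pkgs, ... }:

{
  ###########################################################################
  # Variant A: declare the LUKS volume directly for the initrd module.
  # This is the only form that exposes the two SSD tuning flags.
  ###########################################################################
  boot.initrd.luks.devices."data" = {
    # Placeholder: use the UUID of the LUKS container, not the filesystem inside it.
    device = "/dev/disk/by-uuid/REPLACE-WITH-LUKS-CONTAINER-UUID";

    # Passes --allow-discards to cryptsetup so TRIM reaches the SSD.
    # Trade-off: an observer of the raw disk can then tell which sectors are
    # unused, so the encrypted volume no longer looks uniformly random.
    allowDiscards = true;

    # Passes --perf-no_read_workqueue / --perf-no_write_workqueue; purely a
    # throughput/latency setting for fast SSDs, no security impact.
    bypassWorkqueues = true;
  };

  # The filesystem then refers to the opened mapper device.
  fileSystems."/data" = {
    device = "/dev/mapper/data";
    fsType = "ext4";
    options = [ "noatime" ];
  };

  ###########################################################################
  # Variant B: let the fileSystems entry describe the encryption itself.
  # Equivalent LUKS setup, but there is no attribute here for allowDiscards
  # or bypassWorkqueues, which is the limitation the post runs into.
  # (Uncomment one variant only; both define the same mapper name "data".)
  ###########################################################################
  # fileSystems."/data" = {
  #   device = "/dev/mapper/data";
  #   fsType = "ext4";
  #   options = [ "noatime" ];
  #   encrypted = {
  #     enable = true;
  #     label  = "data";   # becomes /dev/mapper/data
  #     blkDev = "/dev/disk/by-uuid/REPLACE-WITH-LUKS-CONTAINER-UUID";
  #   };
  # };
}
```

With either variant the volume is opened by the initrd and a passphrase prompt appears at that stage, so only variant A gives you the discard and workqueue settings; decide on `allowDiscards` deliberately, since the free-space leak it introduces is the one security-relevant difference between the two snippets.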