Full Disk Encryption
Here you go guys, finally a single guide with all the steps.
References:
INFO
This guide does expect that you are in the minimal ISO and have connected to your network via Ethernet or wpa_cli
.
Partitioning
INFO
In the following snippets I will refer to the drive we are encrypting as /dev/sda
but yours might be /dev/nvme0n1
.
If you haven't already, switch to the root user with sudo -i
# Open gdisk on the disk we're installing on
gdisk /dev/sda
# -----------------------
# BEGIN GDISK COMMANDS
# print the partitions on the disk
Command: p
# Delete a partition. Select the partition number when prompted.
# Repeat for all partitions.
Command: d
# Create the EFI boot partition
Command: n
Partition number: 1
First sector: <enter for default>
Last sector: +1G # make a 1 gigabyte partition
Hex code or GUID: ef00 # this is the EFI System type
# Create the LVM partition
Command: n
Partition number: 2
First sector: <enter for default>
Last sector: <enter for default - rest of disk>
Hex code or GUID: 8e00 # Linux LVM type
# Write changes and quit
Command: w
# END GDISK COMMANDS
# ---------------------
If you want more of an explanation on what these commands are doing please look at the Queensland FP Lab - Installing NixOS post as it is really good!
Formatting and Encryption
$LVM_PARTITION
is /dev/nvme0n1p2
or /dev/sda2
, this is the second partition we just created.
# You will be asked to enter your passphrase - DO NOT FORGET THIS
cryptsetup luksFormat $LVM_PARTITION
If you want to decrypt the drive on boot without input you can write a decryption key to a USB or SD Card. As an example if you only ever access this computer via SSH you will want the computer to be able to boot independantly without needing a password input.
Note this method will make the decryption drive unusuable for anything else.
# Create a random key
dd if=/dev/random of=hdd.key bs=4096 count=1
# Append the key to the list of secure keys that can unlock the drive.
cryptsetup luksAddKey $LVM_PARTITION ./hdd.key
# Now write the key to your USB or SD Card, find it from lsblk.
dd if=hdd.key of=/dev/REPLACE-HERE
Continue here.
# SKIP TO HERE IF NOT USING USB UNLOCKING.
# Decrypt the encrypted partition and call it nixos-enc. The decrypted partition
# will get mounted at /dev/mapper/nixos-enc
cryptsetup luksOpen $LVM_PARTITION nixos-enc
# Create the LVM physical volume using nixos-enc
pvcreate /dev/mapper/nixos-enc
# Create a volume group that will contain our root and swap partitions
vgcreate nixos-vg /dev/mapper/nixos-enc
# Create a swap partition that is 16G in size - the amount of RAM on this machine
# Volume is labeled "swap"'
lvcreate -L 16G -n swap nixos-vg
# Create a logical volume for our root filesystem from all remaining free space.
# Volume is labeled "root"
lvcreate -l 100%FREE -n root nixos-vg
# $BOOT_PARTITION is your first partition, so `/dev/nvme0n1p1` or `/dev/sda1`
# Create a FAT32 filesystem on our boot partition
mkfs.vfat -n boot $BOOT_PARTITION
# Create an ext4 filesystem for our root partition
mkfs.ext4 -L nixos /dev/nixos-vg/root
# Tell our swap partition to be a swap
mkswap -L swap /dev/nixos-vg/swap
# Turn the swap on before install
swapon /dev/nixos-vg/swap
Now let's mount the file system.
mount /dev/nixos-vg/root /mnt
mkdir /mnt/boot
# $BOOT_PARTITION is your first partition, so `/dev/nvme0n1p1` or `/dev/sda1`
mount $BOOT_PARTITION /mnt/boot
From here just generate a new configuration and replace the existing boot
options with the following.
boot = {
loader = {
efi.canTouchEfiVariables = true;
grub = {
enable = true;
efiSupport = true;
device = "nodev";
};
};
initrd = {
kernelModules = ["usb_storage"];
luks.devices.cryptroot = {
device = "/dev/second-partition-of-your-drive";
preLVM = true;
# If using a USB or SD Card for decryption include the following.
allowDiscards = true;
keyFileSize = 4096;
# This is the disk id of your USB or SD Card.
# Get this by running `ls -l /dev/disk/by-id`,
# and copy the long string into the spot below.
keyFile = "/dev/disk/by-id/REPLACE-HERE";
# Use this if you want to fallback to the encryption password when the drive can't be found. HIGHLY RECCOMENDED!!!!
fallbackToPassword = true;
};
};
};
Now just setup your configuration and run nixos-install
And that is it! Full Disk Encryption and remote unlocking with a flash drive. Again if your looking for more info or run into and issue check the two links at the top of this guide.