nix-community / disko

Declarative disk partitioning and formatting using nix [maintainers=@Lassulus @Enzime @iFreilicht]
MIT License

`initrd` configuration to unlock existing LUKS device #756

Open solomon-b opened 1 month ago

solomon-b commented 1 month ago

I have an existing NixOS installation with LUKS full disk encryption and the disk partitions managed by Disko. The LUKS crypt was secured with fido2 (and a backup password) and initrd was set to use fido2 via:

  boot.initrd.luks.devices.CRYPT.crypttabExtraOpts = [ "fido2-device=auto" ];

I need to switch the system to boot via the backup password but am having trouble updating initrd. I'm using a NixOS boot disk, manually unlocking the crypt, mounting everything in /mnt, and running nixos-install.

When I boot the machine it goes right to attempting to mount the partitions inside the encrypted LUKS device without decrypting the LUKS device.

I tried setting initrd.luks.devices.CRYPT.device as described here but this conflicts with Disko's generated config.

I noticed that the settings option should allow me to specify the device via the disko config. So I tried setting:

  {
    name = "luks";
    start = "512MiB";
    end = "100%";
    content = {
      type = "luks";
      name = "CRYPT";
      settings = {
        device = "/dev/disk/by-uuid/my-actual-uuid";
      };
      content = {
        type = "zfs";
        pool = "tank";
      };
    };
  };

Unfortunately, this didn't help when I rebooted.

I'm not sure if it matters but I'm still using the deprecated table type for my disko config. I'm hesitant to change that before getting the system to boot.

iFreilicht commented 4 weeks ago

> I tried setting initrd.luks.devices.CRYPT.device as described here but this conflicts with Disko's generated config.

You can remove parts of disko's config temporarily. The other solution would be to use lib.mkForce to ensure your configuration takes precedence over what disko defined.
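The lib.mkForce route from the reply above, written out as an added example (this is not code from the issue or from disko itself): a NixOS module that overrides the `boot.initrd.luks.devices.CRYPT` entry disko generates so the device path and unlock method come from your own configuration. It assumes the container is named CRYPT as in the issue, that `/dev/disk/by-uuid/my-actual-uuid` is a placeholder for the real UUID, and that disko is the only other module setting these options.

```nix
# Added example, not part of the issue or of disko's own modules.
# Overrides the initrd LUKS entry that disko's generated config defines for
# the container named CRYPT. lib.mkForce gives these values the highest
# priority, so they win over whatever disko's module set for the same option.
{ lib, ... }:
{
  boot.initrd.luks.devices.CRYPT = {
    # Placeholder UUID: replace with the real LUKS partition UUID
    # (see /dev/disk/by-uuid/ on the running system).
    device = lib.mkForce "/dev/disk/by-uuid/my-actual-uuid";

    # Clear the fido2 option from the issue so the initrd no longer asks
    # for a token and falls back to prompting for the (backup) passphrase.
    crypttabExtraOpts = lib.mkForce [ ];
  };
}
```

Importing this module alongside the disko config keeps disko's partition layout intact while only the initrd unlock entry is replaced; the alternative the reply mentions is to temporarily drop the matching `settings`/`content` block from the disko config instead.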