Closed lutzgo closed 1 year ago
Hey @lutzgo! Your first approach is almost correct, we probably should improve documentation here.
There's a hook system in disko, so keep your `--disk-encryption-keys /tmp/secret.key /tmp/secret.key` and try the following in your zpool config:
```nix
rpool = {
  # [...]
  rootFsOptions = {
    # key is read from the file during installation ...
    keylocation = "file:///tmp/secret.key";
    keyformat = "passphrase";
    # [...]
  };
  # ... and switched to an interactive prompt once the pool has been created
  postCreateHook = ''
    zfs set keylocation="prompt" $name;
  '';
};
```
(I implemented the hook system for exactly this use case ;))
Hey @phaer, thank you so much for the fast and explicit answer. Actually very obvious. 🤷🏼‍♀️ I am constantly learning. 👨‍🎓
You are welcome :)
One thing to keep in mind is that the secret key file `/tmp/secret.key` should not end in a newline, otherwise the prompt will fail as pressing the enter key there would submit your key, so it would end up comparing "top-secret" to "top-secret\n".
A quick check in code whether that's the case might even be a better solution than documentation here.
Thank you for the advice @phaer. I even got it in my code, so that I always remember it, when I am editing:
disko.nix
```nix
encryption = "aes-256-gcm";
keyformat = "passphrase";
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
keylocation = "file:///tmp/secret.key";
```
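The check that phaer suggests above, together with the "no trailing newline" convention from the disko.nix comment, as an added shell example. This is not code from the thread's authors or from disko or nixos-anywhere; the function names `key_file_ok` and `write_key_file`, and the sample key files created under a temporary directory, are assumptions made for the example.

```shell
#!/usr/bin/env sh
# Added example (not from disko, nixos-anywhere, or the thread's authors):
# verify that a ZFS passphrase key file has no trailing newline before handing
# it to disko / nixos-anywhere. A file written with plain `echo` ends in "\n",
# so a later `keylocation=prompt` unlock would compare "top-secret" against
# "top-secret\n" and fail.

# Returns 0 if the file is non-empty and its last byte is not a newline,
# 1 if it ends with a newline, 2 if it is missing or empty.
key_file_ok() {
  file=$1
  [ -s "$file" ] || return 2
  # tail -c 1 yields the final byte; od renders it as octal so the check does
  # not depend on how the shell handles a bare newline in command substitution.
  last=$(tail -c 1 "$file" | od -An -to1 | tr -d ' \n')
  [ "$last" != "012" ]
}

# Write a key file without a trailing newline. printf '%s' never appends one,
# whereas `echo -n` is not portable across every sh implementation.
write_key_file() {
  file=$1
  key=$2
  umask 077                     # keep the key file readable by the owner only
  printf '%s' "$key" > "$file"
}

# Constructed demonstration: one correct and one broken key file in a temp dir.
demo() {
  dir=$(mktemp -d)
  write_key_file "$dir/good.key" "top-secret"
  echo "top-secret" > "$dir/bad.key"      # plain echo appends "\n"
  for name in good bad; do
    if key_file_ok "$dir/$name.key"; then
      echo "$name.key: ok (no trailing newline)"
    else
      echo "$name.key: WARNING: ends with a newline; keylocation=prompt will not match"
    fi
  done
  rm -rf "$dir"
}

demo
```

Running the script prints `good.key: ok` and a warning for `bad.key`; the same `key_file_ok` call can be dropped into whatever script invokes nixos-anywhere so the install aborts before a bad key file is baked into the pool.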
Dear numtide Team, first of all: I appreciate your great work and learn so much working with your tools.
Here comes the question: As far as I know, root on zfs only works with `keylocation=prompt`. But this did not work with nixos-anywhere. So I went with `keylocation = "file:///tmp/secret.key"` and pass the key to nixos-anywhere with:
After installation/before I reboot I do
On reboot the key is not found and the system therefore refuses to boot.
What am I missing? Is there a way to use nixos-anywhere with root on encrypted zfs?
For reference: here are the relevant nix-files.
configuration.nix
disko.nix
hardware-configuration.nix
zfs.nix
Thanks in advance.