tpwrules / nixos-apple-silicon

Resources to install NixOS bare metal on Apple Silicon Macs
MIT License

Guide for LUKS encryption setup #108

Open cor opened 11 months ago

cor commented 11 months ago

Currently, the install guide says the following:

> We will add a root partition to the remaining free space and format it as ext4. Alternative partition layouts and filesystems, including LUKS encryption, are possible, but not covered by this guide.

I would greatly appreciate it if the install guide could be extended to include instructions for LUKS encryption setup.

I did find this guide on how to do it for Fedora Asahi, but it's not 1:1 translatable.

vilvo commented 11 months ago

> I would greatly appreciate it if the install guide could be extended to include instructions for LUKS encryption setup.

This worked for me https://github.com/vilvo/mxdots#disk-encryption-with-systemd-boot

cor commented 11 months ago

> > I would greatly appreciate it if the install guide could be extended to include instructions for LUKS encryption setup.
>
> This worked for me https://github.com/vilvo/mxdots#disk-encryption-with-systemd-boot

Thanks for sharing! Super excited to try this out tomorrow :)

cor commented 11 months ago

@vilvo I've followed your guide and after typing reboot the prompt to type the Passphrase shows up, but I am completely unable to use the keyboard. I'm also unable to use the keyboard in earlier stages of the boot process. Have you run into this issue? Any idea what's going on here?

[Image: Screenshot 2023-10-16 at 01 15 44]

(Device: 13" M2 Macbook Air with 16GB RAM and 512GB SSD)

EDIT: Plugging in a USB keyboard and typing in my passphrase does work! However, the errors persist and I cannot use my internal keyboard.

n3oney commented 9 months ago

@cor I'd guess something's incorrect with your initrd kernel modules.

vilvo commented 9 months ago

> @cor I'd guess something's incorrect with your initrd kernel modules.

This is probably the case with M2, though I do not know how the keyboard connection differs from M1. @cor - what have you got on these lines in your hardware-configuration.nix?

```nix
boot.initrd.availableKernelModules = [ "usb_storage" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
```

tpwrules commented 9 months ago

I don't have an M2 so it would be hard for me to identify the necessary kernel modules.

If there are additional things to add to boot.initrd.kernelModules to make this work properly, please file a PR.

psanford commented 9 months ago

I have LUKS working with an M2 Air. This is my initrd module config, if it's helpful:

```nix
  boot.initrd.kernelModules = [
    "usb_storage"
    "usbhid"
    "dm-crypt"
    "xts"
    "encrypted_keys"
    "ext4"
    "dm-snapshot"
  ];
```

vilvo commented 9 months ago

> I have LUKS working with an M2 Air. This is my initrd module config, if it's helpful:
>
> ```nix
>   boot.initrd.kernelModules = [
>     "usb_storage"
>     "usbhid"
>     "dm-crypt"
>     "xts"
>     "encrypted_keys"
>     "ext4"
>     "dm-snapshot"
>   ];
> ```

It is, thank you. It’s the usbhid that does the keyboard magic.

shelvacu commented 3 days ago

FWIW, for anyone putting encryption keys on a thumb drive like I did: I have a Mac mini M1 and needed the module uas for the thumb drive to be recognized.
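A pre-reboot check built from the reports in this thread, as an added example that is not part of any comment above or of the project's code: it reads the initrd module lists from a NixOS configuration and names the modules commenters found they needed before the passphrase prompt was usable. It assumes the flat `boot.initrd.<option> = [ ... ];` form shown in the thread; `THREAD_REPORTS`, `initrd_modules` and `missing_modules` are hypothetical names, and the sample input is constructed from the two lines quoted earlier.

```python
import re

# Modules this thread reports as needed in the initrd, and why. These are
# commenters' reports, not an official or complete list (assumption).
THREAD_REPORTS = {
    "usbhid": "keyboard input at the LUKS passphrase prompt (M2 Air report)",
    "uas": "USB thumb drive holding the key is recognized (Mac mini M1 report)",
}

# Matches `boot.initrd.kernelModules = [ ... ];` and the
# `boot.initrd.availableKernelModules` form, including multi-line lists.
_ASSIGN = re.compile(
    r"boot\.initrd\.(availableKernelModules|kernelModules)\s*=\s*\[(.*?)\]\s*;",
    re.DOTALL,
)


def initrd_modules(nix_text):
    """Return {option_name: set(modules)} for the initrd module lists found."""
    text = re.sub(r"#[^\n]*", "", nix_text)  # drop Nix line comments
    found = {"availableKernelModules": set(), "kernelModules": set()}
    for option, body in _ASSIGN.findall(text):
        found[option] |= set(re.findall(r'"([^"]+)"', body))
    return found


def missing_modules(nix_text, wanted=THREAD_REPORTS):
    """Map each wanted module absent from both lists to the reason it matters.

    Names are compared with '-' and '_' treated alike, as the kernel does.
    """
    lists = initrd_modules(nix_text)
    present = {m.replace("-", "_") for mods in lists.values() for m in mods}
    return {m: why for m, why in wanted.items()
            if m.replace("-", "_") not in present}


# Constructed sample: the two lines quoted earlier in the thread.
SAMPLE_BEFORE = '''
boot.initrd.availableKernelModules = [ "usb_storage" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
'''

if __name__ == "__main__":
    for module, why in missing_modules(SAMPLE_BEFORE).items():
        print(f"initrd lacks {module}: {why}")
```

Pass a narrower `wanted` mapping when the key is typed rather than read from a thumb drive, since `uas` was only reported for that case.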