Default planner does not use macOS planner defaults when installing on macOS
Hi,
Thanks, I love your product! It makes it so much easier to get started on Nix!
When using the default planner with
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
on macOS, the planner defaults to encrypting the volume Nix Store, preventing it from simply being managed (i.e. encrypted) by FileVault (and by extension, other admin platforms like Sophos Endpoints). In contrast, the macOS planner with
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install macos
defaults to not encrypt the Nix Store volume (and FileVault, if activated, just encrypts it automatically).
Suggestion: The default planner on macOS should reflect the macOS planner for consistency and a more sensible default.
Agreed! Really hoping to hear official opinion from DS. 👀
When I don't specify a planner, nix-installer outputs:
$ ./nix-installer-aarch64-darwin install
Planner: macos (with default settings)
Whereas explicitly specifying the macos planner, I get the following output:
$ ./nix-installer-aarch64-darwin install macos
Planner: macos
Configured settings:
* root_disk: null
* volume_encrypt: false
From the following code, it looks like encryption is meant to always be on if FileVault is on:
https://github.com/DeterminateSystems/nix-installer/blob/2fbb17ce4261f2e5876834ee6fc054994601a56c/src/planner/macos/mod.rs#L170-L218
However, if I explicitly set the macos planner it overrides that logic, which seems like a bug.
I'm currently running a machine with FileVault and installed by explicitly specifying the macos planner so in Disk Utility the Nix Store volume is listed as Is Encrypted No (Encrypted at Rest) and everything seems to work fine. One thing to note is inside VMs, if you have FileVault enabled and you create an unencrypted APFS volume, it won't be listed as Encrypted at Rest.
I wonder if we should switch the default now to not encrypt the volume if FileVault is going to do encryption at rest. It might be the better default as users won't ever run into the Unlock Nix Store prompt, which we ended up having to work around in nix-darwin, see: https://github.com/nix-darwin/nix-darwin/pull/1052
cc @abathur I skimmed your PR https://github.com/NixOS/nix/pull/4289 and wasn't able to find out the reason we want to encrypt our Nix Store by default if FileVault is enabled (I suspect the way FileVault and encryption at rest works has changed since that PR was merged)
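As an added example (not part of this thread and not code from the nix-installer project), here is a small POSIX shell check for the situation described above: it takes the output of `fdesetup status` and `diskutil info /nix` and reports whether the Nix Store volume carries its own encryption, relies only on FileVault's encryption at rest, or has neither. The status string "FileVault is On." and the `Encrypted:` field name are assumed from those tools' output format; the captures embedded below are constructed samples, not taken from a real machine.

```shell
#!/bin/sh
# Added example: classify how a macOS APFS volume (e.g. the Nix Store) is protected.
# Inputs are plain text as printed by `fdesetup status` and `diskutil info <mount>`;
# the "FileVault is On." string and the "Encrypted:" field are assumed formats.

# Constructed sample outputs (not captured from a real system)
SAMPLE_FDESETUP_ON='FileVault is On.'
SAMPLE_FDESETUP_OFF='FileVault is Off.'

# Constructed sample: a Nix Store volume created with volume_encrypt: false
SAMPLE_DISKUTIL_UNENCRYPTED='   Device Identifier:         disk3s7
   Volume Name:               Nix Store
   Mounted:                   Yes
   Mount Point:               /nix
   File System Personality:   APFS
   Encrypted:                 No
   Locked:                    No'

# Constructed sample: the same volume created with its own encryption
SAMPLE_DISKUTIL_ENCRYPTED='   Device Identifier:         disk3s7
   Volume Name:               Nix Store
   Mounted:                   Yes
   Mount Point:               /nix
   File System Personality:   APFS
   Encrypted:                 Yes
   Locked:                    No'

# filevault_enabled "<fdesetup status output>" -> prints yes or no
filevault_enabled() {
    case "$1" in
        *"FileVault is On"*) echo yes ;;
        *) echo no ;;
    esac
}

# diskutil_field "<diskutil info output>" "<field name>" -> prints the field value
diskutil_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# classify_volume "<fdesetup output>" "<diskutil output>" -> prints one of:
#   volume-encrypted  the volume has its own encryption (what the default planner sets up)
#   at-rest-only      FileVault is on but the volume itself is unencrypted
#                     (the state reported after using the explicit macos planner)
#   unprotected       neither FileVault nor volume encryption is in place
classify_volume() {
    fv=$(filevault_enabled "$1")
    enc=$(diskutil_field "$2" "Encrypted")
    if [ "$enc" = "Yes" ]; then
        echo volume-encrypted
    elif [ "$fv" = "yes" ]; then
        echo at-rest-only
    else
        echo unprotected
    fi
}

# On a real Mac the call would be:
#   classify_volume "$(fdesetup status)" "$(diskutil info /nix)"
classify_volume "$SAMPLE_FDESETUP_ON" "$SAMPLE_DISKUTIL_UNENCRYPTED"
```

The classification reads FileVault state from `fdesetup status` rather than from Disk Utility's "Encrypted at Rest" label, so the VM behaviour mentioned above (an unencrypted volume not being shown as encrypted at rest) does not change the result.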
Catalina was a long bleed, so the story is broken up over hundreds of comments in a handful of issues and PRs.
The shortish answer is that, iirc, there was decent community consensus at the time of the original catalina issue/pr that there are some real risks filevault mitigates and that it is "surprising" to leave the nix store with less protection than the primary volume (i.e., less security than existing nix+fv users were used to).
There were some sharp corners on making that actually happen initially, so until 4289 darwin installs were left with a big long scare flag.
If memory serves, from most to least nutrition-dense, you can review:
- https://github.com/lnl7/nix/issues/1
- https://github.com/NixOS/nix/issues/3212
- https://github.com/NixOS/nix/issues/2925
After thinking about it further, I think by default we should encrypt the Nix Store if FileVault is enabled, not just rely on encryption at rest.
Otherwise someone could just boot your machine and read potentially sensitive data in your Nix Store or manipulate some of the programs which would later get executed without needing to know your password.
I think the bug here that needs to be fixed is that the macos planner when explicitly set should not configure any settings