disko
Unclear how to use disko with LUKS + keyfile on usb stick configuration
Hi,
I have the following configuration:
# disko config
{ lib, ... }:
{
  disko.devices.disk = (lib.genAttrs [ "/dev/sda" ] (disk: {
    type = "disk";
    device = disk;
    content = {
      type = "table";
      format = "gpt";
      partitions = [
        {
          name = "boot";
          start = "0";
          end = "1M";
          part-type = "primary";
          flags = [ "bios_grub" ];
        }
        {
          name = "ESP";
          start = "1M";
          end = "1047MB";
          fs-type = "fat32";
          bootable = true;
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot";
          };
        }
        {
          name = "root";
          start = "1074MB";
          end = "100%";
          part-type = "primary";
          bootable = true;
          content = {
            type = "luks";
            name = "cryptedroot";
            extraOpenArgs = [ "--allow-discards" ];
            keyFile = "/key/hdd.key";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        }
      ];
    };
  }));
}
The /key folder is mounted from a USB stick. In order to have that available at boot, I use:
{ config, lib, ... }:
# this snippet is motivated by https://nixos.wiki/wiki/Full_Disk_Encryption
{
  boot.initrd.kernelModules = [ "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1" ];
  boot.initrd.postDeviceCommands = lib.mkBefore ''
    mkdir -m 0755 -p /key
    sleep 2 # To make sure the usb key has been loaded
    mount -n -t vfat -o ro /dev/sdc1 /key
  '';
}
After installation (using nixos-anywhere) and first boot, I immediately get to a password prompt for the disk, although there is no password. It seems like the snippet is set up for execution too late.
Even if I put an exit 1 into this script, I still arrive at the blocking password prompt.
How do I use this correctly with disko?
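Added illustration, not code from the original issue or from disko: the poster's initrd snippet with the ordering that the cited wiki page depends on, where the LUKS device disko generates (`cryptedroot`) is opened in `postDeviceCommands` rather than in `preLVMCommands`, so the key stick is already mounted when the open runs. `/dev/sdc1`, the module list and the `cryptedroot` name are the poster's values; it is assumed that setting `preLVM` here merges with the `boot.initrd.luks.devices` entry disko emits rather than replacing it.

```nix
{ config, lib, ... }:
{
  boot.initrd.kernelModules = [ "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1" ];

  # Mount the key stick early in stage 1. lib.mkBefore places this at the start
  # of postDeviceCommands, i.e. after device enumeration but before any LUKS
  # device marked preLVM = false is opened.
  boot.initrd.postDeviceCommands = lib.mkBefore ''
    mkdir -m 0755 -p /key
    sleep 2 # give the USB stick time to enumerate (poster's value)
    mount -n -t vfat -o ro /dev/sdc1 /key
  '';

  # disko derives boot.initrd.luks.devices.cryptedroot from the "luks" entry in
  # the disko config. Devices with preLVM = true (the NixOS default) are opened
  # from preLVMCommands, which the stage-1 script runs before
  # postDeviceCommands, so /key/hdd.key is not mounted yet and a passphrase
  # prompt appears. preLVM = false moves the open into postDeviceCommands,
  # after the mount above. Assumption: this attribute merges with disko's
  # generated entry instead of overriding it.
  boot.initrd.luks.devices.cryptedroot.preLVM = false;
}
```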