Logo

dev-resources.site

for different kinds of informations.

NixOS Full Disk Encryption with USB/SD-Card/Password Unlock

Published at
11/1/2024
Categories
linux
nixos
Author
jasper-clarke
Categories
2 categories in total
linux
open
nixos
open
Author
13 person written this
jasper-clarke
open
NixOS Full Disk Encryption with USB/SD-Card/Password Unlock

Not long ago I had some super secure data on my server and I wanted it to survive just about anything from a network attack to a physical theft.
Now the NixOS documentation is a bit lacking on this topic, but I've found a few resources that helped me to get this working.
Here you go guys, finally a single guide with all the steps.

References:

Note

This guide does expect that you are in the minimal ISO and have connected to your network via Ethernet or wpa_cli.
If you want to know how to setup NixOS from the very beginning, check out my NixOS Homelab Install Guide.

Partitioning

Note

In the following snippets I will refer to the drive we are encrypting as /dev/sda but yours might be /dev/nvme0n1.

If you haven't already, switch to the root user with sudo -i

# Open gdisk on the disk we're installing on
gdisk /dev/sda

# -----------------------
# BEGIN GDISK COMMANDS

# print the partitions on the disk
Command: p

# Delete a partition. Select the partition number when prompted.
# Repeat for all partitions.
Command: d

# Create the EFI boot partition
Command: n
Partition number: 1
First sector: <enter for default>
Last sector: +1G       # make a 1 gigabyte partition
Hex code or GUID: ef00 # this is the EFI System type

# Create the LVM partition
Command: n
Partition number: 2
First sector: <enter for default>
Last sector: <enter for default - rest of disk>
Hex code or GUID: 8e00 # Linux LVM type

# Write changes and quit
Command: w

# END GDISK COMMANDS
# ---------------------
Enter fullscreen mode Exit fullscreen mode

If you want more of an explanation on what these commands are doing please look at the Queensland FP Lab - Installing NixOS post as it is really good!

Formatting and Encryption

$LVM_PARTITION is /dev/nvme0n1p2 or /dev/sda2, this is the second partition we just created.

# You will be asked to enter your passphrase - DO NOT FORGET THIS
cryptsetup luksFormat $LVM_PARTITION
Enter fullscreen mode Exit fullscreen mode

If you want to decrypt the drive on boot without input you can write a decryption key to a USB or SD Card.
As an example if you only ever access this computer via SSH you will want the computer to be able to boot independantly without needing a password input.

Note this method will make the decryption drive unusuable for anything else.

# Create a random key
dd if=/dev/random of=hdd.key bs=4096 count=1
# Append the key to the list of secure keys that can unlock the drive.
cryptsetup luksAddKey $LVM_PARTITION ./hdd.key

# Now write the key to your USB or SD Card, find it from lsblk.
dd if=hdd.key of=/dev/REPLACE-HERE
Enter fullscreen mode Exit fullscreen mode

Continue here.

# SKIP TO HERE IF NOT USING USB UNLOCKING.
# Decrypt the encrypted partition and call it nixos-enc. The decrypted partition
# will get mounted at /dev/mapper/nixos-enc
cryptsetup luksOpen $LVM_PARTITION nixos-enc
Enter fullscreen mode Exit fullscreen mode
# Create the LVM physical volume using nixos-enc
pvcreate /dev/mapper/nixos-enc

# Create a volume group that will contain our root and swap partitions
vgcreate nixos-vg /dev/mapper/nixos-enc

# Create a swap partition that is 16G in size - the amount of RAM on this machine
# Volume is labeled "swap"'
lvcreate -L 16G -n swap nixos-vg

# Create a logical volume for our root filesystem from all remaining free space.
# Volume is labeled "root"
lvcreate -l 100%FREE -n root nixos-vg

# $BOOT_PARTITION is your first partition, so `/dev/nvme0n1p1` or `/dev/sda1`

# Create a FAT32 filesystem on our boot partition
mkfs.vfat -n boot $BOOT_PARTITION

# Create an ext4 filesystem for our root partition
mkfs.ext4 -L nixos /dev/nixos-vg/root

# Tell our swap partition to be a swap
mkswap -L swap /dev/nixos-vg/swap

# Turn the swap on before install
swapon /dev/nixos-vg/swap
Enter fullscreen mode Exit fullscreen mode

Now let's mount the file system.

mount /dev/nixos-vg/root /mnt
mkdir /mnt/boot
# $BOOT_PARTITION is your first partition, so `/dev/nvme0n1p1` or `/dev/sda1`
mount $BOOT_PARTITION /mnt/boot
Enter fullscreen mode Exit fullscreen mode

From here just generate a new configuration and replace the existing boot options with the following.

boot = {
  loader = {
    efi.canTouchEfiVariables = true;
    grub = {
      enable = true;
      efiSupport = true;
      device = "nodev";
    };
  };
  initrd = {
    kernelModules = ["usb_storage"];
    luks.devices.cryptroot = {
      device = "/dev/second-partition-of-your-drive";
      preLVM = true;

      # If using a USB or SD Card for decryption include the following.
      allowDiscards = true;
      keyFileSize = 4096;
      # This is the disk id of your USB or SD Card.
      # Get this by running `ls -l /dev/disk/by-id`,
      # and copy the long string into the spot below.
      keyFile = "/dev/disk/by-id/REPLACE-HERE";

      # Use this if you want to fallback to the encryption password
      # when the drive can't be found. HIGHLY RECCOMENDED!!!!
      fallbackToPassword = true;
    };
  };
};
Enter fullscreen mode Exit fullscreen mode

Now just setup your configuration and run nixos-install

And that is it! Full Disk Encryption and remote unlocking with a flash drive.
Again if your looking for more info or run into any issue check the two links at the top of this guide.

This has been Jasper, until next time 👋

nixos Article's
30 articles in total
Favicon
How to Set Up Kanata on NixOS: A Step-by-Step Guide
Favicon
NixOS - A Unique Linux Distribution
Favicon
NixOS Full Disk Encryption with USB/SD-Card/Password Unlock
Favicon
Choosing my distro: Ubuntu, NixOS, Elementary OS or Pop!_OS
Favicon
Nix first steps
Favicon
OpenResty on NixOS for an API Gateway
Favicon
Why Consider NixOS for Your Environment?
Favicon
Managing NixOS on DigitalOcean with Colmena
Favicon
I Changed My Mind - NixOS is NOT the Best Linux
Favicon
Backup GitHub Repositories with gidek
Favicon
Packing Custom Fonts for NixOS
Favicon
Managing NixOS Secrets via SOPS, sops-nix and opsops
Favicon
Running NixOS Guests on QEMU
Favicon
Archiving PostgreSQL Backups on NixOS
Favicon
The Ultimate NixOS Homelab Guide - Flakes, Modules and Fail2Ban w/ Cloudflare
Favicon
The radical concept of NixOS and why I love it!
Favicon
The Ultimate NixOS Homelab Guide - The Install
Favicon
The One Man Stack
Favicon
I use NixOS for my home-server, and you should too!
Favicon
This distro finally fixes Linux
Favicon
Running a Terraria Dedicated Server on NixOS
Favicon
NixOS on Raspberry Pi 4 with Encrypted Filesystem
Favicon
Day 7: Uninstalling NixOS from my Macbook Pro
Favicon
Nixpkgs: A community-maintained package lock file for all of Unix
Favicon
Writing a (Nix-Friendly) Hello World Web App in Haskell with Scotty
Favicon
Kick the Mix-ups to the Curb: Nix the Tricks and Juggle Go Projects like a Pro
Favicon
Day 6: Making rEFInd Look Good
Favicon
Day 5: NixOS & Git - version control for config.nix
Favicon
Day 4: (Re)Installing NixOS on my Macbook Pro
Favicon
Day 3: Fighting with network interfaces

Featured ones: