<section xmlns="http://docbook.org/ns/docbook"
 xmlns:xlink="http://www.w3.org/1999/xlink"
 xmlns:xi="http://www.w3.org/2001/XInclude"
 version="5.0"
 xml:id="sec-luks-file-systems">

<title>LUKS-Encrypted File Systems</title>

<para>NixOS supports file systems that are encrypted using
<emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example,
here is how you create an encrypted Ext4 file system on the device
<filename>/dev/sda2</filename>:

<screen>
$ cryptsetup luksFormat /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ***
Verify passphrase: ***

$ cryptsetup luksOpen /dev/sda2 crypted
Enter passphrase for /dev/sda2: ***

$ mkfs.ext4 /dev/mapper/crypted
</screen>

To ensure that this file system is automatically mounted at boot time
as <filename>/</filename>, add the following to
<filename>configuration.nix</filename>:

<programlisting>
boot.initrd.luks.devices = [ { device = "/dev/sda2"; name = "crypted"; } ];
fileSystems."/".device = "/dev/mapper/crypted";
</programlisting>

</para>
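
<para>If the <literal>name</literal> given in
<literal>boot.initrd.luks.devices</literal> differs from the one used in
<filename>/dev/mapper/...</filename>, the root device never appears at boot.
The following shell lint is an added example, not part of the original manual
or of NixOS; the function names are hypothetical, and it assumes the one-line
syntax shown above and that every <filename>/dev/mapper</filename> name in
<literal>fileSystems</literal> is meant to be a LUKS mapping:

<programlisting>
```shell
#!/bin/sh
# Added example, not NixOS code. Assumes the list-style
# boot.initrd.luks.devices syntax and the one-line fileSystems form shown on
# this page, and that every /dev/mapper/NAME there is a LUKS mapping.

# stdin: configuration.nix text. stdout: declared LUKS mapper names.
luks_names() {
  sed 's/#.*//' |
    awk '/boot\.initrd\.luks\.devices/ { on = 1 }
         on { print; if (index($0, "];")) on = 0 }' |
    grep -o 'name *= *"[^"]*"' | cut -d'"' -f2
}

# stdin: configuration.nix text. stdout: NAME of each /dev/mapper/NAME
# used as a fileSystems device.
mapper_targets() {
  sed 's/#.*//' | grep 'fileSystems' |
    grep -o '"/dev/mapper/[^"]*"' | cut -d'"' -f2 | sed 's|^/dev/mapper/||'
}

# $1: configuration.nix text. Returns 0 if every mapper target has a
# matching luks device name, 1 on a mismatch, 2 if there is nothing to check.
check_luks_config() {
  targets=$(printf '%s\n' "$1" | mapper_targets)
  if [ -z "$targets" ]; then
    echo "no /dev/mapper file system found"
    return 2
  fi
  result=0
  for target in $targets; do
    if printf '%s\n' "$1" | luks_names | grep -qxF -- "$target"; then
      echo "ok: /dev/mapper/$target is opened in the initrd"
    else
      echo "MISMATCH: no luks device is named \"$target\""
      result=1
    fi
  done
  return "$result"
}

# Constructed sample: the name was changed in one of the two lines only.
SAMPLE='boot.initrd.luks.devices = [ { device = "/dev/sda2"; name = "cryptroot"; } ];
fileSystems."/".device = "/dev/mapper/crypted";'
check_luks_config "$SAMPLE" || echo "fix configuration.nix before rebooting"
```
</programlisting>
</para>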

</section>