pyrox.dev
1<section xmlns="http://docbook.org/ns/docbook"
2 xmlns:xlink="http://www.w3.org/1999/xlink"
3 xmlns:xi="http://www.w3.org/2001/XInclude"
4 version="5.0"
5 xml:id="sec-luks-file-systems">
6
7<title>LUKS-Encrypted File Systems</title>
8
9<para>NixOS supports file systems that are encrypted using
10<emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example,
11here is how you create an encrypted Ext4 file system on the device
12<filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:
13
14<screen>
15# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d
16
17WARNING!
18========
19This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.
20
21Are you sure? (Type uppercase yes): YES
22Enter LUKS passphrase: ***
23Verify passphrase: ***
24
25# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
26Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
27
28# mkfs.ext4 /dev/mapper/crypted
29</screen>
30
31To ensure that this file system is automatically mounted at boot time
32as <filename>/</filename>, add the following to
33<filename>configuration.nix</filename>:
34
35<programlisting>
36boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
37fileSystems."/".device = "/dev/mapper/crypted";
38</programlisting>
39
40</para>
41
42</section>