<section xmlns="http://docbook.org/ns/docbook"
 xmlns:xlink="http://www.w3.org/1999/xlink"
 xmlns:xi="http://www.w3.org/2001/XInclude"
 version="5.0"
 xml:id="sec-luks-file-systems">
 <title>LUKS-Encrypted File Systems</title>

 <para>
 NixOS supports file systems that are encrypted using
 <emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example, here is how
 you create an encrypted Ext4 file system on the device
 <filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:
<screen>
# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d

WARNING!
========
This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ***
Verify passphrase: ***

# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***

# mkfs.ext4 /dev/mapper/crypted
</screen>
 To ensure that this file system is automatically mounted at boot time as
 <filename>/</filename>, add the following to
 <filename>configuration.nix</filename>:
<programlisting>
<link linkend="opt-boot.initrd.luks.devices._name__.device">boot.initrd.luks.devices.crypted.device</link> = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
<xref linkend="opt-fileSystems"/>."/".device = "/dev/mapper/crypted";
</programlisting>
 If GRUB is used as the bootloader and <filename>/boot</filename> is located
 on an encrypted partition, the following GRUB option must also be added:
<programlisting><xref linkend="opt-boot.loader.grub.enableCryptodisk"/> = true;</programlisting>
 </para>
</section>