at 23.05-pre
<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-luks-file-systems">
  <title>LUKS-Encrypted File Systems</title>
  <para>
    NixOS supports file systems that are encrypted using
    <emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example,
    here is how you create an encrypted Ext4 file system on the device
    <literal>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</literal>:
  </para>
  <programlisting>
# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d

WARNING!
========
This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ***
Verify passphrase: ***

# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***

# mkfs.ext4 /dev/mapper/crypted
  </programlisting>
  <para>
    Note that <literal>luksFormat</literal> writes a new LUKS header with
    its own UUID, so after formatting the volume is found under the
    <literal>/dev/disk/by-uuid</literal> path that
    <literal>cryptsetup luksUUID</literal> (or <literal>blkid</literal>)
    reports, which is not necessarily the UUID of whatever was on the
    partition before; the example above uses a single UUID throughout.
    The name passed to <literal>luksOpen</literal>
    (<literal>crypted</literal>) is the name of the unlocked device under
    <literal>/dev/mapper</literal> and has to match the attribute name
    used in the configuration below.
  </para>
  <para>
    The LUKS volume should be automatically picked up by
    <literal>nixos-generate-config</literal>, but you might want to
    verify that your <literal>hardware-configuration.nix</literal> looks
    correct. To ensure manually that the volume is unlocked in the initrd
    and mounted as <literal>/</literal> at boot time, add the following to
    <literal>configuration.nix</literal>:
  </para>
  <programlisting language="bash">
boot.initrd.luks.devices.crypted.device = &quot;/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d&quot;;
fileSystems.&quot;/&quot;.device = &quot;/dev/mapper/crypted&quot;;
  </programlisting>
  <para>
    If GRUB is used as the boot loader and <literal>/boot</literal> is
    located on an encrypted partition, GRUB itself has to unlock that
    partition before it can load the kernel and initrd, so the following
    option is also required:
  </para>
  <programlisting language="bash">
boot.loader.grub.enableCryptodisk = true;
  </programlisting>
  <section xml:id="sec-luks-file-systems-fido2">
    <title>FIDO2</title>
    <para>
      NixOS also supports unlocking your LUKS-encrypted file system
      using a FIDO2-compatible token. In the following example, we
      create a new FIDO2 credential and add it as an additional key to
      our existing device <literal>/dev/sda2</literal>:
    </para>
    <programlisting>
# export FIDO2_LABEL=&quot;/dev/sda2 @ $HOSTNAME&quot;
# fido2luks credential &quot;$FIDO2_LABEL&quot;
f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7

# fido2luks -i add-key /dev/sda2 f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
Password:
Password (again):
Old password:
Old password (again):
Added to key to device /dev/sda2, slot: 2
    </programlisting>
    <para>
      The long hexadecimal string printed by
      <literal>fido2luks credential</literal> is the credential ID of the
      new key; keep it, it goes into the configuration below. At the
      <literal>Password</literal> prompt, enter the passphrase that
      <literal>fido2luks</literal> combines with the token's response and
      that the initrd will ask for alongside the token (leave it empty
      only if you intend to use the passwordless setup described below).
      At the <literal>Old password</literal> prompt, enter an existing
      LUKS passphrase; it authorizes adding the new key slot. The
      existing passphrase slot stays in place, so the volume can still be
      opened if the token is lost, and
      <literal>cryptsetup luksDump /dev/sda2</literal> lists the slots
      now in use.
    </para>
    <para>
      To ensure that this file system is decrypted using the FIDO2
      compatible key, add the following to
      <literal>configuration.nix</literal>. The attribute name
      (<literal>crypted</literal>) is the name of the unlocked device
      under <literal>/dev/mapper</literal>, and <literal>device</literal>
      is the encrypted partition the key was added to:
    </para>
    <programlisting language="bash">
boot.initrd.luks.fido2Support = true;
boot.initrd.luks.devices.crypted.device = &quot;/dev/sda2&quot;;
boot.initrd.luks.devices.crypted.fido2.credential = &quot;f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7&quot;;
    </programlisting>
    <para>
      You can also use the passwordless setup, in which the token alone
      unlocks the volume and no passphrase is asked for in the initrd.
      Whoever holds both the token and the machine can then decrypt the
      disk, so for security reasons you might want to enable it only when
      the token itself is PIN protected, such as a
      <link xlink:href="https://trezor.io/">Trezor</link>:
    </para>
    <programlisting language="bash">
boot.initrd.luks.devices.crypted.fido2.passwordLess = true;
    </programlisting>
  </section>
</section>
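The following script is an added example, not part of the NixOS manual or of nixpkgs. It serves both procedures above: after creating the volume and after enrolling the FIDO2 key, it checks the output of `cryptsetup luksDump` for the things a practitioner wants confirmed before rebooting: that the header is LUKS2, that every key slot is protected with Argon2 rather than PBKDF2, that the slot fido2luks reported (`slot: 2` in the manual's example) is actually enabled, and that at least one other slot, the passphrase, remains as a fallback should the token be lost. The layout it parses is the one `cryptsetup` 2.x prints; the two sample dumps embedded in it are constructed (not captured from a real system) and reuse the UUID from the manual's example.

```shell
#!/bin/sh
# Added example, not part of the NixOS manual or nixpkgs.
# Checks the text of `cryptsetup luksDump <device>`: LUKS2 header,
# Argon2 on every key slot, the fido2luks slot enabled, and a second
# (passphrase) slot left as fallback. Assumes the cryptsetup 2.x dump layout.
set -eu

# Print the LUKS header version ("1" or "2").
luks_version() {
    awk -F: '/^Version:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Print the numbers of the enabled key slots, one per line. LUKS2 lists
# them under "Keyslots:" as "  N: luks2"; LUKS1 prints "Key Slot N: ENABLED".
luks_keyslots() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }
        in_slots && /^[ \t]+[0-9]+: luks2/ { sub(/:.*/, "", $1); print $1 }
        /^Key Slot [0-9]+: ENABLED/        { sub(/:/, "", $3); print $3 }
    '
}

# Print the PBKDF of every LUKS2 key slot (argon2id, argon2i or pbkdf2).
luks_keyslot_pbkdfs() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }
        in_slots && /^[ \t]+PBKDF:/ { print $2 }
    '
}

# Check a dump read from stdin; $1 is the slot fido2luks reported (default 2).
# Prints "ok", or a reason and returns 1.
check_luks_dump() {
    fido2_slot=${1:-2}
    dump=$(cat)
    version=$(printf '%s\n' "$dump" | luks_version)
    if [ "$version" != "2" ]; then
        echo "not LUKS2 (version ${version:-unknown}): no Argon2 key derivation"
        return 1
    fi
    slots=$(printf '%s\n' "$dump" | luks_keyslots)
    if ! printf '%s\n' "$slots" | grep -qx "$fido2_slot"; then
        echo "key slot $fido2_slot is not enabled: the FIDO2 key was not added"
        return 1
    fi
    if [ "$(printf '%s\n' "$slots" | grep -c .)" -lt 2 ]; then
        echo "only one key slot enabled: keep a passphrase slot in case the token is lost"
        return 1
    fi
    weak=$(printf '%s\n' "$dump" | luks_keyslot_pbkdfs | grep -v '^argon2' | sort -u || true)
    if [ -n "$weak" ]; then
        echo "key slot(s) use $(printf '%s' "$weak" | tr '\n' ' ') rather than Argon2"
        return 1
    fi
    echo ok
}

# On a real system (as root): check_luks_device /dev/sda2 2
check_luks_device() {
    cryptsetup luksDump "$1" | check_luks_dump "${2:-2}"
}

# Constructed sample (not captured): the volume above after fido2luks
# added slot 2 next to the passphrase in slot 0.
SAMPLE_LUKS2='LUKS header information
Version:        2
Epoch:          5
UUID:           3f6b0024-3a44-4fde-a43a-767b872abe5d

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Memory:     1048576
  2: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Memory:     1048576
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256'

# Constructed sample (not captured): a LUKS1 header with only the passphrase slot.
SAMPLE_LUKS1='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
UUID:           3f6b0024-3a44-4fde-a43a-767b872abe5d

Key Slot 0: ENABLED
        Iterations:             1977160
Key Slot 1: DISABLED'

printf '%s\n' "$SAMPLE_LUKS2" | check_luks_dump 2            # prints: ok
printf '%s\n' "$SAMPLE_LUKS1" | check_luks_dump 2 || true    # prints: not LUKS2 ...
```

Run `check_luks_device /dev/sda2 2` as root on the installed system; the functions take the dump on stdin, so a saved `luksDump` can be checked offline as well. The LUKS1 branch matters because a header created with an old `cryptsetup` default, or with `--type luks1`, derives keys with PBKDF2 and has no token support.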