nixos/doc/manual/configuration/luks-file-systems.section.md at 25.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / doc / manual / configuration / luks-file-systems.section.md
at 25.11-pre 4.1 kB view raw view rendered
  1# LUKS-Encrypted File Systems {#sec-luks-file-systems}
  2
  3NixOS supports file systems that are encrypted using *LUKS* (Linux
  4Unified Key Setup). For example, here is how you create an encrypted
  5Ext4 file system on the device
  6`/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d`:
  7
  8```ShellSession
  9# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d
 10
 11WARNING!
 12========
 13This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.
 14
 15Are you sure? (Type uppercase yes): YES
 16Enter LUKS passphrase: ***
 17Verify passphrase: ***
 18
 19# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
 20Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
 21
 22# mkfs.ext4 /dev/mapper/crypted
 23```
 24
 25The LUKS volume should be automatically picked up by
 26`nixos-generate-config`, but you might want to verify that your
 27`hardware-configuration.nix` looks correct. To manually ensure that the
 28system is automatically mounted at boot time as `/`, add the following
 29to `configuration.nix`:
 30
 31```nix
 32{
 33  boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
 34  fileSystems."/".device = "/dev/mapper/crypted";
 35}
 36```
 37
 38Should grub be used as bootloader, and `/boot` is located on an
 39encrypted partition, it is necessary to add the following grub option:
 40
 41```nix
 42{
 43  boot.loader.grub.enableCryptodisk = true;
 44}
 45```
 46
 47## FIDO2 {#sec-luks-file-systems-fido2}
 48
 49NixOS also supports unlocking your LUKS-Encrypted file system using a FIDO2
 50compatible token.
 51
 52### Without systemd in initrd {#sec-luks-file-systems-fido2-legacy}
 53
 54In the following example, we will create a new
 55FIDO2 credential and add it as a new key to our existing device
 56`/dev/sda2`:
 57
 58```ShellSession
 59# export FIDO2_LABEL="/dev/sda2 @ $HOSTNAME"
 60# fido2luks credential "$FIDO2_LABEL"
 61f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
 62
 63# fido2luks -i add-key /dev/sda2 f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
 64Password:
 65Password (again):
 66Old password:
 67Old password (again):
 68Added to key to device /dev/sda2, slot: 2
 69```
 70
 71To ensure that this file system is decrypted using the FIDO2 compatible
 72key, add the following to `configuration.nix`:
 73
 74```nix
 75{
 76  boot.initrd.luks.fido2Support = true;
 77  boot.initrd.luks.devices."/dev/sda2".fido2.credential = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";
 78}
 79```
 80
 81You can also use the FIDO2 passwordless setup, but for security reasons,
 82you might want to enable it only when your device is PIN protected, such
 83as [Trezor](https://trezor.io/).
 84
 85```nix
 86{
 87  boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess = true;
 88}
 89```
 90
 91### systemd Stage 1 {#sec-luks-file-systems-fido2-systemd}
 92
 93If systemd stage 1 is enabled, it handles unlocking of LUKS-encrypted volumes
 94during boot. The following example enables systemd stage1 and adds support for
 95unlocking the existing LUKS2 volume `root` using any enrolled FIDO2 compatible
 96tokens.
 97
 98```nix
 99{
100  boot.initrd = {
101    luks.devices.root = {
102      crypttabExtraOpts = [ "fido2-device=auto" ];
103      device = "/dev/sda2";
104    };
105    systemd.enable = true;
106  };
107}
108```
109
110All tokens that should be used for unlocking the LUKS2-encrypted volume must
111first be enrolled using [systemd-cryptenroll](https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html).
112In the following example, a new key slot for the first discovered token is
113added to the LUKS volume.
114
115```ShellSession
116# systemd-cryptenroll --fido2-device=auto /dev/sda2
117```
118
119Existing key slots are left intact, unless `--wipe-slot=` is specified. It is
120recommended to add a recovery key that should be stored in a secure physical
121location and can be entered wherever a password would be entered.
122
123```ShellSession
124# systemd-cryptenroll --recovery-key /dev/sda2
125```