| $ cryptsetup luksDump /dev/nvme0n1p1 | |
| (only one slot used) | |
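| $ dd if=/dev/urandom of=./keyfile.bin bs=1024 count=4 | |
| (keyfile.bin unlocks the disk on its own; dd creates it with the current umask, so restrict it to its owner, e.g. chmod 600 ./keyfile.bin) | |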
| $ cryptsetup luksAddKey /dev/nvme0n1p1 ./keyfile.bin | |
| (two slots used, 0 for passphrase, 1 for keyfile) | |
| $ cryptsetup luksDump /dev/nvme0n1p1 | |
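| $ sudo su - | |
| (su - opens a login shell in root's home directory; change back to the directory that holds keyfile.bin before running the next command) | |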
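| # echo ./keyfile.bin | cpio -o -H newc -R +0:+0 --reproducible | gzip -9 > /boot/initrd.keys.gz | |
| (the relative name ./keyfile.bin is what places the key at /keyfile.bin inside the initrd, matching keyFile below; the archive holds the raw key, so make it readable by root only and keep /boot on the encrypted volume) | |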
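| ## Edit configuration.nix | |
| (newer NixOS releases replace boot.loader.grub.extraInitrd with boot.initrd.secrets; check which one your release supports) | |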
| boot.loader.grub = { | |
| ... | |
| extraInitrd = "/boot/initrd.keys.gz"; | |
| ... | |
| }; | |
| boot.loader.grub = { | |
| enable = true; | |
| version = 2; | |
| enableCryptodisk = true; | |
| extraInitrd = "/boot/initrd.keys.gz"; | |
| device = "/dev/nvme0n1"; | |
| }; | |
| boot.initrd.luks = { | |
| devices = [ { | |
| name = "root"; | |
| preLVM = true; | |
| keyFile = "/keyfile.bin"; | |
| device = "/dev/nvme0n1p1"; | |
| } ]; | |
| }; |