[Nix-dev] Encrypted boot, encrypted root on zfs setup. Problem with root unlocking.

James Cook james.cook at utoronto.ca
Sat Aug 29 19:39:27 CEST 2015


I have a working configuration with a Luks-encrypted root filesystem
on two devices (btrfs). I do not use postBootCommands (except to set
up encrypted swap). I set

  boot.initrd.luks.devices = [ { device = "/dev/..."; name = (pick any name); }
                               { device = ...; name = ...; } ];
  boot.initrd.supportedFilesystems = [ "btrfs" ];

I don't know if there's anything similar if you're not using Luks. Let
me know if this helps.

James


On 29 August 2015 at 10:23, Bryan Gardiner <bog at khumba.net> wrote:
> On Sat, 29 Aug 2015 16:59:00 +0100
> Tomasz Czyż <tomasz.czyz at gmail.com> wrote:
>
>> Hi,
>>
>> Yesterday I've set up nix for the first time. Awesome project!
>>
>> I was struggling with ubuntu/debian to set up an encrypted boot
>> partition, but here it worked on the first boot! Nice stuff!
>>
>> But I have a problem with mounting the root partition at this stage.
>>
>> My setup
>>
>> --------------------------------------------
>> |   BOOT       |            ROOT           |
>> --------------------------------------------
>> |   ext4       |            zfs            |
>> --------------------------------------------
>> | enc_boot     | enc_root1, enc_root2, ... |
>> --------------------------------------------
>> |   md_boot    |  sda3, sdb3, sdc3, sdd3   |
>> --------------------------------------------
>> | sda2, sdb2...|
>> ----------------
>>
>> So, boot is on encrypted partition on top of RAID1 (mdadm). There is
>> a file root.key to unlock 4 root partitions.
>>
>> Root is a ZFS system, on top of 4 encrypted volumes, encrypted with
>> root.key (which is on the boot partition).
>>
>> Working part:
>> During the boot, I'm asked about the password to boot partition, and
>> boot partition is unlocked.
>>
>> Not working part:
>> After unlocking boot and loading the initrd there is a problem: the zfs
>> defined in config (with UUID) cannot be found or mounted, because the 4
>> root partitions are not unlocked.
>>
>> In configuration.nix I've added a bootloader directive
>>
>> boot.initrd.postMountCommands = "cryptsetup luksOpen --key-file
>> /mnt-root/boot/root.key /dev/sda3 root1; cryptsetup luksOpen
>> --key-file /mnt/root/boot/root.key /dev/sdb3 root2.......";
>>
>> but this part is not working. I cannot access root.key; probably the boot
>> partition is not mounted there. I don't know how to activate a shell
>> there to investigate stuff.
>
> Guessing here, but try calling
>
>     /nix/store/*-extra-utils/bin/busybox sh
>
> from postMountCommands?  You could also try finding the path to
> busybox within your initrd and filling in the full path:
>
> $ nix-store -qR /run/current-system | grep 'initrd$'
> /nix/store/ig0y1a7d5153rb61m4hyfgzflqkx6kbj-initrd
>
> $ gunzip -ck /nix/store/ig0y1a7d5153rb61m4hyfgzflqkx6kbj-initrd/initrd | cpio -it | grep 'extra-utils/bin/busybox$'
> nix/store/hyjs4vanbas2z1lh6gawyrb3ngznw2v6-extra-utils/bin/busybox
> 39975 blocks
>
> Hope that helps,
> Bryan
>
>> Do you know by any chance how I can automatically unlock other
>> partitions from boot partitions and mount zfs after that?
>>
>> Cheers,
>> Tomasz Czyż
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
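James's boot.initrd.luks.devices approach applied to Tomasz's four ZFS members, as an added example that is not from the thread. It uses the 2015 list form of the option that James quotes; the UUIDs, mapper names and pool name are placeholders, and it assumes the key file is either inside the initrd image or absent, since cryptsetup runs in the initrd before any filesystem (including /boot) is mounted, which is why a postMountCommands path under /boot is not reachable.

```nix
# Added example, not from the thread. Replace the UUID placeholders with the
# real /dev/disk/by-uuid entries of sda3..sdd3 (stable across reboots,
# unlike /dev/sdX letters, which can move between boots).
{ config, pkgs, ... }:

let
  # keyFile is read by cryptsetup inside the initrd, before any filesystem
  # is mounted, so it must be a path that exists in the initrd itself.
  # null falls back to a passphrase prompt for each device.
  rootKey = null;
  member = i: uuid: {
    name = "root${toString i}";                 # becomes /dev/mapper/root<i>
    device = "/dev/disk/by-uuid/${uuid}";
    keyFile = rootKey;
  };
in
{
  boot.initrd.luks.devices = [
    (member 1 "UUID-OF-SDA3")
    (member 2 "UUID-OF-SDB3")
    (member 3 "UUID-OF-SDC3")
    (member 4 "UUID-OF-SDD3")
  ];

  # Put the zfs kernel module and tools in the initrd so the pool can be
  # imported once the four mappers exist; no postMountCommands needed.
  boot.initrd.supportedFilesystems = [ "zfs" ];
  boot.supportedFilesystems = [ "zfs" ];
  networking.hostId = "8425e349";   # required by the NixOS zfs module (any 8 hex digits)

  fileSystems."/" = {
    device = "rpool/root";          # placeholder pool/dataset
    fsType = "zfs";
  };
}
```

With rootKey = null each member prompts for its passphrase in turn; unlocking from a key stored on /boot, as Tomasz wants, would need that key to be present in the initrd rather than on a partition that is only mounted after the initrd has finished.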

