[Nix-dev] How to add file to initrd?

Tomasz Czyż tomasz.czyz at gmail.com
Thu Sep 10 22:20:01 CEST 2015


2015-09-10 9:19 GMT+01:00 Tomasz Czyż <tomasz.czyz at gmail.com>:

>
>
> 2015-09-09 7:03 GMT+01:00 Bryan Gardiner <bog at khumba.net>:
>
>> On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
>> > Hi,
>> >
>> > Continuation of this thread:
>> >
>> http://thread.gmane.org/gmane.linux.distributions.nixos/17879/focus=17880
>> >
>> > I already successfully set up crypted partitions for mdadm and for zfs.
>> The
>> > system is mounting them properly with standard nixos configuration using
>> > ``boot.initrd.luks`` configs.
>> >
>> > But for each mount I have to pass password/key. I thought I can put keys
>> > for all partitions to initrd as initrd is on encrypted boot partition
>> > (boot). The process would be like:
>> > * enter password for grub
>> > * grub loads initrd
>> > * initrd unlocks all other partitions
>> >
>> > Currently it works for me in very strange way.
>> > I am using preLVMCommands option with "echo 'mykey' > /key".
>> > I don't like it because I cannot keep my configuration on git somewhere
>> > cause it expose my passwords.
>>
>> How about doing something like:
>>
>>     preLVMCommands =
>>       let key = builtins.readFile ./keyfile; in
>>       "echo '${key}' >/key"
>>
>> then putting keyfile in gitignore?
>>
> Thanks Bryan,
>
> looks like a good trick :-) I'm new to nix, I didn't even think about that
> stuff, cheers!
>
> Tom
>
To sum up. This method works pretty well as long as you do "echo -n" so it
won't add a new line at the end of your key. But the method is not the best,
as if there is any problem inside the script, the content of the file is
printed on the screen (during the boot process). Not a problem for me as I'm
using boot partition encryption, but it's kind of a concern. Anyway, thanks
for sharing this tip!


>
>> - Bryan
>>
>> > Is there any way to add key files to initrd? (I found some "extra"
>> options
>> > for boot partition but not for initrd, maybe there are some hooks I'm
>> not
>> > aware of)
>>
>> _______________________________________________
>> nix-dev mailing list
>> nix-dev at lists.science.uu.nl
>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>
>>
>
>
> --
> Tomasz Czyż
>



-- 
Tomasz Czyż
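An added example, written for this thread rather than taken from it: the readFile trick from above with the trailing newline and shell quoting handled, next to the option NixOS later grew for exactly this job (boot.initrd.secrets). The volume name "cryptroot", the key file paths and the by-partlabel device are assumptions, and boot.initrd.luks.devices is written in its current attribute-set form rather than the list form used in 2015.

```nix
# Added example, not code from this thread. Illustrative names throughout:
# the LUKS volume is called "cryptroot", the passphrase lives in
# ./secrets/root.key beside configuration.nix (and in .gitignore), and the
# same file is also present on the target host as /root/secrets/root.key.
{ config, lib, ... }:

let
  # Switch between the two approaches below.
  useInitrdSecrets = true;
in
{
  boot.initrd.luks.devices.cryptroot = {
    device = "/dev/disk/by-partlabel/cryptroot";   # illustrative
    keyFile = "/key";            # path inside the initrd
    fallbackToPassword = true;   # still prompt if /key is missing or wrong
  };

  # Variant 1: Bryan's trick, with the two problems Tomasz ran into fixed.
  #   - printf '%s' writes no trailing newline (the "echo -n" point).
  #   - lib.escapeShellArg quotes the key for the initrd shell, so a key
  #     containing ' or $ does not break the script.
  #   - mkBefore orders this ahead of the cryptsetup calls that NixOS itself
  #     appends to preLVMCommands, so /key exists when they run.
  # Limits: builtins.readFile cannot read a binary key containing NUL
  # bytes, so this only works for text passphrases, and the key becomes
  # part of the stage-1 init script, i.e. a world-readable path in
  # /nix/store (and in any binary cache the system is pushed to). The
  # encrypted /boot partition does not protect it there.
  boot.initrd.preLVMCommands = lib.mkIf (!useInitrdSecrets) (lib.mkBefore ''
    printf '%s' ${lib.escapeShellArg (builtins.readFile ./secrets/root.key)} > /key
    chmod 0400 /key
  '');

  # Variant 2: boot.initrd.secrets, an option NixOS added after this 2015
  # thread. The file is appended to the initrd when the bootloader is
  # installed (nixos-rebuild switch / nixos-install), so it is never part
  # of a store path. It still lives inside the initrd on /boot, which the
  # setup above keeps encrypted. The value must be a plain string path on
  # the host: a Nix path literal (./secrets/root.key) would be copied into
  # the store, which is exactly what this option is there to avoid.
  boot.initrd.secrets = lib.mkIf useInitrdSecrets {
    "/key" = "/root/secrets/root.key";
  };
}
```

Setting useInitrdSecrets = false gives Bryan's approach. A quick check of what either variant leaks is to grep the key's contents through the built stage-1 script in /nix/store (the path ends in -stage-1-init.sh): with variant 1 it is there in clear, with variant 2 it is not.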