Full Disk Encryption: Difference between revisions
imported>Fadenb m Syntax highlighting |
imported>Zimbatm No edit summary |
||
Line 2: | Line 2: | ||
* [https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134 Installation of NixOS with encrypted root] | * [https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134 Installation of NixOS with encrypted root] | ||
* Have a look at https://wiki.archlinux.org/index.php/Disk_encryption to see all the possible options. This wiki page is not complete. | |||
= Unattended Boot via USB = | = Unattended Boot via USB = | ||
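Review bot: in the added bullet, the closing sentence "This wiki page is not complete." does not say which page it refers to, and coming right after the Arch wiki URL it can be read as describing the Arch page. If it means this page, say so, for example "This page is not complete; see the Arch wiki for the full range of options". The bare URL could also use the bracketed link form of the bullet above it.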
Line 61: | Line 62: | ||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
'' | = zimbatm's laptop recommendation | ||
Let's say that you have a GPT partition with EFI enabled. You might be booting on other OSes with it. Let's say that your disk layout looks something like this: | |||
``` | |||
8 0 500107608 sda | |||
8 1 266240 sda1 - the EFI partition | |||
8 2 16384 sda2 | |||
8 3 127388672 sda3 | |||
8 4 371409920 sda4 - the NixOS root partition | |||
8 5 1024000 sda5 | |||
``` | |||
Boot the NixOS installer and partition things according to your taste. What we are then going to do is prepare sda4 with a luks encryption layer: | |||
``` | |||
# format the disk with the luks structure | |||
$ cryptsetup luksFormat /dev/sda4 | |||
# open the encrypted partition and map it to /dev/mapper/cryptroot | |||
$ cryptsetup luksOpen /dev/sda4 cryptroot | |||
# format as usual | |||
$ mkfs.ext4 -L nixos /dev/mapper/cryptroot | |||
# mount | |||
$ mount /dev/disk/by-label/nixos /mnt | |||
$ mount /dev/sda1 /mnt/boot | |||
``` | |||
Create a swapfile of the size you want | |||
``` | |||
$ fallocate -l 512M /mnt/swapfile | |||
$ chmod 600 /mnt/swapfile | |||
$ mkswap -L swap /mnt/swapfile | |||
$ swapon /mnt/swapfile | |||
``` | |||
Now keep installing as usual, nixos-generate-config should detect the right partitioning (maybe not the swap file). |
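Review bot: in the luksFormat block, "mount /dev/sda1 /mnt/boot" runs against a freshly created ext4 filesystem, so /mnt/boot does not exist yet and the mount will fail; add "mkdir /mnt/boot" after mounting /mnt. The new heading "= zimbatm's laptop recommendation" lacks its closing "=", unlike "= Unattended Boot via USB =", and the triple-backtick fences are not wiki markup, whereas the block just above closes with </syntaxhighlight>. Since sda1 is mounted at /boot without a LUKS layer, it would be worth stating that the boot partition stays unencrypted while the swapfile, living on cryptroot, is covered. The last sentence could also say what to add to the generated configuration when the swap file is not detected.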