Full Disk Encryption: Difference between revisions

imported>Fadenb
m Syntax highlighting
imported>Zimbatm
No edit summary
Line 2: Line 2:


* [https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134 Installation of NixOS with encrypted root]
* Have a look at https://wiki.archlinux.org/index.php/Disk_encryption to see all the possible options. This wiki page is not complete.


= Unattended Boot via USB =
Line 61: Line 62:
}
}
</syntaxhighlight>
</syntaxhighlight>
== Option 3: Decryption via YubiKey ==


''TODO'', it works but needs to be described.
= zimbatm's laptop recommendation =
 
Let's say that you have a GPT-partitioned disk with EFI enabled. You might be booting other OSes from it. Let's say that your disk layout looks something like this:
 
```
   8        0  500107608 sda
   8        1     266240 sda1    - the EFI partition
   8        2      16384 sda2
   8        3  127388672 sda3
   8        4  371409920 sda4    - the NixOS root partition
   8        5    1024000 sda5
```
 
Boot the NixOS installer and partition things according to your taste. What we are then going to do is prepare sda4 with a LUKS encryption layer:
 
```
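# format the partition with the LUKS structure (destroys existing data on sda4)
$ cryptsetup luksFormat /dev/sda4
# open the encrypted partition and map it to /dev/mapper/cryptroot
$ cryptsetup luksOpen /dev/sda4 cryptroot
# format as usual
$ mkfs.ext4 -L nixos /dev/mapper/cryptroot
# mount the decrypted root
$ mount /dev/disk/by-label/nixos /mnt
# the fresh filesystem has no boot directory yet; create it, then mount the EFI partition
$ mkdir -p /mnt/boot
$ mount /dev/sda1 /mnt/boot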
```
 
Create a swapfile of the size you want. Because it lives on the encrypted root filesystem, swap is encrypted as well:
```
$ fallocate -l 512M /mnt/swapfile
$ chmod 600 /mnt/swapfile
$ mkswap -L swap /mnt/swapfile
$ swapon /mnt/swapfile
```
 
Now keep installing as usual; nixos-generate-config should detect the right partitioning (maybe not the swap file).
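
The following checks are an added example, not part of the original wiki text: they confirm that the generated configuration unlocks the LUKS device and lists the swapfile, and that the swapfile kept mode 600. The function names and the sample configuration are constructed for illustration. It is assumed that nixos-generate-config writes a `boot.initrd.luks.devices` entry and that the swapfile appears as `/swapfile` inside the installed system.

```shell
#!/usr/bin/env bash
# Added example, not wiki code: sanity checks for the install described above.

# Constructed sample of a generated hardware-configuration.nix (UUID is a placeholder).
sample_config() {
  cat <<'EOF'
  boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/PLACEHOLDER-UUID";
  fileSystems."/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; };
  swapDevices = [ ];
EOF
}

# True if config $1 unlocks a LUKS device in the initrd.
has_luks_device() {
  grep -Eq '^[[:space:]]*boot\.initrd\.luks\.devices' "$1"
}

# True if the swapDevices list in config $1 names path $2.
has_swapfile() {
  awk -v p="\"$2\"" '
    /swapDevices/           { inlist = 1 }
    inlist && index($0, p)  { found = 1 }
    inlist && /\];/         { inlist = 0 }
    END                     { exit !found }' "$1"
}

# True if file $1 has exactly mode 600 (the chmod used above).
mode_is_600() {
  [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# $1 = generated config, $2 = swapfile on disk, $3 = swap path inside the installed system.
# Prints one line per problem and returns non-zero if any was found.
check_install() {
  problems=0
  has_luks_device "$1" || { echo "no boot.initrd.luks.devices entry in $1"; problems=1; }
  has_swapfile "$1" "$3" || { echo "swapDevices does not list $3"; problems=1; }
  mode_is_600 "$2" || { echo "$2 is not mode 600"; problems=1; }
  return "$problems"
}

# From the installer:
#   check_install /mnt/etc/nixos/hardware-configuration.nix /mnt/swapfile /swapfile
if [ "$#" -eq 3 ]; then check_install "$@"; fi
```

If the swapfile is reported missing, add it to `swapDevices` in the configuration before running the installer.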