Diffstat (limited to 'nixos/doc/manual/configuration/luks-file-systems.section.md')
-rw-r--r-- | nixos/doc/manual/configuration/luks-file-systems.section.md | 34 |
1 files changed, 22 insertions, 12 deletions
diff --git a/nixos/doc/manual/configuration/luks-file-systems.section.md b/nixos/doc/manual/configuration/luks-file-systems.section.md
index 7615b95aef42..4d2f625073d4 100644
--- a/nixos/doc/manual/configuration/luks-file-systems.section.md
+++ b/nixos/doc/manual/configuration/luks-file-systems.section.md
@@ -29,15 +29,19 @@ system is automatically mounted at boot time as `/`, add the following to
 `configuration.nix`:
 
 ```nix
-boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
-fileSystems."/".device = "/dev/mapper/crypted";
+{
+  boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
+  fileSystems."/".device = "/dev/mapper/crypted";
+}
 ```
 
 Should grub be used as bootloader, and `/boot` is located on an encrypted
 partition, it is necessary to add the following grub option:
 
 ```nix
-boot.loader.grub.enableCryptodisk = true;
+{
+  boot.loader.grub.enableCryptodisk = true;
+}
 ```
 
 ## FIDO2 {#sec-luks-file-systems-fido2}
@@ -68,8 +72,10 @@ To ensure that this file system is decrypted using the FIDO2 compatible key,
 add the following to `configuration.nix`:
 
 ```nix
-boot.initrd.luks.fido2Support = true;
-boot.initrd.luks.devices."/dev/sda2".fido2.credential = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";
+{
+  boot.initrd.luks.fido2Support = true;
+  boot.initrd.luks.devices."/dev/sda2".fido2.credential = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";
+}
 ```
 
 You can also use the FIDO2 passwordless setup, but for security reasons,
@@ -77,7 +83,9 @@ you might want to enable it only when your device is PIN protected, such as
 [Trezor](https://trezor.io/).
 
 ```nix
-boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess = true;
+{
+  boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess = true;
+}
 ```
 
 ### systemd Stage 1 {#sec-luks-file-systems-fido2-systemd}
@@ -88,13 +96,15 @@ unlocking the existing LUKS2 volume `root` using any enrolled FIDO2 compatible
 tokens.
 
 ```nix
-boot.initrd = {
-  luks.devices.root = {
-    crypttabExtraOpts = [ "fido2-device=auto" ];
-    device = "/dev/sda2";
+{
+  boot.initrd = {
+    luks.devices.root = {
+      crypttabExtraOpts = [ "fido2-device=auto" ];
+      device = "/dev/sda2";
+    };
+    systemd.enable = true;
   };
-  systemd.enable = true;
-};
+}
 ```
 
 All tokens that should be used for unlocking the LUKS2-encrypted volume must |