- Encrypt everything, including /boot and the root filesystem (/)
- Enter the passphrase only once, in GRUB

Download the NixOS unstable graphical live ISO (the graphical image ships vim, and having a browser makes it easier to follow this guide) and write it to a USB stick:
```sh
lsblk               # find the USB stick; replace sdX below with its device name
umount /dev/sdX1    # unmount anything that was auto-mounted from it
dd if=path/to/nixos-graphical-unstable-x86_64-linux.iso of=/dev/sdX bs=10M oflag=direct status=progress
```

Boot from the USB stick and set up networking (optionally start SSH if you want to complete the install from another computer):
```sh
wpa_passphrase SSID PASSWORD > /etc/wpa_supplicant.conf
systemctl start wpa_supplicant
systemctl start sshd
passwd   # set a password for the live user so we can log in via SSH
```

Use fdisk to partition the drive:

```sh
fdisk /dev/sdX
```

Inside fdisk:

- `g` create a new empty GPT partition table
- `n` create a new partition of size 2M (answer `+2M` for the last sector); this becomes /dev/sdX1
- `t` change its partition type to `BIOS boot` (GRUB embeds its core image here, which is required to boot a GPT disk from BIOS)
- `n` create another partition of type `Linux filesystem` using the remaining space; this becomes /dev/sdX2
- `p` show what fdisk will write
- `w` write to disk and exit
```sh
# 4 KiB of random key material; it will be embedded in the initramfs later on
dd if=/dev/urandom of=keyfile_root.bin bs=1024 count=4
# GRUB 2.02 cannot open LUKS2 headers, which cryptsetup now creates by default, so force LUKS1
cryptsetup luksFormat --type luks1 -h sha512 /dev/sdX2
cryptsetup luksAddKey /dev/sdX2 keyfile_root.bin
cryptsetup luksOpen /dev/sdX2 crypted-nixos
# always back up the LUKS header right after creating a LUKS volume and keep the backup somewhere safe
cryptsetup luksHeaderBackup /dev/sdX2 --header-backup-file dev_sdX2_headers.backup
```

The header backup contains the key slots, so treat it as sensitive as the disk itself: a passphrase revoked later is still valid against an old backup.

The LVM steps below are optional; skip them if you do not need LVM.
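The whole scheme depends on the header being LUKS1, because GRUB 2.02 only knows that format. The following is an added example, not part of the original guide: a small POSIX shell check you can run against `/dev/sdX2`, a disk image or the header backup file before rebooting. It reads only the first 8 bytes of the header (the magic `LUKS` 0xba 0xbe followed by a big-endian 16-bit version). `make_fake_header` writes a constructed 8-byte stub purely for testing and is not a real header.

```sh
#!/bin/sh
# Added example: verify that a LUKS volume is LUKS1 before trusting GRUB 2.02 to open it.

# luks_version FILE: print the LUKS header version (1 or 2); fail if FILE is not LUKS.
luks_version() {
    dev=$1
    # first 8 bytes as decimal byte values: "L" "U" "K" "S" 0xba 0xbe <version hi> <version lo>
    # shellcheck disable=SC2046
    set -- $(od -An -tu1 -N8 "$dev" 2>/dev/null)
    if [ $# -ne 8 ] || [ "$1" -ne 76 ] || [ "$2" -ne 85 ] || [ "$3" -ne 75 ] \
       || [ "$4" -ne 83 ] || [ "$5" -ne 186 ] || [ "$6" -ne 190 ]; then
        echo "$dev: no LUKS header found" >&2
        return 1
    fi
    echo $(( $7 * 256 + $8 ))
}

# grub202_can_open FILE: succeed only if GRUB 2.02 (LUKS1 only) can open this volume.
grub202_can_open() {
    ver=$(luks_version "$1") || return 1
    if [ "$ver" -eq 1 ]; then
        return 0
    fi
    echo "$1: LUKS version $ver; recreate it with 'cryptsetup luksFormat --type luks1' for GRUB 2.02" >&2
    return 1
}

# make_fake_header FILE VERSION: constructed 8-byte header stub for testing only
# (magic bytes plus a big-endian version number; VERSION must be a single octal digit).
make_fake_header() {
    printf 'LUKS\272\276\000\00'"$2" > "$1"
}

# Typical use on the live system, after luksFormat:
#   grub202_can_open /dev/sdX2 && echo "LUKS1, GRUB can open it"
```

On a live system `cryptsetup luksDump /dev/sdX2` shows the same information in its `Version:` line; the function above is useful when you only have a header backup file or want the check in a script.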
```sh
pvcreate /dev/mapper/crypted-nixos
vgcreate vg /dev/mapper/crypted-nixos
lvcreate -L {RAM_SIZE}G -n swap vg   # swap sized to your RAM
lvcreate -l '100%FREE' -n root vg
# back up the LVM metadata to a safe place once the layout is done
man vgcfgbackup
```

Create and mount the filesystems:

```sh
mkswap -L swap /dev/vg/swap
mkfs.ext4 -L root /dev/vg/root
mount /dev/vg/root /mnt
swapon /dev/vg/swap
mkdir /mnt/boot
```

Pack the key file into a small extra initramfs archive and store it in /boot. Because /boot is just a directory on the encrypted root, the archive can only be read after GRUB has unlocked the volume with the passphrase; `chmod 000` additionally keeps unprivileged users on the running system from reading it.

```sh
find keyfile*.bin -print0 | sort -z | cpio -o -H newc -R +0:+0 --reproducible --null | gzip -9 > /mnt/boot/extra_initramfs_keys.gz
chmod 000 /mnt/boot/extra_initramfs_keys.gz
nixos-generate-config --root /mnt
```

Add the following to /mnt/etc/nixos/configuration.nix (nixos-generate-config writes the file there; it becomes /etc/nixos/configuration.nix on the installed system):
```nix
boot.loader.grub.device = "/dev/sdX"; # or "nodev" for EFI only
boot.loader.grub.enableCryptodisk = true;
boot.loader.grub.extraInitrd = "/boot/extra_initramfs_keys.gz";
boot.initrd.luks.devices = [{
  name = "crypted-nixos";
  device = "/dev/disk/by-uuid/<UUID of /dev/sdX2>"; # the crypto_LUKS partition, not the filesystem inside it
  keyFile = "/keyfile_root.bin";
  allowDiscards = true;
}];
```

Two caveats: `allowDiscards` passes TRIM through the encryption layer, which lets an attacker with the SSD see which blocks are unused; drop it if that matters to you. Newer NixOS releases have replaced `boot.loader.grub.extraInitrd` with `boot.initrd.secrets`, which embeds files into the initrd for you, so check which option your channel provides.

You can get the UUIDs by running
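The `device` entry must point at the UUID of the crypto_LUKS partition itself: not its PARTUUID, and not the UUID of the LVM physical volume or the ext4 filesystem that live inside it, which `blkid` lists right next to it. The script below is an added example, not from the original guide; it extracts the correct UUID from `blkid` output and prints the configuration entry. `BLKID_SAMPLE` is constructed output with made-up UUIDs so the example runs offline; with no second argument the functions run the real `blkid`.

```sh
#!/bin/sh
# Added example: derive the boot.initrd.luks.devices entry from blkid output.

# Constructed sample blkid output (UUIDs invented for this example).
BLKID_SAMPLE='/dev/sda1: PARTLABEL="BIOS boot" PARTUUID="8f0c1a2b-01"
/dev/sda2: UUID="1e2d3c4b-5a69-4f8e-9d0c-b1a2c3d4e5f6" TYPE="crypto_LUKS" PARTUUID="8f0c1a2b-02"
/dev/mapper/crypted-nixos: UUID="AbCdEf-1234-5678-9abc-defg-hijk-lmnopq" TYPE="LVM2_member"
/dev/mapper/vg-root: LABEL="root" UUID="6f5e4d3c-2b1a-4c9d-8e7f-a0b1c2d3e4f5" TYPE="ext4"'

# luks_uuid_for DEV [BLKID_OUTPUT]: print the UUID of DEV, but only if blkid reports
# it as crypto_LUKS. PARTUUID= does not match the ^UUID= test, so it is never picked.
luks_uuid_for() {
    dev=$1
    out=${2:-$(blkid)}
    uuid=$(printf '%s\n' "$out" | awk -v dev="$dev:" '
        $1 == dev && /TYPE="crypto_LUKS"/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID="/) { sub(/^UUID="/, "", $i); sub(/"$/, "", $i); print $i }
        }')
    [ -n "$uuid" ] || { echo "$dev is not a crypto_LUKS device" >&2; return 1; }
    printf '%s\n' "$uuid"
}

# luks_device_path DEV [BLKID_OUTPUT]: the stable path to use for `device`.
luks_device_path() {
    uuid=$(luks_uuid_for "$@") || return 1
    printf '/dev/disk/by-uuid/%s\n' "$uuid"
}

# nix_luks_entry NAME DEV [BLKID_OUTPUT]: print the configuration.nix entry.
nix_luks_entry() {
    path=$(luks_device_path "$2" "$3") || return 1
    cat <<EOF
boot.initrd.luks.devices = [{
  name = "$1";
  device = "$path";
  keyFile = "/keyfile_root.bin";
  allowDiscards = true;
}];
EOF
}

# Example run against the constructed sample; on the live system use:
#   nix_luks_entry crypted-nixos /dev/sdX2
nix_luks_entry crypted-nixos /dev/sda2 "$BLKID_SAMPLE"
```

Asking for `/dev/mapper/vg-root` or `/dev/sda1` fails on purpose: neither is the LUKS container, and putting their UUID into `device` leaves the initrd unable to find the volume at boot.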
```sh
blkid
```

Install NixOS and reboot:

```sh
nixos-install
reboot
```

That's it! Once you reboot, GRUB will ask for the passphrase. If it is correct, GRUB opens the LUKS volume, reads the kernel and initrd from the encrypted /boot and shows the NixOS system profiles menu. The initrd then unlocks the same volume again with the embedded key file, so the system boots without asking for the disk passphrase a second time.
- Do not use LVM-on-LUKS for an additional /datadisks array: you can extend a /datadisks array with more disks (LVM spanning disks) only with LUKS-on-LVM. It is fine to use LVM-on-LUKS for the root filesystem, or to use no LVM at all for root, only LUKS.
- No need to reboot if you entered the GRUB passphrase incorrectly. At the GRUB rescue prompt:

```
cryptomount hd0,gpt2   # device to mount: drive X, GPT partition Y; this forces a new passphrase prompt
insmod normal          # load the normal mode boot module
normal                 # enter normal mode and display the GRUB menu
```
- Installation of NixOS with encrypted root by martijnvermaat
- Full disk encryption with LUKS (including /boot) by Pavel Kogan
- dm-crypt/Encrypting an entire system by Arch Linux wiki
- Full Disk Encryption w/Encrypted Boot by Void Linux wiki