nixpkgs/nixos/doc/manual/configuration/luks-file-systems.xml

<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-luks-file-systems">
 <title>LUKS-Encrypted File Systems</title>

 <para>
  NixOS supports file systems that are encrypted using
  <emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example, here is how
  you create an encrypted Ext4 file system on the device
  <filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:
<screen>
# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d

WARNING!
========
This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ***
Verify passphrase: ***

# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***

# mkfs.ext4 /dev/mapper/crypted
</screen>
  To ensure that this file system is automatically mounted at boot time as
  <filename>/</filename>, add the following to
  <filename>configuration.nix</filename>:
<programlisting>
<link linkend="opt-boot.initrd.luks.devices._name_.device">boot.initrd.luks.devices.crypted.device</link> = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
<xref linkend="opt-fileSystems"/>."/".device = "/dev/mapper/crypted";
</programlisting>
  Should grub be used as bootloader, and <filename>/boot</filename> is located
  on an encrypted partition, it is necessary to add the following grub option:
<programlisting><xref linkend="opt-boot.loader.grub.enableCryptodisk"/> = true;</programlisting>
 </para>
  <section xml:id="sec-luks-file-systems-fido2">
  <title>FIDO2</title>

  <para>
   NixOS also supports unlocking your LUKS-Encrypted file system using a FIDO2 compatible token. In the following example, we will create a new FIDO2 credential
   and add it as a new key to our existing device <filename>/dev/sda2</filename>:

   <screen>
# export FIDO2_LABEL="/dev/sda2 @ $HOSTNAME"
# fido2luks credential "$FIDO2_LABEL"
f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7

# fido2luks -i add-key /dev/sda2 f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7
Password:
Password (again):
Old password:
Old password (again):
Added to key to device /dev/sda2, slot: 2
</screen>

  To ensure that this file system is decrypted using the FIDO2 compatible key, add the following to <filename>configuration.nix</filename>:
<programlisting>
<link linkend="opt-boot.initrd.luks.fido2Support">boot.initrd.luks.fido2Support</link> = true;
<link linkend="opt-boot.initrd.luks.devices._name_.fido2.credential">boot.initrd.luks.devices."/dev/sda2".fido2.credential</link> = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";
</programlisting>

  You can also use the FIDO2 passwordless setup, but for security reasons, you might want to enable it only when your device is PIN protected, such as <link xlink:href="https://trezor.io/">Trezor</link>.

<programlisting>
<link linkend="opt-boot.initrd.luks.devices._name_.fido2.passwordLess">boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess</link> = true;
</programlisting>
  </para>
 </section>

</section>
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`<section xmlns="http://docbook.org/ns/docbook"`
			`xmlns:xlink="http://www.w3.org/1999/xlink"`
			`xmlns:xi="http://www.w3.org/2001/XInclude"`
			`version="5.0"`
			`xml:id="sec-luks-file-systems">`
nixos docs: format =) 2018-05-02 00:57:09 +01:00			`<title>LUKS-Encrypted File Systems</title>`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00
nixos docs: format =) 2018-05-02 00:57:09 +01:00			`<para>`
Revert "nixos/doc: re-format" This reverts commit ea6e8775bd69e4676c623a85c39f1da540d29ad1. The new format is not an improvement. 2019-09-19 18:17:30 +01:00			`NixOS supports file systems that are encrypted using`
			`<emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example, here is how`
			`you create an encrypted Ext4 file system on the device`
			`<filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`<screen>`
Manual: Explicitly mark commands that require to be run as root (#15589) * manual: Mark commands that require root Mark every command that requires to be run as root by prefixing them with '#' instead of '$'. * manual: Add note about commands that require root 2016-06-01 15:23:32 +01:00			`# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00
			`WARNING!`
			`========`
boot.initrd.luks.devices: Change into an attribute set This allows setting options for the same LUKS device in different modules. For example, the auto-generated hardware-configuration.nix can contain boot.initrd.luks.devices.crypted.device = "/dev/disk/..."; while configuration.nix can add boot.initrd.luks.devices.crypted.allowDiscards = true; Also updated the examples/docs to use /disk/disk/by-uuid instead of /dev/sda, since we shouldn't promote the use of the latter. 2016-05-25 12:23:32 +01:00			`This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00
			`Are you sure? (Type uppercase yes): YES`
			`Enter LUKS passphrase: ***`
			`Verify passphrase: ***`

Manual: Explicitly mark commands that require to be run as root (#15589) * manual: Mark commands that require root Mark every command that requires to be run as root by prefixing them with '#' instead of '$'. * manual: Add note about commands that require root 2016-06-01 15:23:32 +01:00			`# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted`
boot.initrd.luks.devices: Change into an attribute set This allows setting options for the same LUKS device in different modules. For example, the auto-generated hardware-configuration.nix can contain boot.initrd.luks.devices.crypted.device = "/dev/disk/..."; while configuration.nix can add boot.initrd.luks.devices.crypted.allowDiscards = true; Also updated the examples/docs to use /disk/disk/by-uuid instead of /dev/sda, since we shouldn't promote the use of the latter. 2016-05-25 12:23:32 +01:00			`Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00
Manual: Explicitly mark commands that require to be run as root (#15589) * manual: Mark commands that require root Mark every command that requires to be run as root by prefixing them with '#' instead of '$'. * manual: Add note about commands that require root 2016-06-01 15:23:32 +01:00			`# mkfs.ext4 /dev/mapper/crypted`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`</screen>`
Revert "nixos/doc: re-format" This reverts commit ea6e8775bd69e4676c623a85c39f1da540d29ad1. The new format is not an improvement. 2019-09-19 18:17:30 +01:00			`To ensure that this file system is automatically mounted at boot time as`
			`<filename>/</filename>, add the following to`
			`<filename>configuration.nix</filename>:`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`<programlisting>`
nixos/doc: convert loaOf options refs to attrsOf 2020-08-23 18:11:40 +01:00			`<link linkend="opt-boot.initrd.luks.devices._name_.device">boot.initrd.luks.devices.crypted.device</link> = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";`
Added cross-references to NixOS manual 2018-04-05 09:43:56 +01:00			`<xref linkend="opt-fileSystems"/>."/".device = "/dev/mapper/crypted";`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`</programlisting>`
Revert "nixos/doc: re-format" This reverts commit ea6e8775bd69e4676c623a85c39f1da540d29ad1. The new format is not an improvement. 2019-09-19 18:17:30 +01:00			`Should grub be used as bootloader, and <filename>/boot</filename> is located`
			`on an encrypted partition, it is necessary to add the following grub option:`
Added cross-references to NixOS manual 2018-04-05 09:43:56 +01:00			`<programlisting><xref linkend="opt-boot.loader.grub.enableCryptodisk"/> = true;</programlisting>`
nixos docs: format =) 2018-05-02 00:57:09 +01:00			`</para>`
doc: FIDO2 luks file system 2020-01-16 13:36:35 +00:00			`<section xml:id="sec-luks-file-systems-fido2">`
			`<title>FIDO2</title>`

			`<para>`
			`NixOS also supports unlocking your LUKS-Encrypted file system using a FIDO2 compatible token. In the following example, we will create a new FIDO2 credential`
			`and add it as a new key to our existing device <filename>/dev/sda2</filename>:`

			`<screen>`
			`# export FIDO2_LABEL="/dev/sda2 @ $HOSTNAME"`
			`# fido2luks credential "$FIDO2_LABEL"`
			`f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7`

			`# fido2luks -i add-key /dev/sda2 f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7`
			`Password:`
			`Password (again):`
			`Old password:`
			`Old password (again):`
			`Added to key to device /dev/sda2, slot: 2`
			`</screen>`

			`To ensure that this file system is decrypted using the FIDO2 compatible key, add the following to <filename>configuration.nix</filename>:`
			`<programlisting>`
			`<link linkend="opt-boot.initrd.luks.fido2Support">boot.initrd.luks.fido2Support</link> = true;`
nixos/doc: convert loaOf options refs to attrsOf 2020-08-23 18:11:40 +01:00			`<link linkend="opt-boot.initrd.luks.devices._name_.fido2.credential">boot.initrd.luks.devices."/dev/sda2".fido2.credential</link> = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";`
doc: FIDO2 luks file system 2020-01-16 13:36:35 +00:00			`</programlisting>`

			`You can also use the FIDO2 passwordless setup, but for security reasons, you might want to enable it only when your device is PIN protected, such as <link xlink:href="https://trezor.io/">Trezor</link>.`

			`<programlisting>`
nixos/doc: convert loaOf options refs to attrsOf 2020-08-23 18:11:40 +01:00			`<link linkend="opt-boot.initrd.luks.devices._name_.fido2.passwordLess">boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess</link> = true;`
doc: FIDO2 luks file system 2020-01-16 13:36:35 +00:00			`</programlisting>`
			`</para>`
			`</section>`

Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`</section>`