nixpkgs/nixos/doc/manual/configuration/luks-file-systems.xml

<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-luks-file-systems">
 <title>LUKS-Encrypted File Systems</title>

 <para>
  NixOS supports file systems that are encrypted using <emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example, here is how you create an encrypted Ext4 file system on the device <filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:
<screen>
# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d

WARNING!
========
This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: ***
Verify passphrase: ***

# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***

# mkfs.ext4 /dev/mapper/crypted
</screen>
  To ensure that this file system is automatically mounted at boot time as <filename>/</filename>, add the following to <filename>configuration.nix</filename>:
<programlisting>
<link linkend="opt-boot.initrd.luks.devices._name__.device">boot.initrd.luks.devices.crypted.device</link> = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
<xref linkend="opt-fileSystems"/>."/".device = "/dev/mapper/crypted";
</programlisting>
  Should grub be used as bootloader, and <filename>/boot</filename> is located on an encrypted partition, it is necessary to add the following grub option:
<programlisting><xref linkend="opt-boot.loader.grub.enableCryptodisk"/> = true;</programlisting>
 </para>
</section>
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`<section xmlns="http://docbook.org/ns/docbook"`
			`xmlns:xlink="http://www.w3.org/1999/xlink"`
			`xmlns:xi="http://www.w3.org/2001/XInclude"`
			`version="5.0"`
			`xml:id="sec-luks-file-systems">`
nixos docs: format =) 2018-05-02 00:57:09 +01:00			`<title>LUKS-Encrypted File Systems</title>`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00
nixos docs: format =) 2018-05-02 00:57:09 +01:00			`<para>`
nixos/doc: re-format 2019-09-18 21:13:35 +01:00			`NixOS supports file systems that are encrypted using <emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example, here is how you create an encrypted Ext4 file system on the device <filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`<screen>`
Manual: Explicitly mark commands that require to be run as root (#15589) * manual: Mark commands that require root Mark every command that requires to be run as root by prefixing them with '#' instead of '$'. * manual: Add note about commands that require root 2016-06-01 15:23:32 +01:00			`# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00
			`WARNING!`
			`========`
boot.initrd.luks.devices: Change into an attribute set This allows setting options for the same LUKS device in different modules. For example, the auto-generated hardware-configuration.nix can contain boot.initrd.luks.devices.crypted.device = "/dev/disk/..."; while configuration.nix can add boot.initrd.luks.devices.crypted.allowDiscards = true; Also updated the examples/docs to use /disk/disk/by-uuid instead of /dev/sda, since we shouldn't promote the use of the latter. 2016-05-25 12:23:32 +01:00			`This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00
			`Are you sure? (Type uppercase yes): YES`
			`Enter LUKS passphrase: ***`
			`Verify passphrase: ***`

Manual: Explicitly mark commands that require to be run as root (#15589) * manual: Mark commands that require root Mark every command that requires to be run as root by prefixing them with '#' instead of '$'. * manual: Add note about commands that require root 2016-06-01 15:23:32 +01:00			`# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted`
boot.initrd.luks.devices: Change into an attribute set This allows setting options for the same LUKS device in different modules. For example, the auto-generated hardware-configuration.nix can contain boot.initrd.luks.devices.crypted.device = "/dev/disk/..."; while configuration.nix can add boot.initrd.luks.devices.crypted.allowDiscards = true; Also updated the examples/docs to use /disk/disk/by-uuid instead of /dev/sda, since we shouldn't promote the use of the latter. 2016-05-25 12:23:32 +01:00			`Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00
Manual: Explicitly mark commands that require to be run as root (#15589) * manual: Mark commands that require root Mark every command that requires to be run as root by prefixing them with '#' instead of '$'. * manual: Add note about commands that require root 2016-06-01 15:23:32 +01:00			`# mkfs.ext4 /dev/mapper/crypted`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`</screen>`
nixos/doc: re-format 2019-09-18 21:13:35 +01:00			`To ensure that this file system is automatically mounted at boot time as <filename>/</filename>, add the following to <filename>configuration.nix</filename>:`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`<programlisting>`
Added cross-references to NixOS manual 2018-04-05 09:43:56 +01:00			`<link linkend="opt-boot.initrd.luks.devices._name__.device">boot.initrd.luks.devices.crypted.device</link> = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";`
			`<xref linkend="opt-fileSystems"/>."/".device = "/dev/mapper/crypted";`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`</programlisting>`
nixos/doc: re-format 2019-09-18 21:13:35 +01:00			`Should grub be used as bootloader, and <filename>/boot</filename> is located on an encrypted partition, it is necessary to add the following grub option:`
Added cross-references to NixOS manual 2018-04-05 09:43:56 +01:00			`<programlisting><xref linkend="opt-boot.loader.grub.enableCryptodisk"/> = true;</programlisting>`
nixos docs: format =) 2018-05-02 00:57:09 +01:00			`</para>`
Chunk NixOS manual [Squashed commits to make git blame etc. more likely to work. -ED] 2014-08-24 18:18:18 +01:00			`</section>`