/ mobile-nixos Public
stage-1: Add interactive LUKS decrypting #234
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge.
This builds upon #233, soon-to-be merged.
This adds the required facilities for asking for the passphrase during the boot progress tracking
In addition to a test system made specifically to test that the unlocking works.
Note that there is no automatic way to get encryption going on your device yet. This is for something further along. For the time being, you will have to manually configure your stage-1 to know about the cryptsetup setup for your device. In addition, you will have to handle
cryptsetup reencryptyourself on your device. (Check the testing system, there may be clues, e.g. using 32MB for resize.)
I will, at some point, add documentation about manually encrypting a device, but that will happen once I have done it and tested it. Though the steps are quite obvious: (1) somehow get
cryptsetup reencryptgoing on your rootfs (2) update stage-1 with a build that knows about the encryption.
The plan is to, instead, make a specialized "installer"
boot.img(stage-1 only system) that would know about that, but this is strictly for the future.