Opening luks devices fails when all have keyfiles set

[Moredread]

Issue description

Opening a luks device with a keyfile via fileSystems.*.encrypted.enable fails at boot (and the corresponding systemd task hangs) when no non-keyfile luks devices are configured, as cryptsetup is missing from the initrd.

It seems that cryptsetup is only added to the initrd when boot.initrd.luks.devices has entries.

nixpkgs/nixos/modules/system/boot/luksroot.nix

Line 420 in 6b5150d

config = mkIf (luks.devices != {}) {

But when fileSystems.*.encrypted.keyFile is set, the device is unlocked "manually".

nixpkgs/nixos/modules/tasks/encrypted-devices.nix

Lines 65 to 67 in 75b3113

	postMountCommands =
	concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
	};

Steps to reproduce

Add a fileSystems entry with encrypted.keyFile set, and no other luks devices. E.g. something like (not actually tested)

fileSystems."/foo" = {
  device = "/dev/foo";
  fsType = "ext4";
  encrypted.enable = true;
  encrypted.blkDev = "/dev/bar";
  encrypted.label = "luks";
  encrypted.keyFile = "/keyfile";
};

Technical details

• System: 17.03.1814.46fc14b6b2 (Gorilla)
• Nix version: nix-env (Nix) 1.11.14
• Nixpkgs version: "17.03.1814.46fc14b6b2"
• Sandboxing enabled: no

[Moredread]

I'm working on a PR for a test of this issue and a fix, but am open for help :)

[fpletz]

A PR would be great! We should fix this for 17.09. If you need help or are unsure how to fix this, please ping me.

[bachp]

I'm still having issues on current master that my encrypted device is not mounting at boot. I will do some more investigation this week.

[bachp]

The external encrypted disk is a USB disk and it seems it get detected to late in the process so it is not available when cryptsetup runs.

I think in the case where just an additional disk should be mounted encrypted, systemd-cryptsetup-generator might be useful. I'm currently looking into it.

[bachp]

I added systemd.generator-packages = [ pkgs.systemd-cryptsetup-generator ]; and then manually added the file /etc/crytptab and now everything works.

I will try to rewrite the encrypted-filesystem module to use systemd-cryptsetup-generator. With an /etc/crypttab for non root devices. I think it should even work for for encrypted rootfs if use the kernel
parameters are used.

@Moredread I think you have some more experience. Does this sound reasonable from your point of view?

[Moredread]

@bachp I'm actually quite new to NixOS and I guess it's mainly a question whether it fits the "NixOS style". At the moment it doesn't need external dependencies, and I'm not sure, if modules should strive for that. On the other hand I personally think that systemd-cryptsetup-generator seems to fit the usecase. Do you think it can replicate everything that the current module can do?

[bachp]

I have a PoC that replaces the current manual command with a crypttab setup. It works for my case where I mount a disk late. I need to check if it also works for disks earlier in the boot, not the root disk which I think is special.

I will push my WIP branch later.

[Moredread]

@bachp you might want to have a look at PR #29269 which adds a test that might be interesting for you.

[fpletz]

Fixed by #29344.

[Moredread]

I still fails sometimes for a luks on lvm setup.

When I boot the machine without automatic luks unlocking, the corresponding lvm vg is not activated sometimes. I guess that causes the issue with unlocking the device during boot.