Opening luks devices fails when all have keyfiles set #29142
Comments
I'm working on a PR for a test of this issue and a fix, but am open for help :)
A PR would be great! We should fix this for 17.09. If you need help or are unsure how to fix this, please ping me.
I'm still having issues on current master that my encrypted device is not mounting at boot. I will do some more investigation this week.
The external encrypted disk is a USB disk and it seems it gets detected too late in the process so it is not available when I think in the case where just an additional disk should be mounted encrypted,
I added I will try to rewrite the encrypted-filesystem module to use @Moredread I think you have some more experience. Does this sound reasonable from your point of view?
@bachp I'm actually quite new to NixOS and I guess it's mainly a question whether it fits the "NixOS style". At the moment it doesn't need external dependencies, and I'm not sure if modules should strive for that. On the other hand I personally think that systemd-cryptsetup-generator seems to fit the use case. Do you think it can replicate everything that the current module can do?
I have a PoC that replaces the current manual command with a crypttab setup. It works for my case where I mount a disk late. I need to check if it also works for disks earlier in the boot, not the root disk which I think is special. I will push my WIP branch later.
Fixed by #29344.
It still fails sometimes for a luks on lvm setup. When I boot the machine without automatic luks unlocking, the corresponding lvm vg is not activated sometimes. I guess that causes the issue with unlocking the device during boot.
Issue description
Opening a luks device with a keyfile via fileSystems.*.encrypted.enable fails at boot (and the corresponding systemd task hangs) when no non-keyfile luks devices are configured, as cryptsetup is missing from the initrd.
It seems that cryptsetup is only added to the initrd when boot.initrd.luks.devices has entries.
nixpkgs/nixos/modules/system/boot/luksroot.nix
Line 420 in 6b5150d
But when fileSystems.*.encrypted.keyFile is set, the device is unlocked "manually".
nixpkgs/nixos/modules/tasks/encrypted-devices.nix
Lines 65 to 67 in 75b3113
Steps to reproduce
Add a fileSystems entry with encrypted.keyFile set, and no other luks devices. E.g. something like (not actually tested)
Technical details