NixOS + Framework

Sender	Message	Time
10 May 2026
sudoforge	so... you're creating a random key within a luks container to unlock your zfs pool	15:42:00
sudoforge	i guess you could enroll that as a keyfile for your swap partition too	15:42:34
sudoforge	since, once again, it has nothing to do with zfs at all	15:42:58
trumee	yes, that seems a good way forward	15:59:01
sudoforge	it's a rather strange way forward	16:05:50
sudoforge	but, yes, it should get you there	16:06:13
sudoforge	i'm not really sure how `boot.resumeDevice` is going to play with that	16:06:48
sudoforge	what you could do instead, is encrypt the entire disk (except your ESP partition if using systemd-boot) and within the unlocked container, set up your different filesystems	16:07:42
sudoforge	that's what i'd call far more typical on single-disk installations	16:08:09
trumee	why do you think this is strange?	16:09:46
sudoforge	well, what does it accomplish?	16:10:35
sudoforge	you increase complexity and gain, what?	16:10:42
sudoforge	well, and we should probably clarify: are you using a framework laptop with a single disk for your system, or are you using multiple disks?	16:11:56
trumee	yes, i have a single disk.	16:12:07
sudoforge	okay, yeah, i'm going to call it strange then	16:12:22
trumee	My goal is to use Yubikey to decrypt the disk.	16:12:24
sudoforge	you can just do that, directly, on the single luks container that is your entire disk (sans your ESP partition if using systemd-boot)	16:12:50
sudoforge	i do this on my FW13	16:13:07
trumee	i was using ZFS encryption instead of using Luks.	16:13:19
sudoforge	no, you're using luks for your keyfile and then using that for zfs	16:13:53
sudoforge	based on: https://discourse.nixos.org/t/yubikey-fido2-and-boot-initrd-systemd/60051/18?u=trumee	16:14:10
sudoforge	anyway, what i've described is far simpler	16:15:09
sudoforge	you are welcome to continue doing what you're doing, of course	16:15:21
sudoforge	`➜ lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 1.8T 0 part │ └─disk 254:0 0 1.8T 0 crypt /swap │ /home │ /persist │ /nix/store │ /nix │ /var/log │ / └─nvme0n1p2 259:2 0 488M 0 part /boot` this is what a single luks container containing various partitions (which in this case all happen to be btrfs, but could be a disparate `ext4 on /swap`, `zfs pool on /`, etc	16:16:31
sudoforge	* `➜ lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 1.8T 0 part │ └─disk 254:0 0 1.8T 0 crypt /swap │ /home │ /persist │ /nix/store │ /nix │ /var/log │ / └─nvme0n1p2 259:2 0 488M 0 part /boot` this is what a single luks container containing various partitions (which in this case all happen to be btrfs, but could be a disparate `ext4 on /swap`, `zfs pool on /`, etc)	16:16:34
trumee	that is more accurate, my goal was to use native zfs encryption when i set the system up.	16:16:52
sudoforge	* `➜ lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 1.8T 0 part │ └─disk 254:0 0 1.8T 0 crypt /swap │ /home │ /persist │ /nix/store │ /nix │ /var/log │ / └─nvme0n1p2 259:2 0 488M 0 part /boot` this is what a single luks container containing various partitions looks like (which in this case all happen to be btrfs, but could be a disparate `ext4 on /swap`, `zfs pool on /`, etc)	16:16:54
sudoforge	* `➜ lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 1.8T 0 part │ └─disk 254:0 0 1.8T 0 crypt /swap │ /home │ /persist │ /nix/store │ /nix │ /var/log │ / └─nvme0n1p2 259:2 0 488M 0 part /boot` this is what a single luks container containing various partitions looks like (which in this case all happen to be btrfs, but could be a disparate `ext4 on /swap`, `zfs pool on /`, etc). my single luks container is unlocked with my security key's PIN and presence.	16:17:33
trumee	this is what i have currently, `root@lappy ~# lsblk /dev/nvme0n1 NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS nvme0n1 259:0 0 1.8T 0 disk ├─nvme0n1p1 259:1 0 1G 0 part /boot ├─nvme0n1p2 259:2 0 32M 0 part ├─nvme0n1p3 259:3 0 86G 0 part │ └─dev-disk-byx2did-nvmex2dSHPP41x2dpart 254:0 0 86G 0 crypt [SWAP] └─nvme0n1p4 259:4 0 1.7T 0 part`	16:18:38
sudoforge	do you see and understand the difference?	16:20:41

sudoforge

so... you're creating a random key within a luks container to unlock your zfs pool

15:42:00

sudoforge

i guess you could enroll that as a keyfile for your swap partition too

15:42:34

sudoforge

since, once again, it has nothing to do with zfs at all

15:42:58

trumee

yes, that seems a good way forward

15:59:01

sudoforge

it's a rather strange way forward

16:05:50

sudoforge

but, yes, it should get you there

16:06:13

sudoforge

i'm not really sure how boot.resumeDevice is going to play with that

16:06:48

sudoforge

what you could do instead, is encrypt the entire disk (except your ESP partition if using systemd-boot) and within the unlocked container, set up your different filesystems

16:07:42

sudoforge

that's what i'd call far more typical on single-disk installations

16:08:09

trumee

why do you think this is strange?

16:09:46

sudoforge

well, what does it accomplish?

16:10:35

sudoforge

you increase complexity and gain, what?

16:10:42

sudoforge

well, and we should probably clarify: are you using a framework laptop with a single disk for your system, or are you using multiple disks?

16:11:56

trumee

yes, i have a single disk.

16:12:07

sudoforge

okay, yeah, i'm going to call it strange then

16:12:22

trumee

My goal is to use Yubikey to decrypt the disk.

16:12:24

sudoforge

you can just do that, directly, on the single luks container that is your entire disk (sans your ESP partition if using systemd-boot)

i do this on my FW13

i was using ZFS encryption instead of using Luks.

16:13:19

sudoforge

no, you're using luks for your keyfile and then using that for zfs

16:13:53

sudoforge

based on: https://discourse.nixos.org/t/yubikey-fido2-and-boot-initrd-systemd/60051/18?u=trumee

16:14:10

sudoforge

anyway, what i've described is far simpler

16:15:09

sudoforge

you are welcome to continue doing what you're doing, of course

16:15:21

sudoforge

➜ lsblk /dev/nvme0n1
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0  1.8T  0 disk  
├─nvme0n1p1 259:1    0  1.8T  0 part  
│ └─disk    254:0    0  1.8T  0 crypt /swap
│                                     /home
│                                     /persist
│                                     /nix/store
│                                     /nix
│                                     /var/log
│                                     /
└─nvme0n1p2 259:2    0  488M  0 part  /boot

this is what a single luks container containing various partitions (which in this case all happen to be btrfs, but could be a disparate ext4 on /swap, zfs pool on /, etc

16:16:31

sudoforge

*

➜ lsblk /dev/nvme0n1
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0  1.8T  0 disk  
├─nvme0n1p1 259:1    0  1.8T  0 part  
│ └─disk    254:0    0  1.8T  0 crypt /swap
│                                     /home
│                                     /persist
│                                     /nix/store
│                                     /nix
│                                     /var/log
│                                     /
└─nvme0n1p2 259:2    0  488M  0 part  /boot

this is what a single luks container containing various partitions (which in this case all happen to be btrfs, but could be a disparate ext4 on /swap, zfs pool on /, etc)

16:16:34

trumee

that is more accurate, my goal was to use native zfs encryption when i set the system up.

16:16:52

sudoforge

*

➜ lsblk /dev/nvme0n1
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0  1.8T  0 disk  
├─nvme0n1p1 259:1    0  1.8T  0 part  
│ └─disk    254:0    0  1.8T  0 crypt /swap
│                                     /home
│                                     /persist
│                                     /nix/store
│                                     /nix
│                                     /var/log
│                                     /
└─nvme0n1p2 259:2    0  488M  0 part  /boot

this is what a single luks container containing various partitions looks like (which in this case all happen to be btrfs, but could be a disparate ext4 on /swap, zfs pool on /, etc)

16:16:54

sudoforge

*

➜ lsblk /dev/nvme0n1
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0  1.8T  0 disk  
├─nvme0n1p1 259:1    0  1.8T  0 part  
│ └─disk    254:0    0  1.8T  0 crypt /swap
│                                     /home
│                                     /persist
│                                     /nix/store
│                                     /nix
│                                     /var/log
│                                     /
└─nvme0n1p2 259:2    0  488M  0 part  /boot

this is what a single luks container containing various partitions looks like (which in this case all happen to be btrfs, but could be a disparate ext4 on /swap, zfs pool on /, etc). my single luks container is unlocked with my security key's PIN and presence.

16:17:33

trumee

this is what i have currently,

root@lappy ~# lsblk /dev/nvme0n1
NAME                                                                  MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
nvme0n1                                                               259:0    0  1.8T  0 disk  
├─nvme0n1p1                                                           259:1    0    1G  0 part  /boot
├─nvme0n1p2                                                           259:2    0   32M  0 part  
├─nvme0n1p3                                                           259:3    0   86G  0 part  
│ └─dev-disk-byx2did-nvmex2dSHPP41x2dpart 254:0    0   86G  0 crypt [SWAP]
└─nvme0n1p4                                                           259:4    0  1.7T  0 part

16:18:38

sudoforge

do you see and understand the difference?

16:20:41

Load older messages

Show newer messages