| 10 May 2026 |
trumee | this did not work,
luks = {
  size = "100%";
  content = {
    type = "luks";
    name = "enc";           # mapped device name, /dev/mapper/enc
    enrollFido2 = true;     # enroll a FIDO2 token as an unlock method
    settings = {
      allowDiscards = true; # pass discards (TRIM) through the dm-crypt layer
    };
    content = {
      type = "lvm_pv";      # LVM physical volume inside the LUKS container
      vg = "pool";
    };
  };
};
| 20:59:27 |
Albert Larsan | And you know what to change depending on whether your storage fills up (increase the number everywhere) or your CPU is hammered (decrease the number, even into the negatives if needed) | 20:59:32 |
trumee | error: The option `disko.devices.disk.disk1.content.partitions.luks.content.enrollFido2' does not exist. Definition values: | 20:59:43 |
sudoforge | you need to update the disko binary you're using, and the disko library you're using | 21:00:06 |
trumee | i used sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount /tmp/disk-config.nix from https://github.com/nix-community/disko | 21:00:26 |
sudoforge | yeah i just checked, it's not released | 21:00:42 |
sudoforge | so change /latest to /master | 21:00:57 |
Albert Larsan | That is what it does, asks me for a passphrase at format step. | 21:01:16 |
sudoforge | i didn't see encryption configuration in the config you shared earlier. did i miss it? | 21:01:38 |
sudoforge | oh, so i did | 21:01:51 |
sudoforge | oops | 21:01:51 |
Albert Larsan | There is luks, but with default-ish configs | 21:02:10 |
sudoforge | yeah, which will just ask for a passphrase | 21:02:24 |
sudoforge | i'm tracking now | 21:02:32 |
sudoforge | trumee the fido2 support landed 3 weeks ago, and unfortunately a release hasn't been cut yet | 21:03:18 |
sudoforge | which is why "latest" didn't work for you | 21:03:25 |
Albert Larsan | Even the second disk is encrypted. I would have loved to make a key file work, but despite trying for a week I couldn't, so it also has a passphrase and unlocks from the TPM | 21:03:35 |
sudoforge | in multi-disk systems i just use the same passphrase | 21:03:54 |
sudoforge | cryptsetup caches it when unlocking, so, it's not too painful if i ever do need to manually enter it | 21:04:24 |
sudoforge | * in multi-disk systems i just use the same passphrase for all of the disks | 21:04:44 |
Albert Larsan | It is the same passphrase, but it must boot automatically, without passphrases. | 21:05:07 |
sudoforge | yep | 21:05:24 |
sudoforge | for that, i use clevis + tang | 21:05:29 |
Albert Larsan | And I use not enough PCRs on my TPM. | 21:19:19 |
sudoforge | :( | 21:24:56 |
sudoforge | PCRs that are a little looser for a server make a certain sense, but | 21:27:27 |
sudoforge | i would strongly encourage you to research clevis+tang and move to that | 21:27:39 |
Albert Larsan | I am really unsure of which ones to use with lanzaboote | 21:27:46 |
Albert Larsan | My servers are in multiple locations, with independent internet accesses | 21:28:08 |
sudoforge | my servers are all on-prem (in a rack in my home). my tang server is my laptop | 21:28:54 |