| 10 May 2026 |
sudoforge | then boot and manually enroll the TPM device | 20:50:16 |
sudoforge | that's basically what I do anyway to add additional security keys | 20:50:31 |
Albert Larsan | Disko sets up passphrase encryption when no options are given | 20:50:57 |
sudoforge | by default, with no options specified, that is correct | 20:51:31 |
sudoforge | but you can specify a key file | 20:51:35 |
sudoforge | or content.enrollFido2 | 20:51:56 |
Albert Larsan | But the key file needs to be available in the install env.
Also I’ve never got key files to work. | 20:52:46 |
sudoforge | what's wrong with a passphrase, then? it seems like that needs to be present for you, as a backup option in case PCRs change | 20:53:35 |
sudoforge | I'm not seeing the problem, unless you are avoiding a passphrase altogether and relying on the TPM never failing and PCRs never changing | 20:54:17 |
sudoforge | but that has inherent risks IMO | 20:54:30 |
trumee | Thanks, I used this now, and it built:
nvme1n1 259:1 0 1.8T 0 disk
├─nvme1n1p1 259:2 0 2G 0 part /mnt/boot
└─nvme1n1p2 259:3 0 1.8T 0 part
└─enc 254:3 0 1.8T 0 crypt
├─pool-swap 254:4 0 98G 0 lvm [SWAP]
└─pool-root 254:5 0 1.7T 0 lvm /mnt/var/log
/mnt/persist
/mnt/nix
/mnt
| 20:54:35 |
sudoforge | @trumee you also won't need the /persist subvol if you aren't using the impermanence module | 20:55:18 |
trumee | Right, I don't need that. How can I enroll my YubiKey with disko? I do something like systemd-cryptenroll --fido2-device=auto /dev/disk | 20:56:19 |
Albert Larsan | Yes, I like the passphrases. (The PCR selection I have is lax enough that I was able to disable Secure Boot, boot Clonezilla, clone from one disk to another, and re-enable Secure Boot, and the disk auto-unlocked.)
I have both (poor) passphrases and (poor) PCR selections for the servers. | 20:56:38 |
sudoforge | luks = {
  size = "100%";
  content.type = "luks";
  content.name = "system";
  content.settings.allowDiscards = true;
  # use a fido2 key for unlocking
  content.enrollFido2 = true;
  # do not generate a recovery passphrase
  content.enrollRecovery = false;
  content.content = {
    type = "btrfs";
    ...
  };
};
| 20:56:54 |
sudoforge | then I'm not seeing the problem with using disko :P | 20:57:34 |
Albert Larsan | I do use disko, just that I don’t enroll the TPM using disko | 20:57:58 |
sudoforge | well, i mean for setting up the initial encryption | 20:58:11 |
sudoforge | passphrase, in your case | 20:58:18 |
trumee | Do I need compress=zstd:3 or simply compress=zstd? | 20:58:20 |
Albert Larsan | Both are currently equivalent | 20:58:33 |
Albert Larsan | But setting 3 is more explicit | 20:58:41 |
trumee | This did not work:
luks = {
  size = "100%";
  content = {
    type = "luks";
    name = "enc";
    enrollFido2 = true;
    settings = {
      allowDiscards = true;
    };
    content = {
      type = "lvm_pv";
      vg = "pool";
    };
  };
};
| 20:59:27 |
Albert Larsan | And you know what to change depending on whether your storage fills up (increase the number everywhere) or your CPU is hammered (decrease the number, even into the negatives if needed) | 20:59:32 |
trumee | error: The option `disko.devices.disk.disk1.content.partitions.luks.content.enrollFido2' does not exist. Definition values: | 20:59:43 |
sudoforge | you need to update the disko binary you're using, and the disko library you're using | 21:00:06 |
trumee | I used sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount /tmp/disk-config.nix from https://github.com/nix-community/disko | 21:00:26 |
sudoforge | yeah, I just checked, it's not released | 21:00:42 |
sudoforge | so change /latest to /master | 21:00:57 |
Albert Larsan | That is what it does, asks me for a passphrase at the format step. | 21:01:16 |