!coeAONBrWyDJnYMbMi:nixos.org

NixOS System Operations

658 Members
About system administration for running NixOS systems in production. Declaratively manage your operations. | Room recommendations: #networking:nixos.org
179 Servers


Sender | Message | Time
18 Apr 2026
@elvishjerricco:matrix.org ElvishJerricco | If the latter, don't do it in initrd at all | 01:27:26
@sss:matrix.dark-alexandr.net sss | it's partitions for lvm which contains root | 01:28:07
@sss:matrix.dark-alexandr.net sss | sounds weird, but it's legacy | 01:28:27
@sss:matrix.dark-alexandr.net sss | from even before nixos ) | 01:28:36
@elvishjerricco:matrix.org ElvishJerricco | so like, you have drive A with a keyfile on it, drive A is unencrypted, and that keyfile is used to decrypt drives B, C, D...? | 01:29:01
@elvishjerricco:matrix.org ElvishJerricco | and B, C, D constitute the LVM that has the root fs? | 01:29:12
@sss:matrix.dark-alexandr.net sss | like i have drive a,b,c lvm for root with different keys on d,e,f | 01:29:52
@elvishjerricco:matrix.org ElvishJerricco | ok sure; but the basic idea of "root is on encrypted drives, the key is on these different unencrypted drives" is right, yea? | 01:30:37
@sss:matrix.dark-alexandr.net sss | yes | 01:30:49
@elvishjerricco:matrix.org ElvishJerricco | cool, just making sure I understand your use case right | 01:30:59
@sss:matrix.dark-alexandr.net sss | and it is complicated yes, but to to a long history of data storage | 01:31:31
@sss:matrix.dark-alexandr.net sss | * and it is complicated yes, but due to a long history of data storage | 01:31:42
@elvishjerricco:matrix.org ElvishJerricco | Then yea, just specifying the three boot.initrd.luks.devices.{a,b,c} with keyFile = "/key-file:${otherDrive}"; should work, where otherDrive is anything you'd use as a device like UUID=asdf or /dev/mapper/blah | 01:31:59
@sss:matrix.dark-alexandr.net sss | probably i will recreate it in a simple way, someday, maybe.... | 01:32:08
@sss:matrix.dark-alexandr.net sss | is there a way to wait for device to appear ? | 01:32:56
@elvishjerricco:matrix.org ElvishJerricco | It will do that automatically | 01:33:10
@sss:matrix.dark-alexandr.net sss | nice, thx for info | 01:33:23
@elvishjerricco:matrix.org ElvishJerricco | happy to help :) | 01:33:29
@sss:matrix.dark-alexandr.net sss | is it possible to pass mount options for fs containing decryption key ? | 01:40:03
@sss:matrix.dark-alexandr.net sss | i have keys on jfs which is not mounting with defaults for some long time forgotten reason | 01:40:35
@elvishjerricco:matrix.org ElvishJerricco | oh hm, maybe not | 01:41:03
@elvishjerricco:matrix.org ElvishJerricco | uhhh | 01:41:13
@sss:matrix.dark-alexandr.net sss | which fs today is most apropriate to handle keys on small device (few mb) ? | 01:41:51
@elvishjerricco:matrix.org ElvishJerricco | honestly when the FS is just for storing one key, I question if it should even be an FS; you could just use the partition itself as the key "file" | 01:44:12
@sss:matrix.dark-alexandr.net sss | * which fs today is most appropriate to handle keys on small device (few mb) ? | 01:42:56
@sss:matrix.dark-alexandr.net sss | probably, but will keyFile understand it without custom script ? | 01:46:31
@elvishjerricco:matrix.org ElvishJerricco | yes, at least with systemd initrd I know it will | 01:46:49
@sss:matrix.dark-alexandr.net sss | sounds interesting, where can i read about syntax ? | 01:47:47
@elvishjerricco:matrix.org ElvishJerricco | well, basically the whole boot.initrd.luks.devices.<name> thing in NixOS is a frontend for /etc/crypttab, which has a man page | 01:48:32
@elvishjerricco:matrix.org ElvishJerricco | er, in systemd initrd | 01:48:40

Room Version: 10