
clear up confusion about passwordFile, settings.keyFile and additionalKeyFiles #956

Open
Libadoxon opened this issue Feb 1, 2025 · 3 comments

Comments

@Libadoxon

I want to configure my system so that the LUKS root disk has a password and a key file. The key file is on a USB stick; when the USB isn't present, it should fall back to the password.

I can't set passwordFile and settings.keyFile because settings.keyFile overrides passwordFile. I can't use passwordFile and place my key file in additionalKeyFiles because then it doesn't get added to config.boot.initrd.luks.devices.<name>.keyFile and so doesn't get searched for.

The only thing I think I can do (though not tested) is something like this:

```nix
{
  type = "luks";
  name = "cryptroot";
  additionalKeyFiles = [ "<(set +x; echo -n \"$(cat /path/to/passwordFile)\"; set -x)" ];
  settings = {
    fallbackToPassword = true;
    keyFile = "/path/to/keyFile";
  };
  ...
}
```

I understand the limitation of NixOS only allowing for one key file, but this is really awkward and should be fixed in some way.

@sedlund

sedlund commented Feb 1, 2025

I would keep the password in a management program and pass it like this:

https://nix-community.github.io/nixos-anywhere/howtos/secrets.html#example-uploading-disk-encryption-secrets

or create a file as explained here:

```nix
settings = {
  # if you want to use the key for interactive login be sure there is no trailing newline
  # for example use `echo -n "password" > /tmp/secret.key`
  keyFile = "/tmp/secret.key";
  allowDiscards = true;
};
additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
```

just apply it to additionalKeyFiles instead.
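A complete disko `luks` entry for the setup discussed in this thread (USB key file as the first key slot, the password enrolled as a second slot through additionalKeyFiles, password prompt as fallback at boot). This is an added example, not code from the issue or from the disko project; the USB device path, /tmp/secret.key and the pass-through of keyFileSize at format time are assumptions.

```nix
# Added example, not from the issue or the disko project. Paths are assumptions.
# Behaviour as described in the thread: settings.keyFile is used for luksFormat
# (it overrides passwordFile), every entry of additionalKeyFiles is enrolled as
# a further key slot, and only settings.* is passed on to
# boot.initrd.luks.devices.cryptroot, so only that key file is searched at boot.
{
  type = "luks";
  name = "cryptroot";

  # Key slot 1: the key file read from the USB stick. Because it lives under
  # `settings`, the initrd looks for the same path at boot.
  settings = {
    keyFile = "/dev/disk/by-id/usb-EXAMPLE_KEY-0:0";  # assumed device path
    keyFileSize = 4096;             # read only the first 4 KiB of the raw device
                                    # (assumed to be honoured at format time too)
    fallbackToPassword = true;      # prompt for the password when the stick is absent
  };

  # Key slot 2: the password. The process substitution hands cryptsetup the file
  # contents without a trailing newline (same effect as `echo -n`), so the very
  # same string works at the interactive prompt. /tmp/secret.key is uploaded out
  # of band, e.g. with nixos-anywhere's disk-encryption secrets.
  additionalKeyFiles = [
    "<(set +x; echo -n \"$(cat /tmp/secret.key)\"; set -x)"
  ];

  content = {
    type = "filesystem";
    format = "ext4";
    mountpoint = "/";
  };
}
```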

@Libadoxon
Author

Libadoxon commented Feb 1, 2025

I don't think I understand. I know how to use nixos-anywhere with disk secrets; I set up my systems with it. The problem is that it's very annoying to figure out how to have both a password and a key file.
As far as I can understand, you explain the workaround I talked about in my original post. I know that there is probably some way to achieve having both a password and a key file, but it is very unclear how to achieve this.

I would suggest a restructuring of these modules, e.g. having the passwordFile option not be overwritten by settings.keyFile, and making it clear that additionalKeyFiles will not be searched if the location is different from settings.keyFile or settings.keyFile isn't set at all.
For example by renaming it to additionalPasswordFiles.

Libadoxon changed the title from "Cannot use a key file and a password at the same time when wanting usb unlocking" to "clear up confusion about passwordFile, settings.keyFile and additionalKeyFiles" on Feb 1, 2025

@Libadoxon
Author

I admit that the title was probably misleading. I updated it to, I hope, something which makes my problem(s) more clear.
