Title: Unlock a full disk encryption NixOS with usb memory stick
Author: Solène
Date: 06 October 2020
Tags: nixos linux
Description:
Using NixOS on a laptop on which the keyboard isn't detected when I need to type the password to decrypt the disk, I had to find a solution. This problem is hardware related, not Linux or NixOS related.
**I highly recommend using full disk encryption on every computer, under a theft threat model. Having your computer stolen is bad, but if the thief also has access to all your data, you will certainly be in trouble.**
It was time to find out how to use a USB memory stick to unlock the full disk encryption in case I don't have a USB keyboard at hand to unlock the computer.
There are 4 steps to enable unlocking the LUKS volume using a device.

1. Create the key
2. Add the key to the LUKS volume
3. Write the key on the USB device
4. Configure NixOS
First step, creating the key file. The easiest way is the following:

```sh
# dd if=/dev/urandom of=/root/key.bin bs=4096 count=1
```

This will create a 4096-byte key. You can choose the size you want.
Second step is to register that key in the LUKS volume; you will be prompted for the LUKS password when doing so.

```sh
# cryptsetup luksAddKey /dev/sda1 /root/key.bin
```
Then, it's time to write the key to your USB device, which I assume is `/dev/sdb`.

```sh
# dd if=/root/key.bin of=/dev/sdb bs=4096 count=1
```
And finally, you will need to configure NixOS to tell it where the key is. It's important to give the correct size of the key. Don't forget to adapt `"crypted"` to your LUKS volume name.

```nix
boot.initrd.luks.devices."crypted".keyFileSize = 4096;
boot.initrd.luks.devices."crypted".keyFile = "/dev/sdb";
```
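The four steps above, scripted as one POSIX shell file with a verification step added between writing the key and rebooting. This is an added example, not code from Solène's post: the `KEY_SIZE`, `KEY_FILE`, `LUKS_DEV` and `USB_DEV` variables are placeholders you must adapt, and the `verify_key` check (read the first `KEY_SIZE` bytes back from the device and compare them with the key file) is my addition, to catch a wrong device name or a short write before the initrd depends on it.

```shell
#!/bin/sh
# Added example: key creation, LUKS enrolment, writing to the stick, a
# read-back check, and the NixOS options to paste into configuration.nix.
# All device names below are placeholders (assumptions), adapt them.
set -eu

KEY_SIZE=${KEY_SIZE:-4096}
KEY_FILE=${KEY_FILE:-/root/key.bin}
LUKS_DEV=${LUKS_DEV:-/dev/sda1}   # placeholder: your LUKS volume
USB_DEV=${USB_DEV:-/dev/sdb}      # placeholder: the memory stick, whole device
VOLUME=${VOLUME:-crypted}         # placeholder: the name used in boot.initrd.luks.devices

# Step 1: create a random key of exactly $2 bytes, readable by root only.
# Returns non-zero if the file does not have the expected size.
make_key() {
    key=$1; size=$2
    ( umask 077; dd if=/dev/urandom of="$key" bs="$size" count=1 2>/dev/null )
    [ "$(wc -c < "$key")" -eq "$size" ]
}

# Step 2: enrol the key in a free LUKS key slot; cryptsetup prompts for an
# existing passphrase. Not exercised by the offline test below.
enrol_key() {
    cryptsetup luksAddKey "$1" "$2"
}

# Step 3: write the key to the very start of the device (no partition table).
write_key() {
    key=$1; dev=$2; size=$3
    dd if="$key" of="$dev" bs="$size" count=1 2>/dev/null
    sync
}

# Added check: the first $3 bytes of the device must equal the key file.
# Reading back exactly $3 bytes keeps the comparison independent of the
# device size; cmp -s reads stdin via "-" and returns non-zero on mismatch.
verify_key() {
    key=$1; dev=$2; size=$3
    dd if="$dev" bs="$size" count=1 2>/dev/null | cmp -s - "$key"
}

# Step 4: print the NixOS options, including the password fallback.
nix_snippet() {
    volume=$1; dev=$2; size=$3
    printf 'boot.initrd.luks.devices."%s".keyFileSize = %s;\n' "$volume" "$size"
    printf 'boot.initrd.luks.devices."%s".keyFile = "%s";\n' "$volume" "$dev"
    printf 'boot.initrd.luks.devices."%s".fallbackToPassword = true;\n' "$volume"
}

# Run the full procedure only when invoked as "./script.sh run" (as root).
if [ "${1:-}" = "run" ]; then
    make_key "$KEY_FILE" "$KEY_SIZE"
    enrol_key "$LUKS_DEV" "$KEY_FILE"
    write_key "$KEY_FILE" "$USB_DEV" "$KEY_SIZE"
    verify_key "$KEY_FILE" "$USB_DEV" "$KEY_SIZE" || {
        echo "key on $USB_DEV does not match $KEY_FILE, not safe to reboot" >&2
        exit 1
    }
    echo "Add to configuration.nix, then nixos-rebuild switch:"
    nix_snippet "$VOLUME" "$USB_DEV" "$KEY_SIZE"
fi
```

Two things worth keeping in mind when using this: the key file is as sensitive as the passphrase (anyone holding the stick, or a copy of `/root/key.bin`, can open the volume), so keep the file root-only or delete it once the stick has been verified; and if you ever lose the stick, `cryptsetup luksKillSlot` on the volume removes the slot so the lost key can no longer unlock the disk.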
Rebuild your system with `nixos-rebuild switch` and voilà!

### Going further
I recommend enabling the fallback-to-password feature, so that if you lose or don't have your memory stick, you can type the password to unlock the disk. Note that you must not leave anything plugged in that shows up as `/dev/sdb`: if the device exists but holds no valid key, the system won't ask for the password, and you will need to reboot.

```nix
boot.initrd.luks.devices."crypted".fallbackToPassword = true;
```
It's also possible to write the key to a partition, or at a specific offset into your memory stick. For this, look at the `boot.initrd.luks.devices."volume".keyFileOffset` option.