NixOS - Installation with LUKS Disk Encryption


I thought it would be a good idea to install NixOS on an encrypted disk. If something happens to the PC or server, at least all my data won’t be out on the street. Admittedly, that everyday data of mine is not very exciting, but it was a good reason to try this out!

I’ve done a NixOS server installation before. This time I’m doing a client installation with LUKS disk encryption.

Actually, it’s quite simple. If you use the graphical installer, you can choose “Encryption” in the “Partition” step and set a password. If you want to install NixOS from the command line, you can follow the steps below. They are based on this very good step-by-step plan, which lists the commands that need to be executed, and I gratefully used it to write this note.

Preparation

I first downloaded the minimal ISO image and used Rufus on my Windows PC to write it to a USB stick. After opening the ISO in Rufus I kept all settings at their defaults, but I did write the image in DD mode.

In the UEFI BIOS menu I disabled Secure Boot. According to this description, you also have to turn off USB Legacy Boot and turn on Launch CSM, but I didn’t have to do that on my reasonably new Intel NUC. I also used a new SSD for the installation.

Now boot from the USB stick. If there are several boot options, choose the one that is explicitly labelled “UEFI”.

Partitioning

  1. Identify the name of your disk with the command: lsblk
    In my case the SSD is named /dev/nvme0n1, and that is the name I use in the commands below. On your machine it could be /dev/sda, for example.
  2. Wipe the existing disk (this destroys everything on it): sudo wipefs -a /dev/nvme0n1
  3. Create a new partition table: sudo parted /dev/nvme0n1 -- mklabel gpt
  4. Create the boot partition at the beginning of the disk:
    • sudo parted /dev/nvme0n1 -- mkpart ESP fat32 1MiB 512MiB
    • sudo parted /dev/nvme0n1 -- set 1 boot on
  5. Create the primary partition, which takes the rest of the disk: sudo parted /dev/nvme0n1 -- mkpart primary 512MiB 100%

Now /dev/nvme0n1p1 is the boot partition and /dev/nvme0n1p2 is the primary partition that will be encrypted. You can check this with lsblk.

  1. Set up LUKS encryption on the primary partition (crypted is the name of the decrypted mapping that appears under /dev/mapper). luksFormat prompts you to choose a passphrase; luksOpen then asks for it to open the container:
    • sudo cryptsetup luksFormat /dev/nvme0n1p2
    • sudo cryptsetup luksOpen /dev/nvme0n1p2 crypted
  2. Register the opened container as an LVM physical volume, then create a volume group and, inside it, logical volumes for the NixOS root and the swap:
    • sudo pvcreate /dev/mapper/crypted
    • sudo vgcreate vg /dev/mapper/crypted
    • sudo lvcreate -L 8G -n swap vg
    • sudo lvcreate -l '100%FREE' -n nixos vg
  3. Format the boot partition as FAT32 and the root logical volume as ext4, and create the swap:
    • sudo mkfs.fat -F 32 -n boot /dev/nvme0n1p1
    • sudo mkfs.ext4 -L nixos /dev/vg/nixos
    • sudo mkswap -L swap /dev/vg/swap
  4. Mount the target file system on /mnt: sudo mount /dev/disk/by-label/nixos /mnt
  5. Mount the boot file system on /mnt/boot for UEFI boot:
    • sudo mkdir -p /mnt/boot
    • sudo mount /dev/disk/by-label/boot /mnt/boot
  6. Activate the swap: sudo swapon /dev/vg/swap
  7. Check the result with: lsblk --fs. The layout should match the steps above. Write down the UUID shown on the crypto_LUKS line, i.e. the UUID of the encrypted partition (/dev/nvme0n1p2 in my case); it is needed in the configuration below.

Installing

Now we can install NixOS. If you only have WiFi, you can read here how to activate it. I use a network cable myself.

  1. Generate the configuration: sudo nixos-generate-config --root /mnt
  2. Open the configuration, e.g. with the Nano text editor: sudo nano /mnt/etc/nixos/configuration.nix
  3. Modify the configuration as shown below and replace <the uuid of /dev/nvme0n1p2> with the UUID you wrote down earlier:
# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "nixos";
  # Pick only one of the below networking options.
  # networking.wireless.enable = true; # Enables wireless support
  networking.networkmanager.enable = true;
  # The firewall is switched off here; the NixOS default is true.
  networking.firewall.enable = false;

  # Set your time zone
  time.timeZone = "Europe/Amsterdam";

  console.keyMap = "uk";

  # LUKS encryption: open the container in the initrd, before LVM looks for volumes.
  boot.initrd.luks.devices = {
    crypted = {
      # UUID of the crypto_LUKS partition (/dev/nvme0n1p2), as shown by lsblk --fs
      device = "/dev/disk/by-uuid/<the uuid of /dev/nvme0n1p2>";
      preLVM = true;
      # Passes TRIM through to the SSD. This reveals which blocks are unused
      # (see the LUKS documentation); the default is false.
      allowDiscards = true;
    };
  };
}
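
The UUID that goes into the configuration is that of the LUKS container partition, not of the whole disk or of the ext4 volume inside the container. The shell snippet below is an added example, not part of the original note: it picks that UUID out of lsblk --fs output, emits the matching stanza, and, on a live system, checks that configuration.nix agrees with what cryptsetup reports. The sample lsblk output and its UUIDs are constructed; the device path and mapping name are the ones used in this note.

```shell
#!/bin/sh
# Added example: find the UUID for boot.initrd.luks.devices.<name>.device.
# It must be the UUID of the crypto_LUKS partition (/dev/nvme0n1p2 in the
# layout above), not the whole disk and not the ext4 volume in the container.

# Constructed sample of `lsblk --fs` output for the layout built above
# (UUIDs are made up).
SAMPLE_LSBLK='NAME           FSTYPE      LABEL UUID                                 MOUNTPOINT
nvme0n1
├─nvme0n1p1    vfat        boot  1A2B-3C4D                            /mnt/boot
└─nvme0n1p2    crypto_LUKS       0f1e2d3c-4b5a-4978-8c6d-5e4f3a2b1c0d
  └─crypted    LVM2_member       QwErTy-1234-5678-9abc-def0-1234-567890
    ├─vg-swap  swap        swap  11111111-2222-3333-4444-555555555555 [SWAP]
    └─vg-nixos ext4        nixos 66666666-7777-8888-9999-000000000000 /mnt'

# Print the UUID on the crypto_LUKS line of `lsblk --fs` output read from stdin.
# The UUID is matched by shape, so an empty LABEL column does not shift fields.
luks_uuid_from_lsblk() {
  grep 'crypto_LUKS' \
    | grep -oE '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' \
    | head -n 1
}

# Emit the stanza for configuration.nix. $1 = mapping name, $2 = UUID.
# allowDiscards is left at its default (false) here.
luks_stanza() {
  printf 'boot.initrd.luks.devices.%s = {\n  device = "/dev/disk/by-uuid/%s";\n  preLVM = true;\n};\n' "$1" "$2"
}

# On the live installer: does configuration.nix reference the UUID that
# cryptsetup reports for the container? $1 = partition, $2 = config path.
check_luks_uuid() {
  want=$(cryptsetup luksUUID "${1:-/dev/nvme0n1p2}") || return 1
  grep -q "/dev/disk/by-uuid/$want" "${2:-/mnt/etc/nixos/configuration.nix}"
}

# Stand-alone demonstration on the constructed sample.
uuid=$(printf '%s\n' "$SAMPLE_LSBLK" | luks_uuid_from_lsblk)
luks_stanza crypted "$uuid"
```

Run check_luks_uuid from the installer after editing configuration.nix; a non-zero exit status means the UUID in the file does not match the container.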

This is my basic configuration; the time zone and keyboard layout are already in it, and you can enable wireless networking if you need it. Save the configuration with CTRL-X (and then Y) and install NixOS with: sudo nixos-install. After the installation, shut down with: shutdown now, and remove the USB stick.

Switching between configurations

Now we test whether everything works and add a user, so that we no longer have to work as root.

  1. Power on your PC; if all goes well you will be asked for the LUKS passphrase!
  2. Log in as root.
  3. Open the configuration, e.g. with the Nano text editor: sudo nano /etc/nixos/configuration.nix (on the installed system the file is no longer under /mnt)
  4. Add the normal user and replace <USERNAME> with your username:
users.users.<USERNAME> = {
  isNormalUser = true;
  description = "";
  # wheel allows sudo; networkmanager allows managing network connections.
  extraGroups = [ "wheel" "networkmanager" ];
  home = "/home/<USERNAME>";
  createHome = true;
  # Packages installed for this user only; empty for now.
  packages = with pkgs; [
  ];
};

Save the configuration with CTRL-X (and then Y).

After modifying configuration.nix you only need to run sudo nixos-rebuild switch to activate the new configuration. If it doesn’t work the way you want, you can go back to the previous one with sudo nixos-rebuild switch --rollback. Here you can read more about updating and upgrading NixOS.

The final step is to set the new user’s password: sudo passwd <USERNAME>. After that you can log out, log in as this user and configure NixOS further.

