NixOS - Installation with LUKS Disk Encryption
I thought it would be a good idea to install NixOS on an encrypted disk. If something happens to the PC or server, at least all my data won’t be out on the street. By the way, that home-garden-kitchen data of mine is not really exciting, but it was also a good reason to try this out!
I’ve done a NixOS server installation before. This time I’m doing a client installation with LUKS disk encryption.
Actually, it’s quite simple. If you are using the graphical installer, you can choose “Encryption” in the “Partition” part and set a password.
If you want to install NixOS via the command line, you can follow the steps below which are based on this very good step-by-step plan with the commands that need to be executed, so I gratefully took advantage of that to make this note.
Preparation
I first downloaded the minimal ISO image and used Rufus to copy it onto a USB stick with my Windows pc. After opening the ISO with Rufus I kept all settings default, but I did write with dd.
In the UEFI BIOS menu I disabled Secure Boot. According to this description, you also have to turn off USB Legacy Boot and turn on Launch CSM, but I didn’t have to do that with my reasonably new Intel NUC. I also used a new SSD for the installation.
Now boot from the USB stick; if there are several boot options, choose the one that is explicitly labeled “UEFI”.
Partitioning
- Identify the name of your disk with the command:
lsblk
In my case the name of the SSD is /dev/nvme0n1, and that’s the name I use in the commands below. It could also be /dev/sda, for example.
- Wipe the existing disk:
sudo wipefs -a /dev/nvme0n1
- Create a new partition table:
sudo parted /dev/nvme0n1 -- mklabel gpt
- Create the boot partition at the beginning of the disk:
sudo parted /dev/nvme0n1 -- mkpart ESP fat32 1MiB 512MiB
sudo parted /dev/nvme0n1 -- set 1 boot on
- Create the primary partition:
sudo parted /dev/nvme0n1 -- mkpart primary 512MiB 100%
Now /dev/nvme0n1p1 is the boot partition and /dev/nvme0n1p2 is the primary partition. You can check this with lsblk.
- Set up LUKS encryption on the primary partition (crypted is the name of the mapped, decrypted device). This will prompt you to create a passphrase:
sudo cryptsetup luksFormat /dev/nvme0n1p2
sudo cryptsetup luksOpen /dev/nvme0n1p2 crypted
- Map the physical, encrypted volume, then create a new volume group and logical volumes in that group for our NixOS root and our swap:
sudo pvcreate /dev/mapper/crypted
sudo vgcreate vg /dev/mapper/crypted
sudo lvcreate -L 8G -n swap vg
sudo lvcreate -l '100%FREE' -n nixos vg
- Format the boot partition as FAT32 and the root volume as ext4, and create the swap:
sudo mkfs.fat -F 32 -n BOOT /dev/nvme0n1p1
sudo mkfs.ext4 -L nixos /dev/vg/nixos
sudo mkswap -L swap /dev/vg/swap
- Mount the target file system to /mnt:
sudo mount /dev/disk/by-label/nixos /mnt
- Mount the boot file system on /mnt/boot for UEFI boot. The label is case-sensitive and must match the -n value given to mkfs.fat above:
sudo mkdir -p /mnt/boot
sudo mount /dev/disk/by-label/BOOT /mnt/boot
(or sudo mount -o umask=0077 /dev/disk/by-label/BOOT /mnt/boot to avoid the world accessible warning - please see the comments)
- And activate the swap:
sudo swapon /dev/vg/swap
- Now check the results with:
lsblk --fs
It should look something like this. Write down the UUID of the disk, in my case /dev/nvme0n1. The value you need is the one shown on the crypto_LUKS line (the encrypted partition /dev/nvme0n1p2), not the UUID of a logical volume inside it.
Installing
Now we can install NixOS. If you only have WiFi, you can read here how to activate it. I myself use a network cable.
- Generate the configuration:
sudo nixos-generate-config --root /mnt
- Open the configuration, e.g. with the Nano text editor:
sudo nano /mnt/etc/nixos/configuration.nix
- Modify the configuration and replace <the uuid of /dev/nvme0n1> with the UUID mentioned earlier:
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
{ config, pkgs, ... }:
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "nixos";
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support
  networking.networkmanager.enable = true;
  # The NixOS firewall is enabled by default; this turns it off.
  networking.firewall.enable = false;

  # Set your time zone
  time.timeZone = "Europe/Amsterdam";
  console.keyMap = "uk";

  # LUKS encryption
  boot.initrd.luks.devices = {
    crypted = {
      # UUID of the encrypted partition itself (the crypto_LUKS line of lsblk --fs),
      # not of a logical volume inside it.
      device = "/dev/disk/by-uuid/<the uuid of /dev/nvme0n1>";
      # The LUKS container must be opened before LVM scans for volume groups.
      preLVM = true;
      # Pass TRIM/discard through to the SSD; this reveals which blocks are unused.
      allowDiscards = true;
    };
  };
}
This is the basic configuration for me; I have already put the time zone and the keyboard layout in it, and you can enable wireless networking.
Now save the configuration with CTRL-X (and then Y) and install NixOS: sudo nixos-install
Shut down after the installation with: shutdown now
Remove the USB stick.
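The easiest mistake in this step is copying the wrong UUID (a logical volume's instead of the encrypted partition's) into the device line. The following script is an added example, not part of the original note: it keys on the crypto_LUKS line of `lsblk --fs` output, substitutes the UUID for the placeholder in a copy of the configuration, and checks that no placeholder survived. The lsblk output inside it is constructed to resemble `lsblk --fs --ascii` on this note's layout, and every UUID in it is made up.

```shell
#!/bin/sh
# Added example (not from the original note). Constructed `lsblk --fs --ascii`-style
# output for the layout used in the note; all UUIDs are invented.
SAMPLE_LSBLK='NAME          FSTYPE      FSVER LABEL UUID                                   MOUNTPOINTS
nvme0n1
|-nvme0n1p1   vfat        FAT32 BOOT  1234-ABCD                              /mnt/boot
`-nvme0n1p2   crypto_LUKS 2           0a1b2c3d-1111-2222-3333-444455556666
  `-crypted   LVM2_member LVM2 001    AbCdEf-GhIj-KlMn-OpQr-StUv-WxYz-012345
    |-vg-swap swap        1     swap  5a5a5a5a-1234-5678-9abc-def012345678   [SWAP]
    `-vg-nixos ext4       1.0   nixos 9f8e7d6c-aaaa-bbbb-cccc-ddddeeeeffff   /mnt'

# Print the UUID on the crypto_LUKS line. The swap and ext4 volumes carry UUIDs of
# the same shape, which is why we select the line by filesystem type first.
luks_uuid_from_lsblk() {
  printf '%s\n' "$1" \
    | grep 'crypto_LUKS' \
    | grep -oE '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' \
    | head -n 1
}

# Replace the placeholder from the note's configuration.nix with the real UUID.
# $1 = UUID, $2 = path of the configuration file (rewritten through a temp copy,
# so this also works with a sed that lacks GNU's -i).
fill_luks_uuid() {
  sed "s|<the uuid of /dev/nvme0n1>|$1|" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Sanity check: fail if a placeholder survived, otherwise print the device line.
check_luks_device() {
  if grep -q '<the uuid of' "$1"; then
    echo "placeholder still present in $1" >&2
    return 1
  fi
  grep -E '^[[:space:]]*device = "/dev/disk/by-uuid/' "$1"
}

# Demonstration on a throwaway copy of the LUKS stanza from the note.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
  boot.initrd.luks.devices = {
    crypted = {
      device = "/dev/disk/by-uuid/<the uuid of /dev/nvme0n1>";
      preLVM = true;
      allowDiscards = true;
    };
  };
EOF
uuid=$(luks_uuid_from_lsblk "$SAMPLE_LSBLK")
echo "LUKS container UUID: $uuid"
fill_luks_uuid "$uuid" "$demo_config"
check_luks_device "$demo_config"
rm -f "$demo_config"
```

On the live installer you would feed the real output instead of the sample, i.e. `uuid=$(luks_uuid_from_lsblk "$(lsblk --fs)")`, and then point `fill_luks_uuid` at /mnt/etc/nixos/configuration.nix. If the check still reports a placeholder, the device line was not filled and the initrd would have nothing to unlock at boot.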
Switching between configurations
Now we’re testing if everything works and adding a user so we don’t have to use root anymore.
- Power on your pc and if all goes well you will be asked for the LUKS password!
- Log in with root
- Open the configuration, e.g. with the Nano text editor (the system is now booted from the disk, so the file lives under /etc rather than /mnt/etc):
sudo nano /etc/nixos/configuration.nix
- Add the normal user and replace <USERNAME> with your username:
  users.users.<USERNAME> = {
    isNormalUser = true;
    description = "";
    # wheel grants sudo; networkmanager lets the user manage connections.
    extraGroups = [ "wheel" "networkmanager" ];
    home = "/home/<USERNAME>";
    createHome = true;
    packages = with pkgs; [
    ];
  };
Save the configuration with CTRL-X (and then Y).
After modifying the configuration.nix you just need to run: sudo nixos-rebuild switch
to switch between configurations. If it doesn’t work the way you want, you can go back with sudo nixos-rebuild switch --rollback. Here you can read more about updating and upgrading NixOS.
Now, the final step is to set the new user’s password: sudo passwd <USERNAME>
Now you can log out and log in with this user and further configure NixOS.