
How to install NixOS with LUKS disk encryption

Introduction

I’ve done a NixOS server installation before. This time, I’m doing a client installation with LUKS disk encryption.

Actually, it’s quite simple. If you are using the graphical installer, you can choose Encryption in the Partition section and set a password. If you want to install NixOS via the command line, you can follow the steps below. These steps are based on this excellent step-by-step guide with the necessary commands, which I found very helpful in making this note.

Requirements

I first downloaded the minimal ISO image and used Rufus to copy it onto a USB stick with my Windows PC. After opening the ISO with Rufus, I kept all settings default but opted to write with dd.

In the UEFI BIOS menu, I disabled Secure Boot. According to this description, you also need to turn off USB Legacy Boot and turn on Launch CSM. However, I didn’t have to do this with my relatively new Intel NUC. I also used a new SSD for the installation.

Now boot from the USB stick. If you see multiple boot options, choose the one explicitly labeled with UEFI.

How To

Partitioning

  1. Identify the name of your disk with the command:

    # Open your terminal application
    lsblk

    In my case, the name of the SSD is /dev/nvme0n1, which is the name I use in the commands below. However, it could also be something like /dev/sda, for example.

  2. Wipe the existing disk:

    # Open your terminal application
    sudo wipefs -a /dev/nvme0n1
  3. Create a new partition table:

    # Open your terminal application
    sudo parted /dev/nvme0n1 -- mklabel gpt
  4. Create the boot partition at the beginning of the disk:

    # Open your terminal application
    sudo parted /dev/nvme0n1 -- mkpart ESP fat32 1MiB 512MiB
    sudo parted /dev/nvme0n1 -- set 1 boot on
  5. Create the primary partition:

    # Open your terminal application
    sudo parted /dev/nvme0n1 -- mkpart primary 512MiB 100%

    Now /dev/nvme0n1p1 is the boot partition, and /dev/nvme0n1p2 is the primary partition. You can verify this with the command: lsblk.

  6. Set up LUKS encryption on the primary partition (crypted is the name the opened container gets under /dev/mapper). The first command prompts you to create a passphrase, the second to enter it:

    # Open your terminal application
    sudo cryptsetup luksFormat /dev/nvme0n1p2
    sudo cryptsetup luksOpen /dev/nvme0n1p2 crypted
  7. Map the physical, encrypted volume, then create a new volume group and logical volumes in that group for our NixOS root and our swap:

    # Open your terminal application
    sudo pvcreate /dev/mapper/crypted
    sudo vgcreate vg /dev/mapper/crypted
    sudo lvcreate -L 8G -n swap vg
    sudo lvcreate -l '100%FREE' -n nixos vg
  8. Format the boot partition as FAT32 and the root volume as ext4, and create the swap area:

    # Open your terminal application
    sudo mkfs.fat -F 32 -n BOOT /dev/nvme0n1p1
    sudo mkfs.ext4 -L nixos /dev/vg/nixos
    sudo mkswap -L swap /dev/vg/swap
  9. Mount the target file system to /mnt:

    # Open your terminal application
    sudo mount /dev/disk/by-label/nixos /mnt
  10. Mount the boot file system on /mnt/boot for UEFI boot:

    # Open your terminal application
    sudo mkdir -p /mnt/boot
    # The label must match the one given to mkfs.fat above (-n BOOT)
    sudo mount /dev/disk/by-label/BOOT /mnt/boot
    # Or `sudo mount -o umask=0077 /dev/disk/by-label/BOOT /mnt/boot` to avoid
    # the world-accessible warning - please see the comments
  11. And activate the swap:

    # Open your terminal application
    sudo swapon /dev/vg/swap
  12. Now check the results with:

    # Open your terminal application
    lsblk --fs

    It should look something like this. Write down the UUID of the disk, in my case: /dev/nvme0n1.

Installation

Now we can install NixOS. If you only have WiFi, you can read this on how to activate it. Personally, I use a network cable.

  1. Generate the configuration:

    # Open your terminal application
    sudo nixos-generate-config --root /mnt
  2. Modify /etc/nixos/configuration.nix:

    /etc/nixos/configuration.nix
    # To edit use your text editor application, for example Nano
    { config, pkgs, ... }:
    {
      imports =
        [ # Include the results of the hardware scan.
          ./hardware-configuration.nix
        ];

      # Use the systemd-boot EFI boot loader.
      boot.loader.systemd-boot.enable = true;
      boot.loader.efi.canTouchEfiVariables = true;

      networking.hostName = "nixos";
      # Pick only one of the below networking options.
      # networking.wireless.enable = true; # Enables wireless support
      networking.networkmanager.enable = true;
      networking.firewall.enable = false;

      # Set your time zone
      time.timeZone = "Europe/Amsterdam";
      console.keyMap = "uk";

      # LUKS encryption
      boot.initrd.luks.devices = {
        crypted = {
          device = "/dev/disk/by-uuid/<the uuid of /dev/nvme0n1>";
          preLVM = true;         # unlock the container before LVM scans for the volume group inside it
          allowDiscards = true;  # pass TRIM through to the SSD; this reveals which blocks are unused
        };
      };
    }
    # IMPORTANT: Please read the instructions below
    Instructions:
    • Required: Replace <the uuid of /dev/nvme0n1> with the UUID mentioned earlier
    • Required: Replace Europe/Amsterdam with your own timezone
    • Required: Replace uk with your own keyboard layout

    This is a basic configuration. I’ve already set the timezone and keyboard layout, and you can enable wireless networking.

  3. Install NixOS:

    # Open your terminal application
    sudo nixos-install
    # Shutdown after the installation
    sudo shutdown now
    # Remove the USB stick
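Reading the UUID that boot.initrd.luks.devices needs off the system and filling it into the placeholder of the configuration above, as an added example that is not part of the original note. SAMPLE_BLKID is a constructed blkid line, and /mnt/etc/nixos/configuration.nix is where nixos-generate-config --root /mnt writes the file; run this before nixos-install.

```shell
#!/bin/sh
# Added example, not part of the original note: take the UUID for
# boot.initrd.luks.devices from blkid instead of retyping it, refuse anything
# that is not a LUKS header, and fill it into configuration.nix.
set -eu

# Constructed sample of `sudo blkid /dev/nvme0n1p2` output (not real device data).
SAMPLE_BLKID='/dev/nvme0n1p2: UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0" TYPE="crypto_LUKS" PARTLABEL="primary" PARTUUID="11111111-2222-3333-4444-555555555555"'

# Print the UUID from one blkid line, but only if that line describes a LUKS
# container. The initrd must open the container itself; the UUID of the vfat
# boot partition, the LVM PV or the ext4 root would leave the system unbootable.
luks_uuid_from_blkid() {
    case "$1" in
        *'TYPE="crypto_LUKS"'*) ;;
        *) echo "refusing ${1%%:*}: not a LUKS container" >&2; return 1 ;;
    esac
    # ' UUID="' (with the leading space) does not match PARTUUID=.
    printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# Replace the placeholder used in the note's configuration.nix with a real UUID.
# $1 = path to configuration.nix, $2 = UUID. The result goes to stdout so it can
# be reviewed (or diffed) before it replaces the original file.
fill_luks_uuid() {
    sed "s|<the uuid of /dev/nvme0n1>|$2|g" "$1"
}

# On the live installer (needs root) the same steps against the real device;
# nixos-generate-config --root /mnt wrote the file under /mnt/etc/nixos:
#   uuid=$(luks_uuid_from_blkid "$(sudo blkid /dev/nvme0n1p2)")
#   fill_luks_uuid /mnt/etc/nixos/configuration.nix "$uuid" > /tmp/configuration.nix
#   sudo cryptsetup isLuks "/dev/disk/by-uuid/$uuid" \
#     && sudo mv /tmp/configuration.nix /mnt/etc/nixos/configuration.nix

# Stand-alone demo on the constructed sample.
uuid=$(luks_uuid_from_blkid "$SAMPLE_BLKID")
echo "LUKS container UUID: $uuid"
```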

Switching between configurations

Now we test that everything works and add a user, so we no longer have to log in as root.

  1. Power on your PC. If all goes well, you will be asked for the LUKS passphrase!

  2. Log in as root.

  3. Add the user to /etc/nixos/configuration.nix:

    /etc/nixos/configuration.nix
    # To edit use your text editor application, for example Nano
    users.users.<username> = {
      isNormalUser = true;
      description = "";
      extraGroups = [ "wheel" "networkmanager" ];
      home = "/home/<username>";
      createHome = true;
      packages = with pkgs; [
      ];
    };
    # IMPORTANT: Please read the instructions below
    Instructions:
    • Required: Replace <username> with your username
  4. To apply the new NixOS configuration, run the following command:

    # Open your terminal application
    sudo nix-collect-garbage # Optional: clean up
    sudo nixos-rebuild switch
  5. The final step is to set the password of the new user:

    # Open your terminal application
    sudo passwd <username>
    # IMPORTANT: Please read the instructions below
    Instructions:
    • Required: Replace <username> with your username

    Now, you can logout and log in with this user to further configure NixOS.


    Copyright 2021- Fiction Becomes Fact