How to install NixOS with LUKS disk encryption
Introduction
I’ve done a NixOS server installation before. This time, I’m doing a client installation with LUKS disk encryption.
Actually, it’s quite simple. If you are using the graphical installer, you can choose Encryption in the Partition section and set a password.
If you want to install NixOS via the command line, you can follow the steps below. These steps are based on this excellent step-by-step guide with the necessary commands, which I found very helpful in making this note.
Requirements
I first downloaded the minimal ISO image and used Rufus to copy it onto a USB stick with my Windows PC. After opening the ISO with Rufus, I kept all settings default but opted to write with dd.
In the UEFI BIOS menu, I disabled Secure Boot. According to this description, you also need to turn off USB Legacy Boot and turn on Launch CSM. However, I didn’t have to do this with my relatively new Intel NUC. I also used a new SSD for the installation.
Now boot from the USB stick. If you see multiple boot options, choose the one explicitly labeled with UEFI.
How To
Partitioning
- Identify the name of your disk with the command:

  ```shell
  lsblk
  ```

  In my case, the name of the SSD is /dev/nvme0n1, which is the name I use in the commands below. However, it could also be something like /dev/sda, for example.

- Wipe the existing disk:

  ```shell
  sudo wipefs -a /dev/nvme0n1
  ```

- Create a new partition table:

  ```shell
  sudo parted /dev/nvme0n1 -- mklabel gpt
  ```

- Create the boot partition at the beginning of the disk:

  ```shell
  sudo parted /dev/nvme0n1 -- mkpart ESP fat32 1MiB 512MiB
  sudo parted /dev/nvme0n1 -- set 1 boot on
  ```

- Create the primary partition:

  ```shell
  sudo parted /dev/nvme0n1 -- mkpart primary 512MiB 100%
  ```

  Now /dev/nvme0n1p1 is the boot partition, and /dev/nvme0n1p2 is the primary partition. You can verify this with the command lsblk.

- Set up LUKS encryption on the primary partition (crypted is the name of the opened mapping under /dev/mapper). This will prompt for creating a password:

  ```shell
  sudo cryptsetup luksFormat /dev/nvme0n1p2
  sudo cryptsetup luksOpen /dev/nvme0n1p2 crypted
  ```

- Map the physical, encrypted volume, then create a new volume group and logical volumes in that group for our NixOS root and our swap:

  ```shell
  sudo pvcreate /dev/mapper/crypted
  sudo vgcreate vg /dev/mapper/crypted
  sudo lvcreate -L 8G -n swap vg
  sudo lvcreate -l '100%FREE' -n nixos vg
  ```

- Format the boot volume to FAT32 and the filesystem to EXT4, and also create a swap:

  ```shell
  sudo mkfs.fat -F 32 -n BOOT /dev/nvme0n1p1
  sudo mkfs.ext4 -L nixos /dev/vg/nixos
  sudo mkswap -L swap /dev/vg/swap
  ```

- Mount the target file system to /mnt:

  ```shell
  sudo mount /dev/disk/by-label/nixos /mnt
  ```

- Mount the boot file system on /mnt/boot for UEFI boot:

  ```shell
  sudo mkdir -p /mnt/boot
  # The FAT label was created as BOOT above; the /dev/disk/by-label link is case-sensitive
  sudo mount /dev/disk/by-label/BOOT /mnt/boot
  # Or `sudo mount -o umask=0077 /dev/disk/by-label/BOOT /mnt/boot` to avoid the world accessible warning - please see the comments
  ```

- And activate the swap:

  ```shell
  sudo swapon /dev/vg/swap
  ```

- Now check the results with:

  ```shell
  lsblk --fs
  ```

  The output should show the layout created above. Write down the UUID that lsblk --fs lists next to the crypto_LUKS partition, in my case /dev/nvme0n1p2 on /dev/nvme0n1 (the disk itself has no UUID; the UUID of the encrypted partition is the one the configuration below needs).
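As an added check (my own example, not part of the original note), this POSIX sh script parses lsblk output for the layout above, confirms that every filesystem and label the steps create is present, extracts the UUID of the crypto_LUKS partition and prints the configuration.nix snippet used in the next section, and checks that /mnt/boot is mounted with a private umask. The sample lsblk output and its UUIDs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify the layout built in the
# steps above and print the boot.initrd.luks.devices snippet with the right UUID.
# Input is the output of:  lsblk -o NAME,FSTYPE,LABEL,UUID -P /dev/nvme0n1
# (-P prints one device per line as KEY="value" pairs in the given column order).
# Constructed sample of that output for the layout above (UUIDs are made up).
SAMPLE_LSBLK='NAME="nvme0n1" FSTYPE="" LABEL="" UUID=""
NAME="nvme0n1p1" FSTYPE="vfat" LABEL="BOOT" UUID="1A2B-3C4D"
NAME="nvme0n1p2" FSTYPE="crypto_LUKS" LABEL="" UUID="0e5ac34f-3d1d-4b5f-9a7e-7d3b64b9d6c2"
NAME="crypted" FSTYPE="LVM2_member" LABEL="" UUID="Qz1k2L-aaaa-bbbb-cccc-dddd-eeee-ffffff"
NAME="vg-swap" FSTYPE="swap" LABEL="swap" UUID="7f1c2e3d-4b5a-4c6d-8e9f-0a1b2c3d4e5f"
NAME="vg-nixos" FSTYPE="ext4" LABEL="nixos" UUID="9b8a7c6d-5e4f-4a3b-9c2d-1e0f9a8b7c6d"'

# Fail unless every filesystem the guide creates is present with its label.
# The ESP label is BOOT: FAT stores labels in upper case, and by-label links are case-sensitive.
check_layout() {
  for want in 'FSTYPE="vfat" LABEL="BOOT"' 'FSTYPE="crypto_LUKS"' 'FSTYPE="LVM2_member"' \
              'FSTYPE="swap" LABEL="swap"' 'FSTYPE="ext4" LABEL="nixos"'; do
    printf '%s\n' "$1" | grep -q "$want" || { echo "missing: $want" >&2; return 1; }
  done
}

# Print the UUID of the crypto_LUKS partition (/dev/nvme0n1p2 here). This, not the
# whole disk, is what belongs in device = "/dev/disk/by-uuid/...".
luks_uuid() {
  uuid=$(printf '%s\n' "$1" | grep 'FSTYPE="crypto_LUKS"' | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
  [ "$(printf '%s\n' "$uuid" | grep -c .)" -eq 1 ] || { echo "need exactly one LUKS partition" >&2; return 1; }
  printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
  printf '%s\n' "$uuid"
}

# Emit the configuration.nix fragment from the Installation section for that UUID.
luks_snippet() {
  printf 'boot.initrd.luks.devices = {\n  crypted = {\n    device = "/dev/disk/by-uuid/%s";\n' "$1"
  printf '    preLVM = true;\n    allowDiscards = true;\n  };\n};\n'
}

# Return 0 when the /mnt/boot mount options (findmnt -n -o OPTIONS /mnt/boot) keep
# the ESP private; the kernel reports mount -o umask=0077 as fmask=0077,dmask=0077.
boot_mount_private() {
  case ",$1," in
    *,umask=0077,*|*,fmask=0077,*dmask=0077,*|*,dmask=0077,*fmask=0077,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pass a disk (e.g. /dev/nvme0n1) to read the real layout; otherwise use the sample.
if [ -n "${1:-}" ]; then OUT=$(lsblk -o NAME,FSTYPE,LABEL,UUID -P "$1"); else OUT=$SAMPLE_LSBLK; fi
check_layout "$OUT" && luks_snippet "$(luks_uuid "$OUT")"
```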
Installation
Now we can install NixOS. If you only have WiFi, you can read this on how to activate it. Personally, I use a network cable.
- Generate the configuration:

  ```shell
  sudo nixos-generate-config --root /mnt
  ```

- Modify /mnt/etc/nixos/configuration.nix (this is the file that becomes /etc/nixos/configuration.nix on the installed system). To edit, use your text editor application, for example Nano:

  ```nix
  { config, pkgs, ... }:

  {
    imports =
      [ # Include the results of the hardware scan.
        ./hardware-configuration.nix
      ];

    # Use the systemd-boot EFI boot loader.
    boot.loader.systemd-boot.enable = true;
    boot.loader.efi.canTouchEfiVariables = true;

    networking.hostName = "nixos";
    # Pick only one of the below networking options.
    # networking.wireless.enable = true;  # Enables wireless support
    networking.networkmanager.enable = true;
    # Turns the NixOS firewall off entirely; set to true to keep it on
    networking.firewall.enable = false;

    # Set your time zone
    time.timeZone = "Europe/Amsterdam";
    console.keyMap = "uk";

    # LUKS encryption
    boot.initrd.luks.devices = {
      crypted = {
        # UUID of the crypto_LUKS partition (/dev/nvme0n1p2), as noted from lsblk --fs
        device = "/dev/disk/by-uuid/<the uuid of /dev/nvme0n1p2>";
        preLVM = true;
        allowDiscards = true;
      };
    };
  }
  ```

  IMPORTANT: Please read the instructions below.

  Instructions:
  - Required: Replace <the uuid of /dev/nvme0n1p2> with the UUID mentioned earlier
  - Required: Replace Europe/Amsterdam with your own timezone
  - Required: Replace uk with your own keyboard layout

  This is a basic configuration. I’ve already set the timezone and keyboard layout, and you can enable wireless networking.

- Install NixOS:

  ```shell
  sudo nixos-install  # Asks you to set the root password at the end
  # Shutdown after the installation
  sudo shutdown now
  # Remove the USB stick
  ```
Switching between configurations
Now, we’re testing to ensure everything works correctly and adding a user so we don’t have to use root anymore.
- Power on your PC and if all goes well you will be asked for the LUKS password!

- Log in with root.

- Add the user to /etc/nixos/configuration.nix. To edit, use your text editor application, for example Nano:

  ```nix
  # Add this inside the attribute set, next to the options from the installation
  users.users.<username> = {
    isNormalUser = true;
    description = "";
    extraGroups = [ "wheel" "networkmanager" ];
    home = "/home/<username>";
    createHome = true;
    packages = with pkgs; [];
  };
  ```

  IMPORTANT: Please read the instructions below.

  Instructions:
  - Required: Replace <username> with your username

- To apply the new NixOS configuration, run the following commands:

  ```shell
  sudo nix-collect-garbage  # Optional: clean up
  sudo nixos-rebuild switch
  ```

- The final step is to set the password of the new user:

  ```shell
  sudo passwd <username>
  ```

  IMPORTANT: Please read the instructions below.

  Instructions:
  - Required: Replace <username> with your username

  Now, you can log out and log in with this user to further configure NixOS.