[Nix-dev] Encrypted boot, encrypted root on zfs setup. Problem with root unlocking.
Bryan Gardiner
bog at khumba.net
Sat Aug 29 19:23:47 CEST 2015
On Sat, 29 Aug 2015 16:59:00 +0100
Tomasz Czyż <tomasz.czyz at gmail.com> wrote:
> Hi,
>
> Yesterday I've set up nix for the first time. Awesome project!
>
> I was struggling with ubuntu/debian to set up encrypted boot
> partition, but here worked with first boot! Nice stuff!
>
> But I have a problem with mounting the root partition at this stage.
>
> My setup
>
> --------------------------------------------
> | BOOT | ROOT |
> --------------------------------------------
> | ext4 | zfs |
> --------------------------------------------
> | enc_boot | enc_root1, enc_root2, ... |
> --------------------------------------------
> | md_boot | sda3, sdb3, sdc3, sdd3 |
> --------------------------------------------
> | sda2, sdb2...|
> ----------------
>
> So, boot is on encrypted partition on top of RAID1 (mdadm). There is
> a file root.key to unlock 4 root partitions.
>
> Root is a ZFS system, on top of 4 encrypted volumes, encrypted with
> root.key (which is on the boot partition).
>
> Working part:
> During the boot, I'm asked about the password to boot partition, and
> boot partition is unlocked.
>
> Not working part:
> After unlocking boot and loading initrd there is a problem, zfs
> defined in config (with UUID) cannot be found or mounted – because 4
> root partitions are not unlocked.
>
> In configuration.nix I've added bootloader directive
>
> boot.initrd.postMountCommands = "cryptsetup luksOpen --key-file
> /mnt-root/boot/root.key /dev/sda3 root1; cryptsetup luksOpen
> --key-file /mnt/root/boot/root.key /dev/sdb3 root2.......";
>
> but this part is not working. I cannot access root.key; probably the boot
> partition is not mounted there. I don't know how to activate a shell
> there to investigate stuff.
Guessing here, but try calling
/nix/store/*-extra-utils/bin/busybox sh
from postMountCommands? You could also try finding the path to
busybox within your initrd and filling in the full path:
$ nix-store -qR /run/current-system | grep 'initrd$'
/nix/store/ig0y1a7d5153rb61m4hyfgzflqkx6kbj-initrd
$ gunzip -ck /nix/store/ig0y1a7d5153rb61m4hyfgzflqkx6kbj-initrd/initrd | cpio -it | grep 'extra-utils/bin/busybox$'
nix/store/hyjs4vanbas2z1lh6gawyrb3ngznw2v6-extra-utils/bin/busybox
39975 blocks
Hope that helps,
Bryan
> Do you know by any chance how I can automatically unlock other
> partitions from boot partitions and mount zfs after that?
>
> Cheers,
> Tomasz Czyż
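A configuration.nix fragment for the layout in the question, added here as an example and not taken from the thread or from the NixOS project: it unlocks the /boot container interactively, then mounts it in stage 1 to read root.key and open the four root volumes before the ZFS pool is imported. The device names, the md array name and UUID, and the pool/dataset names are assumptions.

```nix
{ config, lib, pkgs, ... }:

{
  # Stage 1 (initrd) needs ZFS, the dm-crypt and RAID1 modules, and the
  # md array that carries the encrypted /boot. The array UUID is a
  # placeholder (assumption); take it from `mdadm --detail --scan`.
  boot.initrd.supportedFilesystems = [ "zfs" ];
  boot.initrd.availableKernelModules = [ "dm_crypt" "raid1" ];
  boot.initrd.mdadmConf = ''
    ARRAY /dev/md/boot metadata=1.2 UUID=<md-boot-uuid-placeholder>
  '';

  # Interactive unlock of the /boot container: this is the passphrase
  # prompt the thread already reports as working. List form as used by
  # NixOS in 2015; newer releases take an attribute set instead
  # (boot.initrd.luks.devices.enc_boot = { device = "/dev/md/boot"; };).
  boot.initrd.luks.devices = [
    { name = "enc_boot"; device = "/dev/md/boot"; }
  ];

  # Runs after block devices (md, the LUKS container above) exist but
  # before the root filesystem is mounted. postMountCommands only runs
  # after root is mounted, which cannot happen while root's own LUKS
  # volumes are still locked; mkBefore orders this ahead of the ZFS
  # module's own pool import in the same hook.
  boot.initrd.postDeviceCommands = lib.mkBefore ''
    mkdir -p /keyboot
    mount -t ext4 -o ro /dev/mapper/enc_boot /keyboot
    # Device-to-name pairs assumed from the layout in the question.
    for pair in sda3:enc_root1 sdb3:enc_root2 sdc3:enc_root3 sdd3:enc_root4; do
      dev=/dev/''${pair%%:*}
      name=''${pair##*:}
      cryptsetup luksOpen --key-file /keyboot/root.key "$dev" "$name"
    done
    # Unmount as soon as the volumes are open: the key file is then
    # reachable only through the passphrase-protected /boot container.
    umount /keyboot
  '';

  # Once all four /dev/mapper/enc_root* volumes exist the zfs module
  # imports the pool in stage 1; pool and dataset names are assumed.
  fileSystems."/" = { device = "rpool/root"; fsType = "zfs"; };
  fileSystems."/boot" = { device = "/dev/mapper/enc_boot"; fsType = "ext4"; };
}
```

Keep root.key mode 0400 and owned by root on /boot; its secrecy rests entirely on the /boot passphrase, so the key file should never be copied outside that container.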