[Nix-dev] Fwd: Encrypted boot, encrypted root on zfs setup. Problem with root unlocking.
Tomasz Czyż
tomasz.czyz at gmail.com
Sat Aug 29 20:36:17 CEST 2015
Hi Bryan,
thanks, I'll try this, and first I'll try to do it with /bin/sh (didn't try
yet).
2015-08-29 18:23 GMT+01:00 Bryan Gardiner <bog at khumba.net>:
> On Sat, 29 Aug 2015 16:59:00 +0100
> Tomasz Czyż <tomasz.czyz at gmail.com> wrote:
>
> > Hi,
> >
> > Yesterday I've set up nix for the first time. Awesome project!
> >
> > I was struggling with ubuntu/debian to set up an encrypted boot
> > partition, but here it worked on the first boot! Nice stuff!
> >
> > But I've a problem with mounting the root partition at this stage.
> >
> > My setup
> >
> > --------------------------------------------
> > | BOOT | ROOT |
> > --------------------------------------------
> > | ext4 | zfs |
> > --------------------------------------------
> > | enc_boot | enc_root1, enc_root2, ... |
> > --------------------------------------------
> > | md_boot | sda3, sdb3, sdc3, sdd3 |
> > --------------------------------------------
> > | sda2, sdb2...|
> > ----------------
> >
> > So, boot is on encrypted partition on top of RAID1 (mdadm). There is
> > a file root.key to unlock 4 root partitions.
> >
> > Root is a ZFS system, on top of 4 encrypted volumes, encrypted with
> > root.key (which is on the boot partition).
> >
> > Working part:
> > During the boot, I'm asked about the password to boot partition, and
> > boot partition is unlocked.
> >
> > Not working part:
> > After unlocking boot and loading initrd there is a problem, zfs
> > defined in config (with UUID) cannot be found or mounted – because 4
> > root partitions are not unlocked.
> >
> > In configuration.nix I've added bootloader directive
> >
> > boot.initrd.postMountCommands = "cryptsetup luksOpen --key-file
> > /mnt-root/boot/root.key /dev/sda3 root1; cryptsetup luksOpen
> > --key-file /mnt/root/boot/root.key /dev/sdb3 root2.......";
> >
> > but this part is not working. I cannot access root.key, probably boot
> > partition is not mounted there. I don't know how to activate shell
> > there to investigate stuff.
>
> Guessing here, but try calling
>
> /nix/store/*-extra-utils/bin/busybox sh
>
> from postMountCommands? You could also try finding the path to
> busybox within your initrd and filling in the full path:
>
> $ nix-store -qR /run/current-system | grep 'initrd$'
> /nix/store/ig0y1a7d5153rb61m4hyfgzflqkx6kbj-initrd
>
> $ gunzip -ck /nix/store/ig0y1a7d5153rb61m4hyfgzflqkx6kbj-initrd/initrd |
> cpio -it | grep 'extra-utils/bin/busybox$'
> nix/store/hyjs4vanbas2z1lh6gawyrb3ngznw2v6-extra-utils/bin/busybox
> 39975 blocks
>
> Hope that helps,
> Bryan
>
> > Do you know by any chance how I can automatically unlock the other
> > partitions from the boot partition and mount zfs after that?
> >
> > Cheers,
> > Tomasz Czyż
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
>
--
Tomasz Czyż