Title : Unlock a full disk encryption NixOS with usb memory stick Author: Solène Date : 06 October 2020 Tags : nixos linux Using NixOS on a laptop on which the keyboard isn't detected when I need to type the password to decrypt disk, I had to find a solution. This problem is hardware related, not Linux or NixOS related. **I highly recommend using full disk encryption on every computer following a thief threat model. Having your computer stolen is bad, but if the thief has access to all your data, you will certainly be in trouble.** This was time to find how to use an usb memory stick to unlock the full disk encryption in case I don't have my hands on an usb keyboard to unlock the computer. There are 4 steps to enable unlocking the luks volume using a device. 1. Create the key 2. Add the key on the luks volume 3. Write the key on the usb device 4. Configure NixOS First step, creating the file. The easiest way is to the following: # dd if=/dev/urandom of=/root/key.bin bs=4096 count=1 This will create a 4096 bytes key. You can choose the size you want. Second step is to register that key in the luks volume, you will be prompted for luks password when doing so. # cryptsetup luksAddKey /dev/sda1 /root/key.bin Then, it's time to write the key to your usb device, I assume it will be `/dev/sdb`. # dd if=/root/key.bin of=/dev/sdb bs=4096 count=1 And finally, you will need to configure NixOS to give the information about the key. It's important to give the correct size of the key. Don't forget to adapt `"crypted"` to your luks volume name. boot.initrd.luks.devices."crypted".keyFileSize = 4096; boot.initrd.luks.devices."crypted".keyFile = "/dev/sdb"; Rebuild your system with `nixos-rebuild switch` and voilà! ### Going further I recommend using the fallback to password feature so if you lose or don't have your memory stick, you can type the password to unlock the disk. Note that you need to not put anything looking like a `/dev/sdb` because if it exists and no key are there, the system won't ask for password, and you will need to reboot. boot.initrd.luks.devices."crypted".fallbackToPassword = true; It's also possible to write the key in a partition or at a specific offset into your memory disk. For this, look at `boot.initrd.luks.devices."volume".keyFileOffset` entry.