Title : Unlock a full disk encryption NixOS with usb memory stick
Author: Solène
Date : 06 October 2020
Tags : nixos linux
Using NixOS on a laptop on which the keyboard isn't detected when
I need to type the password to decrypt disk, I had to find a solution.
This problem is hardware related, not Linux or NixOS related.
**I highly recommend using full disk encryption on every computer
following a thief threat model. Having your computer stolen is bad,
but if the thief has access to all your data, you will certainly
be in trouble.**
This was time to find how to use an usb memory stick to unlock the
full disk encryption in case I don't have my hands on an usb keyboard
to unlock the computer.
There are 4 steps to enable unlocking the luks volume using a device.
1. Create the key
2. Add the key on the luks volume
3. Write the key on the usb device
4. Configure NixOS
First step, creating the file. The easiest way is to the following:
# dd if=/dev/urandom of=/root/key.bin bs=4096 count=1
This will create a 4096 bytes key. You can choose the size you want.
Second step is to register that key in the luks volume, you will
be prompted for luks password when doing so.
# cryptsetup luksAddKey /dev/sda1 /root/key.bin
Then, it's time to write the key to your usb device, I assume it
will be `/dev/sdb`.
# dd if=/root/key.bin of=/dev/sdb bs=4096 count=1
And finally, you will need to configure NixOS to give the information
about the key. It's important to give the correct size of the key.
Don't forget to adapt `"crypted"` to your luks volume name.
boot.initrd.luks.devices."crypted".keyFileSize = 4096;
boot.initrd.luks.devices."crypted".keyFile = "/dev/sdb";
Rebuild your system with `nixos-rebuild switch` and voilà!
### Going further
I recommend using the fallback to password feature so if you
lose or don't have your memory stick, you can type the password to
unlock the disk. Note that you need to not put anything looking
like a `/dev/sdb` because if it exists and no key are there, the
system won't ask for password, and you will need to reboot.
boot.initrd.luks.devices."crypted".fallbackToPassword = true;
It's also possible to write the key in a partition or at a specific
offset into your memory disk. For this, look at
`boot.initrd.luks.devices."volume".keyFileOffset` entry.