diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix
index 8b5dd22fd380..331531cee151 100644
--- a/nixos/modules/tasks/encrypted-devices.nix
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -6,6 +6,7 @@ let
fileSystems = attrValues config.fileSystems ++ config.swapDevices;
encDevs = filter (dev: dev.encrypted.enable) fileSystems;
keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
+ keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs;
isIn = needle: haystack: filter (p: p == needle) haystack != [];
anyEncrypted =
fold (j: v: v || j.encrypted.enable) false encDevs;
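Review bot: The new `keylessEncDevs` binding is the complement of `keyedEncDevs` on the line above, but the two are computed by separate filters whose predicates can drift apart if either is edited later. A single split keeps them in lockstep, e.g. `keySplit = partition (dev: dev.encrypted.keyFile != null) encDevs;` followed by `keyedEncDevs = keySplit.right;` and `keylessEncDevs = keySplit.wrong;`, assuming `lib.partition` is in scope the same way `filter` and `fold` are here. The enclosing `let` starts before this hunk.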
@@ -29,15 +30,15 @@ let
label = mkOption {
default = null;
example = "rootfs";
- type = types.nullOr types.str;
- description = "Label of the backing encrypted device.";
+ type = types.uniq (types.nullOr types.str);
+ description = "Label of the unlocked encrypted device. Set fileSystems.<name?>.device to /dev/mapper/<label> to mount the unlocked device.";
};
keyFile = mkOption {
default = null;
example = "/root/.swapkey";
type = types.nullOr types.str;
- description = "File system location of keyfile.";
+ description = "File system location of keyfile. This unlocks the drive after the root has been mounted to /mnt-root.";
};
};
};
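Review bot: The reworded `keyFile` description now says the device is unlocked after the root has been mounted to /mnt-root, but the example on the line above it stays `/root/.swapkey`; if, as the description suggests, the path is interpreted in the initrd namespace, a reader copying the example would point at a file that does not exist there, and the unlock would fail at boot. If that reading is right, the example should become `example = "/mnt-root/root/.swapkey";`, or the description should state explicitly whether the path is relative to the initrd root or to the mounted root. The `label` description is clearer, though the reference to `fileSystems.<name?>.device` might be worth spelling out as a full example path. The enclosing `options` definition starts before this hunk.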
@@ -58,11 +59,11 @@ in
boot.initrd = {
luks = {
devices =
- map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) encDevs;
+ map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;
cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
};
postMountCommands =
- concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.label};\n") keyedEncDevs;
+ concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
};
};
}
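Review bot: The rewritten `postMountCommands` line still interpolates `keyFile`, `blkDev` and `label` unquoted into an initrd shell command, so a path or label containing whitespace or shell metacharacters changes the meaning of the `cryptsetup luksOpen` invocation rather than being passed through as one argument. Passing each value through `escapeShellArg` (if the lib in use provides it) or at least wrapping them in double quotes, e.g. `"cryptsetup luksOpen --key-file \"${dev.encrypted.keyFile}\" \"${dev.encrypted.blkDev}\" \"${dev.encrypted.label}\";\n"`, keeps the generated shell line well-formed. There is also no handling of a failed unlock: if the key file is absent or unreadable the command fails silently and the later mount of `/dev/mapper/<label>` produces a less direct error, so a comment such as `# keyed devices are deliberately left out of luks.devices so initrd never prompts for them; failures surface only at mount time` on the `keylessEncDevs` line would document the intent. The enclosing `config` attribute set starts before this hunk.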