2015-09-10 9:19 GMT+01:00 Tomasz Czyż <[email protected]>:

>
>
> 2015-09-09 7:03 GMT+01:00 Bryan Gardiner <[email protected]>:
>
>> On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
>> > Hi,
>> >
>> > Continuation of this thread:
>> > http://thread.gmane.org/gmane.linux.distributions.nixos/17879/focus=17880
>> >
>> > I already successfully set up crypted partitions for mdadm and for zfs. The
>> > system is mounting them properly with standard nixos configuration using
>> > ``boot.initrd.luks`` configs.
>> >
>> > But for each mount I have to pass password/key. I thought I can put keys
>> > for all partitions to initrd as initrd is on encrypted boot partition
>> > (boot). The process would be like:
>> > * enter password for grub
>> > * grub loads initrd
>> > * initrd unlocks all other partitions
>> >
>> > Currently it works for me in a very strange way.
>> > I am using preLVMCommands option with "echo 'mykey' > /key".
>> > I don't like it because I cannot keep my configuration on git somewhere
>> > cause it exposes my passwords.
>>
>> How about doing something like:
>>
>>   preLVMCommands =
>>     let key = builtins.readFile ./keyfile; in
>>     "echo '${key}' >/key"
>>
>> then putting keyfile in gitignore?
>>
> Thanks Bryan,
>
> looks like a good trick :-) I'm new to nix, I didn't even think about that
> stuff, cheers!
>
> Tom
>

To sum up. This method works pretty well as long as you do "echo -n" so it won't add a new line at the end of your key. But the method is not the best, as if there is any problem inside the script, the content of the file is printed on the screen (during the boot process). Not a problem for me as I'm using boot partition encryption, but it's kind of a concern. Anyway, thanks for sharing this tip!

>
>> - Bryan
>>
>> > Is there any way to add key files to initrd? (I found some "extra" options
>> > for boot partition but not for initrd, maybe there are some hooks I'm not
>> > aware of)
>>
>> _______________________________________________
>> nix-dev mailing list
>> [email protected]
>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>
>>
>
>
> --
> Tomasz Czyż
>

--
Tomasz Czyż
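The trailing-newline point from the summary above, as an added example that is not part of the original thread: a key file is used as raw bytes, so the newline that plain `echo` appends makes the file written in the initrd differ from the key that was enrolled. The key value, function names and temporary paths are constructed for illustration; `printf '%s'` is used as the portable spelling of `echo -n`.

```shell
#!/bin/sh
# Constructed sample key for the demonstration; not a real secret.
KEY='constructed-sample-key-0123'

# write_key METHOD DEST: write $KEY to DEST the way an initrd hook might.
write_key() {
    case "$1" in
        echo)   echo "$KEY" > "$2" ;;          # appends a trailing "\n"
        printf) printf '%s' "$KEY" > "$2" ;;   # byte-exact, no newline
        *)      return 2 ;;
    esac
}

# key_matches METHOD: exit 0 if the written file is byte-identical to the
# reference key (the key as enrolled, without a newline), non-zero otherwise.
key_matches() {
    dir=$(mktemp -d) || return 2
    printf '%s' "$KEY" > "$dir/enrolled"
    write_key "$1" "$dir/written"
    cmp -s "$dir/enrolled" "$dir/written"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# key_size METHOD: print the number of bytes the method writes.
key_size() {
    dir=$(mktemp -d) || return 2
    write_key "$1" "$dir/k"
    n=$(wc -c < "$dir/k")
    rm -rf "$dir"
    echo $((n))
}

# Show both methods side by side.
for m in echo printf; do
    if key_matches "$m"; then s=match; else s=MISMATCH; fi
    echo "$m: $(key_size "$m") bytes, $s"
done
```

The same byte-exactness applies to the file read by `builtins.readFile`: if `./keyfile` itself ends in a newline, that newline is interpolated into the command as well.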
