LUKS on Giovanni Bassihttps://giggio.net/en/blog/tags/luks/https://giggio.net/images/base/logo-small.pngLUKS on Giovanni Bassihttps://giggio.net/en/blog/tags/luks/LUKS no site do Giovanni BassiHugoengiggio@giggio.net (Giovanni Bassi)giggio@giggio.net (Giovanni Bassi)© 2025 Giovanni BassiWed, 06 May 2026 11:00:00 -0300NixOS: Installation Guide with RAID 1, encryption, and TPM unlock (part 2 - Disko, LUKS, and btrfs)https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-2-disko-luks-e-btrfs/Wed, 06 May 2026 11:00:00 -0300giggio@giggio.net (Giovanni Bassi)https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-2-disko-luks-e-btrfs/infra<p>In this post I keep on building a NixOS setup with secure storage, now going deeper into Disko, LUKS, and btrfs.</p> <p>This is the second post in the series. <a href="https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-1/">Read the first one</a>.</p> <p>In the previous post I showed how to create the virtual machine and partition the disks using <a href="https://github.com/nix-community/disko/">Disko</a>. The main command was:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo nix --experimental-features <span class="s2">&#34;nix-command flakes&#34;</span> run github:nix-community/disko/latest -- <span class="se">\ </span></span></span><span class="line"><span class="cl"> --mode destroy,format,mount ~/nixos/disko.nix </span></span></code></pre></div><p>Although the file <a href="https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm/src/branch/main/disko.nix">disko.nix</a> is part of a <a href="https://nixos.wiki/wiki/flakes">flake</a> (a versioned Nix configuration), in this case I ran only the file on its own with <code>nix run</code>.</p> <p>It is also possible to run only the <code>mount</code> step, after the disk has already been partitioned and formatted, with <code>--mode mount</code>.</p> <h3 id="what-disko-is"> <a href="#what-disko-is" class="site-blog-post-header"> <span class="site-blog-post-header-text">What Disko is</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>Disko is a project that brings Nix a declarative way to partition and format disks. In Nix, everything is done declaratively, except disk partitioning and formatting. Disko solves that. Partitioning and formatting disks is done only at the start of an installation, and that is exactly where the project is useful.</p> <p>In addition, Disko provides a NixOS module that lets you use what was declared to define NixOS file systems, which are normally declared in the file <a href="https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm/src/branch/main/hardware-configuration.nix">hardware-configuration.nix</a>. I will talk more about that at the end.</p> <p>Disko can also be used in the installation process imperatively, through the command line. That is what I did when installing <a href="https://codeberg.org/giggio/nixos_serverbase/src/commit/8e8a356183698c248daa22c1a7be66e900996d7c/modules/lib.nix#L282">my servers</a>.</p> <h3 id="configuring-the-disk-and-its-first-partition"> <a href="#configuring-the-disk-and-its-first-partition" class="site-blog-post-header"> <span class="site-blog-post-header-text">Configuring the disk and its first partition</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>I am working with two disks. The second disk is where all the file system declarations live, so I will focus on it. The first disk ends up being a bit simpler, since it will be mirrored from the first one (I will talk about that below, in the <a href="https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-2-disko-luks-e-btrfs/#raid-1-on-btrfs">RAID section</a>).</p> <p>At the beginning I declare the disk, the device I am referring to (<code>/dev/vdb</code> — that is, the second virtual disk), and the first partition, which will be the EFI system partition, or <code>ESP</code> (<a href="https://en.wikipedia.org/wiki/EFI_system_partition">EFI System Partition</a>):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">disko</span><span class="o">.</span><span class="n">devices</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">disk</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># disk1 omitted</span> </span></span><span class="line"><span class="cl"> <span class="n">disk2</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;disk&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/vdb&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;gpt&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">partitions</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">ESP</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="s2">&#34;1G&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;EF00&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">label</span> <span class="o">=</span> <span class="s2">&#34;EFI2&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;filesystem&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">extraArgs</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;-n&#34;</span> <span class="s2">&#34;EFI2&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">format</span> <span class="o">=</span> <span class="s2">&#34;vfat&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">mountpoint</span> <span class="o">=</span> <span class="s2">&#34;/boot&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">mountOptions</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;umask=0077&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="c1"># crypt_disk2 partition omitted</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Note that the mount options are included, and are used both by Disko&rsquo;s <code>mount</code> command and by the Disko module when defining file systems.</p> <p>In this case, an ESP partition needs to have type <code>EF00</code> and be formatted as <code>vfat</code>. I also set the label of the partition to <code>EFI2</code>, and the file system label to the same value (with <code>-n EFI</code>, an argument passed to <code>mkfs.vfat</code>).</p> <p>This part will generate something roughly like these commands:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">parted /dev/vdb mklabel gpt </span></span><span class="line"><span class="cl">parted /dev/vdb mkpart primary 1MiB 1025MiB </span></span><span class="line"><span class="cl">parted /dev/vdb <span class="nb">set</span> <span class="m">1</span> esp on </span></span><span class="line"><span class="cl">mkfs.fat -F <span class="m">32</span> -n EFI2 /dev/vdb1 </span></span><span class="line"><span class="cl"><span class="c1"># and, for mount:</span> </span></span><span class="line"><span class="cl">mount /dev/disk/by-label/EFI2 /boot </span></span></code></pre></div><h3 id="second-partition-luks--btrfs"> <a href="#second-partition-luks--btrfs" class="site-blog-post-header"> <span class="site-blog-post-header-text">Second partition: LUKS + btrfs</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>Next, I need to create the Linux partition, which I want to be encrypted. The encryption will be handled by <a href="https://gitlab.com/cryptsetup/cryptsetup/">LUKS</a>, so the <code>type</code> is defined as <code>luks</code> (in the ESP it was defined as <code>filesystem</code>). That means the command used to set up the partition will be <code>cryptsetup luksFormat</code>, and it is what receives the partition label parameter <code>--label NIXLUKS2</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">disko</span><span class="o">.</span><span class="n">devices</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">disk</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">disk2</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">partitions</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># ESP partition omitted</span> </span></span><span class="line"><span class="cl"> <span class="n">crypt_disk2</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">size</span> <span class="o">=</span> <span class="s2">&#34;100%&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">label</span> <span class="o">=</span> <span class="s2">&#34;NIXLUKS2&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;luks&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">name</span> <span class="o">=</span> <span class="s2">&#34;crypt_disk2&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">extraFormatArgs</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;--label&#34;</span> <span class="s2">&#34;NIXLUKS2&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">passwordFile</span> <span class="o">=</span> <span class="s2">&#34;</span><span class="si">${</span><span class="sr">./luks-password.txt</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">settings</span> <span class="o">=</span> <span class="p">{</span> <span class="n">allowDiscards</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> <span class="p">};</span> <span class="c1"># btrfs details omitted</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> <span class="c1"># other curly braces omitted</span> </span></span></code></pre></div><p>On a real NixOS system the password coming from the <code>luks-password.txt</code> file would be encrypted. I usually use <a href="https://github.com/Mic92/sops-nix/">sops-nix</a> for that.</p> <p>That previous part will generate something roughly like these commands:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">parted /dev/vdb mkpart primary 1025MiB 100% </span></span><span class="line"><span class="cl">cryptsetup --label<span class="o">=</span>NIXLUKS2 luksFormat --type luks2 /dev/vdb2 </span></span><span class="line"><span class="cl"><span class="c1"># and, for mount:</span> </span></span><span class="line"><span class="cl">cryptsetup open /dev/vdb2 crypt_disk2 </span></span></code></pre></div><p><strong>Note</strong>: The password is entered interactively in the commands above.</p> <p>Then, in the content part, we define what goes inside the LUKS encrypted volume, in this case, a btrfs file system.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="c1"># beginning omitted</span> </span></span><span class="line"><span class="cl"><span class="n">partitions</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># ESP partition omitted</span> </span></span><span class="line"><span class="cl"> <span class="n">crypt_disk2</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># LUKS details omitted</span> </span></span><span class="line"><span class="cl"> <span class="n">content</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">type</span> <span class="o">=</span> <span class="s2">&#34;btrfs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">extraArgs</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;--label&#34;</span> <span class="s2">&#34;NIXOS&#34;</span> <span class="s2">&#34;-d&#34;</span> <span class="s2">&#34;raid1&#34;</span> <span class="s2">&#34;-m&#34;</span> <span class="s2">&#34;raid1&#34;</span> <span class="s2">&#34;/dev/mapper/crypt_disk1&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">subvolumes</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/@&#34;</span> <span class="o">=</span> <span class="p">{</span> <span class="n">mountpoint</span> <span class="o">=</span> <span class="s2">&#34;/&#34;</span><span class="p">;</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/@home&#34;</span> <span class="o">=</span> <span class="p">{</span> <span class="n">mountpoint</span> <span class="o">=</span> <span class="s2">&#34;/home&#34;</span><span class="p">;</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/@root&#34;</span> <span class="o">=</span> <span class="p">{</span> <span class="n">mountpoint</span> <span class="o">=</span> <span class="s2">&#34;/root&#34;</span><span class="p">;</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/@nix&#34;</span> <span class="o">=</span> <span class="p">{</span> <span class="n">mountpoint</span> <span class="o">=</span> <span class="s2">&#34;/nix&#34;</span><span class="p">;</span> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></div><p>This part will generate something roughly like these commands:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cryptsetup open /dev/vdb2 crypt_disk2 </span></span><span class="line"><span class="cl">mkfs.btrfs --label NIXOS -d raid1 -m raid1 /dev/mapper/crypt_disk1 /dev/mapper/crypt_disk2 </span></span><span class="line"><span class="cl">mkdir -p /mnt </span></span><span class="line"><span class="cl">mount /dev/mapper/crypt_disk2 /mnt </span></span><span class="line"><span class="cl">btrfs subvolume create /mnt/@ </span></span><span class="line"><span class="cl">btrfs subvolume create /mnt/@home </span></span><span class="line"><span class="cl">btrfs subvolume create /mnt/@root </span></span><span class="line"><span class="cl">btrfs subvolume create /mnt/@nix </span></span><span class="line"><span class="cl">umount /mnt </span></span><span class="line"><span class="cl"><span class="c1"># and, for mount:</span> </span></span><span class="line"><span class="cl">mount -o <span class="nv">subvol</span><span class="o">=</span>@ /dev/mapper/crypt_disk2 / </span></span><span class="line"><span class="cl">mkdir /mnt/<span class="o">{</span>home,nix,root,boot<span class="o">}</span> </span></span><span class="line"><span class="cl">mount -o <span class="nv">subvol</span><span class="o">=</span>@home /dev/mapper/crypt_disk2 /home </span></span><span class="line"><span class="cl">mount -o <span class="nv">subvol</span><span class="o">=</span>@nix /dev/mapper/crypt_disk2 /nix </span></span><span class="line"><span class="cl">mount -o <span class="nv">subvol</span><span class="o">=</span>@root /dev/mapper/crypt_disk2 /root </span></span></code></pre></div><p>At the end of the operation, Disko will mount btrfs at <code>/mnt</code>. You can verify everything by running:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># list the partitions and file systems</span> </span></span><span class="line"><span class="cl">lsblk -f </span></span><span class="line"><span class="cl"><span class="c1"># list the btrfs subvolumes</span> </span></span><span class="line"><span class="cl">sudo btrfs subvolume list /mnt </span></span></code></pre></div><h3 id="raid-1-on-btrfs"> <a href="#raid-1-on-btrfs" class="site-blog-post-header"> <span class="site-blog-post-header-text">RAID 1 on btrfs</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>Notice that I passed the parameters <code>-d raid1 -m raid1 /dev/mapper/crypt_disk1</code>, which means btrfs will be running in RAID 1 for both metadata and data, and in parity with the first disk, which has also already been configured for encryption with LUKS. The reason for defining everything on the second disk is because Disko operates in the order defined, so when disk 1 is being prepared disk 2 still has not been partitioned.</p> <p>In RAID 1, everything written to one disk is immediately copied (mirrored) to the other disks. In this case, we have a RAID 1 with two disks, controlled directly by the btrfs file system. With Linux, it is very common to do this with <a href="https://docs.kernel.org/admin-guide/md.html">mdadm</a>, but in this case mdadm is unnecessary because btrfs <a href="https://btrfs.readthedocs.io/en/latest/Volume-management.html">has native RAID support</a>.</p> <p>You can check the RAID status by running:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">btrfs device stats /mnt </span></span></code></pre></div><h3 id="subvolumes-on-btrfs"> <a href="#subvolumes-on-btrfs" class="site-blog-post-header"> <span class="site-blog-post-header-text">Subvolumes on btrfs</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>I defined several <a href="https://btrfs.readthedocs.io/en/latest/Subvolumes.html">btrfs subvolumes</a>. They are useful because they let us manage them independently. For example, we can save everything written to a volume using snapshots, as well as define several settings that on other file systems are available only for partitions, such as quotas, for example. They can also be nested, inheriting the settings and actions performed within the hierarchy.</p> <p>Subvolumes can also be mounted wherever we want, and that is exactly what we did, for example by mounting <code>/home</code> from the <code>@home</code> volume.</p> <p>On an already prepared system, this is the list of subvolumes:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-console" data-lang="console"><span class="line"><span class="cl"><span class="gp">$</span> sudo btrfs subvolume list / </span></span><span class="line"><span class="cl"><span class="go">ID 256 gen 1103 top level 5 path @ </span></span></span><span class="line"><span class="cl"><span class="go">ID 257 gen 923 top level 5 path @home </span></span></span><span class="line"><span class="cl"><span class="go">ID 258 gen 923 top level 5 path @nix </span></span></span><span class="line"><span class="cl"><span class="go">ID 259 gen 695 top level 5 path @root </span></span></span><span class="line"><span class="cl"><span class="go">ID 260 gen 19 top level 256 path srv </span></span></span><span class="line"><span class="cl"><span class="go">ID 261 gen 19 top level 256 path var/lib/portables </span></span></span><span class="line"><span class="cl"><span class="go">ID 262 gen 19 top level 256 path var/lib/machines </span></span></span><span class="line"><span class="cl"><span class="go">ID 263 gen 1080 top level 256 path tmp </span></span></span><span class="line"><span class="cl"><span class="go">ID 264 gen 1080 top level 256 path var/tmp </span></span></span></code></pre></div><p>The root volume is always <code>5</code>, which is why the four subvolumes created point to it as the parent subvolume.</p> <p>It is still possible to create subvolumes with <code>btrfs subvolume create</code> and make snapshots with <code>btrfs subvolume snapshot</code>.</p> <h3 id="using-disko-as-a-module"> <a href="#using-disko-as-a-module" class="site-blog-post-header"> <span class="site-blog-post-header-text">Using Disko as a module</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>As I mentioned at the start of the post, Disko lets you use it as a module that declares file systems, without needing to declare them in the <code>hardware-configuration.nix</code> file.</p> <p>To use it, just add <code>disko.nixosModules.disko</code> to the system modules, along with your Disko configuration file, which in this example is <code>disko.nix</code>, the same one that was used on its own to create the file system. It looks like this:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">inputs</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">nixpkgs</span><span class="o">.</span><span class="n">url</span> <span class="o">=</span> <span class="s2">&#34;github:NixOS/nixpkgs/nixos-unstable&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">disko</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">url</span> <span class="o">=</span> <span class="s2">&#34;github:nix-community/disko/latest&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">inputs</span><span class="o">.</span><span class="n">nixpkgs</span><span class="o">.</span><span class="n">follows</span> <span class="o">=</span> <span class="s2">&#34;nixpkgs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="n">outputs</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> <span class="n">self</span><span class="o">,</span> <span class="n">nixpkgs</span><span class="o">,</span> <span class="n">disko</span><span class="o">,</span> <span class="o">...</span> <span class="p">}</span><span class="o">@</span><span class="n">inputs</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">nixosConfigurations</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">nixos</span> <span class="o">=</span> <span class="n">nixpkgs</span><span class="o">.</span><span class="n">lib</span><span class="o">.</span><span class="n">nixosSystem</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">system</span> <span class="o">=</span> <span class="s2">&#34;x86_64-linux&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">modules</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="sr">./configuration.nix</span> </span></span><span class="line hl"><span class="cl"> <span class="sr">./disko.nix</span> </span></span><span class="line hl"><span class="cl"> <span class="n">disko</span><span class="o">.</span><span class="n">nixosModules</span><span class="o">.</span><span class="n">disko</span> </span></span><span class="line"><span class="cl"> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Note that my <a href="https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm/src/branch/main/hardware-configuration.nix">hardware-configuration.nix</a> file does not declare any file systems. See <a href="https://wiki.nixos.org/wiki/Filesystems">NixOS docs about file systems</a> for how this is normally declared, and, because I used Disko, I did not need to do it.</p> <p>If I had to do it manually, it would be more or less like this:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">fileSystems</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/&#34;</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/mapper/crypt_disk1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fsType</span> <span class="o">=</span> <span class="s2">&#34;btrfs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">options</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;subvol=@&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/home&#34;</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/mapper/crypt_disk1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fsType</span> <span class="o">=</span> <span class="s2">&#34;btrfs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">options</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;subvol=@home&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/nix&#34;</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/mapper/crypt_disk1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fsType</span> <span class="o">=</span> <span class="s2">&#34;btrfs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">options</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;subvol=@nix&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/root&#34;</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/mapper/crypt_disk1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fsType</span> <span class="o">=</span> <span class="s2">&#34;btrfs&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">options</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;subvol=@root&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;/boot&#34;</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">device</span> <span class="o">=</span> <span class="s2">&#34;/dev/disk/by-label/EFI1&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">fsType</span> <span class="o">=</span> <span class="s2">&#34;vfat&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">options</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;fmask=0022&#34;</span> <span class="s2">&#34;dmask=0022&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>And that only after manually partitioning the main disks with LUKS and formatting them with btrfs.</p> <p>It becomes obvious how much Disko simplifies the whole process: we use its definitions to configure the disks during installation, and later to bring up the operating system itself.</p> <h3 id="conclusion"> <a href="#conclusion" class="site-blog-post-header"> <span class="site-blog-post-header-text">Conclusion</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>With a disk and file system declaration that is later used to configure it, it is possible to prepare all the storage for a future Linux operating system using just one command line.</p> <p>Instead of having to keep commands in documentation or build a shell script to prepare everything, we have it all versioned in executable files.</p> <p>In the next post I will show how to finally install NixOS on the file system that was mounted. In the following ones I will demonstrate how to use TPM to obtain an encryption key that will be used to unlock LUKS without human interaction, directly at boot.</p>NixOS: Installation Guide with RAID 1, encryption, and TPM unlock (part 1)https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-1/Tue, 28 Apr 2026 16:34:00 -0300giggio@giggio.net (Giovanni Bassi)https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-1/infra<p>It is time to migrate from Ubuntu to NixOS!</p> <p>For a long time, I have been using Nix on Ubuntu through <a href="https://nix-community.github.io/home-manager/">Home Manager</a>, and I have been automating my <a href="https://codeberg.org/giggio/dotfiles">dotfiles</a> more and more, steadily removing my custom setup and using Nix instead. Recently, I adopted the new <a href="https://github.com/numtide/system-manager">System Manager</a> project, whose goal is to bring system-level configuration to operating systems other than NixOS, where it was previously only available.</p> <p>After quite a while on that journey, and after already migrating <a href="https://codeberg.org/giggio/nixos_serverbase">my home servers</a>, it is time to move to NixOS and leave Ubuntu behind.</p> <p>I want to live on the edge of what is new and configure my Linux exactly the way I want, and NixOS will let me do that. I have also come to really like the way it keeps configuration in versioned file systems that I can control in detail.</p> <p>This post will show how to meet what I consider the bare minimum for security: I am going to create a NixOS system with an encrypted disk, mirrored with RAID 1, using the most modern file system available right now (btrfs), and use the TPM to decrypt the system without human interaction.</p> <p>Already know NixOS, TPM, btrfs, and the rest, and just want the code? It is free and available <a href="https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm">in a repository on my Codeberg</a>. The README explains what is going on, but I will go into more detail here on the blog, explaining the concepts in more depth. This will be a series of posts, where I intend to explain each piece.</p> <p>The plan is to do something like this:</p> <ol> <li><strong>Creating the VM and the initial partitions (this post)</strong></li> <li><a href="https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-2-disko-luks-e-btrfs/">More information about Disko, LUKS and btrfs</a></li> <li><a href="https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-3-instalando-o-so/">Installing NixOS</a></li> <li><a href="https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-4-secure-boot/">Preparing Secure Boot</a></li> <li><a href="https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-5-destrancando-o-disco-com-tpm/">Using the TPM to decrypt the disks</a></li> <li><a href="https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-6-mitigando-o-ataque-de-troca-de-volume/">Mitigating the volume-swapping attack</a></li> <li><a href="https://giggio.net/en/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-7-mitigando-o-ataque-de-troca-de-so/">Mitigating the OS-swapping attack</a></li> <li>Review and conclusions</li> </ol> <p>I am sure the plan will fall apart, but it gives you an idea of what I intend to cover.</p> <p>In this first part, we will prepare the VM and the initial partitions.</p> <h3 id="preparing-the-virtual-machine"> <a href="#preparing-the-virtual-machine" class="site-blog-post-header"> <span class="site-blog-post-header-text">Preparing the virtual machine</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>I am on Ubuntu 24, using <a href="https://virt-manager.org/">Virtual Machine Manager</a> 5.1, installed through NixOS. Adapt this to your own OS setup.</p> <p>Download the <a href="https://nixos.org/download/#nixos-iso">NixOS ISO</a>. I used the graphical ISO, but I imagine the minimal image should work just fine too.</p> <p>I chose to create the disks ahead of time with <code>qemu-img</code>, because it creates disks that do not consume all the reserved space right away; they grow as needed (sparse files). I noticed that when creating the disks through the VMM UI, it creates them with the full size by default, unless you go through the custom storage option, where there is a checkbox for &ldquo;Allocate entire volume now&rdquo;. In any case, I prefer the command line, so I will leave it here for reference. In my case, I will keep the VM files under <code>/mnt/data/vms/vmm</code>, so adapt that to whatever directory you prefer.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">cd</span> /mnt/data/vms/vmm </span></span><span class="line"><span class="cl">qemu-img create -f qcow2 nixos1-1.qcow2 200G </span></span><span class="line"><span class="cl">qemu-img create -f qcow2 nixos1-2.qcow2 200G </span></span></code></pre></div><p>Copy the downloaded <code>.iso</code> into that same directory.</p> <p>Create the virtual machine with those two disks and with the NixOS ISO. Configure the TPM for version 2. Enable the boot menu. Configure the network as NAT. If you want to see my configuration, it is available in <a href="https://giggio.net/blog/nix-os-guia-de-instalacao-com-raid-1-criptografia-e-tpm-unlock-parte-1/files/nixos.xml">nixos.xml</a>.</p> <p>Delete all Secure Boot keys and disable Secure Boot in the VM, because the installer does not have a signed <code>.efi</code> file and will not boot with Secure Boot enabled.</p> <p>To do that: when the VM starts, press <code>ESC</code> to enter the boot menu. Then choose &ldquo;Device Manager&rdquo; and &ldquo;Secure Boot Configuration&rdquo;. Select &ldquo;Reset Secure Boot Keys&rdquo; and confirm. That will disable Secure Boot as well. Go back to the main menu and choose &ldquo;Reset&rdquo;, which will restart the boot process. It is possible that during this process it will eject the virtual installation CD (<code>.iso</code>); add it back in the VM settings and restart it.</p> <h3 id="starting-the-installation"> <a href="#starting-the-installation" class="site-blog-post-header"> <span class="site-blog-post-header-text">Starting the installation</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>Choose one of the installation options. I went with Gnome and the latest Kernel, but I imagine it will make little difference; all we need is a shell. When the installer opens, close it and open a terminal.</p> <p>From that point on, you can continue from that terminal.</p> <p><strong>Tip</strong>: I preferred to connect via SSH, since that makes it easier to copy and paste commands into the terminal. To do that, create a password with <code>passwd</code>. Find the VM IP with <code>ip a</code> and connect to it from the host with <code>ssh nixos@&lt;ip&gt;</code>.</p> <h3 id="declarative-partitioning-with-disko"> <a href="#declarative-partitioning-with-disko" class="site-blog-post-header"> <span class="site-blog-post-header-text">Declarative partitioning with Disko</span> <i class="fa-solid fa-link site-blog-post-header-paragraph"></i> </a> </h3> <p>First, check the current partition status with <code>lsblk -f</code>.</p> <p>I am using <a href="https://github.com/nix-community/disko/">Disko</a> to create the partitions and file systems.</p> <p>Clone the repository into <code>~/nixos</code>: <a href="https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm">https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm</a></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">git clone https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm.git ~/nixos </span></span><span class="line"><span class="cl"><span class="nb">cd</span> ~/nixos </span></span><span class="line"><span class="cl">git checkout 397fb28 <span class="c1"># checkout the commit with message &#34;Updated config&#34;</span> </span></span><span class="line"><span class="cl"><span class="c1"># create the partitions</span> </span></span><span class="line"><span class="cl">sudo nix --experimental-features <span class="s2">&#34;nix-command flakes&#34;</span> run github:nix-community/disko/latest -- --mode destroy,format,mount ~/nixos/disko.nix </span></span><span class="line"><span class="cl"><span class="c1"># check the results</span> </span></span><span class="line"><span class="cl">lsblk -f </span></span><span class="line"><span class="cl">sudo fdisk -l /dev/vd<span class="o">{</span>a,b<span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="c1"># or</span> </span></span><span class="line"><span class="cl">sudo parted /dev/vda print all </span></span></code></pre></div><p>See the file used by Disko: <a href="https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm/src/branch/main/disko.nix">disko.nix</a>. Note that the password is <code>luks</code>, and it comes from the file <a href="https://codeberg.org/giggio/nixos_raid_btrfs_luks_tpm/src/branch/main/luks-password.txt">luks-password.txt</a>.</p> <p>In the next post, I will explain in more detail what Disko did. For now, I can say that it already created two partitions on each disk: one partition for EFI (ESP) and another for Linux, which will be encrypted using LUKS, and will internally use btrfs, with subvolumes already created. I will explain all of that later.</p> <p>For now, enjoy figuring out how Disko managed to do all that with just one file. That is the beauty of NixOS: no endless command typing in the terminal, everything is versioned and declarative.</p> <p>See you in the next post.</p>