Merge pull request #8554 from dwe11er/luks-detached-header

allow for using LUKS devices with detached header
2024-09-29 15:43:00 +00:00 · 2015-07-04 13:17:54 +02:00 · 2015-07-04 13:17:54 +02:00 · 07bdaa97da
commit 07bdaa97da
parent 2d49c104a3 c1becad3eb
1 changed files with 12 additions and 1 deletions
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@ -5,7 +5,7 @@ with lib;
 let
  luks = config.boot.initrd.luks;

-  openCommand = { name, device, keyFile, keyFileSize, allowDiscards, yubikey, ... }: ''
+  openCommand = { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: ''
    # Wait for luksRoot to appear, e.g. if on a usb drive.
    # XXX: copied and adapted from stage-1-init.sh - should be
    # available as a function.
@ -33,6 +33,7 @@ let

    open_normally() {
        cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} \
+          ${optionalString (header != null) "--header=${header}"} \
          ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"}
    }

@ -251,6 +252,16 @@ in
          description = "Path of the underlying block device.";
        };

+        header = mkOption {
+          default = null;
+          example = "/root/header.img";
+          type = types.nullOr types.string;
+          description = ''
+            The name of the file or block device that
+            should be used as header for the encrypted device.
+          '';
+        };
+
        keyFile = mkOption {
          default = null;
          example = "/dev/sdb1";