author | Kenny Ballou <kballou@devnulllabs.io> | 2020-06-05 07:20:25 -0600 |
---|---|---|
committer | Kenny Ballou <kballou@devnulllabs.io> | 2020-06-05 07:20:25 -0600 |
commit | 94677d92fab2969cd005acec0e0a54209011ae4f (patch) | |
tree | b66e5e32f044ca0541278fbbf73a7eda295bc7e1 | |
parent | a1ec790f289a3252224bcac8922eb7e71983b940 (diff) | |
download | cfg.nix-94677d92fab2969cd005acec0e0a54209011ae4f.tar.gz cfg.nix-94677d92fab2969cd005acec0e0a54209011ae4f.tar.xz |
eligos: add gpgcard support for encrypted drives

Found these configuration options in a [reddit][0] post. This works out
pretty well.

Remove the keyfiles since they are never available when the system is
unlocking.

[0]: https://www.reddit.com/r/NixOS/comments/fv3iza/yubikey_and_luks_on_multiple_machines/

Signed-off-by: Kenny Ballou <kballou@devnulllabs.io>
-rw-r--r-- | eligos/configuration.nix | 19 |
1 files changed, 16 insertions, 3 deletions
diff --git a/eligos/configuration.nix b/eligos/configuration.nix index 7740b51..34f34bf 100644 --- a/eligos/configuration.nix +++ b/eligos/configuration.nix @@ -69,17 +69,30 @@ boot.initrd.luks = { reusePassphrases = true; + gpgSupport = true; devices = { - cvg0.device = "/dev/disk/by-uuid/5cd9cc98-a22c-48f3-87ef-00a04f6d3500"; + cvg0 = { + device = "/dev/disk/by-uuid/5cd9cc98-a22c-48f3-87ef-00a04f6d3500"; + gpgCard = { + publicKey = ./public.asc; + encryptedPass = ./luks-passphrase-cvg0.asc; + }; + }; cvg1 = { device = "/dev/disk/by-uuid/93479577-1b78-4b2c-b7c3-a1f905d19e54"; - keyFile = "/etc/cvg1"; fallbackToPassword = true; + gpgCard = { + publicKey = ./public.asc; + encryptedPass = ./luks-passphrase-cvg1.asc; + }; }; cvg2 = { device = "/dev/disk/by-uuid/4520c49c-12da-47ba-a9d1-1f53cd586cdd"; - keyFile = "/etc/cvg2"; fallbackToPassword = true; + gpgCard = { + publicKey = ./public.asc; + encryptedPass = ./luks-passphrase-cvg2.asc; + }; }; }; }; |
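Review bot: `cvg1` and `cvg2` keep `fallbackToPassword = true` after their `keyFile` lines are removed, while the new `cvg0` block has no such line, so the three devices end up configured inconsistently. If the option only has an effect alongside `keyFile`, drop it from `cvg1` and `cvg2`; if it is meant to cover a missing or failed card, add it to `cvg0` as well and say so in a comment. Separately, the hunk removes only the `keyFile = "/etc/cvg1"` and `keyFile = "/etc/cvg2"` references: the commit message should state whether the matching LUKS key slots were also retired (for example with `cryptsetup luksRemoveKey`), because a key that is merely no longer referenced can still unlock the volume. Finally, all three devices point at the same `./public.asc` and at `encryptedPass` files tracked next to the configuration, so the passphrases' confidentiality rests entirely on the card's private key; a short comment naming which key the `.asc` files are encrypted to would make that dependency explicit for whoever rotates the key later.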