Uncharted Mind Space

Guix: Avoid Entering LUKS Passphrase Twice

If you follow the manual when installing Guix with full disk encryption, you’ll notice there is an annoying behavior: you need to input the LUKS passphrase twice during boot.

The reason is straightforward. During partitioning, we’re instructed to mount the EFI partition at /boot/efi, meaning the /boot directory (containing Grub’s configuration) resides within the encrypted root partition. This requires decrypting /boot first for Grub to read its configuration, followed by another decryption when booting the system.

The obvious solution is to use an unencrypted boot partition, but I do see the benefit of having it encrypted, and I want to avoid breaking everything again :), so I was about to make peace with it.

Until I read this comment in a mailing list thread. Apparently there is a more elegant solution, and it has been there for over a year.

Unlocking with A Key File

The approach uses a key file to unlock the disk: we still need to type the passphrase for Grub, but the key file handles the second decryption during boot. While many guides exist for other distros (easily found with a quick search), there is a lack of documentation for Guix, which motivated me to write this post (even before I complete my “migrate to Guix” post).

Okay, enough rants, here are the steps.

Prepare the Files

  • Arch Wiki’s guide to this contains the first part we need: create a key file and add it as LUKS key.
  • Guix Manual’s Bootloader Configuration section explains how to create an extra-initrd image.
guix shell cryptsetup cpio

# 4 x 512 = 2048 bytes of random key material, owned by root, mode 0600
dd bs=512 count=4 if=/dev/random iflag=fullblock | sudo install -m 0600 /dev/stdin /cryptroot.key

# register the key file as an extra LUKS key slot (the Arch Wiki step);
# /dev/<luks-partition> is a placeholder for your encrypted root partition
# sudo cryptsetup luksAddKey /dev/<luks-partition> /cryptroot.key

# pack the key file into a newc-format cpio image for extra-initrd
echo /cryptroot.key | sudo cpio -oH newc | sudo tee /boot/cryptroot.cpio > /dev/null
sudo chmod 0000 /boot/cryptroot.cpio

# sudo rm /cryptroot.key # can also move to a backup device

The raw key file is not needed afterwards, so it is safe to delete it or back it up somewhere else.

Update System Config

This is adapted from the manual with two key modifications:

  1. On L#4, note that the path to extra-initrd may require an additional /root prefix depending on your file system setup.
    • To verify the correct path, attempt booting first.
      • If Grub fails to find the file, boot will fail.
      • On next boot, press ’c’ in the Grub menu to inspect the kernel path.
    • In my configuration, all paths required the /root prefix for successful boot.
  2. On L#11, ensure the key-file path matches exactly what you specified in the cpio image. Using /cryptroot.key is recommended, as alternative paths may cause mounting issues.
    • I initially tried /boot/cryptroot.key, which failed to work.
(bootloader (bootloader-configuration
             (bootloader grub-efi-bootloader)
             (targets (list "/boot/efi"))
             (extra-initrd "/root/boot/cryptroot.cpio")
             (keyboard-layout keyboard-layout)))
             
(mapped-devices (list (mapped-device
                       (source (uuid "24288d14-bfe1-475e-96af-5a2ad58fd82c")) ;; replace this
                       (target "cryptroot")
                       (type (luks-device-mapping-with-options
                              #:key-file "/cryptroot.key")))))
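Because the whole trick hinges on the path inside the cpio image matching the `#:key-file` option (and on the key being a root-only 2048-byte regular file), here is an added checker that is not part of the post or of Guix: it parses a newc cpio image and reports anything that would stop the key file from unlocking the root at boot. It assumes the initramfs is unpacked at `/`, so a leading slash in the archived name does not matter; `build_newc` is a constructed stand-in for `cpio -oH newc` so the example runs offline.

```python
import stat
NEWC_MAGIC = b"070701"
KEY_LEN = 4 * 512  # matches "dd bs=512 count=4" in the key-creation step

def _pad4(n):  # newc pads header+name and file data to 4-byte boundaries
    return (n + 3) & ~3

def build_newc(entries):
    """Offline stand-in for `echo /cryptroot.key | cpio -oH newc`: {name: (mode, data)} -> bytes."""
    out, ino = bytearray(), 1
    for name, (mode, data) in list(entries.items()) + [("TRAILER!!!", (0, b""))]:
        cname = name.encode() + b"\0"
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(cname), 0]
        rec = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields) + cname
        rec += b"\0" * (_pad4(len(rec)) - len(rec)) + data
        out += rec + b"\0" * (_pad4(len(data)) - len(data))
        ino += 1
    return bytes(out)

def parse_newc(blob):
    """Return {name: (mode, data)} for every entry before the TRAILER!!! record."""
    pos, entries = 0, {}
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        pos = _pad4(pos + 110 + namesize)
        data, pos = blob[pos:pos + filesize], _pad4(pos + filesize)
        if name == "TRAILER!!!":
            break
        entries[name] = (mode, data)
    return entries

def check_key_image(blob, key_file="/cryptroot.key"):
    """Problems that would stop the key file from unlocking root at boot; [] means OK."""
    # The initramfs is unpacked at /, so a leading slash in the archived name is
    # immaterial (assumption); the rest of the path must match #:key-file exactly.
    found = {n.lstrip("/"): v for n, v in parse_newc(blob).items()}
    if key_file.lstrip("/") not in found:
        return ["%s missing; image holds %s" % (key_file, sorted(found))]
    mode, data = found[key_file.lstrip("/")]
    problems = []
    if not stat.S_ISREG(mode) or mode & 0o7777 != 0o600:
        problems.append("key entry mode is %o, expected regular file 0600" % mode)
    if len(data) != KEY_LEN:
        problems.append("key is %d bytes, expected %d" % (len(data), KEY_LEN))
    return problems
```

On a real system, read `/boot/cryptroot.cpio` as root and pass its bytes to `check_key_image` together with the path from your `mapped-device` entry.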