Full disk encryption with TPM and Secure Boot #13

Closed
opened 2025-12-28 23:18:51 +01:00 by adam · 1 comment

Originally created by @ryan4yin on GitHub (Dec 1, 2023).

Related to:

- https://github.com/nix-community/lanzaboote
- https://www.reddit.com/r/NixOS/comments/xrgszw/nixos_full_disk_encryption_with_tpm_and_secure/
- Using lanzaboote with LUKS is no different than using ordinary NixOS with LUKS. Adding TPM on top of that is then just a matter of enabling systemd initrd and using systemd-cryptenroll to mess with the key slots, and the man page for that program is pretty descriptive.
- The directions are basically: use lanzaboote, enable systemd initrd, finally use systemd-cryptenroll to enroll a TPM2-based key for the drive. Both lanzaboote and systemd initrd are what I would call experimental
adam added the enhancement label 2025-12-28 23:18:51 +01:00
adam closed this issue 2025-12-28 23:18:51 +01:00

@ryan4yin commented on GitHub (Dec 2, 2023):

Secure Boot Enabled: https://github.com/ryan4yin/nix-config/commit/7c61a588086644d77f6aaaa061b61b4488eb4c61

Secure Boot signs all EFI images, and it does not store other secrets in /boot, so it's safe to leave /boot unencrypted (do not append any secret keys into the initrd in this scenario!).
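One way to wire the three steps from the issue body (lanzaboote, systemd initrd, systemd-cryptenroll) together with the comment's "no secrets in the initrd" rule into a single NixOS module. This is an added example, not code from ryan4yin's nix-config or from the lanzaboote project; the `cryptroot` name, the device UUID, the `/var/lib/sbctl` path and the TPM kernel modules are assumptions for an imaginary machine.

```nix
{ config, lib, pkgs, ... }:

{
  # 1. Secure Boot: lanzaboote signs the EFI images with the keys found in
  #    pkiBundle (path assumed; keys created beforehand with `sbctl create-keys`).
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/var/lib/sbctl";
  };
  # lanzaboote takes over from the stock systemd-boot installer, so turn it off.
  boot.loader.systemd-boot.enable = lib.mkForce false;

  # 2. systemd stage-1 initrd: systemd-cryptsetup is what honours the
  #    tpm2-device crypttab option during early boot.
  boot.initrd.systemd.enable = true;
  # TPM driver modules for the initrd (assumed to match the hardware).
  boot.initrd.availableKernelModules = [ "tpm_tis" "tpm_crb" ];

  # 3. LUKS root volume; the UUID is a placeholder.
  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
    # Try the TPM2 key slot first; if the PCR policy no longer matches
    # (e.g. after a firmware update) systemd falls back to the passphrase prompt.
    crypttabExtraOpts = [ "tpm2-device=auto" ];
  };

  # /boot stays unencrypted, as the comment says, so never embed key material
  # in the initrd. Empty is already the default; it is spelled out here so that
  # any later boot.initrd.secrets entry stands out in review.
  boot.initrd.secrets = { };

  # Userspace TPM2 stack (tpm2-tss, udev rules) for systemd-cryptenroll.
  security.tpm2.enable = true;

  # Enrollment happens once, outside this config, after a successful boot with
  # Secure Boot enforced so that PCR 7 already reflects the signed state:
  #   sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 \
  #       /dev/disk/by-uuid/00000000-0000-0000-0000-000000000000
  # PCR 7 ties the sealed key to the Secure Boot policy; --tpm2-with-pin=yes
  # adds a PIN as a second factor. After firmware or Secure Boot key changes,
  # run again with --wipe-slot=tpm2 to replace the stale slot.
}
```

Keep a passphrase key slot enrolled as well; the TPM2 slot is an unlock path, not a replacement for a recovery key.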
Reference: starred/nix-config#13