From fb9102f3de28eb6aed7a28e32461622cfca543ce Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Mon, 16 Oct 2023 18:50:51 +0200
Subject: [PATCH] add LUKS format arguments
---
 template/README.md | 3 +++
 template/disk-configs/luks-btrfs.nix | 7 +++++++
 2 files changed, 10 insertions(+)
diff --git a/template/README.md b/template/README.md
index 694475d..591c354 100644
--- a/template/README.md
+++ b/template/README.md
@@ -2,6 +2,9 @@
 This is an example repository for nixos-anywhere and disko.
+* disko reference: https://github.com/nix-community/disko/blob/master/docs/reference.md
+* nixos-anywhere reference: https://github.com/nix-community/nixos-anywhere/blob/main/docs/reference.md
+
 ## Build installer ISO with passwordless SSH
 ```shell
diff --git a/template/disk-configs/luks-btrfs.nix b/template/disk-configs/luks-btrfs.nix
index 0da314f..3c9c020 100644
--- a/template/disk-configs/luks-btrfs.nix
+++ b/template/disk-configs/luks-btrfs.nix
@@ -35,6 +35,13 @@
 content = {
 type = "luks";
 name = "crypted";
+ # Additional arguments passed to luksFormat:
+ # - 4GB RAM to unlock disk
+ # - 5 seconds to open
+ extraFormatArgs = [
+ "--cipher" "aes-xts-plain64" "--key-size" "512" "--hash" "sha512"
+ "--pbkdf-memory" "4000000" "--iter-time" "5000" "--use-random"
+ ];
 extraOpenArgs = [ "--allow-discards" ];
 # If you want to use the key for interactive login be sure there is no trailing newline.
 # For example use `echo -n 'password' > /tmp/secret.key`
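Review bot: `--pbkdf-memory` in the added `extraFormatArgs` only takes effect with an Argon2 PBKDF, and nothing in the list pins the header type or the PBKDF, so the memory-hardness the comment describes depends on the cryptsetup defaults of whatever installer runs the format; adding `"--type" "luks2" "--pbkdf" "argon2id"` would make it explicit. The value is in kilobytes and is an upper bound that cryptsetup can lower from its benchmark or the RAM available at format time, so the comment would be more accurate as `# - up to ~4 GB RAM for the KDF (value in kB); the initrd needs that much free memory to unlock`. The comment could also record that `--key-size 512` with XTS means AES-256, since the key is split in two. The `content = { … }` attribute set starts and ends outside the hunk.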