# Example taken form https://github.com/nix-community/disko/blob/master/example/luks-btrfs-subvolumes.nix # cryptsetup luksOpen --allow-discards # # https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption#Dm-crypt_on_SSDs_and_hybrid_drives # Cryptsetup can transparently forward discard operations to an SSD. This feature is activated by using the --allow-discards option in combination with cryptsetup open. Enabling discards on an encrypted SSD can be a measure to ensure effective wear leveling and longevity, especially if the full disk is encrypted. For an in detail discussion about the security implications, have a look at the cryptsetup FAQ and the man page of cryptsetup. # # https://man.archlinux.org/man/cryptsetup-luksOpen.8.en # Can make filesystem-level operations visible on the physical device. For example, information leaking filesystem type, used space, etc. may be extractable from the physical device. { lib, ... }: { disko.devices.disk = { "disk1" = { type = "disk"; device = lib.mkDefault "/dev/nvme0n1"; content = { type = "gpt"; partitions = { ESP = { label = "EFI"; name = "ESP"; size = "512M"; type = "EF00"; content = { type = "filesystem"; format = "vfat"; mountpoint = "/boot"; mountOptions = [ "defaults" ]; }; }; LUKS = { size = "100%"; content = { type = "luks"; name = "crypted"; # Additional arguments passed to luksFormat: # - 4GB RAM to unlock disk # - 5 seconds to open extraFormatArgs = [ "--cipher" "aes-xts-plain64" "--key-size" "512" "--hash" "sha512" "--pbkdf-memory" "4000000" "--iter-time" "5000" "--use-random" ]; extraOpenArgs = [ "--allow-discards" ]; # If you want to use the key for interactive login be sure there is no trailing newline. # For example use `echo -n 'password' > /tmp/secret.key` passwordFile = "/tmp/secret.key"; # Interactive login. content = { type = "btrfs"; extraArgs = [ "-f" ]; subvolumes = { "/@" = { mountpoint = "/"; mountOptions = [ "compress=zstd" "noatime" ]; }; }; }; }; }; }; }; }; }; }