NixOS Encrypted Install

15 Jan 2025

I don’t think the NixOS Manual or NixOS Wiki do a great job of walking you through an encrypted installation, so I documented the process myself. This guide covers installing NixOS with ext4 on a LUKS-encrypted partition, systemd-boot (the default bootloader for UEFI installs), and a swap file large enough for hibernation.

Preliminary Steps

Download and flash the minimal ISO image to a drive. Then restart your machine and choose to boot from the flash drive in your firmware’s boot menu. Boot it in UEFI mode, not legacy/CSM mode, since systemd-boot only works on UEFI systems. Once the NixOS installer menu appears, choose the first option or wait for it to boot automatically.

Once the machine has booted into the installer, sudo into root. This will make it easier to do the rest of the installation.

sudo -i

Partitioning

partition    type               size
/dev/sda1    EFI System         1G
/dev/sda2    Linux filesystem   remainder

The first thing you must do is partition your drive for the bootloader and the encrypted volume. Use lsblk to find the name of your drive; my machine uses /dev/sda as the name for its drive (on NVMe disks it will look like /dev/nvme0n1, and the partitions below become /dev/nvme0n1p1 and /dev/nvme0n1p2). Using cfdisk, partition the drive with the layout above, choosing a GPT label if cfdisk asks. Be sure to change the type of the first partition to EFI System; cfdisk creates every new partition as Linux filesystem by default.

cfdisk /dev/sda

Reboot the machine for the system to detect the new GPT.

reboot

Now, connect the installer to the internet. This is necessary for the installation to succeed, since nixos-install downloads packages. If you are using ethernet with DHCP, you can skip this step, otherwise follow the network instructions from the NixOS Manual.

Encrypting

Now you can begin the fun part: encryption. Once again, you should sudo into root on the installer. Then, create an encrypted container within /dev/sda2 for the root filesystem. You will be prompted to define a passphrase. This will be how you decrypt the volume on boot, and it is the only thing protecting the data at rest, so choose a long one. On current cryptsetup (2.4 or later) this creates a LUKS2 header with Argon2id key derivation by default.

cryptsetup -v luksFormat /dev/sda2

Open the encrypted container. The last argument, root, is the name of the device-mapper node the decrypted volume appears under; it can be whatever you want, and the volume will show up as /dev/mapper/root.

cryptsetup open /dev/sda2 root

Formatting the Partitions

Begin by formatting the EFI partition with FAT32.

mkfs.fat -F32 /dev/sda1

Now, format the root partition with ext4. Be sure to use the same name you used when opening the LUKS container, in my case root.

mkfs.ext4 /dev/mapper/root

Mounting the Filesystems

Now, mount the root partition.

mount /dev/mapper/root /mnt

Then, mount the EFI system partition.

mount --mkdir /dev/sda1 /mnt/boot

Editing the Configuration

First, generate the initial NixOS configuration file.

nixos-generate-config --root /mnt

Check that the generated /mnt/etc/nixos/hardware-configuration.nix contains a boot.initrd.luks.devices entry pointing at the encrypted partition (by UUID). nixos-generate-config adds it because the opened container is mounted at /mnt; without that entry the initrd has no way to unlock root at boot.

You should create a swap file large enough to support hibernation by adding the following lines to /mnt/etc/nixos/configuration.nix. Hibernation writes the entire contents of RAM into swap, so the swap file should be at least as large as your RAM. My machine has 16 GB of RAM, so a 16 GB swap file should suffice. Because the file lives on the ext4 filesystem inside the LUKS container, the hibernation image is encrypted at rest along with everything else.

swapDevices = [{
  device = "/swapfile";
  size = 16 * 1024;
}];

NOTE: swap file sizes are in megabytes, so 16 * 1024 gives a 16 GiB file. Creating the file is enough for swapping, but resuming from hibernation additionally requires telling the kernel which device and file offset hold the image; see the example at the end of the installation steps.

If you are using wifi, be sure to uncomment the following line.

networking.networkmanager.enable = true;

And finally, I also recommend adding a user by uncommenting the following lines, changing alice to the desired username. The wheel group lets the user use sudo. Again, if you are using wifi, you should also add the networkmanager group to the user.

users.users.alice = {
  isNormalUser  = true;
  extraGroups  = [ "wheel" "networkmanager" ];
  packages = with pkgs; [
    tree
  ];
};

You can continue to edit the configuration file as needed, such as enabling OpenSSH.

Installing NixOS

At long last, install NixOS and set the root password when prompted.

nixos-install

If you plan to login with the user you created above, set their password before rebooting.

nixos-enter --root /mnt -c 'passwd alice'

Finally, reboot into your new NixOS machine.

reboot
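The encrypt, format and mount steps above, collected into a shell script, as an added example that is not part of the original post. It makes explicit what the post leaves hardcoded or implicit: the partition names are derived from the disk name (so /dev/nvme0n1 works as well as /dev/sda), the LUKS header can be backed up, and the two settings that resume from hibernation needs for a swap file (boot.resumeDevice and a resume_offset kernel parameter, the latter read from filefrag) are computed rather than typed by hand. The DISK, MAPPER and SWAP_MB names, the sample filefrag output, and the backup path are my assumptions, not the post’s. The disk-touching steps only run when the script is started with run as its first argument, on the installer, as root, after cfdisk has written the GPT from the table above.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions (mine):
# cfdisk has already written a GPT with partition 1 = EFI System and
# partition 2 = Linux filesystem, the installer is online, and you are root.
# prepare_volumes destroys everything on DISK and only runs via "run".

DISK="${DISK:-/dev/sda}"       # /dev/sda in the post; /dev/nvme0n1 is common
MAPPER="${MAPPER:-root}"       # name of the opened LUKS container
SWAP_MB="${SWAP_MB:-16384}"    # swapDevices size in MiB, 16 * 1024 in the post

# Path of partition N on a disk. The post hardcodes /dev/sda1 and /dev/sda2;
# devices whose name ends in a digit (nvme0n1, mmcblk0) insert a "p":
# /dev/nvme0n1 -> /dev/nvme0n1p2.
part_name() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

# Read `filefrag -v <swapfile>` output on stdin and print the physical start
# block of the file's first extent. That number is the resume_offset= the
# kernel needs to locate a hibernation image stored in a swap file.
resume_offset_from_filefrag() {
    awk '$1 == "0:" { sub(/\.\.$/, "", $4); print $4; exit }'
}

# Constructed sample of filefrag -v output (not captured from a real machine),
# used to exercise the parser when no swap file exists yet.
SAMPLE_FILEFRAG='Filesystem type is: ef53
File size of /swapfile is 17179869184 (4194304 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:   expected: flags:
   0:        0..   32767:      34816..     67583:  32768:
   1:    32768..   65535:      67584..  100351:  32768:             last,eof
/swapfile: 2 extents found'

# The configuration.nix lines that make resume work for a swap file on the
# encrypted root: resumeDevice is the filesystem holding the file (the opened
# LUKS container), resume_offset the block printed by the parser above.
# Run `offset` on the installed system once /swapfile exists, add the output
# to configuration.nix and rebuild.
resume_config() {
    printf 'boot.resumeDevice = "/dev/mapper/%s";\n' "$MAPPER"
    printf 'boot.kernelParams = [ "resume_offset=%s" ];\n' "$1"
}

# Encrypt partition 2, format both partitions and mount them under /mnt,
# exactly as the post does, using part_name so NVMe disks work too.
prepare_volumes() {
    efi="$(part_name "$DISK" 1)"
    luks="$(part_name "$DISK" 2)"
    # Prompts for the passphrase; on current cryptsetup this is LUKS2/Argon2id.
    cryptsetup -v luksFormat "$luks"
    cryptsetup open "$luks" "$MAPPER"
    mkfs.fat -F32 "$efi"
    mkfs.ext4 "/dev/mapper/$MAPPER"
    mount "/dev/mapper/$MAPPER" /mnt
    mount --mkdir "$efi" /mnt/boot
}

# Copy the LUKS header off the disk: a damaged header makes the volume
# unrecoverable even with the correct passphrase. The destination is an
# assumed placeholder; use removable media, not the installer's tmpfs.
backup_luks_header() {
    cryptsetup luksHeaderBackup "$(part_name "$DISK" 2)" \
        --header-backup-file "${1:-/tmp/luks-header.img}"
}

case "${1:-}" in
    run)    prepare_volumes ;;
    backup) backup_luks_header "${2:-}" ;;
    offset) resume_config "$(filefrag -v "${2:-/swapfile}" | resume_offset_from_filefrag)" ;;
    *)      printf 'usage: %s run | backup [file] | offset [swapfile]\n' "$0" ;;
esac
```

The swap file only exists once the installed system has activated the swapDevices entry, so `offset` is run from the booted machine, after which the two printed lines go into configuration.nix and `nixos-rebuild switch` is run. Since the file sits inside the LUKS container, the hibernation image (a full dump of RAM) is never written to disk in the clear.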

References

For a great guide that was a huge inspiration and resource for me, check out Michael Picht’s guide Installing Arch Linux with Btrfs, systemd-boot and LUKS.

Of course, a great resource in general for these sorts of things is the Arch Wiki, specifically the Installation Guide, LUKS on a Partition from Encrypting an Entire System, and Using a Swap File from Swap Encryption.

And last, but certainly not least, the NixOS Manual section on Installation.