diff --git a/example/complex.nix b/example/complex.nix
index 9f317c2..722cea5 100644
--- a/example/complex.nix
+++ b/example/complex.nix
@@ -32,6 +32,7 @@
 type = "luks";
 name = "crypted1";
 settings.keyFile = "/tmp/secret.key";
+ additionalKeyFiles = ["/tmp/additionalSecret.key"];
 extraFormatArgs = [
 "--iter-time 1" # unsecure but fast for tests
 ];
diff --git a/example/luks-lvm.nix b/example/luks-lvm.nix
index 3d4d857..acadad6 100644
--- a/example/luks-lvm.nix
+++ b/example/luks-lvm.nix
@@ -33,6 +33,7 @@
 # if you want to use the key for interactive login be sure there is no trailing newline
 # for example use `echo -n "password" > /tmp/secret.key`
 settings.keyFile = "/tmp/secret.key";
+ additionalKeyFiles = ["/tmp/additionalSecret.key"];
 content = {
 type = "lvm_pv";
 vg = "pool";
diff --git a/lib/types/luks.nix b/lib/types/luks.nix
index dacc9b4..c3c9956 100644
--- a/lib/types/luks.nix
+++ b/lib/types/luks.nix
@@ -91,8 +91,7 @@ in
 cryptsetup luksOpen ${config.device} ${config.name} \
 ${toString config.extraOpenArgs} \
 ${keyFileArgs}
- ${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"}
- ${toString (lib.lists.forEach config.additionalKeyFiles (x: "cryptsetup luksAddKey ${config.device} ${lib.optionalString (config.keyFile != null) "--key-file ${config.keyFile}"} ${x};"))}
+ ${toString (lib.lists.forEach config.additionalKeyFiles (x: "cryptsetup luksAddKey ${config.device} --key-file ${config.settings.keyFile} ${x};"))}
 ${lib.optionalString (config.content != null) config.content._create}
 '';
 };
diff --git a/tests/lib.nix b/tests/lib.nix
index 05985ca..aca1102 100644
--- a/tests/lib.nix
+++ b/tests/lib.nix
@@ -135,6 +135,7 @@ machine.start() machine.succeed("echo -n 'secretsecret' > /tmp/secret.key") + machine.succeed("echo -n 'additionalSecret' > /tmp/additionalSecret.key") ${lib.optionalString (testMode == "direct") '' machine.succeed("${tsp-create}") machine.succeed("${tsp-mount}")
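Review bot: In lib/types/luks.nix the added `luksAddKey` line interpolates `config.settings.keyFile` unconditionally, so a configuration that sets `additionalKeyFiles` but unlocks the volume by some other means would presumably fail at evaluation or generate a broken `--key-file` argument; the removed line at least guarded this with `lib.optionalString`. The `luksOpen` call directly above already passes `${keyFileArgs}` (defined outside this hunk), and reusing it would keep both commands on the same credential: `"cryptsetup luksAddKey ${config.device} ${keyFileArgs} ${lib.escapeShellArg x};"`. Escaping `x`, and ideally `config.device` too, also stops a path containing spaces or shell metacharacters from being split or interpreted by the generated script. The surrounding script string begins and ends outside the hunk, so whether an earlier assertion already covers the missing-key case cannot be checked from here.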