Commit 4afadc73 authored by Bjørn Forsman

nixos/luks: allow empty passphrases in prompt

LUKS itself supports empty passphrases, and NixOS even has
boot.initrd.luks.devices.<name>.tryEmptyPassphrase option, but still the
NixOS interactive LUKS passphrase prompt rejects empty passphrases.

Fix it.

Implementation note. The "open" command line is changed due to details
in how empty passphrases and trailing newlines are handled when reading
from stdin. This code path is only for the interactive prompt, not when
using keyfiles, and the "reuse passphrase" logic already strips trailing
newlines, so that's nothing new.
parent 57feb92a
+2 −2
@@ -214,7 +214,7 @@ let

                      # and try reading it from /dev/console with a timeout
                      IFS= read -t 1 -r passphrase
                      if [ -n "$passphrase" ]; then
                      if [ $? = 0 ]; then
                         ${
                           if luks.reusePassphrases then
                             ''
@@ -232,7 +232,7 @@ let
                  fi
              done
              echo -n "Verifying passphrase for ${dev.device}..."
              echo -n "$passphrase" | ${csopen} --key-file=-
              echo "$passphrase" | ${csopen}
              if [ $? == 0 ]; then
                  echo " - success"
                  ${
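Review bot: In the second hunk, `echo "$passphrase" | ${csopen}` still sends the typed passphrase through `echo`, so a passphrase made up only of echo option letters (for example `-n` or `-e`) is consumed as an option instead of being written, and depending on the shell's `echo`, backslash sequences may be rewritten before cryptsetup reads them; the removed line had the same weakness. `printf '%s\n' "$passphrase" | ${csopen}` writes the bytes unchanged and keeps the single trailing newline this change relies on. A short comment above that line, such as `# no --key-file=-: cryptsetup reads one line from stdin and strips the newline, so an empty passphrase is accepted`, would keep the reasoning from the commit message next to the code. The enclosing loop and the reuse-passphrase branch lie outside the hunk, so whether they pipe the passphrase the same way should be checked there.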