luks upd

systems/jeroboam/default.nix

@@ -70,10 +70,21 @@
     initrd = {
         systemd.enable = true; # tpm2 unlock requires systemd initrd
         luks.devices."cryptroot" = {
-            allowDiscards = true;
             bypassWorkqueues = true;
             device = "/dev/nvme0n1p2";
             crypttabExtraOpts = [ "tpm2-device=auto" ]; # tpm2 unlock
+            preLVM = true;
+
+            # If using a USB or SD Card for decryption include the following.
+            allowDiscards = true;
+            keyFileSize = 4096;
+            # This is the disk id of your USB or SD Card.
+            # Get this by running `ls -l /dev/disk/by-id`,
+            # and copy the long string into the spot below.
+            keyFile = "/dev/disk/by-id/Hello";
+
+            # Use this if you want to fallback to the encryption password when the drive can't be found. HIGHLY RECCOMENDED!!!!
+            fallbackToPassword = true;
         };
     };
     resumeDevice = config.fileSystems."/swap".device;