macos - 在没有 T2 芯片的 Mac 上的 FileVault 加密启动卷上，在 macOS Catalina 和 Big Sur 上安装 Nix 时出错

Question

我运行以下命令在我的 Mac 上安装 Nix:

sh <(curl -L https://nixos.org/nix/install) --daemon --darwin-use-unencrypted-nix-store-volume

我收到以下错误:

error: refusing to create Nix store volume because the boot volume is
       FileVault encrypted, but encryption-at-rest is not available.
       Manually create a volume for the store and re-run this script.
       See https://nixos.org/nix/manual/#sect-macos-installation

https://nixos.org/nix/manual/#sect-macos-installation说:

If you're using a recent Mac with a T2 chip, your drive will still be encrypted at rest (in which case "unencrypted" is a bit of a misnomer). To use this approach, just install Nix with:

sh <(curl -L https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume

If you don't like the sound of this, you'll want to weigh the other approaches and tradeoffs detailed in this section.

我没有带 T2 芯片的 mac，我该怎么办？

我找到了一些相关的github issues ，但没有直接的答案。

Answer 1

我选择使用 Use a separate encrypted volume Philipp Haussleiter 中概述的建议:

This approach only works if you have a Disk that is formated with APFS (that should always be the case, if your OS is running of a SSD).

You can check this with:

% diskutil list | grep APFS

…
0:      APFS Container Scheme -                      +250.8 GB   disk1
…

Create another Volume on your Disk for NIX:

% sudo diskutil apfs addVolume disk1 'APFS' nix
Will export new APFS Volume "nix" from APFS Container Reference disk1
Started APFS operation on disk1
Preparing to add APFS Volume to APFS Container disk1
Creating APFS Volume
Created new APFS Volume disk1s6
Mounting APFS Volume
Setting volume permissions
Disk from APFS operation: disk1s6
Finished APFS operation on disk1

Your disk may not be named disk1s6. Find the name of your disk with:

% diskutil list | grep nix
4:                APFS Volume nix                      7.7 GB    disk1s6

Again, your disk may not be named disk1s6.

Encrypt disk:

You need to enter a passphrase for the encryption. You have toremember that passphrase once – you can add it to your key chain lateron. After that the disk encryption will start in the background.

% sudo diskutil apfs encryptvolume disk1s6 -user disk
Passphrase for the new "Disk" user (672C4CFF-34C6-4407-83ED-294C1C42E161):
Repeat passphrase:
Starting background encryption with the new "Disk" crypto user on disk1s6
The new "Disk" user will be the only one who has initial access to disk1s6
The new APFS crypto user UUID will be 672C4CFF-34C6-4407-83ED-294C1C42E161
Background encryption is ongoing; see "diskutil apfs list" to see progress

Setup Mount Point:

MacOS Catalina does not allow to create folders directly under yourRoot Path /. But we can use another method to have MacOS create thatfolder for us. To do this, we have to add an entry into the file/etc/synthetic.conf:

% sudo bash -c 'echo nix >> /etc/synthetic.conf'

Now, the next time, the system starts, a mount point /nix will becreated. The next task is to have our Volume mounted at Boot.

Setup Mount:

For the Mount Configuration, we need to the UUID of the Volume. We canfind this via the diskutil tool (again, your disk may not be nameddisk1s6):

% diskutil info /dev/disk1s6 | grep UUID

We must edit /etc/fstab with vifs:

% sudo vifs

(vifs behaves just like vi, so use vi commands to edit the file):

UUID=1D9389C1-5676-4077-88F5-8D5304A0B1A6 /nix apfs  rw

(Your UUID will be different!)

Reboot. You will get a GUI prompt to enter your encryption passphrase,and save it to the keychain.

然后我跑了:

sh <(curl -L https://nixos.org/nix/install) --daemon

--darwin-use-unencrypted-nix-store-volume 选项不是必需的，因为我们现在有一个加密卷。