Error installing Nix on macOS Catalina and Big Sur on FileVault-encrypted boot volume on Mac without T2 chip

I ran the following command to install Nix on my Mac:

sh <(curl -L https://nixos.org/nix/install) --daemon --darwin-use-unencrypted-nix-store-volume

I received the following error:

error: refusing to create Nix store volume because the boot volume is
       FileVault encrypted, but encryption-at-rest is not available.
       Manually create a volume for the store and re-run this script.
       See https://nixos.org/nix/manual/#sect-macos-installation

https://nixos.org/nix/manual/#sect-macos-installation says:

If you're using a recent Mac with a T2 chip, your drive will still be encrypted at rest (in which case "unencrypted" is a bit of a misnomer). To use this approach, just install Nix with:

sh <(curl -L https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume

If you don't like the sound of this, you'll want to weigh the other approaches and tradeoffs detailed in this section.

I don't have a Mac with a T2 chip. What should I do?

I found some related GitHub issues, but no direct answer.

I chose to use the "Use a separate encrypted volume" suggestion as outlined by Philipp Haussleiter:

This approach only works if you have a disk that is formatted with APFS (that should always be the case if your OS is running off an SSD).

You can check this with:

% diskutil list | grep APFS

…
0:      APFS Container Scheme -                      +250.8 GB   disk1
…

Create another Volume on your Disk for NIX:

% sudo diskutil apfs addVolume disk1 'APFS' nix
Will export new APFS Volume "nix" from APFS Container Reference disk1
Started APFS operation on disk1
Preparing to add APFS Volume to APFS Container disk1
Creating APFS Volume
Created new APFS Volume disk1s6
Mounting APFS Volume
Setting volume permissions
Disk from APFS operation: disk1s6
Finished APFS operation on disk1

Your disk may not be named disk1s6. Find the name of your disk with:

% diskutil list | grep nix
4:                APFS Volume nix                      7.7 GB    disk1s6

Again, your disk may not be named disk1s6.

Encrypt disk:

You need to enter a passphrase for the encryption. You have to remember that passphrase once – you can add it to your key chain later on. After that the disk encryption will start in the background.

% sudo diskutil apfs encryptvolume disk1s6 -user disk
Passphrase for the new "Disk" user (672C4CFF-34C6-4407-83ED-294C1C42E161):
Repeat passphrase:
Starting background encryption with the new "Disk" crypto user on disk1s6
The new "Disk" user will be the only one who has initial access to disk1s6
The new APFS crypto user UUID will be 672C4CFF-34C6-4407-83ED-294C1C42E161
Background encryption is ongoing; see "diskutil apfs list" to see progress

Setup Mount Point:

macOS Catalina does not allow you to create folders directly under your root path /. But we can use another method to have macOS create that folder for us. To do this, we have to add an entry to the file /etc/synthetic.conf:

% sudo bash -c 'echo nix >> /etc/synthetic.conf'

Now, the next time the system starts, a mount point /nix will be created. The next task is to have our volume mounted at boot.

Setup Mount:

For the mount configuration, we need the UUID of the volume. We can find this via the diskutil tool (again, your disk may not be named disk1s6):

% diskutil info /dev/disk1s6 | grep UUID

We must edit /etc/fstab with vifs:

% sudo vifs

(vifs behaves just like vi, so use vi commands to edit the file):

UUID=1D9389C1-5676-4077-88F5-8D5304A0B1A6 /nix apfs  rw

(Your UUID will be different!)

Reboot. You will get a GUI prompt to enter your encryption passphrase, and save it to the keychain.

Then I ran:

sh <(curl -L https://nixos.org/nix/install) --daemon

The --darwin-use-unencrypted-nix-store-volume option is not needed, because we now have an encrypted volume.
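
An added example, not part of the original answer or of the Nix installer: shell helpers that check the two files edited in the steps above before rebooting, confirming that /etc/synthetic.conf has a plain `nix` entry and that /etc/fstab mounts the same UUID that `diskutil info` reported. The function names are hypothetical, and the file paths are passed as arguments so the checks can be tried on copies first.

```sh
#!/bin/sh
# Added example: pre-flight checks for the encrypted /nix volume procedure.
# Paths are arguments so the checks can run against copies of the files.

# True if $1 looks like a UUID (8-4-4-4-12 hex digits).
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# True if synthetic.conf has a line that is exactly "nix" (an empty
# directory entry; a second column would make it a symlink instead).
has_synthetic_nix() {
    awk '$1 == "nix" && NF == 1 { ok = 1 } END { exit !ok }' "$1" 2>/dev/null
}

# Append "nix" only when missing, so re-running never duplicates the entry.
ensure_synthetic_nix() {
    has_synthetic_nix "$1" || echo nix >> "$1"
}

# Print the UUID that fstab mounts at /nix as apfs; fail if there is none.
fstab_nix_uuid() {
    awk '$1 ~ /^UUID=/ && $2 == "/nix" && $3 == "apfs" {
             print substr($1, 6); ok = 1; exit }
         END { exit !ok }' "$1" 2>/dev/null
}

# Full check: $1 synthetic.conf, $2 fstab, $3 UUID reported by diskutil info.
# Prints one line per problem and returns non-zero if any was found.
check_nix_volume() {
    rc=0
    is_uuid "$3" || { echo "expected UUID is malformed: $3"; rc=1; }
    has_synthetic_nix "$1" || { echo "no nix entry in $1"; rc=1; }
    if found=$(fstab_nix_uuid "$2"); then
        want=$(printf '%s' "$3" | tr 'a-f' 'A-F')
        have=$(printf '%s' "$found" | tr 'a-f' 'A-F')
        [ "$want" = "$have" ] || { echo "fstab UUID $found != $3"; rc=1; }
    else
        echo "no apfs mount for /nix in $2"; rc=1
    fi
    return "$rc"
}

# Usage: check_nix_volume /etc/synthetic.conf /etc/fstab "<UUID from diskutil info>"
```

A mismatch between the fstab UUID and the volume's UUID means the encrypted volume will not be mounted at /nix after the reboot, so it is worth catching before running the installer.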