LUKS-Encrypted File Systems
NixOS supports file systems that are encrypted using LUKS (Linux Unified Key Setup). For example, here is how you create an encrypted Ext4 file system on the device /dev/sda2:

    $ cryptsetup luksFormat /dev/sda2

    WARNING!
    ========
    This will overwrite data on /dev/sda2 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase: ***
    Verify passphrase: ***

    $ cryptsetup luksOpen /dev/sda2 crypted
    Enter passphrase for /dev/sda2: ***

    $ mkfs.ext4 /dev/mapper/crypted

To ensure that this file system is automatically mounted at boot time as /, add the following to configuration.nix:

    boot.initrd.luks.devices = [ { device = "/dev/sda2"; name = "crypted"; } ];
    fileSystems."/".device = "/dev/mapper/crypted";
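
Kernel names such as /dev/sda2 are not guaranteed to stay the same across boots, so before rebooting it is worth confirming that the device really carries a LUKS header and noting the UUID stored in it. The following is an added example, not part of the NixOS manual: it reads the header of a device or image file with standard tools. The function names and the sample header are constructed for illustration, and reading a real block device requires root.

```shell
#!/bin/sh
# Added example: inspect the on-disk LUKS header of a device or image file.
# Layout used: bytes 0-5 hold the magic "LUKS\xba\xbe", bytes 6-7 the
# big-endian version, and a NUL-padded 40-byte UUID string starts at
# offset 168 (the same offset in LUKS1 and LUKS2 primary headers).

luks_magic_hex() {      # first 6 bytes as lowercase hex, no separators
    dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

luks_version() {        # prints 1 or 2; fails if this is not a LUKS header
    [ "$(luks_magic_hex "$1")" = "4c554b53babe" ] || return 1
    v=$(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$v" in
        0001) echo 1 ;;
        0002) echo 2 ;;
        *)    return 1 ;;   # unknown version: do not guess
    esac
}

luks_uuid() {           # prints the UUID stored in the header
    luks_version "$1" >/dev/null || return 1
    dd if="$1" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000'
    echo
}

luks_device_path() {    # stable path to use instead of a kernel name
    uuid=$(luks_uuid "$1") || return 1
    printf '/dev/disk/by-uuid/%s\n' "$uuid"
}

make_sample_header() {  # constructed input: header fields only, not a real volume
    printf 'LUKS\272\276\000\002' > "$1"                    # magic + version 2
    dd if=/dev/zero bs=1 count=160 >> "$1" 2>/dev/null      # pad up to offset 168
    printf '%s\000\000\000\000' \
        "00000000-1111-2222-3333-444444444444" >> "$1"      # constructed UUID
}

# Demo on the constructed header; on a real system pass the device, e.g. /dev/sda2.
img=$(mktemp) && make_sample_header "$img"
echo "LUKS$(luks_version "$img") header found, stable path: $(luks_device_path "$img")"
rm -f "$img"
```

On an installed system, `cryptsetup luksUUID /dev/sda2` reports the same UUID; the resulting /dev/disk/by-uuid/ path can be used as the `device` value in configuration.nix.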