philr_ has joined #nix-darwin
wildsebastian has quit [Ping timeout: 264 seconds]
angerman has quit [Read error: Connection reset by peer]
peel has quit [Ping timeout: 260 seconds]
angerman has joined #nix-darwin
angerman has quit [Ping timeout: 256 seconds]
angerman has joined #nix-darwin
peel has joined #nix-darwin
wildsebastian has joined #nix-darwin
peel has quit [Ping timeout: 264 seconds]
wildsebastian has quit [Ping timeout: 260 seconds]
wildsebastian has joined #nix-darwin
angerman has quit [Ping timeout: 260 seconds]
wildsebastian has quit [Max SendQ exceeded]
johnw has quit [Quit: ZNC - http://znc.in]
wildsebastian has joined #nix-darwin
peel has joined #nix-darwin
angerman has joined #nix-darwin
johnw has joined #nix-darwin
eraserhd has quit [Ping timeout: 264 seconds]
eraserhd has joined #nix-darwin
eraserhd has quit [Ping timeout: 256 seconds]
Chiliparrot has joined #nix-darwin
Chiliparrot has quit [Quit: My iMac has gone to sleep. ZZZzzz…]
eraserhd has joined #nix-darwin
eraserhd has quit [Ping timeout: 258 seconds]
<domenkozar[m]> LnL: If you're using a recent Mac with a T2 chip, your drive will still be encrypted at rest (in which case "unencrypted" is a bit of a misnomer). To use this approach, just install Nix with:
<domenkozar[m]> what does that mean? I'm confused
<domenkozar[m]> I think you want to create unencrypted volume
<domenkozar[m]> (nvm the last sentence)
<LnL> recent macs have hardware encryption
<domenkozar[m]> so it will be software unencrypted but hardware encrypted?
<domenkozar[m]> users who get the error of not having T2 chip are really confused what they have to do
<domenkozar[m]> which commands do they need to run to have recommended approach?
<LnL> yeah, without filevault on the root volume the chip will decrypt everything at rest without requiring a passphrase
<LnL> so without it, it still protects against hardware tampering
<LnL> and with it there's no way to access the unencrypted volume unless safe boot is disabled
<domenkozar[m]> how do those without the chip install nix unencrypted?
<LnL> the combination of no T2 and filevault currently bails out
<domenkozar[m]> yeah I'm trying to help a user to install nix as they don't know what manual wants from them
<clever> you also have the "benefit" of your data being toast if the motherboard ever fails
<clever> with no way to ever recover the data
<domenkozar[m]> so what options are there for such users?
<LnL> they have to create the volume themselves, along with enabling encryption (or not)
<LnL> given an existing volume they can run the installer again and it will reuse that
<{^_^}> nix#3692 (by mpscholten, 36 minutes ago, open): Don't stop user from installing the nix store on an unencrypted volume
<domenkozar[m]> that's quite bad UX, can't we just offer a flag?
<LnL> we've had many discussions about this already
<LnL> that combination is nonsensical
__monty__ has joined #nix-darwin
<domenkozar[m]> but users are quite confused
<domenkozar[m]> I'll read the issue again
<LnL> we don't have a nice solution for this case unless encryption is automated
<LnL> would be really great if 10.16 exposes firmlinks so we can just use that
eraserhd has joined #nix-darwin
eraserhd has quit [Ping timeout: 258 seconds]
eraserhd has joined #nix-darwin
eraserhd has quit [Ping timeout: 264 seconds]
__monty__ has quit [Quit: leaving]
eraserhd has joined #nix-darwin
eraserhd has quit [Ping timeout: 246 seconds]
eraserhd has joined #nix-darwin
hedgie has quit [Ping timeout: 258 seconds]
hedgie has joined #nix-darwin
Chiliparrot has joined #nix-darwin
eraserhd has quit [Ping timeout: 258 seconds]
hedgie_ has joined #nix-darwin
hedgie_ has quit [Remote host closed the connection]
hedgie_ has joined #nix-darwin
hedgie has quit [Ping timeout: 260 seconds]
hedgie has joined #nix-darwin
hedgie_ has quit [Ping timeout: 240 seconds]
eraserhd has joined #nix-darwin
eraserhd has quit [Ping timeout: 256 seconds]
eraserhd has joined #nix-darwin
eraserhd has quit [Ping timeout: 246 seconds]
<abathur> LnL domenkozar[m] grumble; good to update the docs or error messages if they can be clearer here, compared to having an unending stream of confused issues that follow the same arc that the original GH issue followed. I don't mind turning the error message into a small book that explains the issue if we're comfortable having an error message that long (but they may just refuse to read it...)
eraserhd has joined #nix-darwin
<abathur> Burke Libbey has some process built into the dev bootstrap tool at Shopify that also supposedly handles the ergonomics issues; we can also evaluate whether that's an acceptable outcome
<abathur> LnL domenkozar[m] here's that discussion: https://logs.nix.samueldr.com/nix-darwin/2020-05-26#1590512003-1590514818;
Chiliparrot has quit [Quit: My iMac has gone to sleep. ZZZzzz…]
philr_ has quit [Ping timeout: 246 seconds]
<LnL> objective-c really brings me back
<domenkozar[m]> abathur: what I noticed is that users have no idea what's going on
<domenkozar[m]> they don't know what their mac has or can do
hedgie_ has joined #nix-darwin
hedgie has quit [Ping timeout: 260 seconds]
<LnL> weird, you really need to make a daemon to get privileges?
<LnL> I thought those dialog boxes were usually xpc, but that only works for sandbox entitlements
mbrgm_ has joined #nix-darwin
mbrgm_ is now known as mbrgm
<abathur> domenkozar[m]: users, man