Tags: macos, macos-catalina, macos-big-sur, nix

Error installing Nix on macOS Catalina and Big Sur on FileVault-encrypted boot volume on Mac without T2 chip


I ran the following command to install Nix on my Mac:

sh <(curl -L https://nixos.org/nix/install) --daemon --darwin-use-unencrypted-nix-store-volume

And I got the following error:

error: refusing to create Nix store volume because the boot volume is
       FileVault encrypted, but encryption-at-rest is not available.
       Manually create a volume for the store and re-run this script.
       See https://nixos.org/nix/manual/#sect-macos-installation

https://nixos.org/nix/manual/#sect-macos-installation says:

If you're using a recent Mac with a T2 chip, your drive will still be encrypted at rest (in which case "unencrypted" is a bit of a misnomer). To use this approach, just install Nix with:

sh <(curl -L https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume

If you don't like the sound of this, you'll want to weigh the other approaches and tradeoffs detailed in this section.

I don't have a mac with a T2 chip, so what do I do?

I found some related github issues, but no direct answer.


Solution

  • I chose to use the "Use a separate encrypted volume" suggestion as outlined by Philipp Haussleiter:

    This approach only works if you have a disk that is formatted with APFS (that should always be the case if your OS is running off an SSD).

    You can check this with:

    % diskutil list | grep APFS
    
    …
    0:      APFS Container Scheme -                      +250.8 GB   disk1
    …
    

    Create another Volume on your Disk for NIX:

    % sudo diskutil apfs addVolume disk1 'APFS' nix
    Will export new APFS Volume "nix" from APFS Container Reference disk1
    Started APFS operation on disk1
    Preparing to add APFS Volume to APFS Container disk1
    Creating APFS Volume
    Created new APFS Volume disk1s6
    Mounting APFS Volume
    Setting volume permissions
    Disk from APFS operation: disk1s6
    Finished APFS operation on disk1
    

    Your disk may not be named disk1s6. Find the name of your disk with:

    % diskutil list | grep nix
    4:                APFS Volume nix                      7.7 GB    disk1s6
    

    Again, your disk may not be named disk1s6.

    Encrypt disk:

    You need to enter a passphrase for the encryption. You have to remember that passphrase once – you can add it to your keychain later on. After that, the disk encryption will start in the background.

    % sudo diskutil apfs encryptvolume disk1s6 -user disk
    Passphrase for the new "Disk" user (672C4CFF-34C6-4407-83ED-294C1C42E161):
    Repeat passphrase:
    Starting background encryption with the new "Disk" crypto user on disk1s6
    The new "Disk" user will be the only one who has initial access to disk1s6
    The new APFS crypto user UUID will be 672C4CFF-34C6-4407-83ED-294C1C42E161
    Background encryption is ongoing; see "diskutil apfs list" to see progress
    

    Setup Mount Point:

    macOS Catalina does not allow you to create folders directly under your root path /. But we can use another method to have macOS create that folder for us. To do this, we have to add an entry to the file /etc/synthetic.conf:

    % sudo bash -c 'echo nix >> /etc/synthetic.conf'

    Now, the next time the system starts, a mount point /nix will be created. The next task is to have our volume mounted at boot.

    Setup Mount:

    For the mount configuration, we need the UUID of the volume. We can find this via the diskutil tool (again, your disk may not be named disk1s6):

    % diskutil info /dev/disk1s6 | grep UUID
    

    We must edit /etc/fstab with vifs:

    % sudo vifs
    

    (vifs behaves just like vi, so use vi commands to edit the file):

    UUID=1D9389C1-5676-4077-88F5-8D5304A0B1A6 /nix apfs  rw
    

    (Your UUID will be different!)

    Reboot. You will get a GUI prompt to enter your encryption passphrase, and save it to the keychain.

    Encrypted Volume Keychain Prompt After Restart

    I then ran:

    sh <(curl -L https://nixos.org/nix/install) --daemon
    

    The --darwin-use-unencrypted-nix-store-volume option isn't necessary because we have an encrypted volume now.
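Added example (not from the answer above or from the Nix project): a small POSIX shell script that checks, from `diskutil info` text, that the new volume reports Encrypted: Yes and is mounted at /nix before the installer is run, and builds the fstab line from the Volume UUID. The functions read diskutil output on stdin; SAMPLE_INFO is a constructed sample shaped like `diskutil info /dev/disk1s6` after the reboot, and the field names Volume UUID, Mount Point and Encrypted are assumed to match your diskutil version.

```shell
#!/bin/sh
# Added example: sanity checks before running the Nix installer on the
# separate encrypted volume. Each function reads `diskutil info` text on
# stdin, so on a Mac you would run, e.g.:
#   diskutil info /dev/disk1s6 | volume_uuid      (your disk may differ)

# Print the value of the "Volume UUID:" line.
volume_uuid() {
    awk -F': *' '/^ *Volume UUID:/ { print $2; exit }'
}

# Succeed only if diskutil reports "Encrypted: Yes" for the volume.
volume_is_encrypted() {
    awk -F': *' '/^ *Encrypted:/ { if ($2 ~ /^Yes/) ok = 1 } END { exit !ok }'
}

# Succeed only if the volume is mounted at the mount point given as $1.
volume_mounted_at() {
    awk -F': *' -v want="$1" \
        '/^ *Mount Point:/ { if ($2 == want) ok = 1 } END { exit !ok }'
}

# Build the /etc/fstab entry the answer describes for a given Volume UUID.
fstab_line() {
    printf 'UUID=%s /nix apfs rw\n' "$1"
}

# Constructed sample (not real command output); the UUID is the one used
# in the answer above.
SAMPLE_INFO='   Device Identifier:         disk1s6
   Device Node:               /dev/disk1s6
   Volume Name:               nix
   Mounted:                   Yes
   Mount Point:               /nix
   Volume UUID:               1D9389C1-5676-4077-88F5-8D5304A0B1A6
   FileVault:                 Yes (Unlocked)
   Encrypted:                 Yes'

# Run the checks against the sample and print the fstab line it implies.
uuid=$(printf '%s\n' "$SAMPLE_INFO" | volume_uuid)
printf '%s\n' "$SAMPLE_INFO" | volume_is_encrypted \
    || echo "WARNING: volume is not reported as encrypted"
printf '%s\n' "$SAMPLE_INFO" | volume_mounted_at /nix \
    || echo "WARNING: volume is not mounted at /nix"
fstab_line "$uuid"
```

On the Mac itself, replace the SAMPLE_INFO pipelines with `diskutil info /dev/diskNsM` for your volume; a warning from either check means the installer would be writing the store to an unencrypted or wrongly mounted volume.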