I thought #29441 did this already, or am I misunderstanding what this patch does?

That one temporarily saves the passphrase and automatically tries to reuse it for the next LUKS device opened from the initrd. That allows opening multiple LUKS devices in the initrd while typing only one passphrase.

What I need is to open just one device in the initrd (where the root filesystem is), and open another device automatically during the systemd boot. That other device does not need to be opened in the initrd; configuring it to be opened in the initrd would prevent me from booting if the device does not work, would also increase the boot time a little (since it is not done in parallel).

This patch makes it possible for the initrd to save the passphrase so that it can be used later (after the initrd is done) to open another device. To do that I added a systemd service like this:

systemd.services.cryptsetup-crypt-disk = let
  name = "crypt-disk";
  device = "/dev/disk/by-uuid/xxx";
  keyFile = "/run/initrd-saved-passphrases/luks-crypt-ssd";
in {
  description = "Open LUKS volume ${name}";
  requires = [ "${utils.escapeSystemdPath device}.device" ];
  after = [ "${utils.escapeSystemdPath device}.device" ];
  # I use ZFS so this is a dependency of the service that imports the pool.
  # Otherwise it would be a dependency of mount units directly.
  before = [ "zfs-import-zfs-disk.service" ];
  requiredBy = [ "zfs-import-zfs-disk.service" ];
  unitConfig.DefaultDependencies = "no";
  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = true;
    ExecStart = "${pkgs.cryptsetup}/bin/cryptsetup luksOpen ${device} ${name} --key-file ${keyFile}";
  };
};

another option would be to have a regular keyfile on the encrypted rootfs, and then always use that to open the 2nd luks device

another option would be to have a regular keyfile on the encrypted rootfs, and then always use that to open the 2nd luks device

This is true but I'm not fond of keeping encryption keys on the disk and it's also manual work.

Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:

1. Search for maintainers and people that previously touched the
   related code and @ mention them in a comment.
2. Ask on the NixOS Discourse. 3. Ask on the #nixos channel on
   irc.freenode.net.

I know this is stale, but I find myself with a bit of time to try and work through the oldest, non-conflicting issues.

For clarity, why can't you mount this in the initrd phase? Won't putting the key in /run/initrd-saved-passphrases/ be the equivalent of putting the key on another encrypted drive that's been mounted in initrd? This turns the passphrase into a keyfile.

Is it just another way of doing things that doesn't require a benefit? / What's the benefit?