Talos Linux provides sophisticated block storage configuration through dedicated document types. These replace the deprecated machine.disks and machine.systemDiskEncryption fields from v1alpha1.
UserVolumeConfig
The UserVolumeConfig document defines user-managed volumes that are automatically provisioned and mounted under /var/mnt/<name>.
Document Structure

```yaml
kind: UserVolumeConfig
apiVersion: v1alpha1
name: volume-name
```
Volume Configuration

name
Name of the volume (1-34 characters). May contain lowercase and uppercase ASCII letters, digits, and hyphens. The partition label is generated automatically as u-<name>.

volumeType (string, default: "partition")
Type of volume to create. Available types:
- partition - create a partition on a disk (default)
- disk - use an entire disk
- directory - create a directory in the system partition
Provisioning Configuration

provisioning
Describes how the volume is provisioned (not applicable to the directory type).

provisioning.diskSelector
Selects which disk to use for provisioning.

provisioning.diskSelector.match
CEL expression to match disks, using disk properties such as transport, size and model:

```yaml
provisioning:
  diskSelector:
    match: 'disk.transport == "nvme"'
```

```yaml
provisioning:
  diskSelector:
    match: 'disk.size >= 500u * GB && disk.type == "ssd"'
```

provisioning.minSize
Minimum size for the partition (supports units such as GiB and GB):

```yaml
provisioning:
  minSize: 10GiB
```

provisioning.maxSize
Maximum size for the partition. If not specified, all available space is used:

```yaml
provisioning:
  maxSize: 50GiB
```

provisioning.grow
Automatically grow the partition to fill the available space on subsequent boots.
Filesystem Configuration

filesystem
Describes how the volume is formatted.

filesystem.type
Filesystem type to create. Available types:
- xfs (default) - XFS filesystem
- ext4 - ext4 filesystem

filesystem.projectQuotaSupport
Enable project quota support (XFS only). Note: changing this may require a full remount.

```yaml
filesystem:
  type: xfs
  projectQuotaSupport: true
```
Encryption Configuration

encryption
Describes how the volume is encrypted.

encryption.provider
Encryption provider to use:

```yaml
encryption:
  provider: luks2
```

encryption.keys
Key generation and storage methods. Multiple keys can be configured in different slots.

encryption.keys[].slot
Key slot number for LUKS2 (0-7).

encryption.keys[].static
Static passphrase key stored in the configuration:

```yaml
encryption:
  provider: luks2
  keys:
    - slot: 0
      static:
        passphrase: my-secret-passphrase
```

encryption.keys[].nodeID
Key derived deterministically from the node UUID and the partition label:

```yaml
encryption:
  keys:
    - slot: 0
      nodeID: {}
```

encryption.keys[].tpm
TPM-based disk encryption:

```yaml
encryption:
  keys:
    - slot: 0
      tpm:
        checkSecurebootStatusOnEnroll: true
```

encryption.keys[].tpm.options
TPM key protection options.

encryption.keys[].tpm.options.pcrs
List of PCR indices to bind the key to. Defaults to PCR 7 if not set:

```yaml
tpm:
  options:
    pcrs: [7, 12]
```

encryption.keys[].tpm.checkSecurebootStatusOnEnroll
Verify that Secure Boot is enabled during key enrollment.

encryption.keys[].kms
KMS-managed encryption key:

```yaml
encryption:
  keys:
    - slot: 0
      kms:
        endpoint: https://kms.example.com:4443
```

encryption.keys[].lockToState
Lock the encryption key to a random salt stored in the STATE partition. This prevents the volume from being unlocked if STATE is compromised. Recommended with TPM encryption.
encryption.cipher
Cipher to use for encryption (provider-dependent). Available ciphers:
- aes-xts-plain64
- xchacha12,aes-adiantum-plain64
- xchacha20,aes-adiantum-plain64

```yaml
encryption:
  cipher: aes-xts-plain64
```

encryption.keySize
Encryption key length in bits.

encryption.blockSize
Encryption sector size:

```yaml
encryption:
  blockSize: 4096
```

encryption.options
Additional --perf parameters for LUKS2. Available options:
- no_read_workqueue
- no_write_workqueue
- same_cpu_crypt

```yaml
encryption:
  options:
    - no_read_workqueue
    - no_write_workqueue
```
Mount Configuration

mount
Additional mount options for the volume.

mount.disableAccessTime
Disable file access time updates (noatime):

```yaml
mount:
  disableAccessTime: true
```

Secure mount options (nosuid, nodev) are enabled by default for better security.
Complete Examples
Partition Volume with TPM Encryption
```yaml
kind: UserVolumeConfig
apiVersion: v1alpha1
name: local-data
volumeType: partition
provisioning:
  diskSelector:
    match: 'disk.transport == "nvme"'
  maxSize: 50GiB
filesystem:
  type: xfs
encryption:
  provider: luks2
  keys:
    - slot: 0
      tpm: {}
    - slot: 1
      static:
        passphrase: topsecret
```
ExistingVolumeConfig
The ExistingVolumeConfig document mounts existing volumes that were created outside of Talos.
```yaml
kind: ExistingVolumeConfig
apiVersion: v1alpha1
name: data
volumeLocator:
  partitionLabel: DATA
mountpoint: /var/mnt/data
```
RawVolumeConfig
The RawVolumeConfig document provides raw (unformatted) volume access.
```yaml
kind: RawVolumeConfig
apiVersion: v1alpha1
name: raw-storage
volumeType: partition
provisioning:
  diskSelector:
    match: 'disk.size >= 100u * GB'
```
SwapVolumeConfig
The SwapVolumeConfig document configures swap space.
```yaml
kind: SwapVolumeConfig
apiVersion: v1alpha1
provisioning:
  diskSelector:
    match: 'disk.transport == "nvme"'
  minSize: 8GiB
```
VolumeConfig
The VolumeConfig document configures system volumes (EPHEMERAL, STATE, etc.).
```yaml
kind: VolumeConfig
apiVersion: v1alpha1
name: EPHEMERAL
provisioning:
  grow: true
encryption:
  provider: luks2
  keys:
    - slot: 0
      tpm: {}
```
Disk Selector Expressions
Disk selectors use CEL (Common Expression Language) for flexible disk matching. Available disk properties:
- disk.size - disk size in bytes (use the * GB or * GiB multipliers)
- disk.transport - transport type (nvme, sata, usb, etc.)
- disk.type - disk type (ssd, hdd)
- disk.model - disk model string
- disk.serial - disk serial number
- disk.wwid - world-wide identifier
- disk.rotational - boolean indicating rotational media

Example Expressions

```yaml
# NVMe drives only
match: 'disk.transport == "nvme"'

# SSDs larger than 500GB
match: 'disk.size >= 500u * GB && disk.type == "ssd"'

# Non-rotational drives
match: '!disk.rotational'

# Specific model
match: 'disk.model.contains("Samsung")'

# Multiple conditions
match: 'disk.transport == "nvme" && disk.size >= 1u * TB && disk.type == "ssd"'
```
Encryption Key Management
Key Slot Strategy
LUKS2 supports up to 8 key slots (0-7). Use multiple slots for key rotation and recovery:
- Slot 0: primary key (TPM-based for production)
- Slot 1: recovery key (static passphrase)
- Slot 2: KMS-managed key (for centralized management)
TPM-Based Encryption
TPM encryption binds the key to the machine’s hardware and boot state:
```yaml
encryption:
  provider: luks2
  keys:
    - slot: 0
      tpm:
        options:
          pcrs: [7]  # Secure Boot state
        checkSecurebootStatusOnEnroll: true
    - slot: 1
      static:
        passphrase: recovery-key
      lockToState: true
```
KMS Integration
Use external Key Management Service for centralized key management:
```yaml
encryption:
  provider: luks2
  keys:
    - slot: 0
      kms:
        endpoint: https://kms.example.com:4443
```
Best Practices
Always Configure Recovery Keys

Use Appropriate Volume Types
- Use partition for most cases
- Use disk when you need an entire dedicated disk
- Use directory for lightweight storage without partitioning

Set maxSize to prevent volumes from consuming all available space. Use grow: true when you want the volume to expand.

For non-STATE volumes with TPM encryption, enable lockToState for additional security.
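As an added example (not Talos code or a Talos tool), the following Python linter checks a UserVolumeConfig document, represented as a plain dictionary, against the constraints this page states: the name rules, the LUKS2 slot range 0-7, exactly one key method per slot, the lockToState recommendation for TPM keys, and the Key Slot Strategy's advice to keep a static recovery passphrase. The check wording and the sample document are constructed for this example.

```python
import re

# Added example, not a Talos tool: a linter for the UserVolumeConfig constraints
# this page states (name rules, LUKS2 slots, key methods, recovery key advice).
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,34}$")
CIPHERS = {"aes-xts-plain64", "xchacha12,aes-adiantum-plain64",
           "xchacha20,aes-adiantum-plain64"}
KEY_METHODS = ("static", "nodeID", "tpm", "kms")


def check_user_volume(doc):
    """Return a list of findings; an empty list means the document passed."""
    out = []
    name = doc.get("name", "")
    if not NAME_RE.match(name):
        out.append(f"name {name!r}: need 1-34 ASCII letters, digits or hyphens")
    if doc.get("volumeType", "partition") == "directory" and "provisioning" in doc:
        out.append("provisioning does not apply to directory volumes")
    fs = doc.get("filesystem", {})
    if fs.get("projectQuotaSupport") and fs.get("type", "xfs") != "xfs":
        out.append("projectQuotaSupport is XFS only")
    enc = doc.get("encryption")
    if enc is None:
        return out
    if enc.get("provider") != "luks2":
        out.append("encryption.provider must be luks2")
    if enc.get("cipher", "aes-xts-plain64") not in CIPHERS:
        out.append(f"cipher {enc['cipher']!r} unsupported")
    seen, methods = set(), set()
    for key in enc.get("keys", []):
        slot = key.get("slot")
        if not isinstance(slot, int) or not 0 <= slot <= 7:
            out.append(f"slot {slot!r} outside LUKS2 range 0-7")
        elif slot in seen:
            out.append(f"slot {slot} used twice")
        seen.add(slot)
        present = [m for m in KEY_METHODS if m in key]  # static / nodeID / tpm / kms
        if len(present) != 1:
            out.append(f"slot {slot}: exactly one key method expected")
        methods.update(present)
        if "tpm" in key and not key.get("lockToState"):
            out.append(f"slot {slot}: TPM key without lockToState (recommended)")
    if methods and "static" not in methods:
        out.append("no static recovery passphrase in any slot")
    return out

# Constructed input: TPM primary key without lockToState and no recovery slot.
SAMPLE = {"kind": "UserVolumeConfig", "apiVersion": "v1alpha1", "name": "local-data",
          "provisioning": {"diskSelector": {"match": 'disk.transport == "nvme"'}},
          "encryption": {"provider": "luks2", "keys": [{"slot": 0, "tpm": {}}]}}
```

Running check_user_volume(SAMPLE) reports the missing lockToState on slot 0 and the absence of a static recovery key, which is exactly what the Key Slot Strategy above asks you to add.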
Migration from Deprecated Fields
The following deprecated v1alpha1 fields are replaced by the new volume configuration documents:

| Deprecated Field | New Document Type |
| --- | --- |
| machine.disks | UserVolumeConfig |
| machine.systemDiskEncryption | VolumeConfig |