systemd: decrypt luks device on access


Option 2 in the question actually works, but you have to use the same names for the crypt device in both /etc/crypttab and /etc/fstab.

/etc/crypttab looks as follows:

# <name>        <device>            <password>      <options>
mnt-usb-crypt   UUID=<device-uuid>  /path/to/key    luks,noauto

/etc/fstab looks as follows:

# <file system>             <dir>       <type>  <options>                             <dump>    <pass>
/dev/mapper/mnt-usb-crypt   /mnt/usb    btrfs   defaults,noauto,x-systemd.automount   0         2

Note that if you use the UUID of the decrypted filesystem instead of the path /dev/mapper/mnt-usb-crypt, then systemd cannot determine the device it has to decrypt. But if you use the device name as above, the device is automatically decrypted and mounted as expected.

A different solution would be to explicitly specify a requirement for the systemd crypt device.
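The name-matching rule above is easy to get wrong by hand, so here is an added consistency check (example code, not part of the original answer) that parses constructed copies of the two files and reports a /dev/mapper name with no crypttab entry, a noauto crypt device that no fstab line references, and an fstab entry that names the filesystem by UUID= instead of the mapper path; the file contents and the `check_fstab` function are assumptions for illustration.

```python
"""Added consistency check for the crypttab/fstab pairing described above
(example code, not from the original answer). It parses constructed copies
of both files rather than the live system and reports the mismatches the
answer warns about: a mapped name missing from crypttab, a crypt device no
fstab line references, and an fstab entry given by UUID= instead of the
/dev/mapper/<name> path."""

MAPPER = "/dev/mapper/"


def parse_crypttab(text):
    """Return {name: set(options)} for every non-comment crypttab line."""
    devices = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        devices[fields[0]] = set(fields[3].split(",")) if len(fields) > 3 else set()
    return devices


def check_fstab(crypttab_text, fstab_text):
    """Return a list of findings; an empty list means the two files agree."""
    crypt, referenced, findings = parse_crypttab(crypttab_text), set(), []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        spec, mountpoint, options = fields[0], fields[1], set(fields[3].split(","))
        if spec.startswith(MAPPER):
            name = spec[len(MAPPER):]
            referenced.add(name)
            if name not in crypt:
                findings.append(f"{mountpoint}: no crypttab entry named {name!r}")
            elif "noauto" not in crypt[name]:
                findings.append(f"{mountpoint}: crypttab entry {name!r} lacks noauto, so it is unlocked at boot")
        elif spec.startswith("UUID=") and "x-systemd.automount" in options:
            findings.append(f"{mountpoint}: UUID= spec; if this filesystem lives on a LUKS device, "
                            f"systemd cannot find its crypttab entry, use {MAPPER}<name> instead")
    # A noauto crypt device nothing in fstab pulls in is never unlocked (the question's option 2).
    for name, options in crypt.items():
        if "noauto" in options and name not in referenced:
            findings.append(f"crypttab entry {name!r} has noauto but no fstab line references it")
    return findings


# Constructed sample data mirroring the answer's two files.
CRYPTTAB = "mnt-usb-crypt   UUID=<device-uuid>  /path/to/key    luks,noauto\n"
FSTAB_GOOD = "/dev/mapper/mnt-usb-crypt  /mnt/usb  btrfs  defaults,noauto,x-systemd.automount  0  2\n"
FSTAB_BAD = "UUID=<filesystem-uuid>  /mnt/usb  btrfs  defaults,noauto,x-systemd.automount  0  2\n"
```

Run `check_fstab(open("/etc/crypttab").read(), open("/etc/fstab").read())` on a real system to check the live files the same way.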


Author: morxa

Updated on September 18, 2022

Comments

  • morxa
    morxa almost 2 years

    I have an external drive with a LUKS-encrypted partition. As the device is an external USB device and I don't always need it, I only want to decrypt and automount on demand. I can easily automount the filesystem on the decrypted partition with x-systemd.automount in /etc/fstab. However, I cannot decrypt the partition on demand. I've tried two different approaches:

    1. I added the line

      mnt-usb-crypt UUID=<UUID> /path/to/keyfile luks

      to /etc/crypttab. However, now the partition is always decrypted, even if I don't specify a mountpoint in /etc/fstab.

    2. I changed /etc/crypttab and added the noauto option:

      mnt-usb-crypt UUID=<UUID> /path/to/keyfile luks,noauto

      Now, there is no systemd device at all, the expected dev-mapper-mnt-usb.device does not exist.

    According to the manpage of crypttab, there is no option like x-systemd.automount for crypt devices.

    Is there a possibility to configure systemd to decrypt the device only if it is accessed?

    • morxa
      morxa about 9 years
      This is related to this question, but I want a systemd solution.
    • user
      user about 9 years
      Nice first question. Unfortunately, I have a feeling that the answer is "no, that's not possible". A keyfile, noauto and a convenient alias (or similar) is probably about as close as you can get. You might however be able to configure the system to automount the file system when the LUKS device is opened -- that should be possible through udev. Not really what you are asking for, but it does remove at least one of the steps.