systemd: decrypt luks device on access
Option 2 in the question actually works, but you have to use the same name for the crypt device in both /etc/crypttab and /etc/fstab.

/etc/crypttab looks as follows:

```
# <name> <device> <password> <options>
mnt-usb-crypt UUID=<device-uuid> /path/to/key luks,noauto
```

/etc/fstab looks as follows:

```
# <file system> <dir> <type> <options> <dump> <pass>
/dev/mapper/mnt-usb-crypt /mnt/usb btrfs defaults,noauto,x-systemd.automount 0 2
```

Note that if you use the UUID of the decrypted filesystem instead of the path /dev/mapper/mnt-usb-crypt, then systemd cannot determine the device it has to decrypt. But if you use the device name as above, the device is automatically decrypted and mounted as expected.

A different solution would be to explicitly specify a requirement for the systemd crypt device.
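The rule the answer states (the fstab spec must be /dev/mapper/<name> with exactly the <name> used in crypttab, and that entry needs noauto for on-demand opening) is easy to get wrong when editing the two files by hand. The following POSIX shell check is an added example, not part of morxa's answer or of systemd: it takes a crypttab and an fstab as arguments and reports every x-systemd.automount entry that systemd could not resolve to a noauto crypt device. The function names, the sample file contents and the UUIDs in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original answer: a consistency check between
# /etc/crypttab and /etc/fstab for on-demand LUKS mounts. For every fstab
# entry carrying x-systemd.automount it verifies that
#   - the filesystem is referenced as /dev/mapper/<name> rather than by the
#     UUID of the decrypted filesystem (systemd derives the LUKS device to
#     open from the mapper name, so a UUID spec cannot be resolved), and
#   - a crypttab entry with exactly that <name> exists and carries "noauto"
#     (without it the device is opened at boot, not on first access).
# All file paths and sample contents below are constructed for the demo.

# Print one line per inconsistency; prints nothing when everything matches.
crypt_mount_problems() {
    crypttab="$1"; fstab="$2"
    # Drop comments and blank lines, keep <file system>, <dir>, <options>.
    sed -e 's/#.*//' "$fstab" | awk 'NF >= 4 { print $1, $2, $4 }' |
    while read -r spec dir opts; do
        case ",$opts," in
            *,x-systemd.automount,*) ;;
            *) continue ;;            # not an on-demand mount: nothing to check
        esac
        case "$spec" in
            /dev/mapper/*)
                name=${spec#/dev/mapper/}
                # crypttab fields: <name> <device> <password> <options>
                entry=$(sed -e 's/#.*//' "$crypttab" |
                        awk -v n="$name" '$1 == n { print "found:" $4; exit }')
                case "$entry" in
                    "") echo "$dir: no crypttab entry named '$name' for $spec" ;;
                    *)  copts=${entry#found:}
                        case ",$copts," in
                            *,noauto,*) ;;   # opened only on demand: good
                            *) echo "$dir: crypttab entry '$name' lacks noauto, so it is opened at boot" ;;
                        esac ;;
                esac ;;
            UUID=*|LABEL=*|PARTUUID=*)
                echo "$dir: spec '$spec' names the decrypted filesystem; systemd cannot map it to a crypttab entry, use /dev/mapper/<name>" ;;
            *) ;;                     # plain block device, not a LUKS mapping
        esac
    done
}

# Report the findings and return non-zero when problems were found.
check_crypt_mount() {
    out=$(crypt_mount_problems "$1" "$2")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    echo "ok: every x-systemd.automount entry maps to a noauto crypttab device"
}

# Constructed sample files (not real system files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<'EOF'
# <name>        <device>                                   <password>    <options>
mnt-usb-crypt   UUID=11111111-2222-3333-4444-555555555555  /path/to/key  luks,noauto
backup-crypt    UUID=66666666-7777-8888-9999-000000000000  /path/to/key  luks
EOF
cat > "$demo_dir/fstab.good" <<'EOF'
/dev/mapper/mnt-usb-crypt  /mnt/usb  btrfs  defaults,noauto,x-systemd.automount  0 2
EOF
cat > "$demo_dir/fstab.bad" <<'EOF'
# UUID of the decrypted filesystem: systemd cannot tell which LUKS device to open
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee  /mnt/usb     btrfs  defaults,noauto,x-systemd.automount  0 2
# mapper name that matches no crypttab entry
/dev/mapper/mnt-usb                        /mnt/usb2    ext4   defaults,noauto,x-systemd.automount  0 2
# crypttab entry exists but lacks noauto, so it is opened at boot anyway
/dev/mapper/backup-crypt                   /mnt/backup  ext4   defaults,noauto,x-systemd.automount  0 2
EOF

check_crypt_mount "$demo_dir/crypttab" "$demo_dir/fstab.good"
check_crypt_mount "$demo_dir/crypttab" "$demo_dir/fstab.bad" || true
```

Run against the real files with `check_crypt_mount /etc/crypttab /etc/fstab`; a non-zero exit means at least one automount entry will fail or will open the LUKS device at boot rather than on access. The check deliberately ignores fstab lines without x-systemd.automount, since those are outside the on-demand scenario the answer describes.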
morxa
Updated on September 18, 2022

Comments
- morxa (almost 2 years ago):

I have an external drive with a LUKS-encrypted partition. As the device is an external USB device and I don't always need it, I only want to decrypt and automount on demand. I can easily automount the filesystem on the decrypted partition with x-systemd.automount in /etc/fstab. However, I cannot decrypt the partition on demand. I've tried two different approaches:

1. I added the line

```
mnt-usb-crypt UUID=<UUID> /path/to/keyfile luks
```

to /etc/crypttab. However, now the partition is always decrypted, even if I don't specify a mountpoint in /etc/fstab.

2. I changed /etc/crypttab and added the noauto option:

```
mnt-usb-crypt UUID=<UUID> /path/to/keyfile luks,noauto
```

Now, there is no systemd device at all; the expected dev-mapper-mnt-usb.device does not exist.

According to the manpage of crypttab, there is no option like x-systemd.automount for crypt devices. Is there a possibility to configure systemd to decrypt the device only if it is accessed?
- morxa (about 9 years ago): This is related to this question, but I want a systemd solution.

- user (about 9 years ago): Nice first question. Unfortunately, I have a feeling that the answer is "no, that's not possible". A keyfile, noauto and a convenient alias (or similar) is probably about as close as you can get. You might however be able to configure the system to automount the file system when the LUKS device is opened -- that should be possible through udev. Not really what you are asking for, but it does remove at least one of the steps.