Stefan's blag and stuff

Blog – LUKS mount helper script

The Setup

You have an external (usb) hard drive with at least one LUKS encrypted partition. The hard drive isn't connected to your computer every time you boot your system, because it's only a backup drive or your computer is a notebook, …
Also you have a mostly recent linux distro installed and don't want to use the decrypt pop-up window which may appear automatically if you plug in your drive, because you are an enthusiastic bash user.

The Problem: LUKS needs 2 commands to mount external usb drive

To mount a LUKS encrypted file system you have to type two commands. First you mount the LUKS container to a file e.g. /dev/mapper/drive and then the actual file system. An example:

$ cryptsetup luksOpen /dev/disk/by-id/ata-xxx-part1 drive
$ mount /dev/mapper/drive /mnt/usbdrive -t btrfs

Truecrypt needs one command

In my truecrypt setup a single shell command was sufficient, because you can use the truecrypt file system type in the /etc/fstab as follows:

# <fs>                          <mountpoint>    <type>          <opts>          <dump/pass>
/dev/disk/by-id/ata-xxx-part1   /mnt/usbdrive   truecrypt       defaults,noauto 0 2

If this line is in your fstab, you can mount the truecrypt volume with the command

$ mount /mnt/usbdrive

and after typing your password (and maybe retype it, because you use long and complex passwords to protect your data ;-) everything is fine and everyone is happy.

Mounting LUKS containers with a single shell command

Now we want to do the same with your LUKS encrypted file system. Since I didn't found a way to do this with the standard mount-tool, /etc/fstab and maybe /etc/crypttab, I wrote a little mount helper script.

Here is a short tutorial:

  1. First download the script mount.myluks (Right click -> Save As), start a root shell and move this file to /sbin/mount.myluks and set the execution bits with the shell command

    $ chmod +x /sbin/mount.myluks

    The name myluks will be a new file system type we use in the /etc/fstab. (If you have truecrypt installed, there may be also /sbin/mount.truecrypt file. This was called in the setup described above.)

  2. Now plug in your external hard drive with the encrypted LUKS container and look for the appropriate file in /dev/disk/by-id/. Executing

    $ ls -l /dev/disk/by-id/

    may help you, because the argument '-l' shows the link targets.

  3. After this you edit /etc/fstab, add the line

    # <fs>              <mountpoint>    <type>      <opts>                              <dump/pass>
    SOURCE              DEST            myluks      defaults,noauto,name=NAME,type=TYPE 0 2
    

    and fill the 4 placeholders:

    • SOURCE the encrypted block device / LUKS container. This is the filepath to a partition in /dev/disk/by-id/. e.g.: "/dev/disk/by-id/ata-xxx-part1"
    • DEST the mountpoint to file system e.g. "/mnt/usbdrive"
    • NAME is the device mapper name; will be the unencryptend partition /dev/mapper/NAME.
    • TYPE is the file system type. e.g. "btrfs", "ext3", "ext4", "reiserfs"

    A working configuration example is

    # <fs>                        <mountpoint>  <type> <opts>                                <dump/pass>
    /dev/disk/by-id/ata-xxx-part1 /mnt/usbdrive myluks defaults,noauto,name=drive,type=btrfs 0 2
    

That's all. Now you can mount your external hard drive with the single command mount DEST, an example:

$ mount /mnt/usbdrive

Notes:

  1. I use disk-ids to identify my external hard drives e.g. /dev/disk/by-id/ata-xxx-part1. These are symbolic links to real block devices like e.g. /dev/sdb1. The advantage is mainly that these disc ids and links will be the same for the same hard drive. Whereas the /dev/s* or /dev/h* filenames may change every time you plug in your usb hard drive.
    You can't use the UUIDs to mount encrypted file system (these are accessible in folder /dev/by-uuid/* or with the "UUID=...." syntax in /etc/fstab). The reason is that UUIDs are a feature of file systems. It's stored in the partition itself, not in the partition table and the whole partition becomes encrypted with LUKS. The UUID isn't visible before the container is opened with cryptsetup luksOpen. But for our purposes we need an identification for the usb drive as soon as it's pluged into the machine and before we entered any password, since we want to call mount to mount and then to type the password.
  2. If you encounter any problems or have a suggestions, please send a mail to contact@stefanchrist.eu

Information: