[SOLVED] How to auto-mount an encrypted non-system partition?

Post by JayM » Fri Mar 15, 2019 1:49 am

I'm having trouble figuring out how to mount my LUKS-encrypted second hard drive at boot instead of having to decrypt it and mount it in Thunar when I want to use it. The problem with doing it that way is that if the drive isn't mounted when I log in, my Sensor panel plugin doesn't detect it and I have to remove/reinstall the plugin after mounting the drive so I can monitor its temperature. So I need it to automatically decrypt and mount either at boot-time or when I log in, before my desktop and panel load. It's not a system partition, it's just a volume that I use for backups and for extra storage to keep my system disk from getting too full (if $HOME starts filling up I move stuff over to the second drive, which is twice the size of my system disk.) I added the second drive after MX was installed and LUKS-encrypted it with Zulucrypt.

My fstab:

Code:

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>

#Entry for /dev/dm-0 :
UUID=06bc2e07-51e2-42e4-9e14-f5996efb41a8	/	ext4	defaults,noatime	1	1
#Entry for /dev/sdb1 :
UUID=12af7830-618c-4567-a84d-03a7bd3fe7d4	/boot	ext4	defaults,noatime	1	1
#Entry for /dev/dm-2 :
UUID=dcee786d-d836-4666-86bf-4d28433a0520	/media/jay/seagate-1tb	ext4	defaults,nosuid,nodev,relatime,data=ordered	0	0
#Entry for /dev/dm-1 :
UUID=d001e0f7-8493-49ef-99ce-2249745a4a36	swap	swap	defaults	0	0

My crypttab:

Code:

rootfs /dev/disk/by-uuid/b3ee9920-8de0-420a-9ea6-81cd6f5476af none luks 
swapfs /dev/disk/by-uuid/b5ea0250-1df2-445d-977a-95129b2ca787 /root/keyfile luks,nofail 
luks-93729c04-c99e-41fa-9fd0-83587a8ae445 /dev/disk/by-uuid/dcee786d-d836-4666-86bf-4d28433a0520 none luks

The third line in crypttab was added by me to try to get this to auto-mount. The entry for the drive (dm2) already existed in fstab, I just changed the mount point there instead of it being named after the UUID. I prefer a mount directory name that's more human-understandable and shorter. It works when I decrypt and mount the drive in Thunar.

The contents of /dev/mapper:

Code:

control  luks-93729c04-c99e-41fa-9fd0-83587a8ae445  rootfs  swapfs

The contents of /dev/disk/by-uuid:

Code:

06bc2e07-51e2-42e4-9e14-f5996efb41a8  b5ea0250-1df2-445d-977a-95129b2ca787
12af7830-618c-4567-a84d-03a7bd3fe7d4  d001e0f7-8493-49ef-99ce-2249745a4a36
93729c04-c99e-41fa-9fd0-83587a8ae445  dcee786d-d836-4666-86bf-4d28433a0520
b3ee9920-8de0-420a-9ea6-81cd6f5476af

The results of running lsblk -f with the drive mounted:

Code:

NAME                  FSTYPE      LABEL  UUID                                 MOUNTPOINT
sda                   crypto_LUKS        93729c04-c99e-41fa-9fd0-83587a8ae445 
└─luks-93729c04-c99e-41fa-9fd0-83587a8ae445
                      ext4               dcee786d-d836-4666-86bf-4d28433a0520 /media/jay/seagate-1tb
sdb                                                                           
├─sdb1                ext4        bootwd 12af7830-618c-4567-a84d-03a7bd3fe7d4 /boot
├─sdb2                crypto_LUKS        b3ee9920-8de0-420a-9ea6-81cd6f5476af 
│ └─rootfs                                                                    /
└─sdb3                crypto_LUKS        b5ea0250-1df2-445d-977a-95129b2ca787 
  └─swapfs            swap        swapMX d001e0f7-8493-49ef-99ce-2249745a4a36 [SWAP]

/media/jay/seagate-1tb exists and I am owner. Permissions:

Code:

drwxr-xr-x 14 jay jay 4096 Mar 14 15:36 seagate-1tb

"Enable mounting of internal drives by non-root users" is enabled in MX Tweaks.

Note: sdb is my system drive and sda is the backup/storage drive because my SATA cables are connected backwards and I haven't gotten around to moving them (the PC's SATA1 cable is connected to the 1TB backup drive and the SATA2 cable to the 500GB MX system drive.)
Last edited by JayM on Fri Mar 15, 2019 4:03 am, edited 1 time in total.
OS: MX-18.2 x64. Kernel: 4.9.170-antix.1-amd64-smp x86_64. CPU: AMD Athlon 64 X2 5000+ 2.6GHz. GPU: AMD RS780 (Radeon HD 3200). Mobo: ASRock A780GM-LE. BIOS: AMI P1.50 (5/25/2010). HDDs: Gigabyte 120GB SSD+Seagate 1TB. RAM: 8GB (2x4GB) DDR2-800

Post by JayM » Fri Mar 15, 2019 4:03 am

I got it working by myself. These entries in crypttab and fstab respectively make it ask for the second drive's passphrase during the boot process, my sensor plugin in the panel detects it now, and I can access the drive in Thunar without being prompted for the password (which isn't a security issue as this is a single-user PC anyway):

Code:

rootfs /dev/disk/by-uuid/b3ee9920-8de0-420a-9ea6-81cd6f5476af none luks 
swapfs /dev/disk/by-uuid/b5ea0250-1df2-445d-977a-95129b2ca787 /root/keyfile luks,nofail 
luks /dev/disk/by-uuid/93729c04-c99e-41fa-9fd0-83587a8ae445 none luks

Code:

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>

#Entry for /dev/dm-0 :
UUID=06bc2e07-51e2-42e4-9e14-f5996efb41a8	/	ext4	defaults,noatime	1	1
#Entry for /dev/sdb1 :
UUID=12af7830-618c-4567-a84d-03a7bd3fe7d4	/boot	ext4	defaults,noatime	1	1
#Entry for /dev/dm-2 :
UUID=93729c04-c99e-41fa-9fd0-83587a8ae445	/media/jay/seagate-1tb	ext4	defaults,nosuid,nodev,relatime,data=ordered	0	0
#Entry for /dev/dm-1 :
UUID=d001e0f7-8493-49ef-99ce-2249745a4a36	swap	swap	defaults	0	0

1. The line I'd added in crypttab had incorrect syntax. I found an example online and made mine look like that one.
2. The drive's UUID in fstab, which was put there by the system not by me, was incorrect also. This puzzles me as the drive would mount fine in Thunar, and as I say I didn't manually edit fstab and add that. (I edited it today, but I found that old, incorrect UUID already there when I started trying to make this work yesterday, and I assumed it was correct. Very odd.)

Edit: oh, now I see what happened and why. The incorrect UUID in yesterday's fstab is the UUID of the decrypted ext4 partition, not that of its parent crypto_LUKS volume. New lsblk -f results (remember, sda is the non-system volume):

Code:

NAME       FSTYPE      LABEL  UUID                                 MOUNTPOINT
sda        crypto_LUKS        93729c04-c99e-41fa-9fd0-83587a8ae445 
└─luks     ext4               dcee786d-d836-4666-86bf-4d28433a0520 
sdb                                                                
├─sdb1     ext4        bootwd 12af7830-618c-4567-a84d-03a7bd3fe7d4 /boot
├─sdb2     crypto_LUKS        b3ee9920-8de0-420a-9ea6-81cd6f5476af 
│ └─rootfs                                                         /
└─sdb3     crypto_LUKS        b5ea0250-1df2-445d-977a-95129b2ca787 
  └─swapfs swap        swapMX d001e0f7-8493-49ef-99ce-2249745a4a36 [SWAP]

It was probably put there after I decrypted the volume in Thunar so MX could then mount the drive. You have to have the UUID of the crypto_LUKS volume in fstab for it to prompt you for its passphrase during boot, decrypt it and mount it, not the UUID of the already-decrypted ext4 partition, which it can't mount during boot because, hey, it hasn't been decrypted yet so MX can't access it to mount it. That explains that. :smile:

Post by JayM » Fri Mar 15, 2019 10:04 pm

Update 3: It was working, but it was mounting the decrypted ext4 partition, UUID dcee786d-d836-4666-86bf-4d28433a0520, in a directory named after the UUID and I don't want that. I think the original fstab entry was correct after all, because the volume that gets mounted is the decrypted one, not the crypto_LUKS one, so the way all this works is:

1. Crypttab contains information about encrypted volumes to be unlocked/decrypted at boot
2. Fstab contains information about unencrypted and already-unlocked volumes to be mounted at boot

So crypttab has to have an entry for the crypto_LUKS UUID 93729c04-c99e-41fa-9fd0-83587a8ae445 so it will prompt for its passphrase and decrypt during boot, and fstab needs an entry for UUID dcee786d-d836-4666-86bf-4d28433a0520 so it can mount the decrypted volume where I tell it to rather than creating its own mount point named after that UUID.

Code:

sda        crypto_LUKS        93729c04-c99e-41fa-9fd0-83587a8ae445 
└─luks     ext4               dcee786d-d836-4666-86bf-4d28433a0520 /media/jay/seagate-1tb
sdb                                                                
├─sdb1     ext4        bootwd 12af7830-618c-4567-a84d-03a7bd3fe7d4 /boot
├─sdb2     crypto_LUKS        b3ee9920-8de0-420a-9ea6-81cd6f5476af 
│ └─rootfs                                                         /
└─sdb3     crypto_LUKS        b5ea0250-1df2-445d-977a-95129b2ca787 
  └─swapfs swap        swapMX d001e0f7-8493-49ef-99ce-2249745a4a36 [SWAP]
jay@mx:~

(As you can tell, I'm kind of new at dealing with crypttab plus I'm a bit rusty at fstab, but I managed to figure it out on my own. After I posted here for help, of course. It's always the way, you post and ask a question and only then do you find or figure out the answer.)
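
Added example, not part of the original thread: the rule worked out in the post above (crypttab names the crypto_LUKS container, fstab names the filesystem inside it) written as a shell check. The sample files are constructed from the UUIDs shown in the thread; the function names and the layout of the `types` table are assumptions of this example.

```shell
#!/bin/sh
# check_tabs CRYPTTAB FSTAB TYPES: print one line per mismatch, return 1 if any.
# TYPES holds "UUID FSTYPE" pairs; on a live system: lsblk -rno UUID,FSTYPE
check_tabs() {
    awk -v crypttab="$1" -v fstab="$2" '
        FILENAME == ARGV[1] { if (NF == 2) fstype[$1] = $2; next }  # load TYPES
        /^[ \t]*(#|$)/ { next }                     # skip comments, blank lines
        FILENAME == crypttab {
            # Field 2 is the source device: it must be the LUKS container.
            uuid = $2; sub("^(/dev/disk/by-uuid/|UUID=)", "", uuid)
            t = (uuid in fstype) ? fstype[uuid] : "unknown"
            if (t != "crypto_LUKS") {
                print "crypttab: " $1 " source " uuid " is " t ", not crypto_LUKS"
                bad = 1
            }
            next
        }
        FILENAME == fstab && $1 ~ /^UUID=/ {
            # Field 1 must be the filesystem inside the container.
            uuid = substr($1, 6)
            if ((uuid in fstype) && fstype[uuid] == "crypto_LUKS") {
                print "fstab: " $2 " uses crypto_LUKS UUID " uuid
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$3" "$1" "$2"
}

# Constructed sample data, built from the UUIDs shown in the thread.
make_samples() {
    L=93729c04-c99e-41fa-9fd0-83587a8ae445   # crypto_LUKS container
    F=dcee786d-d836-4666-86bf-4d28433a0520   # ext4 filesystem inside it
    printf '%s crypto_LUKS\n%s ext4\n' "$L" "$F" > "$1/types"
    echo "luks-$L /dev/disk/by-uuid/$F none luks" > "$1/crypttab.first"
    echo "luks /dev/disk/by-uuid/$L none luks"    > "$1/crypttab.fixed"
    echo "UUID=$L /media/jay/seagate-1tb ext4 defaults 0 0" > "$1/fstab.second"
    echo "UUID=$F /media/jay/seagate-1tb ext4 defaults 0 0" > "$1/fstab.fixed"
}

demo() {
    d=$(mktemp -d) && make_samples "$d"
    check_tabs "$d/crypttab.first" "$d/fstab.fixed"  "$d/types" || true
    check_tabs "$d/crypttab.fixed" "$d/fstab.second" "$d/types" || true
    check_tabs "$d/crypttab.fixed" "$d/fstab.fixed"  "$d/types" && echo "consistent"
    rm -rf "$d"
}
demo
```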

Post by truscellino » Mon Apr 15, 2019 12:17 pm

Hi, not sure what your problem is at this point. I thought you were initially trying to get your volume automatically mounted at boot, without entering password manually?
For that, you need to
  • create a key (via dd)
  • assign it to your encrypted volume (via cryptsetup)
  • amend the corresponding line in /etc/crypttab so that cryptsetup can open the volume automatically
The key is specified in the third field of /etc/crypttab
https://manpages.debian.org/stretch/cry ... .5.en.html

Code:

rootfs /dev/disk/by-uuid/b3ee9920-8de0-420a-9ea6-81cd6f5476af none luks 
swapfs /dev/disk/by-uuid/b5ea0250-1df2-445d-977a-95129b2ca787 /root/keyfile luks,nofail 
luks /dev/disk/by-uuid/93729c04-c99e-41fa-9fd0-83587a8ae445 none luks

As I can see from your crypttab file, the "none" keyword means that you need to enter the password manually. If you want an automatic decryption, "none" would be replaced by the location of the key... for your swap this has been done already, and the key is /root/keyfile.
Not sure I am understanding what you are trying to achieve though?
Cheers, Marc
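
Added example, not part of the original post: the three steps listed above as shell functions. The function names and the keyfile path /root/seagate.key are hypothetical. A keyfile is only as protected as the volume that holds it, so it is created readable by its owner only and is meant to sit on the encrypted root filesystem.

```shell
#!/bin/sh
# Step 1. make_keyfile PATH: 4096 random bytes, mode 0400 from creation on.
make_keyfile() {
    if [ -e "$1" ]; then echo "refusing to overwrite $1" >&2; return 1; fi
    ( umask 377 && dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null )
}

# Step 2. enroll_keyfile DEVICE KEYFILE: add the key to a free LUKS key slot.
# Needs root and asks for an existing passphrase, so the demo does not call it.
enroll_keyfile() {
    cryptsetup luksAddKey "$1" "$2"
}

# Step 3. crypttab_set_key FILE NAME KEY: print FILE with field 3 of mapping
# NAME replaced by KEY, leaving comments and other mappings untouched.
crypttab_set_key() {
    awk -v name="$2" -v key="$3" '
        $1 == name && NF >= 3 { $3 = key }
        { print }
    ' "$1"
}

# Demo on constructed data: a scratch directory stands in for /root and /etc.
demo() {
    d=$(mktemp -d) || return 1
    make_keyfile "$d/seagate.key" || return 1
    cat > "$d/crypttab" <<'EOF'
swapfs /dev/disk/by-uuid/b5ea0250-1df2-445d-977a-95129b2ca787 /root/keyfile luks,nofail
luks /dev/disk/by-uuid/93729c04-c99e-41fa-9fd0-83587a8ae445 none luks
EOF
    ls -l "$d/seagate.key"
    crypttab_set_key "$d/crypttab" luks /root/seagate.key   # hypothetical path
    rm -rf "$d"
}
demo
```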

Post by JayM » Wed Apr 17, 2019 5:08 am

I was trying to get my second, encrypted drive to prompt me for its passphrase during boot and mount it then rather than later on when I clicked on the volume in Thunar after the system was running and I was logged in. I don't want it to automatically enter the passphrase or key for me. I prefer having some manual control over that. It's working the way I want it to now, except the volume's name in crypttab is simply "luks" and I haven't gotten around to changing it to something more descriptive of the drive yet.

Edit: edited crypttab, and also finally got around to rolling my SATA cables so the drives would be in their proper order:

Code:

$ lsblk -f
NAME          FSTYPE      LABEL  UUID                                 MOUNTPOINT
sda                                                                   
├─sda1        ext4        bootwd 12af7830-618c-4567-a84d-03a7bd3fe7d4 /boot
├─sda2        crypto_LUKS        b3ee9920-8de0-420a-9ea6-81cd6f5476af 
│ └─rootfs                                                            /
└─sda3        crypto_LUKS        b5ea0250-1df2-445d-977a-95129b2ca787 
  └─swapfs    swap        swapMX d001e0f7-8493-49ef-99ce-2249745a4a36 [SWAP]
sdb           crypto_LUKS        93729c04-c99e-41fa-9fd0-83587a8ae445 
└─seagate-1tb ext4               dcee786d-d836-4666-86bf-4d28433a0520 /media/jay/seagate-1tb