Automount LUKS Encrypted Device in Linux - kifarunix.com (2024)

In this tutorial, you will learn how to automount a LUKS encrypted device in Linux on system startup. A LUKS device is not unlocked and mounted at boot unless you configure it to be. However, if you enabled device encryption with LUKS during system installation, automounting is usually already set up, and the device mounts once you supply the correct drive encryption passphrase.

Please note that, security-wise, automounting an encrypted device might not be a good practice, IMO.

In our previous tutorial, we learnt how to encrypt a disk partition with LUKS in Linux. We will be using the same device to demonstrate how to automount a LUKS encrypted device in Linux.

The command below lists the block devices, including the one that we will use to demonstrate the auto-mounting procedure.

lsblk
NAME                                          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0   15G  0 disk
├─sda1                                          8:1    0   13G  0 part  /
├─sda2                                          8:2    0    1K  0 part
└─sda5                                          8:5    0    2G  0 part  [SWAP]
sdb                                             8:16   0    4G  0 disk
└─sdb1                                          8:17   0    4G  0 part
  └─luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 254:0    0    4G  0 crypt

Create LUKS Key File

With LUKS encryption, you can unlock the device by interactively supplying the passphrase or automatically specifying a key file containing the passphrase to unlock the drive.

To automount a LUKS encrypted device in Linux, you need to use a key file containing the passphrase.

To create the LUKS key file, you use the dd command as follows.

dd if=/dev/random of=/etc/.crypt-me bs=32 count=1

So, we use the /etc/.crypt-me file as our LUKS key file; you can use a different file. The command above fills the key file with random data, as shown by the command below;

xxd /etc/.crypt-me
00000000: 62cc f2b2 b431 fdb5 d908 8cfd b6c5 b27d  b....1.........}
00000010: f38b 877a 6575 279c 3c20 5b36 a5fa ce7d  ...zeu'.< [6...}

Add a Passphrase to LUKS Key File

Once you have created a LUKS key file, you need to add it as a new key on the LUKS device using the cryptsetup utility:

cryptsetup luksAddKey <device> <path-to-key-file>
cryptsetup luksAddKey /dev/sdb1 /etc/.crypt-me

You will be prompted to enter any existing passphrase.

If the existing passphrase is itself stored in a key file, then use the command below;

cryptsetup luksAddKey <device> <path-to-key-file> --key-file <path-to-existing-passphrase-key-file>
cryptsetup luksAddKey /dev/sdb1 /etc/.crypt-me --key-file ~/luks-key

The device now has two key slots in use, as per our setup. To confirm, print the device details.

cryptsetup luksDump /dev/sdb1
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           242c24d8-ac65-413d-b3a2-eb7f2f0993b0
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  4
        Memory:     1003317
        Threads:    2
        Salt:       b3 c8 b0 69 db 38 cb bd 1c 58 d0 a2 8a b8 92 12 05 47 ca dd c7 3d dd 94 c0 f7 51 04 12 fb 3a 56
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2i
        Time cost:  4
        Memory:     984615
        Threads:    2
        Salt:       17 9c 29 fc 61 a2 a4 b0 8b 10 42 6d 51 a0 5b 37 77 18 ef db 05 40 79 71 79 88 0a b1 85 41 ee 41
        AF stripes: 4000
        AF hash:    sha256
        Area offset:290816 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 133338
        Salt:       e1 9b 70 5e 87 25 46 d6 08 20 43 60 6c ae 2c 06 42 fa 61 32 f0 fc ca 5f 10 f9 3d 63 dd 22 a4 96
        Digest:     e9 62 ab 83 4c 3c 81 88 52 08 42 9b 47 c2 e1 b6 d5 8a 59 88 5c 17 02 54 c4 89 36 7e 5f e0 f5 ec

Verify that you can unlock the disk with the key file you created, using the command;

cryptsetup luksOpen <device> <name> --key-file <path-to-key-file>

If the drive is already opened, then close it first;

cryptsetup -v luksClose luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 

Next, verify the new key file can unlock the LUKS drive;

cryptsetup -v luksOpen /dev/sdb1 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 --key-file /etc/.crypt-me

Sample output;

Key slot 1 unlocked.
Command successful.

Automount LUKS Encrypted Device in Linux on System Startup

Update crypttab file with device information

Next, you need to add an entry to /etc/crypttab describing the information about the LUKS encrypted device that you need to automount.

An entry in /etc/crypttab should look like;

<target name> <source device> <key-file> <options>

Where:

  • target name: describes the mapped device name. For example, if your device mapping is /dev/mapper/name, then name is the required target.
  • source device: describes either the block special device or file that contains the encrypted data. This is specified using UUID=<uuid>, or LABEL=<label>, PARTUUID=<partuuid> or PARTLABEL=<partlabel>.

You can obtain the UUID, PARTUUID using the blkid command. For example:

blkid /dev/sdb1
/dev/sdb1: UUID="242c24d8-ac65-413d-b3a2-eb7f2f0993b0" TYPE="crypto_LUKS" PARTUUID="629e6177-01"

To obtain the LABEL, use lsblk command;

lsblk -f /dev/sdb1
NAME                                          FSTYPE      LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINT
sdb1                                          crypto_LUKS       242c24d8-ac65-413d-b3a2-eb7f2f0993b0
└─luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0   ext4              e940b45b-dbc8-4c40-aaa5-9acf9fcb2119

Also, you can obtain the UUID using the command below;

cryptsetup luksDump /dev/sdb1 | grep "UUID"
  • key file: describes the file to use as a key for decrypting the data of the source device. Note that the passphrase must not be followed by a newline character.
  • options: describes the cryptsetup options associated with the encryption process. At minimum, the field should contain either the string luks, the string tcrypt, or the cipher, hash and size options. Options are in the format: key=value [,key=value …].

Consult man crypttab for more information.

Therefore, this is how our device entry looks in the /etc/crypttab file.

luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 UUID="242c24d8-ac65-413d-b3a2-eb7f2f0993b0" /etc/.crypt-me luks

Update fstab file with Device information

Next, you need to update the /etc/fstab file with device information as well to define how to mount the LUKS device.

The entry in the /etc/fstab file should take the format;

<file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 /mnt/luks-242c24d8 ext4 defaults,nofail 0 0

Make the changes accordingly.

Ensure the mount point exists.

Verify the mounting using the mount command before you can reboot your system. If all is well, you should see “successfully mounted” for your LUKS device.

mount -av
/                        : ignored
/mnt/luks-242c24d8       : successfully mounted
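
One point the steps above leave implicit: dd run as root under the usual umask of 022 creates /etc/.crypt-me with mode 0644, so any local user can read the key. The pre-reboot check below is an added example, not part of the original tutorial; audit_crypttab and the sample file contents are hypothetical, and it assumes fstab names the volume as /dev/mapper/<target>, as this page does.

```sh
#!/bin/sh
# Added example (not from the original tutorial): pre-reboot audit of the
# crypttab/fstab pair. Assumes fstab names the volume as /dev/mapper/<target>.
# Function name and sample files are hypothetical.

# audit_crypttab CRYPTTAB FSTAB
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_crypttab() (
    crypttab=$1
    fstab=$2
    findings=0
    report() {
        printf '%s: %s\n' "$1" "$2"
        findings=$((findings + 1))
    }

    while read -r target source key opts || [ -n "$target" ]; do
        case $target in ''|'#'*) continue ;; esac       # blank line or comment
        case $key in ''|none|-) continue ;; esac        # interactive passphrase

        if [ ! -f "$key" ]; then
            report "$target" "key file $key is missing or not a regular file"
        else
            # Characters 5-10 of the ls mode string are the group/other bits.
            perm=$(ls -ld "$key" | cut -c5-10)
            [ "$perm" = "------" ] ||
                report "$target" "key file $key is open to group/other ($perm); chmod 0400 it"
            [ -s "$key" ] || report "$target" "key file $key is empty"
        fi

        # The unlocked mapping must also have an fstab line to be mounted.
        fsopts=$(awk -v dev="/dev/mapper/$target" '$1 == dev { print $4; exit }' "$fstab")
        if [ -z "$fsopts" ]; then
            report "$target" "no fstab entry for /dev/mapper/$target"
        else
            case ",$fsopts," in
                *,nofail,*) ;;
                *) report "$target" "fstab entry lacks nofail; a failed unlock can stall boot" ;;
            esac
        fi
    done < "$crypttab"

    [ "$findings" -eq 0 ]
)

# Demo on constructed sample files in a scratch directory (nothing in /etc is read).
demo() {
    d=$(mktemp -d)
    printf 'constructed sample, not a real key' > "$d/.crypt-me"
    chmod 644 "$d/.crypt-me"    # the mode dd leaves behind under umask 022
    printf 'luks-demo UUID="constructed-uuid" %s luks\n' "$d/.crypt-me" > "$d/crypttab"
    printf '/dev/mapper/luks-demo /mnt/luks-demo ext4 defaults 0 0\n' > "$d/fstab"
    audit_crypttab "$d/crypttab" "$d/fstab" || true
    rm -rf "$d"
}
demo
```

On a real system, run it as audit_crypttab /etc/crypttab /etc/fstab; a clean result prints nothing and returns 0.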

You can now reboot your system to confirm the same.

systemctl reboot

Once the reboot is done, check the mounting;

lsblk
NAME                                          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0   15G  0 disk
├─sda1                                          8:1    0   13G  0 part  /
├─sda2                                          8:2    0    1K  0 part
└─sda5                                          8:5    0    2G  0 part  [SWAP]
sdb                                             8:16   0    4G  0 disk
└─sdb1                                          8:17   0    4G  0 part
  └─luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 254:0    0    4G  0 crypt /mnt/luks-242c24d8

Or use df command.

df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
udev           devtmpfs  984M     0  984M   0% /dev
tmpfs          tmpfs     200M  3.1M  197M   2% /run
/dev/sda1      ext4       13G  3.6G  8.5G  30% /
/dev/dm-0      ext4      3.9G   16M  3.7G   1% /mnt/luks-242c24d8

That concludes our guide on how to automount LUKS encrypted device in Linux on system startup.

