How to mount a LUKS encrypted partition on boot
To automatically mount a LUKS encrypted partition on boot, you first have to find out its universally unique identifier (UUID). Open a root shell and enter
$ blkid
The program lists all mounted volumes and their UUIDs. If your LUKS partition is not listed, mount it and enter
$ blkid
again to find out the UUID. The output should look something like this:
/dev/mapper/enc-ext-hdd: UUID="faa852f5-7c53-4656-ac06-00144f0e5e76" TYPE="crypto_LUKS"
/dev/mapper/luks-faa852f5-7c53-4656-ac06-00144f0e5e76: UUID="111413ad-f7f9-4c36-85a9-ef47b10a7b3d" TYPE="ext4"
What you need is the UUID of the crypto_LUKS partition you want to mount automatically, e.g. faa852f5-7c53-4656-ac06-00144f0e5e76. The mapper name of the decrypted partition, e.g. luks-faa852f5-7c53-4656-ac06-00144f0e5e76, is generated automatically.
To mount the LUKS partition on boot, edit the file /etc/crypttab and add the mapper name and UUID of the encrypted partition. By default, the mapper name is luks-<UUID>, but you can give it any name you like. The partition will appear as a device in /dev/mapper/<mapper name>.
Entries in /etc/crypttab are of the form
<mapper name> UUID=<UUID>
so the line to add should look like this:
dec-ext-hdd UUID=faa852f5-7c53-4656-ac06-00144f0e5e76
For more information on /etc/crypttab, see
$ man crypttab
When this is done, create the folder where you want the encrypted partition to be mounted, e.g. /media/ext-hdd, and set its access rights according to your needs. Finally, edit the file /etc/fstab and add the mapper name, mount point, file system type and mount options.
The line to add should look like this:
/dev/mapper/dec-ext-hdd /media/ext-hdd ext4 defaults 1 2
The next time you boot your system you will be prompted for the passphrase and the partition will be mounted to the given mount point. The output of
$ blkid
should now contain
/dev/mapper/enc-ext-hdd: UUID="faa852f5-7c53-4656-ac06-00144f0e5e76" TYPE="crypto_LUKS"
/dev/mapper/dec-ext-hdd: UUID="111413ad-f7f9-4c36-85a9-ef47b10a7b3d" TYPE="ext4"
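A pre-reboot consistency check for the two files edited above, as an added example that is not part of the original post: it reports fstab entries whose /dev/mapper name has no mapping in crypttab, crypttab sources not given as UUID=, and a key file stored on the very volume it is supposed to unlock. The names check_luks_boot and demo and the sample entries (backup, /dev/sdc3, /media/backup/.keyfile, the misspelled dec-ext-hd) are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check crypttab against fstab before rebooting.
# Usage: check_luks_boot [CRYPTTAB] [FSTAB]; prints findings, returns 1 if any.
check_luks_boot() {
    [ -r "${1:-/etc/crypttab}" ] && [ -r "${2:-/etc/fstab}" ] || return 2
    awk -v ct="${1:-/etc/crypttab}" '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    FILENAME == ct {                         # crypttab: name, source, key file
        name[$1] = 1
        if ($2 !~ /^UUID=/)
            print "WARN " $1 ": source " $2 " is not given as UUID=<UUID>"
        if (NF >= 3 && $3 != "none" && $3 != "-") key[$1] = $3
        next
    }
    $1 ~ /^\/dev\/mapper\// {                # fstab: mounts of mapped devices
        m = substr($1, 13)                   # strip the "/dev/mapper/" prefix
        if (m in name) mp[m] = $2
        else print "ERROR fstab mounts " $1 " but crypttab defines no " m
    }
    END {                                    # key file kept on the volume it unlocks
        for (n in key)
            if ((n in mp) && index(key[n], mp[n] "/") == 1)
                print "ERROR " n ": key file " key[n] " is on " mp[n] ", which " n " has to unlock first"
    }' "${1:-/etc/crypttab}" "${2:-/etc/fstab}" | { ! grep . ; }
}

# Constructed sample files (assumptions, not from the post): fstab misspells
# the mapper name, and "backup" keeps its key file on the volume it unlocks.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'dec-ext-hdd UUID=faa852f5-7c53-4656-ac06-00144f0e5e76' \
        'backup /dev/sdc3 /media/backup/.keyfile luks' > "$d/crypttab"
    printf '%s\n' '/dev/mapper/dec-ext-hd /media/ext-hdd ext4 defaults 1 2' \
        '/dev/mapper/backup /media/backup ext4 defaults 1 2' > "$d/fstab"
    rc=0
    check_luks_boot "$d/crypttab" "$d/fstab" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```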
Posted on October 22, 2012, in Command-Line, Configure, Cryptography, Security and tagged Boot, encrypted partition, LUKS, mount. 7 Comments.
How to mount encrypted partition? There is no filesystem detected for it. It cannot be mounted because it is encrypted.
sudo mount /dev/sdc3 tmpmountdir/
mount: you must specify the filesystem type
To mount an encrypted partition manually, you can either use your file browser or cryptsetup. funkym0nk3y wrote an article on how to mount a LUKS partition manually.
Ok. As I see, blkid works for partitions created as LUKS by “cryptsetup luksFormat”, but not created by “cryptsetup create”.
“cryptsetup create” does not create an encrypted partition. It creates a mapping. Have a look at the man page of cryptsetup to get more details. Try to verify whether your device (/dev/sdc3) is really an encrypted LUKS-partition or not. You can use “cryptsetup isLuks /dev/sdc3”. It’ll return true (in my case nothing), if the device is a valid LUKS partition. If the device is not a valid LUKS-device, it’ll print the following message: “Device /dev/sdc3 is not a valid LUKS device.”
I followed your steps but after the reboot the partition is not mounted.
I asked the same question with more details in SO http://askubuntu.com/questions/450895/mount-luks-encrypted-hard-drive-at-boot
Any idea?
Thanks,
Hi zeugor,
as you mentioned in your update on http://askubuntu.com/questions/450895/mount-luks-encrypted-hard-drive-at-boot, the problem is that your keyfile is on the encrypted partition. So in order to access the keyfile you would have to decrypt the partition, which doesn’t work. You have to put the keyfile on an unencrypted partition in order to access it during startup.
Best regards,
h0nk3ym0nk3y