In this tutorial, you will learn how to automount LUKS encrypted device in Linux on system startup. Unless you configure the device to automount, it usually doesn’t by default. However, if you enabled device encryption with LUKS during system install, the automount is usually setup and the device automatically mounts once you supply the correct drive encryption passphrase.<\/p>\n\n\n\n
Please note that security wise, automounting an encrypted device might not be a good practise, IMO.<\/p>\n\n\n\n
In our previous tutorial, we learnt how to encrypt a disk partition with LUKS in Linux<\/a>. We will be using the same device to demonstrate how to automatically mount LUKS Encrypted Device in Linux.<\/p>\n\n\n\n Below command lists the block device that we will use to demonstrate the auto-mounting procedure.<\/p>\n\n\n\n With LUKS encryption, you can unlock the device by interactively supplying the passphrase or automatically specifying a key file containing the passphrase to unlock the drive.<\/p>\n\n\n\n To create the LUKS key file, you use the So, we use the Once you have created a LUKS key file, you need to add a new passphrase to the file using the You will be prompted to enter any existing passphrase.<\/p>\n\n\n\n If you specified the existing passphrase using the key file as well, then use the command below;<\/p>\n\n\n\n For now, the device has two key slots used, as per our setup. To confirm, print the device details.<\/p>\n\n\n\n Verify that you can unlock the disk with the key file created using the command;<\/p>\n\n\n\n If the drive is already opened, then close if first;<\/p>\n\n\n\n Next, verify the new key file can unlock the LUKS drive;<\/p>\n\n\n\n Sample output;<\/p>\n\n\n\n Next, you need to add an entry to An entry in Where:<\/p>\n\n\n\n You can obtain the UUID, PARTUUID using the To obtain the LABEL, use Also, you can obtain the UUID using the command below;<\/p>\n\n\n\n Consult Therefore, this is how our device entry looks on Next, you need to update the The entry in the Make the changes accordingly.<\/p>\n\n\n\n Ensure the mount point exists.<\/p>\n\n\n\n Verify the mounting using the You can now reboot your system to confirm the same.<\/p>\n\n\n\n Once the reboot is done, check the mounting;<\/p>\n\n\n\n Or use That concludes our guide.<\/p>\n\n\n\n How to Use VeraCrypt on Command Line to Encrypt Drives on Ubuntu 18.04<\/a><\/p>\n\n\n\n How to Encrypt Files and Folders with eCryptFS on Ubuntu 18.04<\/a><\/p>\n\n\n\nlsblk<\/code><\/pre>\n\n\n\n\nNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT\nsda 8:0 0 15G 0 disk \n\u251c\u2500sda1 8:1 0 13G 0 part \/\n\u251c\u2500sda2 8:2 0 1K 0 part \n\u2514\u2500sda5 8:5 0 2G 0 part [SWAP]\nsdb 8:16 0 4G 0 disk \n\u2514\u2500sdb1 8:17 0 4G 0 part \n \u2514\u2500luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 254:0 0 4G 0 crypt<\/strong>\n<\/code><\/pre>\n\n\n\nCreate LUKS Key File<\/h3>\n\n\n\n
dd<\/code><\/strong> command as follows.<\/p>\n\n\n\ndd if=\/dev\/random of=\/etc\/.crypt-me bs=32 count=1<\/code><\/pre>\n\n\n\n\/etc\/.crypt-me<\/code><\/strong> file as our LUKS key file, can be a different file for you. The command above fills random data on the key file as evident by the command below;<\/p>\n\n\n\nxxd \/etc\/.crypt-me<\/code><\/pre>\n\n\n\n00000000: 62cc f2b2 b431 fdb5 d908 8cfd b6c5 b27d b....1.........}\n00000010: f38b 877a 6575 279c 3c20 5b36 a5fa ce7d ...zeu'.< [6...}<\/code><\/pre>\n\n\n\nAdd a Passphrase to LUKS Key File<\/h3>\n\n\n\n
cryptsetup<\/code> utility:<\/p>\n\n\n\ncryptsetup luksAddKey <device> <path-to-key-file><\/code><\/pre>\n\n\n\ncryptsetup luksAddKey \/dev\/sdb1 \/etc\/.crypt-me<\/code><\/pre>\n\n\n\ncryptsetup luksAddKey <device> <path-to-key-file> --key-file <path-to-existing-passphrase-key-file><\/code><\/pre>\n\n\n\ncryptsetup luksAddKey \/dev\/sdb1 \/etc\/.crypt-me --key-file ~\/luks-key<\/code><\/pre>\n\n\n\ncryptsetup luksDump \/dev\/sdb1<\/code><\/pre>\n\n\n\n\nLUKS header information\nVersion: \t2\nEpoch: \t4\nMetadata area: \t16384 [bytes]\nKeyslots area: \t16744448 [bytes]\nUUID: \t242c24d8-ac65-413d-b3a2-eb7f2f0993b0\nLabel: \t(no label)\nSubsystem: \t(no subsystem)\nFlags: \t(no flags)\n\nData segments:\n 0: crypt\n\toffset: 16777216 [bytes]\n\tlength: (whole device)\n\tcipher: aes-xts-plain64\n\tsector: 512 [bytes]\n\nKeyslots:\n 0: luks2\n\tKey: 512 bits\n\tPriority: normal\n\tCipher: aes-xts-plain64\n\tCipher key: 512 bits\n\tPBKDF: argon2i\n\tTime cost: 4\n\tMemory: 1003317\n\tThreads: 2\n\tSalt: b3 c8 b0 69 db 38 cb bd 1c 58 d0 a2 8a b8 92 12 \n\t 05 47 ca dd c7 3d dd 94 c0 f7 51 04 12 fb 3a 56 \n\tAF stripes: 4000\n\tAF hash: sha256\n\tArea offset:32768 [bytes]\n\tArea length:258048 [bytes]\n\tDigest ID: 0\n 1: luks2\n\tKey: 512 bits\n\tPriority: normal\n\tCipher: aes-xts-plain64\n\tCipher key: 512 bits\n\tPBKDF: argon2i\n\tTime cost: 4\n\tMemory: 984615\n\tThreads: 2\n\tSalt: 17 9c 29 fc 61 a2 a4 b0 8b 10 42 6d 51 a0 5b 37 \n\t 77 18 ef db 05 40 79 71 79 88 0a b1 85 41 ee 41 \n\tAF stripes: 4000\n\tAF hash: sha256\n\tArea offset:290816 [bytes]\n\tArea length:258048 [bytes]\n\tDigest ID: 0<\/strong>\nTokens:\nDigests:\n 0: pbkdf2\n\tHash: sha256\n\tIterations: 133338\n\tSalt: e1 9b 70 5e 87 25 46 d6 08 20 43 60 6c ae 2c 06 \n\t 42 fa 61 32 f0 fc ca 5f 10 f9 3d 63 dd 22 a4 96 \n\tDigest: e9 62 ab 83 4c 3c 81 88 52 08 42 9b 47 c2 e1 b6 \n\t d5 8a 59 88 5c 17 02 54 c4 89 36 7e 5f e0 f5 ec\n<\/code><\/pre>\n\n\n\ncryptsetup luksOpen <device> <name> --key-file <path-to-key-file><\/code><\/pre>\n\n\n\ncryptsetup -v luksClose luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 <\/code><\/pre>\n\n\n\ncryptsetup -v luksOpen \/dev\/sdb1 luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 --key-file \/etc\/.crypt-me<\/code><\/pre>\n\n\n\nKey slot 1 unlocked.\nCommand successful.<\/code><\/pre>\n\n\n\nAutomount LUKS Device on System Startup<\/h3>\n\n\n\n
Update crypttab file with device information<\/h4>\n\n\n\n
\/etc\/crypttab<\/code> describing the information about the LUKS encrypted device that you need to automount.<\/p>\n\n\n\n\/etc\/crypttab<\/strong><\/code> should look like;<\/p>\n\n\n\n<target name> <source device> <key-file> <options><\/code><\/pre>\n\n\n\n\n
target name<\/code><\/strong>: describes the mapped device name. For example, if your device mapping is \/dev\/mapper\/name<\/strong><\/code>, then name<\/strong><\/code> is the required target.<\/li>\n\n\n\nsource device<\/code><\/strong>: describes either the block special device or file that contains the encrypted data. This is specified using UUID=<uuid>, or LABEL=<label>, PARTUUID=<partuuid> or PARTLABEL=<partlabel>.<\/li>\n<\/ul>\n\n\n\nblkid<\/code><\/strong> command. For example:<\/p>\n\n\n\nblkid \/dev\/sdb1<\/code><\/pre>\n\n\n\n\/dev\/sdb1: UUID=\"242c24d8-ac65-413d-b3a2-eb7f2f0993b0\"<\/strong> TYPE=\"crypto_LUKS\" PARTUUID=\"629e6177-01\"<\/strong><\/code><\/pre>\n\n\n\nlsblk<\/strong><\/code> command;<\/p>\n\n\n\nlsblk -f \/dev\/sdb1<\/code><\/pre>\n\n\n\n\nNAME FSTYPE LABEL UUID FSAVAIL FSUSE% MOUNTPOINT\nsdb1 crypto_LUKS 242c24d8-ac65-413d-b3a2-eb7f2f0993b0 \n\u2514\u2500luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 ext4 e940b45b-dbc8-4c40-aaa5-9acf9fcb2119<\/strong>\n<\/code><\/pre>\n\n\n\ncryptsetup luksDump \/dev\/sdb1 | grep \"UUID\"<\/code><\/pre>\n\n\n\n\n
key file<\/code><\/strong>: describes the file to use as a key for decrypting the data of the source device. Note that the passphrase must not be followed by a newline character.<\/li>\n\n\n\noptions<\/code><\/strong>: describes the cryptsetup options associated with the encryption process. At minimum, the field should contain either the string luks respectively tcrypt or the cipher, hash and size options. Options are in the format: key=value [,key=value \u2026]<\/code><\/strong>.<\/li>\n<\/ul>\n\n\n\nman crypttab<\/code><\/strong> for more information.<\/p>\n\n\n\n\/etc\/crypttab<\/strong><\/code> file.<\/p>\n\n\n\nluks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 UUID=\"242c24d8-ac65-413d-b3a2-eb7f2f0993b0\" \/etc\/.crypt-me luks<\/code><\/pre>\n\n\n\nUpdate fstab file with Device information<\/h4>\n\n\n\n
\/etc\/fstab<\/code><\/strong> file with device information as well to define how to mount the LUKS device.<\/p>\n\n\n\n\/etc\/fstab<\/code><\/strong> file should take the format;<\/p>\n\n\n\n<file system> <mount point> <type> <options> <dump> <pass><\/code><\/pre>\n\n\n\n\/dev\/mapper\/luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 \/mnt\/luks-242c24d8 ext4 defaults,nofail 0 0<\/code><\/pre>\n\n\n\nmount<\/code> command before you can reboot your system. If all is well, you should see “successfully mounted”<\/strong> for your LUKS device.<\/p>\n\n\n\nmount -av<\/code><\/pre>\n\n\n\n\/ : ignored\n\/mnt\/luks-242c24d8 : successfully mounted<\/code><\/pre>\n\n\n\nsystemctl reboot<\/code><\/pre>\n\n\n\nlsblk<\/code><\/pre>\n\n\n\n\nNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT\nsda 8:0 0 15G 0 disk \n\u251c\u2500sda1 8:1 0 13G 0 part \/\n\u251c\u2500sda2 8:2 0 1K 0 part \n\u2514\u2500sda5 8:5 0 2G 0 part [SWAP]\nsdb 8:16 0 4G 0 disk \n\u2514\u2500sdb1 8:17 0 4G 0 part \n \u2514\u2500luks-242c24d8-ac65-413d-b3a2-eb7f2f0993b0 254:0 0 4G 0 crypt \/mnt\/luks-242c24d8<\/strong>\n<\/code><\/pre>\n\n\n\ndf<\/code> command.<\/p>\n\n\n\ndf -hT<\/code><\/pre>\n\n\n\n\nFilesystem Type Size Used Avail Use% Mounted on\nudev devtmpfs 984M 0 984M 0% \/dev\ntmpfs tmpfs 200M 3.1M 197M 2% \/run\n\/dev\/sda1 ext4 13G 3.6G 8.5G 30% \/\n\/dev\/dm-0 ext4 3.9G 16M 3.7G 1% \/mnt\/luks-242c24d8<\/strong>\n<\/code><\/pre>\n\n\n\nOther tutorials;<\/h3>\n\n\n\n