How to auto mount LUKS device (encrypted partition) using fstab in Linux


LUKS, Linux, Security

In my last article I had shared the steps to encrypt a partition using LUKS. Now in this article I will continue with LUKS disk encryption and will share the steps to auto mount LUKS device with and without encrypt key during boot up of the Linux node. If you have not enabled auto mount using secret key then you can use LUKS passphrase to manually mount the encrypted partition.

 

Below are some more articles on LUKS based Disk Encryption

 

How LUKS Disk Encryption Works?

  • The entire block device can be encrypted using LUKS; it's well suited for protecting the data on removable storage media or the laptop disk drives
  • LUKS Disk Encryption uses the existing device mapper kernel subsystem
  • It also provides passphrase strengthening, which helps protect against dictionary attacks

 

Auto mount encrypted partition using fstab without key (prompts for LUKS passphrase)

From our last article we already have an LUKS encrypted partition /dev/sdb1, Now you can manually mount the encrypted partition every time node bootsor you can use fstab to auto mount LUKS device during boot stage using LUKS passphrase.

IMPORTANT NOTE:
If you perform this activity without using encrypt key then the reboot will halt with a user prompt asking for LUKS passphrase to mount the LUKS device. Alternatively you can also configure Network Bound Disk Encryption wherein the client will get this key from tang server to auto mount LUKS device.

Add below entry to your /etc/fstab

/dev/mapper/secret      /secret                 ext4    defaults        0 0

 

Next add below entry to /etc/crypttab. Here we are providing the LUKS device name, the mapped partition and the key file location. But since at this stage we have not created any key file, we will put it as none.

secret  /dev/sdb1       none

Next reboot the node and check if the reboot halts waiting for LUKS passphrase to mount the encrypted device

How to auto mount LUKS encrypted partition using key at boot in Linux

 

Mount LUKS device using fstab with key (No prompt for LUKS passphrase)

LUKS Disk Encryption can use up to 8 key slots to store passwords. We can use these keys to auto mount LUKS device.

Use the below command to check the currently utilised key slots. Here as you see only one key slot is in use where we have set the LUKS passphrase of the encrypted partition.

[root@node1 ~]# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      4f 28 47 d0 91 cd 30 1f c0 78 73 b9 0e 83 cd d6 77 99 bf c8
MK salt:        dc 91 2a 87 49 44 a9 2a 75 f7 f4 18 ee 39 54 e2
                2f 72 e0 21 ba 07 59 84 75 58 c6 a9 ad 7e 43 ae
MK iterations:  19006
UUID:           1da14492-aec4-4924-905d-e5aa28cbcff4

Key Slot 0: ENABLED
        Iterations:             296206
        Salt:                   06 af 5b fc 27 a3 3c 84 02 d8 1e 89 ec fc c9 15
                                d8 c4 5e 3c 58 9b 92 0a e3 e5 48 5d 6b da cf 65
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

To add a new encrypt key to auto mount LUKS device use the below command.

[root@node1 ~]# cryptsetup luksAddKey /dev/sdb1
Enter any existing passphrase:
Enter new passphrase for key slot:
Verify passphrase:

Next verify the key slots again

[root@node1 ~]# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      4f 28 47 d0 91 cd 30 1f c0 78 73 b9 0e 83 cd d6 77 99 bf c8
MK salt:        dc 91 2a 87 49 44 a9 2a 75 f7 f4 18 ee 39 54 e2
                2f 72 e0 21 ba 07 59 84 75 58 c6 a9 ad 7e 43 ae
MK iterations:  19006
UUID:           1da14492-aec4-4924-905d-e5aa28cbcff4

Key Slot 0: ENABLED
        Iterations:             296206
        Salt:                   06 af 5b fc 27 a3 3c 84 02 d8 1e 89 ec fc c9 15
                                d8 c4 5e 3c 58 9b 92 0a e3 e5 48 5d 6b da cf 65
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             729190
        Salt:                   3b a3 55 c0 5a d6 d0 0f 26 84 84 c4 a7 d1 83 23
                                9c 2d 6d ea 9f 76 83 04 36 8b d4 d6 19 07 ba 10
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

As you see now we have one more key slot added and is enabled. We will use this key to auto mount LUKS device.

NOTE:
To remove a key slot you can use "cryptsetup luksRemoveKey /dev/device" where the device or partition will be /dev/sdb1 for our demo.

Now let us create a key file which will be used to get the LUKS passphrase while booting the system. So at the reboot stage the system will not halt asking for passphrase and will get the key to auto mount LUKS device from this key file and continue to boot without password.

To create a key file execute the below command. Here my key file "lukskey" will be available under /root

[root@node1 ~]# dd if=/dev/random bs=32 count=1 of=/root/lukskey
1+0 records in
1+0 records out
32 bytes (32 B) copied, 0.000294018 s, 109 kB/s

To check the content of the lukskey file use xxd. As you see it is filled with random data.

[root@node1 ~]# xxd /root/lukskey
0000000: cd37 d965 8eb6 e1cd b009 467f 524b bf8e  .7.e......F.RK..
0000010: 5a53 7250 19c0 78b5 6d68 3f9c c8b6 6bf9  ZSrP..x.mh?...k.

Now let us add this key to our LUKS device

[root@node1 ~]# cryptsetup luksAddKey /dev/sdb1 /root/lukskey
Enter any existing passphrase:

Verify the new keyslot. Now we have a new keyslot enabled.

[root@node1 ~]# cryptsetup luksDump /dev/sdb1
LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256
MK digest:      4f 28 47 d0 91 cd 30 1f c0 78 73 b9 0e 83 cd d6 77 99 bf c8
MK salt:        dc 91 2a 87 49 44 a9 2a 75 f7 f4 18 ee 39 54 e2
                2f 72 e0 21 ba 07 59 84 75 58 c6 a9 ad 7e 43 ae
MK iterations:  19006
UUID:           1da14492-aec4-4924-905d-e5aa28cbcff4

Key Slot 0: ENABLED
        Iterations:             296206
        Salt:                   06 af 5b fc 27 a3 3c 84 02 d8 1e 89 ec fc c9 15
                                d8 c4 5e 3c 58 9b 92 0a e3 e5 48 5d 6b da cf 65
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             729190
        Salt:                   3b a3 55 c0 5a d6 d0 0f 26 84 84 c4 a7 d1 83 23
                                9c 2d 6d ea 9f 76 83 04 36 8b d4 d6 19 07 ba 10
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: ENABLED
        Iterations:             683556
        Salt:                   1a 13 aa 01 e1 c2 71 33 29 5f ae fc 25 71 2e c8
                                9f 9f 85 df 4b 80 61 4d 8d 52 35 7c 66 0a d0 af
        Key material offset:    520
        AF stripes:             4000
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Next modify your crypttab and provide the keyfile details to make sure system does not halts asking for passphrase of luks device.

[root@node1 ~]# vim /etc/crypttab
secret  /dev/sdb1       /root/lukskey

Next reboot your node

[root@node1 ~]# reboot

I am sure this time your system should come up automatically without prompting for any passphrase to mount the LUKS encrypted partition.

Post reboot I will validate my mounted file system and I see as expected /secret is already in mounted state

[root@node1 ~]# df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root   25G  3.8G   20G  16% /
devtmpfs                 1.9G     0  1.9G   0% /dev
tmpfs                    1.9G     0  1.9G   0% /dev/shm
tmpfs                    1.9G  9.2M  1.9G   1% /run
tmpfs                    1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/sda1                488M  134M  319M  30% /boot
/dev/mapper/secret       4.8G   20M  4.6G   1% /secret
tmpfs                    379M  8.0K  379M   1% /run/user/42
tmpfs                    379M     0  379M   0% /run/user/0

 

In coming articles I will share the steps to extend or shrink (resize) LUKS encrypted partition in Linux.

 

Lastly I hope the steps from the article to auto mount LUKS device using fstab to boot with LUKS passphrase and with LUKS key on Linux was helpful. So, let me know your suggestions and feedback using the comment section.

 

References:
An overview on LUKS encryption

Deepak Prasad

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

45 thoughts on “How to auto mount LUKS device (encrypted partition) using fstab in Linux”

  1. No. Don’t use on Kubuntu/Ubuntu 24.04, it will forward you to busybox and you will need to recover system with the manualy opening your luks root device.

    Here is missing all about the initrams update which is required.

    Reply
  2. Hi there. I want to install case “Auto mount encrypted partition using fstab without key (prompts for LUKS passphrase)”
    However, my os crashes a bit after entering a password during boot. As i understand fstab doesn’t know when it will obtain unencrypted mapped partition.

    x-systemd.device-timeout for my encrypted ext4 doesn’t help much. What else might went wrong on ubuntu 22.04?

    Reply
  3. Just in case: I had the problem that the devices from time to time didn’t automount correctly while booting. Problem was that sometimes it happened, that my system hdd was mounted as sdb and not sda and one of my external hdds were not mounted at all. My solution to this is to use the UUID in fstab and crypttab.
    If you encounter the problem: mount the encrypted devices manually and run:

    sudo blkid

    In my case:

    /dev/sda1: UUID="ee4ef57c-e4aa-43c1-a1ec-329b3239468e" TYPE="ext4" PARTUUID="6fd851d8-01"
    /dev/loop0: TYPE="squashfs"
    /dev/loop1: TYPE="squashfs"
    /dev/loop2: TYPE="squashfs"
    /dev/loop3: TYPE="squashfs"
    /dev/loop4: TYPE="squashfs"
    /dev/loop5: TYPE="squashfs"
    /dev/loop6: TYPE="squashfs"
    /dev/loop7: TYPE="squashfs"
    /dev/sdb1: UUID="ab44bd92-c9f1-49dd-a8f7-8e216da7ed53" TYPE="crypto_LUKS" PARTUUID="a337a472-1070-6540-b5ab-4144d19c4e32"
    /dev/sdc1: UUID="93a5d5b0-458f-4ec2-b5b4-399d8fee42eb" TYPE="crypto_LUKS" PARTUUID="2a5cc607-d9b3-4349-8902-033b8ab90e17"
    /dev/mapper/secret: UUID="6446f0d9-bc2f-4459-ae9f-aec7d705dd39" TYPE="ext4"
    /dev/mapper/backup: UUID="f44204f0-7634-4161-a9eb-49bf236da625" TYPE="ext4"

    There you see the UUIDs of the decrypted partitions (“TYPE=”crypto_LUKS”)and the UUIDs of the filesystems (TYPE=”ext4″)
    Put the TYPE="ext4" UUIDs in /etc/fstab and the Type="crypto_LUKS" in /etc/crypttab
    In my case fstab looks like this:

    UUID=ee4ef57c-e4aa-43c1-a1ec-329b3239468e /               ext4    errors=remount-ro 0       1
    /swapfile                                 none            swap    sw              0       0
    
    UUID=6446f0d9-bc2f-4459-ae9f-aec7d705dd39      /media/Benjis_ZS                 ext4    nofail,users,defaults        0 2
    UUID=f44204f0-7634-4161-a9eb-49bf236da625      /media/backup                    ext4    nofail,users,defaults        0 2

    and crypttab:

    secret UUID=93a5d5b0-458f-4ec2-b5b4-399d8fee42eb /root/lukskey
    backup UUID=ab44bd92-c9f1-49dd-a8f7-8e216da7ed53 /root/lukskey_backup

    This solved my issue. Hope that this helps someone out there….See you space cowboys…

    Reply
  4. and i forgot.. for anyone, who does not wanne use the cmd line, use “gnome-disks” for encrypting your drive, way easier for users.

    Reply
  5. oh.. ahm.. how to say this politly.. you do not store password in cmd lines, use this:

    cat password.file | cryptsetup …

    because it apears in “ps auxf ” and can be seen by any process,

    and i hope you encrypted the disk this is run on, or your security model just broke.
    Backups to unencrypted disks are done by creating a luks container on the drive, open it, format it, and copy the data into the container, close it, which makes it secure 😉

    Reply
  6. Hello there. Nice tutorial, thanks

    I would like Linux completely forget encrypted disk connected during the boot (not asking any password nor picking the password somewhere) as with my scritp (see below) I can do it when I want (i.e. at certain backup time when my NAS gets connected). Is it any way I can have Linux not paying attention nor request password for an encrypted device at the boot ? That would be magic !

    Here is my scripts:

    crontab -e:
    55 10 * * * /sbin/cryptsetup luksOpen /dev/disk/by-uuid/XXXXXXX secret -d /external-drive-mounted-where-the-key-is
    56 10 * * * mount /dev/mapper/secret /home/mydecrypteddisk
    
    00 12 * * * umount /home/mydecrypteddisk
    01 12 * * * /sbin/cryptsetup luksClose /dev/mapper/secret
    Reply
      • It is a good solution but I want encryption of my external hdd on client side be active always with the exception of the time frame while the nas performs its backup (to the unencrypted hdd on the client).
        I don’t believe, also, Synology nas can act the way you described the server.
        It looks too complicated. Need to investigate if I can load encryption modules on the fly and not at the beginning of boot process (simply adding few commands into my script)
        Thanks

        Reply
        • Please do share your observations, as I remember someone else had similar requirements for external disk. Unfortunately I have not been able to test this myself, will add it to my todo lists and if I can test this sometime then will create a new article.

          Reply

Leave a Comment