Auto mounting usb key encrypted

lawmanuk · May 19, 2021, 11:25pm

Hi,

I’ve been partially successful in automounting encrypted veracrypt volume

MOUNT AT BOOT - VERACRYPT LOCAL HDD

The following works perfectly.

cryptab
veracrypt1 PARTLABEL=vcsda5 /dev/null noauto,tcrypt-veracrypt,tcrypt-hidden,tcrypt-keyfile=/keyfile.bin

fstab
/dev/mapper/veracrypt1 /media/veracrypt1 btrfs defaults,noatime,space_cache,autodefrag,compress=zstd:10 0 2

AUTO MOUNT NOT AT BOOT - VERACRYPT USB KEY

I followed instructions at this link but its not working fully.
https://wiki.archlinux.org/title/Fstab# … filesystem

cryptab
veracrypt2 PARTLABEL=usb4gb /dev/null noauto,tcrypt-veracrypt,tcrypt-hidden,tcrypt-keyfile=/keyfile.bin

The cryptab entry with “noauto” works fine. The usb key encryption is opened whether usb key is present at boot time or when inserting after boot time.
I can manually mount this with “sudo mount /dev/mapper/veracrypt2 /media/veracrypt2”

fstab
/dev/mapper/veracrypt2 /media/veracrypt2 btrfs noauto,x-systemd.automount,x-systemd.mount-timeout=5,defaults,noatime,space_cache,autodefrag,compress=zstd:10 0 2

This fstab entry is the problem. It just doesn’t work at all. It actually makes thunar hang and system unstable.

I’ve tried combinations of
noauto,x-systemd.automount,x-systemd.mount-timeout=5
nofail,x-systemd.device-timeout=1ms,noauto,x-systemd.automount
nofail,x-systemd.device-timeout=1ms

What is the correct fstab entry to use so that the usb key auto mounts when inserted not at boot time.

Thanks in advance.

jonathon · May 20, 2021, 12:22am

I suspect this is not the correct device for your USB flash drive. Only you will know what is.

otherbarry · May 20, 2021, 2:16am

To automount an encrypted usb device on “plug in” you need a custom udev rule, combined with systemd luks device config. Systemd alone can’t do what you want.

You can get the gist of what is required here, luks automounting is coupled with a server backup.

https://askubuntu.com/questions/1283544/server-automount-usb-drive-with-systemd

Personally I just use a 2-3 char alias to chain the commands I need to decrypt and mount an encrypted usb device. If you don’t want to enter a password then use a luks keyfile. Another alias unmounts and closes.

lawmanuk · May 22, 2021, 12:31am

Hi Jonathan,

It is the correct device.

I’m using cryptab with a veracrypt partition, instead of luks as partition cannot be proven to be encrypted data, opposed to luks.

lawmanuk · May 22, 2021, 12:38am

Hi otherbarry,

The strange thing is that EOS auto unlocks my luks usb key without any custom udev rule. I entered my password once on thunar, and now it remembers whatever it needs to auto unlocking and mounting my usb whenever I plug the usb in.

I’ve tried figuring out where this information is stored so I can customize the mounting eg. with zstd:10 compression for btrfs, but can’t see how EOS does this or where it stores the decrypt key + mount info.

Although EOS does it auto for luks, I want to do auto plugin for veracrypt usb key.

I’ll try the link you sent to see if it works for the veracrypt usb key, but how is EOS is auto decrypting/mounting my luks usb key without the udev rules having been setup?