Decrypt LUKS partition (only) on access

Folks, I need your help please :pray:

I just set up a new installation of EOS on a laptop with one SSD. I gave it 5 partitions and one of these partitions is encrypted with LUKS.
I want this partition to be encrypted all the time UNTIL I want to access it. (What I mean is when I click it in Dolphin it asks for the passphrase then gets decrypted and mounted).
But I didn’t get this kind of behavior after installation. Instead the system asks for the passphrase at startup and mounting/accessing the partition just asks for the user password because the partition is already decrypted.
Is there any way to achieve what I want? Or is LUKS designed to always decrypt everything on startup?

Perhaps having a look at /etc/fstab could give some people some ideas on the setup and mount options etc.

1 Like

fstab has just 2 entries, boot & the LUKS partition. Tried to delete the entry for the LUKS partition but it still asks for the passphrase at startup.

What is the mountpoint of the luks partition?

1 Like

What about the rest of them? Not in fstab? Posting the fstab might give some info.

I see that @dalto is typing, so I respectfully withdraw but watch to learn :blush:

1 Like

Mount point in fstab is root.

I’m away from the machine atm. But no more entries in fstab. The other partitions also do not automount yet. I will figure out how to do this later.

1 Like

Erm…you can’t decrypt the root partition on access. The files needed to boot are encrypted on it.

2 Likes

Please post the output of …

  1. cat /etc/fstab | grep -v '#'
  2. sudo cat /etc/crypttab | grep -v '#'
  3. sudo blkid | grep LUKS

1 Like

It’s not the root partition. It’s just a partition for data. But mountpoint in fstab is /.

The partition mounted at / is the root partition. You can’t mount a different partition at /

Can post tomorrow, not near the machine atm.

Well, will check again tomorrow. But I’m 99% sure it said “/” :nerd_face:

edit: Wait, something’s fishy here…just 2 entries and one is boot…but the system partition has to be in fstab, hasn’t it?
Well, anyway, have to wait 'til tomorrow :confused:

So, I checked the fstab again and ofc @dalto was right…the LUKS partition wasn’t in there, just boot & system. (Seems like I was in the wrong column when checking the UUIDs)
Anyway, googling (or duckduckgoing :wink:) didn’t provide much for on demand encryption of LUKS partitions and since I don’t have much free time atm I decided to reinstall again without encryption and use Veracrypt later.

Thx to everybody willing to help!

BTW: Installing EOS with the online installer is so easy and quick, it’s incredible! :slightly_smiling_face: :+1:

2 Likes

I still think we could have provided a quick and simple solution if you’d provided some of the asked for information. I even bet you could have solved your problem by simply adding a “#”.

So you decided to reinstall instead …?

1 Like
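
An added example, not part of any post in this thread: a shell function that reads a crypttab and an fstab, the files whose output was requested earlier, and lists the LUKS mappings that would still be unlocked during boot. It relies on the `noauto` option documented in crypttab(5); the mapping names, UUIDs, mount points and the `/dev/mapper/<name>` style of fstab entry in the sample files are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): which LUKS mappings get unlocked at boot?
# Per crypttab(5), "noauto" in crypttab keeps a mapping out of the boot-time
# unlock, unless an fstab mount of that mapping (without noauto) pulls it in.
# Assumption: fstab refers to the mapping as /dev/mapper/<name>.
boot_unlocked() {   # usage: boot_unlocked CRYPTTAB FSTAB
    awk '
    function has_noauto(opts,   a, i, k) {
        k = split(opts, a, ",")
        for (i = 1; i <= k; i++) if (a[i] == "noauto") return 1
        return 0
    }
    /^[ \t]*#/ || NF == 0 { next }             # comments and blank lines
    FILENAME == ARGV[1] {                      # crypttab: name device key opts
        order[++cnt] = $1
        atboot[$1] = !has_noauto($4)
        next
    }
    $1 ~ /^\/dev\/mapper\// && !has_noauto($4) {   # fstab mount done at boot
        mounted[substr($1, 13)] = 1
    }
    END {
        for (i = 1; i <= cnt; i++) {
            name = order[i]
            if (atboot[name])       print name, "crypttab"
            else if (mounted[name]) print name, "fstab"
        }
    }' "$1" "$2"
}

demo() {            # constructed sample files, not taken from the thread
    dir=$(mktemp -d) || return 1
    cat > "$dir/crypttab" <<'EOF'
# <name>     <device>                                   <key> <options>
luks-data    UUID=00000000-0000-0000-0000-000000000001  none  luks
luks-storage UUID=00000000-0000-0000-0000-000000000002  none  luks,noauto
luks-backup  UUID=00000000-0000-0000-0000-000000000003  none  noauto,nofail
#luks-old    UUID=00000000-0000-0000-0000-000000000004  none  luks
EOF
    cat > "$dir/fstab" <<'EOF'
/dev/mapper/luks-data    /mnt/data    ext4 defaults,noatime 0 2
/dev/mapper/luks-storage /mnt/storage ext4 noauto,nofail    0 0
/dev/mapper/luks-backup  /mnt/backup  ext4 nofail           0 0
EOF
    boot_unlocked "$dir/crypttab" "$dir/fstab"
    rm -rf "$dir"
}

demo
```

Each output line names a mapping and the file whose entry causes the boot-time unlock. A passphrase prompt that comes from the initramfs (for example a `cryptdevice=` kernel parameter on Arch-based systems) is outside what this check covers.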

I really didn’t get the impression that there’s a quick and easy solution. Also, unmounting the LUKS partition didn’t encrypt it, I could simply remount it with a single mouseclick. So I would have to find a solution for this also.
And installing EOS is really quick, takes less than 10 minutes and that already includes converting GiB to MiB so I get the partition sizes right :wink:
Anyway, thx again for trying to help but I really think that Veracrypt suits this use case better than LUKS. I would always choose LUKS for FDE though.

Automounting only works for network drives, with autofs for example:

https://wiki.archlinux.org/title/autofs

But a prerequisite for autofs is that the server has the partition mounted and shared via nfs or samba.

I do not see that your use case is supported anywhere.

EDIT:
Have you considered veracrypt instead of LUKS? veracrypt is on file level. It will allow you to mount the unencrypted partition but it will not allow access to encrypted folders until you unlock them.

1 Like

That is exactly what I did! Thank you!

OK, almost done with everything and almost everything works…but ofc there’s a new problem :persevere: Don’t get me wrong, I really like Linux but sometimes it just drives me nuts :crazy_face:

Anyway, this doesn’t seem to be a huge problem and I’m confident there’s a simple solution. Therefore I thought it’s not worth creating a new thread for this.

So, everything was working until I set up automount for 2 partitions and explicitly disabled mount on boot for the drive that gets encrypted. This worked fine and after a restart all the drives I wanted were mounted. So far, so good. Next I installed plasma-wayland-session and, after a restart, switched to Wayland. And since then, after every (re)boot, as soon as I get to the desktop udisks seems to trigger the partition and I get a password prompt to mount the partition. Why this just happens on Wayland is beyond me. Anyway, how do I get udisks to not trigger the partition after booting? Any ideas anyone?

Here’s my fstab:

UUID=57CD-E1F6                            /boot/efi      vfat    defaults,noatime 0 2
UUID=de20c5f1-effc-4b97-b198-c216a0bd0b81 /              ext4    defaults,noatime 0 1
/dev/disk/by-uuid/ecebafd9-2894-4fb8-951b-e0df069b804f /mnt/ecebafd9-2894-4fb8-951b-e0df069b804f ext4 nosuid,nodev,nofail,x-gvfs-show,x-gvfs-name=Data 0 0
/dev/disk/by-uuid/3f74b8b4-bd2f-4439-acfd-064e6dd7a158 /mnt/3f74b8b4-bd2f-4439-acfd-064e6dd7a158 ext4 nosuid,nodev,nofail,x-gvfs-show,x-gvfs-name=Backup 0 0
/dev/disk/by-uuid/4316a32d-bec2-43eb-bb88-548dbad72f88 /mnt/4316a32d-bec2-43eb-bb88-548dbad72f88 ext4 nosuid,nodev,nofail,x-gvfs-show,noauto,x-gvfs-name=Storage 0 0

edit: And here’s a screenshot:

Screenshot_20220613_191035

edit2: Figured out what exactly the problem is and therefore changed some text.