How to automatically mount an encrypted volume at boot?

I have some LUKS-encrypted drives in use for backups. The ‘mount at system startup’ option in the Gnome disks app (configured for both ‘encryption’ and ‘mount’ options) doesn’t prompt for a password after logging in, thus the drive remains inaccessible until several manual steps have been completed in the said app after each reboot.

I only need the password prompt to appear when the desktop environment starts (better if several drives can be configured to be unlocked at once, provided that they use the same password). The passphare file should under no circumstances be stored on disk — I’m fine with typing the password manually at every boot (until I fully understand the security implications).

Someone else asked this same question yesterday:

As for the multiple luks volumes, the way this is handles most commonly is to open one of them with your password and then store a keyfile(not your password) on that volume which opens the rest. Because the keyfile lives in an exncrypted filesystem, you can’t unlock the other volumes without first decrypting that one.


I see, I searched relatively thoroughly a couple of weeks ago.

I only use internal drives (due to S.M.A.R.T. access and heat concerns) — are internal and external drives any different in this context?

1 Like

To be fair, that question hasn’t been answered yet so finding it wouldn’t have helped you much.

From a luks perspective, I don’t think it matters. Generally speaking, it is almost never harder to work with internal drives.

1 Like

Yes - I asked the same question as @dalto mentioned.

I found for me a solution by using pam_mount, more or less the same procedure as I am doing with Ubuntu.

sudo dnf install pam_mount
sudo blkid
Find the right UUID of the encrypted disk you would like to automount after login.

sudoedit /etc/security/pam_mount.conf.xml

Insert following row after comment row: <!-- Volume definitions -->

<volume user="your_login_user" fstype="crypt" path="/dev/disk/by-uuid/the_uuid_of_encrypted_disk" mountpoint="path_to_your_mount_point" options="relatime" />

According to here:

sudoedit /etc/pam.d/gdm-password
Insert first row:
auth optional try_first_pass

Insert first row in block session
session optional


Important additional note:
As said in the Ubuntu forums one of your passphrases of your LUKS encrypted disk must be the same then your login password! I did not check if this is also true for Fedora.

As I am new to Fedora can somebody confirm this procedure. Thanks.


1 Like

For myself I usually use this method:

  1. Check devices hierarchy with lsblk.
    Find your device name, like “sda1”.
  2. Get UUID for your device with cryptsetup tool:
    sudo cryptsetup luksUUID /dev/sda1.
    UUID will be like “1234567a-b890-1c23-45de-f67f8gh90i12”.
  3. Edit /etc/crypttab with sudo and add new line:
    PartitionName UUID=12345 none
    Where “PartitionName” - name for your encrypted partition for crypttab (change it to your),
    “12345” - your UUID from step 2.
    This config needed for decryption on boot stage.
  4. Edit /etc/fstab with sudo and add new line:
    /dev/mapper/PartitionName /run/media/YOUR_USER/PartitionName/ ext4 defaults,noatime,discard,rw 0 2
    Where “PartitionName” - name from step 3,
    “/run/media/YOUR_USER/PartitionName/” - path for mounting your partition (change it to your),
    and other usual settings for fstab mounting.

This works for me and on Fedora 36 Kinoite, and on several other distro.
The decryption password will be requested at the boot stage, even before SDDM.


This is not an automated method, but only requires running two commands per-drive (and is easy to understand) — in addition to typing the disk passphrase and the user account password. Can be saved as an .sh script, add any drives you’d like:


# SATA SSD (1)
udisksctl unlock --block-device /dev/sdc1
udisksctl mount --block-device /dev/mapper/luks-[...]

The block device paths are examples (I’ve truncated the latter), they can be verified in Gnome Disks for instance.

1 Like

Here’s an entirely automated method involving a Gnome autostart file (barring entering the passphrase) which I’ve used about a hundred times thus far: A recommend method to run a command at startup? - #19 by grass

1 Like

Documenting my experience as someone not versed in linux with getting @grass solution (thank you for sharing) to work (adjusted for fedora silverblue 39, including steps which might be obvious to experienced users, but which I had to figure out myself through trial and error cuz I’m a newb):

  1. in order to enable the autostart functionality in the first place, I had to install gnome-tweaks through rpm-ostree install gnome-tweaks in the terminal, then systemctl reboot and finally enable autostart through the gui (I just added some apps there).

  2. I created the aforementioned files, touch ~/.config/autostart/.desktop and touch ~/.bin/ Yea, I put the in my home’s freshly created, hidden sub-folder because I’m on silverblue and I had no idea whether it would work if I put it anywhere else.

  3. Next I edited the newly created .desktop and put in this:

[Desktop Entry]
Exec=gnome-terminal – /var/home/YOURUSERNAME/.bin/

  1. then (NOTE: to figure out the string which follows after luks below, I used the sudo fdisk -l, but be warned that I only saw it there when the disk/partition was already mounted through gnome files.):


udisksctl unlock -b /dev/nvme0n1p1
udisksctl mount -b /dev/mapper/luks-REDACTED-PLACE-YOUR-OWN-NUMBERS

  1. lastly I had to chmod +x ~/.bin/ to make it executable (edit the path if your is saved elsewhere).
1 Like