How-To automatically unlock and mount an encrypted USB partition on attach

I use a USB thumb drive with several partitions in order to share my personal data among machines. Each partition is (BitLocker) encrypted. I am looking for a solution to automatically unlock and mount the partitions at some dedicated location. This is what I tried so far:

  1. Using a script collecting cryptsetup and mount commands, which is properly protected from unauthorized inspection and has NOPASSWD privileges, would provide a one-click solution for the job. This is, to my understanding, not recommended for security reasons.

  2. Using /etc/cryptsetup entries in combination with /etc/fstab entries would also do the job:

mobi_usb   PARTUUID=47119ece-19e8-423c-add4-20af5e57f527 /etc/cryptsetup-keys.d/mobi-bitlocker.key bitlk,nofail
/dev/mapper/mobi_usb /mnt/org/mobi  auto users,nosuid,nodev,nofail,x-systemd.automount 0 0

But I encounter problems when trying to unmount the partitions, e.g. in Dolphin (it would not let me do so!).

  3. Using the KDE Plasma settings System Settings > Removable Media would let me configure in order to have the encrypted volume opened on attach and then using the fstab entry above to mount it at the dedicated location. In this case, I am, however, prompted for confirmation of the password which was extracted successfully from kwallet.

In summary, I encounter either security, stability or a usability issue.

What is the correct approach to achieve my goal (i.e. attach the usb and magically have all encrypted partitions at the correct locations being opened with no further password/passphrase/click interaction)?

Thanks!
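
For option 2 in the post above, the key file named in the entry is all that protects the volume once the stick is attached, so it should not be accessible to group or others. As an added example (not part of the original post), this POSIX shell function audits a crypttab-format file for that; the function name and the OK/WEAK/MISSING labels are assumptions made for illustration, and `stat -c` assumes GNU coreutils.

```sh
# Added example (not from the thread): audit key files named in a
# crypttab-format file. Fields per line: name device keyfile options.
# Prints "<STATUS> <name> <keyfile> [mode=NNN]"; exit status 1 on any finding.
audit_crypttab_keys() (
    # Body runs in a subshell, so "exit" only leaves the function.
    rc=0
    while read -r name device keyfile options || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac       # blank line or comment
        case $keyfile in ''|none|-) continue ;; esac  # passphrase prompt, no key file
        if [ ! -e "$keyfile" ]; then
            echo "MISSING $name $keyfile"; rc=1; continue
        fi
        [ -f "$keyfile" ] || continue                 # skip devices such as /dev/urandom
        mode=$(stat -c '%a' "$keyfile")               # octal mode, e.g. 600
        # Any group or other permission bit exposes the key material.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "WEAK $name $keyfile mode=$mode"; rc=1
        else
            echo "OK $name $keyfile mode=$mode"
        fi
    done < "$1"
    exit "$rc"
)

# Typical call (needs read access to the key directory, so usually root):
#   audit_crypttab_keys /etc/crypttab
```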

You mean Windows Bitlocker? Or linux encryption?

For Windows BitLocker I found this https://www.baeldung.com/linux/bitlocker-encrypted-device

I mean indeed BitLocker, whereas for my workflow any interaction is most tedious.

But for backups I typically use LUKS encrypted USB drives with ext4 and the issue occurs there, too.

Thanks for the link, though! But isn’t bitlocker natively supported by cryptsetup? No need for tools like dislocker?

I don’t know, but would like to know.

Yes, it works with most configurations. I used it a few times in a dual-boot setup to access files (mounted as read-only).
man cryptsetup / BITLK

OK, I can kind of solve it by myself:

  1. Configuring in /etc/fstab:
/dev/disk/by-uuid/<ID> /mnt/<mount-point> auto nosuid,nodev,nofail,x-gvfs-show 0 0
  2. Scripting without root:
# Needs bash: <(...) feeds the passphrase from KWallet to --key-file through a pipe.
udisksctl unlock --block-device /dev/disk/by-partuuid/<UUID> \
  --key-file <(kwallet-query -f "SolidLuks" -r "<UUID>" kdewallet | head -n 1 | tr -d '\n') \
  && udisksctl mount --block-device /dev/disk/by-uuid/<UUID>

I’ll read the password from kwallet and magically check the settings in fstab. This will allow me to mount by running the script.

Is there a better solution?