How to hide from Nautilus left bar: LUKS encrypted and unmounted filesystem

In the following figure we can see in the left pane, 107 GB Encrypted

This filesystem has no entry in /etc/fstab, this is also confirmed in the above image from Gnome Disk.

Another observation, the LUKS device UUID shows up in crypttab:

$ sudo \cat /etc/crypttab
luks-4b6bfcdb-a266-41a9-b0e3-040366e3a5e2 UUID=4b6bfcdb-a266-41a9-b0e3-040366e3a5e2 none nofail,noauto

I want this filesystem to be hidden and not be visible, how can I do this? Should this be removed from /etc/crypttab?

Does your user account have read access to the block device /dev/vgubuntu? If so, can you remove read access with a command like sudo chmod go-rwx /dev/vgubuntu? If that works, you should be able to create a udev rule that will automatically restrict the permissions on that device node. For example:

/etc/udev/rules.d/90-vgubuntu.rules:

KERNEL=="vgubuntu", OWNER="root", GROUP="disk", MODE="0600"

Edit: Oh, vgubuntu is a directory, not a node, so that udev rule probably won’t work. It might work if you change KERNEL=="vgubuntu" to KERNEL=="vgubuntu/*".

vgubuntu is the name of the volume group

SecureCrypt is the logical volume device that is encrypted with LUKS2 and not auto mounted.

$ sudo pvs
  PV             VG       Fmt  Attr PSize  PFree
  /dev/nvme0n1p5 vgubuntu lvm2 a--  <1.82t    0 
$ sudo vgs
  VG       #PV #LV #SN Attr   VSize  VFree
  vgubuntu   1   7   0 wz--n- <1.82t    0 
$ sudo lvs
  LV          VG       Attr       LSize     Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  Backup      vgubuntu -wi-ao----   100.00g                                                    
  Data        vgubuntu -wi-ao----   200.00g                                                    
  Documents   vgubuntu -wi-ao----   325.00g                                                    
  FedoraHome  vgubuntu -wi-ao----    25.00g                                                    
  FedoraRoot  vgubuntu -wi-ao----   100.00g                                                    
  Media       vgubuntu -wi-ao---- <1010.64g                                                    
  SecureCrypt vgubuntu -wi-a-----   100.00g                                                    
$ ls /dev/mapper
control  vgubuntu-Backup@  vgubuntu-Data@  vgubuntu-Documents@  vgubuntu-FedoraHome@  vgubuntu-FedoraRoot@  vgubuntu-Media@  vgubuntu-SecureCrypt@

If you go into gnome disks select the drive, click the cog for settings and go to edit mount options can you uncheck show in user interface?

1 Like

I don’t use LVM these days. I use ZFS instead, so I’m not sure. But I think you might be able to match something with a udev rule and remove access to it. Or, if it is a partition, you could set the partition to hidden.

This setting is not visible for LUKS encrypted device. But what you said is applicable for other devices, that are unencrypted.

Can you remove access to just mapper/vgubuntu-SecureCrypt?

Could you please tell me what do you mean by to remove access to mapper/vgubuntu-SecureCrypt

$ command ls -la /dev/mapper
total 0
drwxr-xr-x.  2 root root     200 Dec 28 20:59 .
drwxr-xr-x. 23 root root    4660 Dec 28 20:59 ..
crw-------.  1 root root 10, 236 Dec 28 20:59 control
lrwxrwxrwx.  1 root root       7 Dec 28 20:59 vgubuntu-Backup -> ../dm-5
lrwxrwxrwx.  1 root root       7 Dec 28 20:59 vgubuntu-Data -> ../dm-2
lrwxrwxrwx.  1 root root       7 Dec 28 20:59 vgubuntu-Documents -> ../dm-3
lrwxrwxrwx.  1 root root       7 Dec 28 20:59 vgubuntu-FedoraHome -> ../dm-1
lrwxrwxrwx.  1 root root       7 Dec 28 20:59 vgubuntu-FedoraRoot -> ../dm-0
lrwxrwxrwx.  1 root root       7 Dec 28 20:59 vgubuntu-Media -> ../dm-4
lrwxrwxrwx.  1 root root       7 Dec 28 20:59 vgubuntu-SecureCrypt -> ../dm-6

Note: I want to be able to use LUKS to unenecrypt and mount the partition when I need it, I just don’t want that in GUI it shows up in Nautilus.

It looks like those are symlinks, so you won’t be able to change the permissions there. You would need to adjust the permissions on the target of the symlink, but that would be more difficult to match with a udev rule (but perhaps not impossible).

Nautilus runs as your user account, so I think you should be able to block your user account from having read access to the device node (currently /dev/dm-6 but that might change across system boots). What does ls -al /dev/dm-6 show?

$ command ls -al /dev/dm-6 
brw-rw----. 1 root disk 253, 6 Dec 28 20:59 /dev/dm-6

Yes, that’s true that it might change after reboot and point to another device.

I assume your account isn’t in the disk group, so apparently just changing the permissions won’t work.

LVM has its own filters.

I guess you’d have to experiment with those to get it to not automatically import that specific volume (but still import the others).

Edit: Scratch that, that was for devices, not volumes. But maybe there is something similar in /etc/lvm/lvm.conf for volumes?

Edit2: I think this is what you are looking for: lvmautoactivation(7) - Linux manual page

1 Like

You are right.

$ sudo lvchange -an vgubuntu/SecureCrypt

When I manually deactivated the logical volume (above command), the entry in nautilus vanished, so I just need to make sure that the logical volume does not gets active automatically on boot.

1 Like

It is active though. So I guess you need to figure out what activated it and stop that?

Maybe something like journalctl -g lvm-activate will help narrow down what caused that VG to be activated?

Data for last boot

-- Boot 7c5236e9f726457c8bbfa49961cc398a --
2024-12-28T20:59:52+01:00 lamyer systemd[1]: Started lvm-activate-vgubuntu.service - /usr/sbin/lvm vgchange -aay --autoactivation event vgubuntu.
2024-12-28T20:59:52+01:00 lamyer audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lvm-activate-vgubuntu comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
2024-12-28T20:59:52+01:00 lamyer audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lvm-activate-vgubuntu comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
2024-12-28T20:59:52+01:00 lamyer systemd[1]: lvm-activate-vgubuntu.service: Deactivated successfully.

I don’t know. From the vgchange man page:

ay specifies autoactivation, which is used by system-generated activation commands. By default, LVs are autoactivated. An autoactivation property can
be set on a VG or LV to disable autoactivation, see --setautoactivation y|n in vgchange, lvchange, vgcreate, and lvcreate. Display the property with vgs or
lvs “-o autoactivation”. The lvm.conf(5) auto_activation_volume_list includes names of VGs or LVs that should be autoactivated, and anything not listed is not
autoactivated. When auto_activation_volume_list is undefined (the default), it has no effect. If auto_activation_volume_list is defined and empty, no LVs are
autoactivated. Items included by auto_activation_volume_list will not be autoactivated if the autoactivation property has been disabled.

Can you add x-gvfs-hide to fstab for that entry?

There is no entry for the device in the fstab as it is encrypted and so the Filesystem is not available in the encrypted state.

Cryptab has noauto for the encrypted device.

Has the /etc/crypttab file also been updated in the initramfs? You can use lsinitrd | grep crypttab and check that the size of the file in the current initramfs image matches the size of the /etc/crypttab file on your root filesystem. If they don’t match, sudo dracut -f should work to update your current initramfs.