Background
Traditionally on Linux you use mount to use external drives. This requires root/sudo and is not easy for beginners.
Beginners in particular can mess things up, use the wrong parameters, or end up with a drive that is not writable.
Also, when using LUKS to encrypt the drive, you need to use 2 utilities.
udisks2 & polkit
udisks2 is a modern disk management tool designed for Linux systems to handle storage devices without requiring manual intervention from users. It is easier to use and less prone to issues.
It integrates with polkit, which enables flexible control of each privileged action.
For example, removable storage devices can be mounted and unmounted without any privileged permissions, groups or a password.
Especially on Wayland, graphical apps can’t run as root, which is an important security measure.
udisks2, using polkit, allows the various file managers (KDE Dolphin, GNOME Nautilus, XFCE Thunar, …) to do these privileged actions without running as root themselves.
List available drives
An example output can look like this:
lsblk
NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                                             8:0    0 931,5G  0 disk
└─sda1                                          8:1    0 931,5G  0 part
zram0                                         252:0    0     8G  0 disk  [SWAP]
nvme0n1                                       259:0    0   1,8T  0 disk
├─nvme0n1p1                                   259:1    0   576M  0 part  /boot/efi
├─nvme0n1p2                                   259:2    0  24,3G  0 part  /boot
└─nvme0n1p3                                   259:3    0   1,8T  0 part
  └─luks-64ae1755-4591-455d-b723-1e46c31ffe53 253:0    0   1,8T  0 crypt /var/home
                                                                         /var
                                                                         /sysroot/ostree/deploy/fedora/var
                                                                         /usr
                                                                         /etc
                                                                         /
                                                                         /sysroot
Here, sda is an externally connected SATA SSD in a USB enclosure. nvme0n1 is the internally used NVMe SSD of the PC.
All devices are accessed at /dev, so the external SSD is at /dev/sda.
A: unlock and mount an encrypted drive
udisksctl unlock -b /dev/sda1
You will be prompted for the passphrase. Normally the drive is then referenced as /dev/dm-1.
Mount it:
udisksctl mount -b /dev/dm-1
B: mount an unencrypted drive
udisksctl mount -b /dev/sda1
In both cases, the drives will be mounted to /run/media/$USERNAME/$Partitionname. They should be writable by an unprivileged user.
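As an added example (not from the original page): a POSIX shell script for case A that reads the unlocked device name from udisksctl's own output instead of assuming /dev/dm-1, since the dm number depends on which device-mapper devices already exist (in the lsblk output above the internal LUKS volume is 253:0, so the next one becomes dm-1). The function names and the message formats it parses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. The message formats below are
# assumptions about udisksctl's output; adjust them if your version differs.

# Print the cleartext device named in an unlock message such as
# "Unlocked /dev/sda1 as /dev/dm-1." (prints nothing if there is no match).
cleartext_device() {
    printf '%s\n' "$1" |
        sed -n -e 's/\.$//' -e 's|.*Unlocked /dev/[^ ]* as \(/dev/[^ ]*\)$|\1|p'
}

# Print the mount point named in a mount message such as
# "Mounted /dev/dm-1 at /run/media/user/Backups" (labels may contain spaces;
# a trailing dot, printed by some versions, is dropped).
mount_point() {
    printf '%s\n' "$1" |
        sed -n -e 's/\.$//' -e 's|^Mounted /dev/[^ ]* at \(/.*\)$|\1|p'
}

# Unlock the LUKS partition $1, mount the cleartext device udisksctl
# reports, and say whether the result is writable by the current user.
unlock_and_mount() {
    out=$(udisksctl unlock -b "$1") || return 1
    dev=$(cleartext_device "$out")
    if [ -z "$dev" ]; then
        echo "could not find cleartext device in: $out" >&2
        return 1
    fi
    out=$(udisksctl mount -b "$dev") || return 1
    mnt=$(mount_point "$out")
    if [ -z "$mnt" ]; then
        echo "could not find mount point in: $out" >&2
        return 1
    fi
    if [ -w "$mnt" ]; then
        echo "mounted $dev at $mnt (writable)"
    else
        echo "mounted $dev at $mnt (not writable by $(id -un))"
    fi
}

# Run only when a partition is given, e.g.: sh unlock-mount.sh /dev/sda1
if [ "$#" -eq 1 ]; then
    unlock_and_mount "$1"
fi
```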
Changing permissions to make a drive writable
If a drive is not writable after mounting it with udisksctl, you need to change the file ownership.
Assuming your drive is mounted to /run/media/user/Backups:
sudo chown -R "$USER" /run/media/user/Backups
This will change the ownership of all files and directories; -R ensures this is done recursively, for all nested directories.
Without changing file ownership
If you don’t want to change the file ownership, you can still avoid using sudo and instead use the admin:/ function.
This is available in GNOME and KDE. Enter admin: in the location bar of your file manager.
After you enter your password, a separate process with elevated privileges is used, reducing the attack surface.
Example location:
admin:/run/user/Backups
GUI
Alternatively, all of this works in the graphical user interface. The commands above also work on servers and other systems without a GUI.
Using udisks2 instead of mount saves you the need for root, and is way easier.
See also
- HowTo change the LUKS disk encryption password
- HowTo upgrade from the insecure LUKS1 to LUKS2 (coming soon)