Mounting LUKS encrypted external drive with user write permission

I have one 1TB USB external disk. I plan to use this disk to back up files from my main drive.

I created the encrypted disk drive with LUKS and the btrfs format, following the guide. [1] The working log is [2]. Now I am looking for a way to mount and use this drive by “user” permission.

Here is the current status. The “/dev/sdb” is the encrypted disk with LUKS and the btrfs format. The “/dev/sda” is just to compare the situation. It’s another USB external disk with an unencrypted and vfat format.

$ lsblk -r -p -o NAME,TYPE,FSTYPE,UUID,SIZE,LABEL | grep -v "^/dev/loop"
NAME TYPE FSTYPE UUID SIZE LABEL
/dev/sda disk   232.9G 
/dev/sda1 part vfat 1A53-9E55 232.9G 
/dev/sdb disk   931.5G 
/dev/sdb1 part crypto_LUKS XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX 931.5G 
/dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX crypt btrfs XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX 931.5G backup
...

In the case of “/dev/sdb1”, the LUKS encrypted disk, it was mounted as root, and I couldn’t write a file to the disk.

$ udisksctl mount -b /dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
Mounted /dev/dm-1 at /run/media/jaruga/backup

$ df -h | grep dm-1
/dev/dm-1       932G  3.8M  930G   1% /run/media/jaruga/backup

$ ls -dl /run/media/jaruga/backup
drwxr-xr-x. 1 root root 0 Nov  8 17:14 /run/media/jaruga/backup/

$ touch /run/media/jaruga/backup/BACKUP.txt
touch: cannot touch '/run/media/jaruga/backup/BACKUP.txt': Permission denied

On the other hand, in the case of “/dev/sda1”, an unencrypted disk, it was mounted as user (jaruga), as expected.

$ udisksctl mount -b /dev/sda1
Mounted /dev/sda1 at /run/media/jaruga/1A53-9E55

$ ls -dl /run/media/jaruga/1A53-9E55
drwxr-xr-x. 2 jaruga jaruga 32768 Jan  1  1970 /run/media/jaruga/1A53-9E55/

How can I mount “/dev/sdb1” with user (jaruga) permission, giving write access? Thanks.

References

A few things to consider:

The mounted filesystem itself may have its own permissions, and the UID/GID is what matters more than the actual name of the user or group. If the jaruga user has a UID of 1001 on the system that the files were written on and jaruga on the current system has a UID of 1000, they won’t match.

Another thing to consider is that if the root user mounts the volume in a location that other users cannot read/write to, users won’t be able to access or write to it due to the FS hierarchy perms.

For mounts in /run, these are usually done through something like gvfs, which is designed to make the mounts specific to the users. This is so if a user mounts their Google Drive via Gnome Accounts, another user won’t be able to get access to their personal files for that mount. udisks does something very similar, per the man page:

ACCESS CONTROL
       By default, logged-in users in active log-in sessions are permitted to perform operations (for example, mounting, unlocking or modifying) on
       devices attached to the seat their session is on. Access-control is fine-grained and based on polkit(8), see the “Authorization Checks” chapter
       in the udisks documentation for more information. Note that the x-udisks-auth option can be used in the /etc/fstab and /etc/crypttab files to
       specify that additional authorization is required to mount resp. unlock the device (typically requiring the user to authenticate as an
       administrator).

If you run man polkit, there is a chapter called “AUTHORIZATION RULES” that describes how polkit rules work, but if you want to use udisks specifically, you likely need to define the access rules that way.


Thanks for the info! It’s very useful.

I plan to add an entry for this disk to /etc/crypttab, but I don’t plan to set up /etc/fstab because I don’t use the disk as a permanent mount.

I am reading man polkit, and also ArchLinux’s Polkit page. [1] It seems I need to set up the files below.

/usr/share/polkit-1/actions/*.policy
/usr/share/polkit-1/rules.d/*.rules

I found a workaround. I just created a sub-directory owned by the user (jaruga) to use as the top directory for backing up files.

$ df -h | grep dm-1
/dev/dm-1       932G  3.8M  930G   1% /run/media/jaruga/backup

$ cd /run/media/jaruga/backup

$ sudo mkdir framework

$ sudo chown jaruga:jaruga framework

$ cd framework/

$ touch BACKUP.txt

$ ls -l
total 0
-rw-r--r--. 1 jaruga jaruga 0 Nov  8 20:39 BACKUP.txt

References
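The workaround above as a small script, added here as an example and not code from the thread. It assumes the device is /dev/sdb1 and that udisksctl prints "Unlocked ... as /dev/dm-N" and "Mounted ... at /path" as in the session logs above. The point it makes explicit: btrfs, unlike vfat, stores POSIX ownership on the filesystem itself, so the root-owned top level is a property of the volume rather than of how it was mounted, and fixing ownership of a top directory once (as root) is enough; the check function also prints the numeric UID, which is what must match across machines, as the first reply notes.

```sh
#!/bin/sh
# Example script (not from the thread): unlock and mount a LUKS/btrfs
# volume with udisksctl, then make sure a user-owned top directory exists.
set -eu

# Run a command as root: directly if we already are, otherwise via sudo.
as_root() {
    if [ "$(id -u)" -eq 0 ]; then "$@"; else sudo "$@"; fi
}

# Print "<owner>(<uid>) writable|read-only" for a directory, from the
# calling user's point of view; returns 0 only if it is writable.
describe_dir() {
    dir=$1
    owner=$(stat -c '%U(%u)' "$dir")
    if [ -w "$dir" ]; then
        printf '%s writable\n' "$owner"; return 0
    fi
    printf '%s read-only\n' "$owner"; return 1
}

# Ensure directory $1 exists and is owned by user $2. Escalates only when
# needed: mkdir is tried as the user first, and chown runs only when the
# current owner differs. Returns 0 if the user can write to it afterwards.
ensure_user_dir() {
    dir=$1; user=$2
    if [ ! -d "$dir" ]; then
        mkdir "$dir" 2>/dev/null || as_root mkdir "$dir"
    fi
    if [ "$(stat -c %U "$dir")" != "$user" ]; then
        as_root chown "$user:$user" "$dir"
    fi
    [ -w "$dir" ]
}

# Unlock a LUKS partition and mount the mapped device; prints the mount
# point. The passphrase prompt comes from udisksctl/polkit, not from us.
mount_luks_backup() {
    dev=$1
    dm=$(udisksctl unlock -b "$dev" | sed -n 's/^Unlocked .* as \(.*\)$/\1/p' | sed 's/\.$//')
    udisksctl mount -b "$dm" | sed -n 's/^Mounted .* at \(.*\)$/\1/p' | sed 's/\.$//'
}

main() {
    mnt=$(mount_luks_backup /dev/sdb1)        # device path is an assumption
    describe_dir "$mnt" || true               # typically "root(0) read-only"
    ensure_user_dir "$mnt/framework" "$(id -un)"
    describe_dir "$mnt/framework"             # e.g. "jaruga(1000) writable"
}

# Run the full flow only when executed as a script, not when sourced.
if [ "${0##*/}" = "mount_backup.sh" ]; then main "$@"; fi
```

Saved as mount_backup.sh, the script can be run after each plug-in; on later runs the directory already exists and is owned by the user, so neither mkdir nor chown needs sudo.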