If I have an encrypted external disk (or an internal disk that is not in fstab), I see an entry for it in Nautilus — with an entry like "X GB Encrypted Volume". I can click on this volume, and am prompted for a password to decrypt and mount the device.
But how do I do this from the command line?
This wiki page, and other docs I can find, only refer to GUI methods of decrypting the device; but this won't do in the context of headless servers or SSH logins. Is there a simple way to get devices to mount to automatic locations in /media just like they would with the GUI?
(I'm not asking about encrypted home directories — I'm aware of ecryptfs-mount-private. This question is about additional encrypted volumes.)
Best Answer
The steps in @Georg Schölly's answer did not work for me at the time, although they might work now, a few Ubuntu releases after. Back then, after the sudo mount /dev/mapper/my_encrypted_volume /media/my_device step I got the error:
Unlocking and mounting the disk with udisksctl
Instead, I used udisksctl, a command-line interface that interacts with the udisksd service.
Here's what worked (/dev/sdb5 is the partition on my hard disk marked as crypt-luks):
After typing the first command, you'll be prompted for your encryption passphrase. Once the encrypted partition is unlocked, the second command will mount it. If that's successful, you'll end up with a message similar to this:
From there I could access the data :)
Locking the disk with udisksctl
Unmount the device:
You'll need to deactivate all logical volumes in the ubuntu-vg volume group first. Otherwise you'll get an error along the lines of 'Device busy' if you try to lock it (more info):
Then you'll be able to lock back the encrypted partition
Notes
udisksctl commands are executed without sudo.
Device mapper names: the ubuntu--vg-root naming might change across Ubuntu releases (e.g. I've seen it called system-root and ubuntu-root too). An easy way to find out the name is to run the following command after unlocking the LUKS partition:
ls -la /dev/mapper
Then looking at the output of the ls command, the name you'll need will be generally the one symlinked to /dev/dm-1
Device mapper names, alternative: an alternative to the previous command is to run:
lsblk -e7
There you'll be able to see the device name mapping as a tree view. The -e 7 option is used to exclude the loop devices (ID 7) created by installed snaps from the output. Simply to have less clutter.
sudo lvs command to find out the names of volume groups and logical volumes
sudo lvchange -an ubuntu-vg command before you can lock it from the GUI.
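The unlock/mount and unmount/deactivate/lock sequence described in the answer above, as an added shell example that is not part of the original answer: it reads the mapper and volume group names from lsblk rather than hard-coding ubuntu--vg-root. The function names, the sample lsblk rows and the luks-PLACEHOLDER mapping name are constructed for illustration, and the script goes slightly beyond the answer by also handling a LUKS partition that holds a filesystem directly (no LVM).

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Usage: script open|close /dev/sdXN

# Constructed sample of `lsblk -ln -o NAME,TYPE,FSTYPE /dev/sdb5` after unlocking;
# "luks-PLACEHOLDER" stands in for the real mapping name udisks creates.
SAMPLE_LSBLK='sdb5 part crypto_LUKS
luks-PLACEHOLDER crypt LVM2_member
ubuntu--vg-root lvm ext4
ubuntu--vg-swap_1 lvm swap'

# stdin: "NAME TYPE FSTYPE" rows. stdout: /dev/mapper nodes that hold a mountable
# filesystem (skips swap, LVM physical volumes and rows with no filesystem).
mountable_nodes() {
    awk '($2 == "lvm" || $2 == "crypt") && NF == 3 &&
         $3 != "swap" && $3 != "LVM2_member" { print "/dev/mapper/" $1 }'
}

# stdin: same rows. stdout: unique volume group names. Device-mapper doubles any
# hyphen inside a VG/LV name, so ubuntu--vg-root is VG "ubuntu-vg", LV "root".
volume_groups() {
    awk '$2 == "lvm" { print $1 }' |
        sed -e 's|--|/|g' -e 's|-.*||' -e 's|/|-|g' | sort -u
}

open_volume() {   # unlock (prompts for the passphrase), then mount each filesystem
    udisksctl unlock -b "$1" || return 1
    lsblk -ln -o NAME,TYPE,FSTYPE "$1" | mountable_nodes |
        while read -r node; do udisksctl mount -b "$node"; done
}

close_volume() {  # unmount, deactivate the volume groups, then lock
    rows=$(lsblk -ln -o NAME,TYPE,FSTYPE "$1")
    printf '%s\n' "$rows" | mountable_nodes |
        while read -r node; do udisksctl unmount -b "$node"; done
    printf '%s\n' "$rows" | volume_groups |
        while read -r vg; do sudo lvchange -an "$vg"; done
    udisksctl lock -b "$1"
}

case "${1:-}" in
    open)  open_volume "$2" ;;
    close) close_volume "$2" ;;
esac
```

Run it as your normal user: only the lvchange step goes through sudo, matching the note that udisksctl commands are executed without it.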