Linux – Mounting LUKS from the command line


When in nautilus or caja I click on the icon of an encrypted disk and enter my password, the underlying block device gets mapped to /dev/mapper/luks-$UUID and it gets mounted at /media/$USER/$DISK, no root password required.
Is there a way to invoke this process from the command line, without a GUI, including obviating sudo and having the mountpoint able to get unmounted again from the GUI?

Best Answer

I don't know of a single-command way to do this. The GUI programs are doing a fair bit of interrogation of the disk to take the "right" approach and you'll need to do some of that work yourself. You don't need sudo, though, and I think the resulting sequence of events is relatively painless.

The Short Answer

Use udisksctl from the udisks2 package:

udisksctl unlock -b /path/to/disk/partition
udisksctl mount -b /path/to/unlocked/device

Your user account will need to be appropriately authorized in order for the above to work. On Debian and Ubuntu, that means adding your account to the plugdev group.

When you're done with the disk:

udisksctl unmount -b /path/to/unlocked/device
udisksctl lock -b /path/to/disk/partition
udisksctl power-off -b /path/to/disk/or/partition

How to Set Things Up

Here's how you can set things up (via the command line) to make the process of using the disk as painless as possible. I'll assume you want to use the entirety of the USB drive as a single filesystem. Other configurations will require modifications to the instructions. Caveat on variations: I haven't found a way to use LVM in the encrypted container that will allow an unprivileged account to disconnect everything. (I don't see a way to deactivate a volume group via udisksctl.)

For purposes of illustration, we'll say that the disk is /dev/sda. You'll need a name for the filesystem to make it easier to reference later. I'll use "example".

Partition the Disk

Run sudo parted /dev/sda and run the following commands:

mklabel gpt
mkpart example-part 1MiB -1s
quit

The mkpart command will probably prompt you to adjust the parameters slightly. You should be okay accepting its recommended numbers.

The partition will now be available via /dev/disk/by-partlabel/example-part.

Create and Mount the LUKS Partition

sudo cryptsetup luksFormat /dev/disk/by-partlabel/example-part

Go through the prompts.

sudo cryptsetup luksOpen /dev/disk/by-partlabel/example-part example-unlocked

The encrypted device is now available at /dev/mapper/example-unlocked. This is not going to be a permanent thing; it's just for the setup process.

Create Your Filesystem

Let's assume that the filesystem you're using is XFS. Pretty much any other traditional filesystem will work the same way. The important thing is to add a label that you can reference later:

sudo mkfs -t xfs -L example /dev/mapper/example-unlocked

The filesystem's block device can now be accessed via /dev/disk/by-label/example.

Set Filesystem Permissions

By default, the filesystem will be only accessible by root. In most cases, you probably want the files to be accessible by your user account. Assuming your account name is "user":

udisksctl mount -b /dev/disk/by-label/example
sudo chown user:user /media/user/example

Close Everything Down

udisksctl unmount -b /dev/disk/by-label/example
sudo cryptsetup luksClose example-unlocked

Use Your Filesystem

This is what you'll do regularly. After plugging in the USB drive,

udisksctl unlock -b /dev/disk/by-partlabel/example-part
udisksctl mount -b /dev/disk/by-label/example

If your user account is "user", the filesystem will now be mounted at /media/user/example.

To unmount the filesystem:

udisksctl unmount -b /dev/disk/by-label/example
udisksctl lock -b /dev/disk/by-partlabel/example-part
udisksctl power-off -b /dev/disk/by-partlabel/example-part

Now you can disconnect the USB drive.
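The open/close sequence from the answer as a small POSIX sh wrapper (an added example, not the answer's own code): it assumes the partition label "example-part" and filesystem label "example" used above, and instead of guessing the unlocked device it parses the status line udisksctl prints ("Unlocked /dev/sdb1 as /dev/dm-3.") so the mount step always targets the mapper device udisks just created. The function names and the open/close arguments are this example's own, not part of udisks.

```shell
#!/bin/sh
# Unprivileged LUKS open/close via udisksctl, no sudo involved.
# Labels assumed from the answer's setup (not real udisks defaults).
PART=/dev/disk/by-partlabel/example-part
FS=/dev/disk/by-label/example

# udisksctl unlock reports "Unlocked <partition> as <mapper device>."
# Return the mapper device path; fail on anything else (e.g. an error line).
parse_unlocked() {
    case "$1" in
        "Unlocked "*" as "*) ;;
        *) return 1 ;;
    esac
    dev=${1#* as }      # keep text after " as "
    dev=${dev%.}        # strip the trailing period
    printf '%s\n' "$dev"
}

# udisksctl mount reports "Mounted <device> at <mountpoint>" (older
# releases append a period). Return the mount point.
parse_mounted() {
    case "$1" in
        "Mounted "*" at "*) ;;
        *) return 1 ;;
    esac
    mp=${1#* at }
    mp=${mp%.}
    printf '%s\n' "$mp"
}

# Unlock, then mount the device udisks actually mapped; print the mount point.
open_disk() {
    out=$(udisksctl unlock -b "$PART") || return 1
    dev=$(parse_unlocked "$out") || return 1
    out=$(udisksctl mount -b "$dev") || return 1
    parse_mounted "$out"
}

# Reverse order: unmount, lock the container, then power the drive off.
close_disk() {
    udisksctl unmount -b "$FS" &&
    udisksctl lock -b "$PART" &&
    udisksctl power-off -b "$PART"
}

case "${1:-}" in
    open)  open_disk ;;
    close) close_disk ;;
esac
```

Run it as `./luks.sh open` after plugging the drive in and `./luks.sh close` before pulling it; both steps still require your account to be authorized for udisks (the plugdev group on Debian and Ubuntu, as noted above).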
