Luks encryption
If I plug a Luks encrypted external drive into my laptop, I enter the password and it opens. If I mount an internal Luks encrypted partition (noauto in fstab), as well as the password, it asks for the root password as well, despite the fact that I am the "owner" of the partition.
Why? And how do I stop it? -- Pete
Does your fstab entry include the "user" option? You need that to allow a non-root user to mount. Using "users" instead of "user" allows any user to unmount, not just the user who mounted it.
Note: You really should include the "nosuid" and "nodev" options also. Think about the security implications of a user-mounted filesystem that might include suid and device inodes.
Thanks for the advice! -- Pete
I'm actually doing it from Dolphin (Plasma5's file manager).
If I plug in an encrypted external drive, it appears in the devices window, I click on it, enter the password and it opens. The external drive doesn't have a defined mount point, and gets mounted under /run/media/myname/ExtDrive.

I've tried commenting out the line in fstab, hoping it would be treated the same way as an external drive, but it didn't make any difference. It still mounted, but only after supplying the root password as well.

But here's a thing that may be relevant: Even when the fstab line is active, it still mounts the drive under /run/media/myname/ rather than its designated mount point! I have no idea why. I'm assuming that the filesystem type should be ext4 (or whatever) in fstab, and not luks, or some derivation? I've not tried this before, so I'm guessing some stuff here!

I'll come back shortly and post an anonymised version of the fstab line, see if I've done everything right. I've never had a problem before adding drives or nfs shares. -- Pete
Code:
owner
Here's the relevant line from fstab:
Code:
/dev/sdaX /mnt/hd ext4 rw,noauto,owner 1 2

I am the "owner" of the partition I'm trying to mount. I'm not sure if it should be necessary or not, but I'm in the sys and disk groups. I can't think of any other reason why this doesn't work! All ideas welcome! -- Pete
You can write a polkit rule to get rid of the password prompt. Should be in /usr/share/polkit/rules.d. Personally I didn't use an external disk much, so I would go into the folder and change the owner/group, and as far as I remember you only need to do that once for each disk. But that's only advisable if the disk is only for user owned stuff anyways.
I need to figure out the syntax and apply it to a non-pluggable partition, and looking at it now, that looks above my pay-grade! ;) I'll have a look in the morning when I'm not half-asleep! Many thanks for the suggestions! -- Pete
I found a suggestion over on the archlinux board from someone who was having a similar issue. The suggestion there was to create a "10-mount-system.rules" file containing:
Code:
polkit.addRule(function(action, subject) {

Any hints welcome! -- Pete
Here is a lot of information: (but the basics about how it works are at the start)
https://develop.kde.org/docs/use/kauth/
https://develop.kde.org/docs/use/kauth/using_kauth/

To list the actions you can use:
Code:
pkaction
Code:
pkaction --action-id org.freedesktop.udisks2.filesystem-mount-system --verbose

org.freedesktop.udisks2.filesystem-mount
org.freedesktop.udisks2.open-device
org.freedesktop.udisks2.open-device-system

So, you could test and make the same rule as above, but you can use a group like myusergroup or any group you're a member of by now. But I'm no expert on polkit, and like I said I don't really use external disks very much, and when I do I don't use polkit for it.
Thanks for the info! I'll have a read of that documentation - thanks for the pointer! I'll also check out that pkaction command.

I'm beginning to wonder if I'm looking at this from the wrong angle. The actual message that comes up is "Authentication is required to unlock the encrypted device", and I've just noticed that it is generated by "PolicyKit1 Kde Agent" (this latter only appears in the small box on the panel at the bottom of the screen, not the main window). To me, that is pointing to the pkaction command you mention. I'll go and have a closer look at this.

What is puzzling me is why I don't need the root password to mount external encrypted disks, but I do for internal ones. <sigh!> Whoever said computers were logical! :(

UPDATE: All those polkit scripts seem to refer to removable devices, which aren't the problem. I'm beginning to think I'm asking the impossible! Google shows quite a few similar questions, but no solutions! -- Pete
Sorry, I put the wrong link in there: https://develop.kde.org/docs/use/kauth/

Anyways, looking at that message, I guess it would be one of these 2:
org.freedesktop.udisks2.encrypted-unlock
org.freedesktop.udisks2.encrypted-unlock-system

But I have no idea what action it is, sorry.

Btw. If you make/test rules, put a high leading number in front, so it's loaded last. Like 90-myrule.rules
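
An added example, not part of any post in this thread and not taken from the Arch suggestion mentioned above: a polkit rule limited to the two udisks2 "system" (non-removable) action ids named in the thread, granting them only to an active local session whose user is in one trusted group. The group name `storage`, the file name and the small `polkit` stub (there only so the file can be exercised under Node) are assumptions.

```javascript
// Added example. Hypothetical file name: 90-udisks-internal.rules
// (local polkit rules are normally read from /etc/polkit-1/rules.d).

// Stub of the polkit global, only used when this file is run under Node
// for testing. polkitd provides the real object; leave the stub out of
// the installed copy.
if (typeof polkit === "undefined") {
    var polkit = {
        Result: { YES: "yes", NOT_HANDLED: "not_handled" },
        rules: [],
        addRule: function (fn) { this.rules.push(fn); }
    };
}

// The two udisks2 actions for internal ("system") devices from the thread.
var ALLOWED_ACTIONS = [
    "org.freedesktop.udisks2.encrypted-unlock-system",
    "org.freedesktop.udisks2.filesystem-mount-system"
];

// Assumption: a group created for this purpose; substitute your own.
var TRUSTED_GROUP = "storage";

function udisksInternalRule(action, subject) {
    if (ALLOWED_ACTIONS.indexOf(action.id) === -1) {
        return polkit.Result.NOT_HANDLED;   // not ours: defaults still apply
    }
    // Only an active session on the local console, never a remote login.
    if (!subject.local || !subject.active) {
        return polkit.Result.NOT_HANDLED;
    }
    if (subject.isInGroup(TRUSTED_GROUP)) {
        return polkit.Result.YES;           // skip the admin password prompt
    }
    return polkit.Result.NOT_HANDLED;       // everyone else is still prompted
}

polkit.addRule(udisksInternalRule);
```

The LUKS passphrase is still required; the rule only removes the extra administrator authentication for those two actions.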