LinuxQuestions.org


pchristy 05-23-2022 08:47 AM

Luks encryption
 
If I plug a Luks encrypted external drive into my laptop, I enter the password and it opens. If I mount an internal Luks encrypted partition (noauto in fstab), as well as the password, it asks for the root password as well, despite the fact that I am the "owner" of the partition.

Why? And how do I stop it?

--
Pete

rknichols 05-23-2022 11:32 AM

Does your fstab entry include the "user" option? You need that to allow a non-root user to mount. Using "users" instead of "user" allows any user to unmount, not just the user who mounted it.

Note: You really should include the "nosuid" and "nodev" options also. Think about the security implications of a user-mounted filesystem that might include suid and device inodes.

pchristy 05-23-2022 11:45 AM

Quote:

Originally Posted by rknichols (Post 6355848)
Does your fstab entry include the "user" option? You need that to allow a non-root user to mount. Using "users" instead of "user" allows any user to unmount, not just the user who mounted it.

I had "owner" in there instead of "user", but changing it to "user" has made no difference.

Quote:

Originally Posted by rknichols (Post 6355848)
Note: You really should include the "nosuid" and "nodev" options also. Think about the security implications of a user-mounted filesystem that might include suid and device inodes.

I'll bear that in mind, once I get it working as I want! It's really irritating having to use two passwords when one ought to do it...!

Thanks for the advice!

--
Pete

rknichols 05-23-2022 12:00 PM

Quote:

Originally Posted by pchristy (Post 6355853)
I had "owner" in there instead of "user", but changing it to "user" has made no difference.

Are you perhaps issuing the mount command with both the device and the mount point? You need to use just one of those and have the mount command get the other from /etc/fstab. When you supply both, /etc/fstab is ignored.

pchristy 05-23-2022 12:14 PM

I'm actually doing it from Dolphin (Plasma5's file manager).

If I plug in an encrypted external drive, it appears in the devices window, I click on it, enter the password and it opens. The external drive doesn't have a defined mount point, and gets mounted under /run/media/myname/ExtDrive. I've tried commenting out the line in fstab, hoping it would be treated the same way as an external drive, but it didn't make any difference. It still mounted, but only after supplying the root password as well.

But here's a thing that may be relevant: Even when the fstab line is active, it still mounts the drive under /run/media/myname/ rather than its designated mount point! I have no idea why. I'm assuming that the filesystem type should be ext4 (or whatever) in fstab, and not luks, or some derivation? I've not tried this before, so I'm guessing some stuff here!

I'll come back shortly and post an anonymised version of the fstab line, see if I've done everything right. I've never had a problem before adding drives or nfs shares.

--
Pete

Markus Wiesner 05-23-2022 12:16 PM

Quote:

Originally Posted by rknichols (Post 6355848)
Note: You really should include the "nosuid" and "nodev" options also. Think about the security implications of a user-mounted filesystem that might include suid and device inodes.

That's already the default, see man mount:

Code:

      owner
          Allow an ordinary user to mount the filesystem if that user
          is the owner of the device. This option implies the
          options nosuid and nodev (unless overridden by subsequent
          options, as in the option line owner,dev,suid).
[..]
      users
          Allow any user to mount and to unmount the filesystem, even
          when some other ordinary user mounted it. This option
          implies the options noexec, nosuid, and nodev (unless
          overridden by subsequent options, as in the option line
          users,exec,dev,suid).


rknichols 05-23-2022 12:33 PM

Quote:

Originally Posted by pchristy (Post 6355862)
I'm actually doing it from Dolphin (Plasma5's file manager).

I think you'll find that mounting from the command line works just fine. For a GUI file manager, all bets are off!

pchristy 05-23-2022 01:04 PM

Here's the relevant line from fstab:
Code:

/dev/sdaX        /mnt/hd          ext4        rw,noauto,owner    1  2

Despite the /mnt/hd directory command, it still gets mounted to /run/media/myname which makes me think that the fstab entry is being ignored. But why?

I am the "owner" of the partition I'm trying to mount. I'm not sure if it should be necessary or not, but I'm in the sys and disk groups. I can't think of any other reason why this doesn't work!

All ideas welcome!

--
Pete

Petri Kaukasoina 05-23-2022 03:19 PM

Quote:

Originally Posted by pchristy (Post 6355892)
I'm not sure if it should be necessary or not, but I'm in the sys and disk groups.

No user should be in the disk group. It means you can read, write and destroy anything on the disk.

zeebra 05-23-2022 03:47 PM

Quote:

Originally Posted by pchristy (Post 6355792)
If I plug a Luks encrypted external drive into my laptop, I enter the password and it opens. If I mount an internal Luks encrypted partition (noauto in fstab), as well as the password, it asks for the root password as well, despite the fact that I am the "owner" of the partition.

Why? And how do I stop it?

--
Pete

I'm not 100% sure, because I just returned to Slackware, but I've been using KDE for a long time, and in other distros it mounts in /var/run/media with owner/group as root. So you can't access the disk, even if everything in there is owned by the user. I'm fairly sure polkit is the one causing the password prompt, and fairly sure polkit allows you to "escalate" to do something you wouldn't normally be allowed to do.

You can write a polkit rule to get rid of the password prompt. Should be in /usr/share/polkit/rules.d.

Personally I didn't use an external disk much, so I would go into the folder and change the owner/group, and as far as I remember you only need to do that once for each disk. But that's only advisable if the disk is only for user owned stuff anyways.

pchristy 05-23-2022 04:08 PM

Quote:

Originally Posted by Petri Kaukasoina (Post 6355935)
No user should be in the disk group. It means you can read, write and destroy anything on the disk.

Noted. Thanks!

Quote:

Originally Posted by zeebra
I'm not 100% sure, because I just returned to Slackware, but I've been using KDE for a long time, and in other distros it mounts in /var/run/media with owner/group as root. So you can't access the disk, even if everything in there is owned by the user. I'm fairly sure polkit is the one causing the password prompt, and fairly sure polkit allows you to "escalate" to do something you wouldn't normally be allowed to do.

You can write a polkit rule to get rid of the password prompt. Should be in /usr/share/polkit/rules.d.

There seems to be a rule in there already that allows those in the "plugdev" group to mount and unmount things. But perhaps that only applies to pluggable devices? It would explain why I don't get asked for the root password when I plug in an external drive. I think you are on to something here.

I need to figure out the syntax and apply it to a non-pluggable partition, and looking at it now, that looks above my pay-grade! ;)

I'll have a look in the morning when I'm not half-asleep!

Many thanks for the suggestions!

--
Pete

pchristy 05-23-2022 04:43 PM

I found a suggestion over on the archlinux board from someone who was having a similar issue. The suggestion there was to create a "10-mount-system.rules" file containing:
Code:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" &&
          subject.active &&
          subject.isInGroup("storage")) {
          return polkit.Result.YES;
    }
});

Tried it, but it didn't work. I'm not familiar with polkit rules, but from what I've read, it sounds like the right approach.

Any hints welcome!

--
Pete

zeebra 05-24-2022 03:15 AM

Quote:

Originally Posted by pchristy (Post 6355952)
I found a suggestion over on the archlinux board from someone who was having a similar issue. The suggestion there was to create a "10-mount-system.rules" file containing:
Code:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" &&
          subject.active &&
          subject.isInGroup("storage")) {
          return polkit.Result.YES;
    }
});

Tried it, but it didn't work. I'm not familiar with polkit rules, but from what I've read, it sounds like the right approach.

Any hints welcome!

--
Pete

That doesn't change anything, because that's basically the same as the (first part of) plugdev rule you mentioned above, except the group under that rule in this case has another name. So in a way the group is irrelevant, if you read the rules backward (which makes it easier to understand). It's the long org.xy.z thing that actually matters.

Here is a lot of information (but the basics about how it works are at the start):
https://develop.kde.org/docs/use/kauth/
https://develop.kde.org/docs/use/kauth/using_kauth/

To list the actions you can use:
Code:

pkaction

And to get information on what they do:
Code:

pkaction --action-id org.freedesktop.udisks2.filesystem-mount-system --verbose

I would guess one of these could be relevant:
org.freedesktop.udisks2.filesystem-mount
org.freedesktop.udisks2.open-device
org.freedesktop.udisks2.open-device-system

So, you could test and make the same rule as above, but you can use a group like myusergroup or any group you're a member of by now.

But I'm no expert on polkit, and like I said I don't really use external disks very much, and when I do I don't use polkit for it.

pchristy 05-24-2022 04:23 AM

Thanks for the info! I'll have a read of that documentation - thanks for the pointer! I'll also check out that pkaction command.

I'm beginning to wonder if I'm looking at this from the wrong angle. The actual message that comes up is "Authentication is required to unlock the encrypted device", and I've just noticed that it is generated by "PolicyKit1 Kde Agent" (this latter only appears in the small box on the panel at the bottom of the screen, not the main window). To me, that is pointing to the pkaction command you mention. I'll go and have a closer look at this.

What is puzzling me is why I don't need the root password to mount external encrypted disks, but I do for internal ones.

<sigh!> Whoever said computers were logical! :(

UPDATE: All those polkit scripts seem to refer to removable devices, which aren't the problem. I'm beginning to think I'm asking the impossible! Google shows quite a few similar questions, but no solutions!

--
Pete

zeebra 05-24-2022 04:31 AM

Quote:

Originally Posted by pchristy (Post 6356094)
The actual message that comes up is "Authentication is required to unlock the encrypted device",

<sigh!> Whoever said computers were logical! :(

It's only as logical as those who implement the logic ;)
Sorry, I put the wrong link in there:
https://develop.kde.org/docs/use/kauth/

Anyways, looking at that message, I guess it would be one of these 2:
org.freedesktop.udisks2.encrypted-unlock
org.freedesktop.udisks2.encrypted-unlock-system

Quote:

Originally Posted by pchristy (Post 6356094)
UPDATE: All those polkit scripts seem to refer to removable devices, which aren't the problem. I'm beginning to think I'm asking the impossible! Google shows quite a few similar questions, but no solutions!

Well, since it does that, it should mean that there is an action for that purpose. The purpose of making a polkit rule like above with "YES", is that it automatically grants the request (without password) to people in that particular group it refers to.

But I have no idea what action it is, sorry.

Btw. If you make/test rules, put a high leading number in front, so it's loaded last. Like 90-myrule.rules
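The rule zeebra is describing, written out as an added example that is not from any poster in this thread: it grants the two "-system" udisks2 actions named above to members of an assumed group "luksusers", only from a local active session, and returns nothing otherwise so later rules and the policy default still apply. The stand-in "polkit" object at the top is only there so the rule logic can be exercised outside polkitd; the part below the separator is what would go into /etc/polkit-1/rules.d/90-luks-unlock.rules.

```javascript
// Minimal stand-in for polkit's rule API so the rule can be exercised
// outside polkitd (constructed for this example; in a real rules file
// polkitd supplies the global "polkit" object and this shim is not needed).
var polkit = (typeof polkit === "object" && polkit) || {
  Result: { YES: "yes", NO: "no" },
  rules: [],
  addRule: function (fn) { this.rules.push(fn); },
  // Rules run in file order; the first one that returns a Result wins,
  // otherwise the action's .policy default (auth_admin for *-system) applies.
  decide: function (action, subject) {
    for (var i = 0; i < this.rules.length; i++) {
      var r = this.rules[i](action, subject);
      if (r !== undefined) { return r; }
    }
    return "policy-default";
  }
};

// --- contents of /etc/polkit-1/rules.d/90-luks-unlock.rules (example) ---
// "luksusers" is an assumed group name; create it and add the user to it.
// udisks2 uses the "-system" actions for internal (non-removable) disks;
// the plain "encrypted-unlock" action for removable media already allows
// an active local session by default, which is why an external drive needs
// no root password. A high prefix (90-) loads this after the distro rules.
var LUKS_GROUP = "luksusers";
var LUKS_ACTIONS = {
  "org.freedesktop.udisks2.encrypted-unlock-system": true,
  "org.freedesktop.udisks2.filesystem-mount-system": true
};

function luksUnlockRule(action, subject) {
  if (!LUKS_ACTIONS[action.id]) {
    return undefined;               // not ours: fall through to later rules
  }
  // Only a local, active session: a remote or background login must
  // still authenticate as admin.
  if (!subject.local || !subject.active) {
    return undefined;
  }
  if (subject.isInGroup(LUKS_GROUP)) {
    return polkit.Result.YES;       // grant without a password prompt
  }
  return undefined;
}

polkit.addRule(luksUnlockRule);
```

After installing the file, `pkaction --action-id org.freedesktop.udisks2.encrypted-unlock-system --verbose` still shows the policy defaults; the rule is applied on top of them at request time.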

