Ubuntu – Mount encrypted volumes from command line

command line, encryption, mount

If I have an encrypted external disk (or an internal disk that is not in fstab), I see an entry for it in Nautilus — with an entry like "X GB Encrypted Volume". I can click on this volume, and am prompted for a password to decrypt and mount the device.

But how do I do this from the command line?

This wiki page, and other docs I can find, only refer to GUI methods of decrypting the device; but this won't do in the context of headless servers or SSH logins. Is there a simple way to get devices to mount to automatic locations in /media just like they would with the GUI?

(I'm not asking about encrypted home directories — I'm aware of ecryptfs-mount-private. This question is about additional encrypted volumes.)

Best Answer

  • The steps in @Georg Schölly's answer did not work for me at the time, although they might work now, a few Ubuntu releases later. Back then, after the sudo mount /dev/mapper/my_encrypted_volume /media/my_device step I got the error:

    mount: unknown filesystem type 'LVM2_member'

    Unlocking and mounting the disk with udisksctl

    Instead, I used udisksctl, a command-line interface that interacts with the udisksd service.

    Here's what worked (/dev/sdb5 is the partition on my hard disk marked as crypt-luks):

    udisksctl unlock -b /dev/sdb5
    udisksctl mount -b /dev/mapper/ubuntu--vg-root
    

    After typing the first command, you'll be prompted for your encryption passphrase. Once the encrypted partition is unlocked, the second command will mount it. If that's successful, you'll end up with a message similar to this:

    Mounted /dev/dm-1 at /media/dpm/e8cf82c0-f0a3-41b3-ab28-1f9d23fcfa72
    

    From there I could access the data :)

    Locking the disk with udisksctl

    Unmount the device:

    udisksctl unmount -b /dev/mapper/ubuntu--vg-root
    

    You'll need to deactivate all logical volumes in the ubuntu-vg volume group first. Otherwise you'll get an error along the lines of 'Device busy' if you try to lock it (more info):

    sudo lvchange -an ubuntu-vg
    

    Then you'll be able to lock the encrypted partition again:

    udisksctl lock -b /dev/sdb5
    

    Notes

    • The udisksctl commands are executed without sudo.
    • Device mapper names: the ubuntu--vg-root naming might change across Ubuntu releases (e.g. I've seen it called system-root and ubuntu-root too). An easy way to find out the name is to run the following command after unlocking the LUKS partition:

      ls -la /dev/mapper

      Then, looking at the output of the ls command, the name you'll need will generally be the one symlinked to /dev/dm-1.

    • Device mapper names, alternative: an alternative to the previous command is to run:

      lsblk -e7

      There you'll be able to see the device name mapping as a tree view. The -e 7 option is used to exclude the loop devices (ID 7) created by installed snaps from the output, simply to have less clutter.

    • Logical volume names: you can run the sudo lvs command to find out the names of volume groups and logical volumes.
    • Disks app: the GNOME Disks app does not automatically deactivate the logical volumes before locking the partition. Even if you've successfully unlocked the partition via the GUI, you will need to go to the command line and execute the sudo lvchange -an ubuntu-vg command before you can lock it from the GUI.
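
Added example (not part of the original answer): a shell sketch that works out the lock sequence described above (unmount, lvchange -an, lock) from lsblk output, including turning a mapper name such as ubuntu--vg-root back into the volume group name that lvchange expects. The function names and the sample lsblk lines are constructed for illustration; it prints the commands instead of running them.

```shell
#!/bin/sh
# Feed it: lsblk -P -o NAME,KNAME,PKNAME,TYPE,MOUNTPOINT | lock_plan sdb5
# Constructed sample of that output (only sdb5 and ubuntu--vg-root are from the page).
SAMPLE_LSBLK='NAME="sdb" KNAME="sdb" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sdb1" KNAME="sdb1" PKNAME="sdb" TYPE="part" MOUNTPOINT=""
NAME="sdb5" KNAME="sdb5" PKNAME="sdb" TYPE="part" MOUNTPOINT=""
NAME="luks-constructed" KNAME="dm-0" PKNAME="sdb5" TYPE="crypt" MOUNTPOINT=""
NAME="ubuntu--vg-root" KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/media/user/constructed"
NAME="ubuntu--vg-swap_1" KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT=""'

# vg_of_mapper NAME: LVM joins VG and LV with a single "-" and doubles any "-"
# inside either name, so "ubuntu--vg-root" means VG "ubuntu-vg", LV "root".
vg_of_mapper() {
    printf '%s\n' "$1" | awk '{
        gsub(/--/, "\n")                 # protect escaped hyphens (no newline in a name)
        split($0, p, "-")                # first single hyphen separates VG from LV
        gsub(/\n/, "-", p[1]); print p[1]
    }'
}

# lvs_under PART: read lsblk -P lines on stdin (parents are listed before
# children); print "NAME MOUNTPOINT" ("-" if unmounted) for each LV that sits
# on the crypt device opened from partition PART.
lvs_under() {
    awk -v part="$1" '{
        split("", f)                     # portable array reset
        for (i = 1; i <= NF; i++) { split($i, kv, "="); gsub(/"/, "", kv[2]); f[kv[1]] = kv[2] }
        if (f["TYPE"] == "crypt" && f["PKNAME"] == part) crypt[f["KNAME"]] = 1
        if (f["TYPE"] == "lvm" && (f["PKNAME"] in crypt))
            print f["NAME"], (f["MOUNTPOINT"] == "" ? "-" : f["MOUNTPOINT"])
    }'
}

# lock_plan PART: print the lock-down commands for PART in the required order.
lock_plan() {
    lvs=$(lvs_under "$1")
    [ -n "$lvs" ] || { echo "no unlocked LVM found under $1" >&2; return 1; }
    printf '%s\n' "$lvs" | while read -r lv mp; do
        [ "$mp" = "-" ] || echo "udisksctl unmount -b /dev/mapper/$lv"
    done
    printf '%s\n' "$lvs" | while read -r lv mp; do vg_of_mapper "$lv"; done |
        sort -u | sed 's/^/sudo lvchange -an /'
    echo "udisksctl lock -b /dev/$1"
}

printf '%s\n' "$SAMPLE_LSBLK" | lock_plan sdb5   # demo on the constructed sample
```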