While it’s easy to install a GNU/Linux operating system on your machine, and opt for full disk encryption during that installation process, it can be a little trickier if you want to add a second encrypted disk to your system and have that automatically unlock on start-up.

Fortunately, it’s not too much harder. This guide just focuses on decrypting the partition and mounting it somewhere. If you’re interested in setting up an encrypted partition, you’re probably just best off Googling it 🙂

Let’s get started.

Let’s say your partition is /dev/sda1.  Firstly, create a key that only root can read.

$ sudo bash
# cd /root
# dd if=/dev/urandom of=sda1keyfile bs=1024 count=4
# chmod 400 sda1keyfile

Now, you need to add this key file as an additional key to your encrypted disk. LUKS stores each key in a slot, and there are eight slots in total. You will be prompted for the passphrase you originally supplied when creating the partition:

# cryptsetup -v luksAddKey /dev/sda1 sda1keyfile
Enter any passphrase:

Once entered, you will see something like this:

Key slot 0 unlocked.
Key slot 1 created.
Command successful.

Now, you need to locate the disk using a way that will always be recognised by the system, even if disks change positions and /dev/sd* entries remap.  The safest way is to use the UUID of the partition.

This one-liner will probably get you the right answer (be sure to change sda1 to your own partition):

ls -l /dev/disk/by-uuid/ | grep sda1 | awk ' {print $9;}'

This should give you something looking like this:

2e08befa-6a53-4628-8f16-8b6dd7631aa5

You then want to tell the system to unlock this disk on boot. How to do this? Well, the file /etc/crypttab is all you need to know!

The field order is like this:

Name         Path                                        Unlock credential   Options
mycryptdisk  UUID=2e08befa-6a53-4628-8f16-8b6dd7631aa5   /root/sda1keyfile   luks,timeout=30,discard

Just save the file and you’re nearly ready. Device Mapper (dm) will read this file on boot up, and attempt to unlock the encrypted partition using the supplied key.

The last part of this process is to automatically mount this decrypted partition. For that, you’ll need to visit /etc/fstab. The unlocked device appears as /dev/mapper/ followed by the name you chose in /etc/crypttab. Enter a line similar to the following, making adjustments for your environment:

/dev/mapper/mycryptdisk /mnt/mydata ext4 defaults,discard 0 2
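The steps above gathered into a few POSIX sh helpers, as an added example that is not part of the original post: the UUID is found by following the /dev/disk/by-uuid symlinks rather than grepping ls output, the keyfile permissions are checked before it is trusted, and the /etc/crypttab and /etc/fstab lines are rendered from the chosen name. The function names are my own and the script assumes a GNU/busybox stat that supports -c.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the procedure above.
# Function names are hypothetical; assumes `stat -c` (GNU coreutils or busybox).

# uuid_for_device DEVICE [BY_UUID_DIR]
# Prints the UUID whose symlink resolves to DEVICE (e.g. /dev/sda1).
# BY_UUID_DIR defaults to /dev/disk/by-uuid; another directory can be
# supplied so the lookup can be exercised without real disks.
uuid_for_device() {
  dev_base=${1##*/}
  dir=${2:-/dev/disk/by-uuid}
  for link in "$dir"/*; do
    [ -L "$link" ] || continue
    # by-uuid entries are relative links such as ../../sda1; compare the last component
    target=$(readlink "$link")
    if [ "${target##*/}" = "$dev_base" ]; then
      printf '%s\n' "${link##*/}"
      return 0
    fi
  done
  return 1   # no UUID entry for this device
}

# keyfile_is_private FILE
# True only if FILE is a regular file with no group/other permission bits,
# i.e. the chmod 400 from the guide (or 600) has actually been applied.
keyfile_is_private() {
  [ -f "$1" ] || return 1
  case $(stat -c '%a' "$1") in
    *00) return 0 ;;   # e.g. 400 or 600; anything wider lets other users read the key
    *)   return 1 ;;
  esac
}

# crypttab_line NAME UUID KEYFILE [OPTIONS]: one /etc/crypttab entry
crypttab_line() {
  printf '%s UUID=%s %s %s\n' "$1" "$2" "$3" "${4:-luks,timeout=30,discard}"
}

# fstab_line NAME MOUNTPOINT [FSTYPE]: mounts the unlocked /dev/mapper/NAME device
fstab_line() {
  printf '/dev/mapper/%s %s %s defaults,discard 0 2\n' "$1" "$2" "${3:-ext4}"
}
```

Source the file and call, for example, `crypttab_line mycryptdisk "$(uuid_for_device /dev/sda1)" /root/sda1keyfile` to print the entry to append to /etc/crypttab.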

There you have it. You should now be able to access your encrypted volume automatically on boot up, and not rely on a desktop environment like GNOME to help you unlock it with a passphrase in your keyring.

5 thoughts on “Automatically unlock encrypted partition in Linux”

    • Funnily enough I was browsing your site the other day, for your post on WordPress to Jekyll conversion. I was tempted to have a GitHub Pages site myself, but have again resisted.

      • I followed your instructions at the weekend and they worked perfectly, thank you Steve.

        I hardly touch my blog now, so am very pleased that GitHub pages is costing me nothing. I was quite surprised when I did an update recently and it still all worked perfectly. Another option that I use for other purposes is DokuWiki, which is just an absolute joy to use.
