Disable crypto partition password at boot time

richardeigenmann · August 10, 2018, 8:40pm

I have a separate crypto partition for my private data on my laptop. I don’t always need to have it mounted so I would be happy to bypass the prompt at boot time only only mount on demand. How is this achieved?

systemctl start cryptsetup.target

Seems to be the command to start up the whole decryption thing with mounting. But it isn’t visible in yast as a service to disable at boot time

hcvv · August 10, 2018, 9:06pm

I do not know about the encryption, but when you want a partition defined in /etc/fstab not to be mounted at boot, you use the option

noauto

And when you the want a “normal” user to be able to mount it (later), use the option

user

nrickert · August 10, 2018, 9:08pm

Presumably, there is an entry for this partition in “/etc/crypttab”. You need to put “noauto” in the options field for this entry.

The options field is the 4th column. If it says “none”, then change that to “noauto”. Otherwise append “,noauto”.

If there isn’t a 4th column, add one (with “noauto”). If there isn’t even a third column, then add a third column with “none” and a 4th column with “auto”.

The quotes I used above are for readability, but do not enter those.

arvidjaar · August 11, 2018, 9:12am

These commands are generated dynamically when systemd starts from the content of /etc/crypttab.

richardeigenmann · August 11, 2018, 12:17pm

Thanks for the replies. It turns out changes to both /etc/crypttab and /etc/fstab are necessary.

Adding <space>none noauto to the /etc/crypttab entry disables the prompt for the password at boot. But then the boot hangs with the message “A start job is running for dev-disk-by/bla-bla-bla.device” for 1:30 minutes. This ends with a rescue system prompt. So we also need to change defaults to defaults,noauto in /etc/fstab. The system now boots cleanly with no crypto prompt and the mount point is empty.

But, how to activate the crypto partitions on demand? systemctl start cryptsetup.target does nothing now.

richardeigenmann · August 11, 2018, 12:49pm

systemctl start cryptsetup.target is not the right command.

Instead some systemd startables are created automagically. I’m no expert at systemd but typing systemctl start systemd-[TAB][TAB] shows a list of choices. For each entry in /etc/crypttab an entry is created in this auto-complete list. I have cr-auto-1 and cr-auto-2 as entries in my /etc/crypttab. This undergoes some character escaping and becomes systemd-cryptsetup@cr\\x2dauto\\x2d1.service and systemd-cryptsetup@cr\x2dauto\x2d2.service (where the first \ escapes the second \ and \x2d is the code for a dash).

Thus, to mount the crypto partition:


systemctl start systemd-cryptsetup@cr\\x2dauto\\x2d1.service
mount /mountpoint