Hello,
I’m using yast partitioner on Leap 15.4 to set up my encrypted partition and selected ‘Do not mount at boot time’. (I’m not trying to boot off an encrypted partition, this is just for a data drive formatted with xfs)
When I boot the partition doesn’t mount but I am asked for the encryption password for that disc before I get to the login screen, which I don’t want.
I only want to be prompted for the drive password when I need to mount the drive and supply the password at that point
I know this happens automatically when I click on the drive in Dolphin but then it mounts like an external drive to something like
/run/media/asb/0c37e6ec-523a-4656-a5e7-b5f5daa8340a/
How do I set this drive to mount at /backup ?
I have an fstab line with /backup and the noauto,user options which works to mount the drive manually but I still get asked for the password at boot time.
(Also how best to set the permissions in fstab for user access?)
Thanks very much for the help.
Andy
Show /etc/fstab and /etc/crypttab.
Hello, I have it set to auto mount at the moment as I had to enter the password anyway.
But I’d like to change it back - all I edited was the /backup line to change the defaults entry to noauto,user
Then it correctly doesn’t mount but it still asks me for the password for that drive between boot and user login.
Thanks
UUID=7c30796f-964f-4247-b76b-a144979138b6 / btrfs defaults 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /var btrfs subvol=/@/var 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /usr/local btrfs subvol=/@/usr/local 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /tmp btrfs subvol=/@/tmp 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /srv btrfs subvol=/@/srv 0 0
UUID=92ff0b61-27eb-4f8d-9758-aa46c9ecc29d /sound xfs defaults 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /root btrfs subvol=/@/root 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /opt btrfs subvol=/@/opt 0 0
UUID=e26d4a28-64f0-46db-a8bc-825b79ee55ce /home xfs defaults 0 0
UUID=895f5433-2bdc-4572-8f2f-106f319a1f4c /data xfs defaults 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /boot/grub2/x86_64-efi btrfs subvol=/@/boot/grub2/x86_64-efi 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /boot/grub2/i386-pc btrfs subvol=/@/boot/grub2/i386-pc 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /.snapshots btrfs subvol=/@/.snapshots 0 0
UUID=A565-D6FA /boot/efi vfat utf8 0 2
/dev/mapper/cr_backup /backup xfs defaults 0 0
cat /etc/crypttab
cr_backup UUID=b01863b4-97e4-46de-87d4-7adaf0902c49
The password request comes from here. If you do not want the device to be unlocked on boot, add the noauto option:
cr_backup UUID=b01863b4-97e4-46de-87d4-7adaf0902c49 - noauto
I do not know if KDE supports unlocking and mounting in one step or even presents encrypted containers in UI to do it.
If you mean “access to filesystem on encrypted container” - you have xfs, so access permissions are stored on the filesystem itself. Set them as needed.
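An added example, not part of the original thread: a small shell check that reads a crypttab and an fstab and reports, for each `/dev/mapper/<name>` mount, whether the container is unlocked at boot (crypttab without `noauto`) and whether the filesystem is mounted at boot (fstab without `noauto`). The function name `mapper_policy` is hypothetical, and the sample files are constructed from the entries quoted in this thread.

```shell
#!/bin/sh
# Report unlock and mount policy for LUKS-backed fstab entries.
# crypttab fields: name  device  keyfile  options
# fstab fields:    device  mountpoint  fstype  options  dump  passno
# Only fstab entries written as /dev/mapper/<name> are matched; entries that
# reference the inner filesystem by UUID cannot be resolved from text alone.
mapper_policy() {   # $1 = crypttab file, $2 = fstab file
    awk '
        function has_noauto(field,   o, n, i) {
            n = split(field, o, ",")          # empty or missing field gives n = 0
            for (i = 1; i <= n; i++) if (o[i] == "noauto") return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        kind == "c" {                         # crypttab: 4th field holds options
            unlock[$1] = has_noauto($4) ? "manual" : "boot"
            next
        }
        kind == "f" && index($1, "/dev/mapper/") == 1 {
            name = substr($1, 13)             # strip the "/dev/mapper/" prefix
            u = (name in unlock) ? unlock[name] : "absent"
            m = has_noauto($4) ? "manual" : "boot"
            printf "%s %s unlock=%s mount=%s\n", name, $2, u, m
        }
    ' kind=c "$1" kind=f "$2"
}

# Constructed demo: the crypttab line before and after adding noauto,
# combined with the noauto,user fstab line described in the thread.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'cr_backup UUID=b01863b4-97e4-46de-87d4-7adaf0902c49' \
        > "$dir/crypttab.before"
    printf '%s\n' 'cr_backup UUID=b01863b4-97e4-46de-87d4-7adaf0902c49 - noauto' \
        > "$dir/crypttab.after"
    printf '%s\n' '/dev/mapper/cr_backup /backup xfs noauto,user 0 0' \
        > "$dir/fstab"
    mapper_policy "$dir/crypttab.before" "$dir/fstab"
    mapper_policy "$dir/crypttab.after" "$dir/fstab"
    rm -rf "$dir"
}
demo
```

On a real system the call would be `mapper_policy /etc/crypttab /etc/fstab`; any line showing `unlock=boot` corresponds to a passphrase prompt before login.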
Thanks, no the UI doesn’t mount it but I’m not fussed about that, I can create a script
So from the manual I worked out:
cryptsetup luksOpen /dev/sdb2 cr_backup
mount /backup
This works - thanks.
and to unmount and close again:
umount /backup
cryptsetup luksClose cr_backup
Also the manual says it should now be nofail and 2 like this rather than noauto
/etc/fstab:
/dev/mapper/my_secure_partion /secret ext4 nofail 0 2
I will go and try this but I think I’m there - thanks again
Update - the nofail bit was from here:
https://en.opensuse.org/SDB:Encrypted_filesystems
Known Bugs and Pitfalls
‘noauto’ fstab option
In the past, yast created fstab entries for encrypted volumes with the ‘noauto’ option. This was necessary as boot.crypto ran after boot.localfs and mounted volumes itself. Nowadays, the fstab option ‘nofail’ exists, which allows the boot scripts to mount the volume if possible, but continue boot if the volume fails. Since the sysv scripts are not used with systemd anymore and systemd strictly honors the ‘noauto’ option, old fstab entries must be converted to use ‘nofail’ instead.
It is also recommended to set the fs_passno column in fstab (sixth field) to ‘2’ to enable file system checks.
=================
So I changed it to nofail and it’s asking for the password again at boot - I’ll change it back to noauto …
OK I changed back to noauto and now no password prompt.
But I’m getting a 20 second delay from user login to seeing the KDE screen while the cog wheel spins - how can I debug what’s going on there?
Thanks
Run journalctl --user -b after logging in. I am not sure if discourse allows attaching long files, so let’s use the old routine - upload to https://susepaste.org/
sudo journalctl --user -b
[sudo] password for root:
No journal files were found.
???
Thanks
OK with normal user it said
asb@localhost:~> journalctl --user -b
Hint: You are currently not seeing messages from the system.
Users in the ‘systemd-journal’ group can see all messages. Pass -q to
turn off this notice.
No journal files were opened due to insufficient permissions.
So I’ve now added my user to the systemd-journal group but it still says
asb@localhost:~> journalctl --user -b
No journal files were found.
-- No entries --
By the way I have another problem - when I log out (like I had to do to update the user settings) I get a GUI popup asking me to give the password for the encrypted drive. Which I typed in but I didn’t ask to access the /backup encrypted drive. Then it waited for a bit and logged me out !
OK I’ve changed tack, my /backup drive can just be standard xfs without encryption and I’ll just not mount it at login so it’s protected that way - that will have to do.
Once I remove the encryption the login delay goes away and also a 1m:30 wait on reboot waiting for some process to end, that also goes away.
But when I set /backup to be noauto in fstab, kde still pops up when I login asking for the root password to mount it. I want it to stay unmounted normally.
Is there any way to stop this popup? (Other than cancel it each time!)
Thanks
That seems to be a KDE setting. Go to settings, and click on the item for “Removable Storage”. Then select the tab for “Removable Devices” and uncheck all boxes.
By the way, you can also use a “noauto” option in “/etc/crypttab” so that you are not asked for encryption key during boot.
No persistent journal?
Does “/var/log/journal/” exist?
If not then to enable persistent logging create the directory “/var/log/journal/”
Hello @nrickert
I have noauto set in both fstab and had in crypttab and I still got prompted for the encrypted drive password before login
# cat /etc/fstab
UUID=7c30796f-964f-4247-b76b-a144979138b6 / btrfs defaults 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /var btrfs subvol=/@/var 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /usr/local btrfs subvol=/@/usr/local 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /tmp btrfs subvol=/@/tmp 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /srv btrfs subvol=/@/srv 0 0
UUID=92ff0b61-27eb-4f8d-9758-aa46c9ecc29d /sound xfs defaults 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /root btrfs subvol=/@/root 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /opt btrfs subvol=/@/opt 0 0
UUID=e26d4a28-64f0-46db-a8bc-825b79ee55ce /home xfs defaults 0 0
UUID=895f5433-2bdc-4572-8f2f-106f319a1f4c /data xfs defaults 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /boot/grub2/x86_64-efi btrfs subvol=/@/boot/grub2/x86_64-efi 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /boot/grub2/i386-pc btrfs subvol=/@/boot/grub2/i386-pc 0 0
UUID=7c30796f-964f-4247-b76b-a144979138b6 /.snapshots btrfs subvol=/@/.snapshots 0 0
UUID=A565-D6FA /boot/efi vfat utf8 0 2
UUID=8278f690-3669-4c4a-a706-f330016c684a /backup xfs noauto 0 0
# cat /etc/crypttab.old
cr_backup UUID=b01863b4-97e4-46de-87d4-7adaf0902c49 - noauto
(The second one being a copy I kept - I don’t have the main crypttab any more as I’ve abandoned having this drive encrypted for this reason so am not able to test this further)
@tannington
no /var/log/journal/ - that seems to be the installation default, I’ve created it
@arvidjaar I have noauto in fstab for this drive (see above) and a dialogue box still pops up wanting to mount it.
Thanks everyone for the help - there seem to me to be at least two different types of unwanted behaviour around prompts for mounting drives that are not mounted at startup - one for the encrypted drive before login and one at kde startup with noauto. The second happens for both encrypted and unencrypted drives. I’m not sure where to take this as I don’t have a tumbleweed setup to see if this stuff is still present in the latest build…