Decrypting drives using the command line

Encrypted USB drives are fairly easy to use on most linux desktops. Whatever automount supplier you’re running with will pop up a dialogue window asking for the password to decrypt. But what if you want to use the terminal?

The use case for this is my server/HTPC which has a backup drive permanently attached to it. In order to have some offline backup as well, I want to plug in an encrypted USB pen drive and sync the contents of the backup drive to it. Having physical access but not a very good means of interacting with the desktop (I have bluetooth keyboard in a drawer but at hand the only thing is a controller…) is somewhat unusual so it took me some time to figure this out.

Not that it is complicated, though. You know when you mount a device you have the device node and the mount point. You mount the device onto the mount point and then you access the contents. Decrypting a partition works pretty much the same way. It’s just an extra outer layer to get through before you access the content. First you decrypt the device which gives you a new ‘mapped’ device node which you then proceed to mount as any other partition. Simple as that.

This applies to external drives with partitions formatted as ext4 with LUKS. If you use Gnome Disks (aka ‘Disk Utility’ in Ubuntu, formerly Palimpsest) to create your encrypted partition, this is the standard, pick-from-a-menu choice for encryption.

Again, I have to point out that this is not a very standard use case. Most use cases for deencrypting using the terminal refer to boot partitions or the like that a) are permanently attached and b) must be unlocked for boot to happen. And most google hits for ‘usb key deencrypt’ or the like refer to using a usb pen drive to hold the key to unlock the former kind of drive. What I want is to be able to script the whole operation, from unlock and mount over sync to unmount and re-lock. For this to work efficiently I need to use the terminal all the way.

Assuming we have an encrypted drive, let’s plug it in, hit cancel on any pop-up dialog windows and investigate. At first everything looks normal. The drive and partition show up as any other disk devices on /dev/sdX and /dev/sdX1. Try to mount it using mount, though, and you will get errors. Just putting the UUID into a pseudo-entry in fstab (never meant to be used, just to avoid the dialog pop-up) caused the drive not to register properly and errors in dmesg. What we want to do instead is to decrypt the partition using cryptsetup. Install it if you don’t have it already.

You need to know three things for this to work. 1) What is the encrypted partition’s device node, 2) What name do you want to use to refer to the unencrypted partition (the mapper) and 3) what type is the encryption. For 1 have a look at the usual /dev/disk/by-label or /dev/disk/by-uuid to find the right partition, or check dmesg | tail to see what you just plugged in. As for 2, this is simply your arbitrary choice of name. You can call it exactly the same label as you gave the partition or something else entirely. Maybe [partition name]-decrypted would be most helpful. Finally, 3 should be LUKS if you’re just sticking with defaults (I see no good reason not to but then it’s not a subject I have investigated).

Alright, assuming you have all three, let’s put them to use. As root run

[~] cryptsetup luksOpen /dev/sdc "Backup-Decrypted"
Enter passphrase for /dev/sdc:

luksOpen is the subcommand appropriate for drives encrypted with the LUKS specification.  Here /dev/sdc represents the device node and Backup-Decrypted is our example mapper name. We are asked to enter the passphrase to decrypt just as we would on the desktop.

After that it all becomes very simple and familiar. You’ll find the mapper in the /dev/mapper folder and we simply mount that as we would any other partition:

[~] mount /dev/mapper/Backup-Decrypted /mnt/temp/

And now you have access to your decrypped data on /mnt/temp. Simple. When you’re done, you simply close up again by reversing the order. First unmount the partition, then use the close subcommand from cryptsetup.

[~] umount /mnt/temp/
[~] cryptsetup close "Backup-Decrypted"

And the mapper is gone and you can safely remove your USB drive.


Photo by Latente 囧

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.