mount encrypted disk with systemd

I would like to share some snippets to have an encrypted HDD mounted when both the cryptdisk and the keyfile stored on a second keydisk are provided. If the keydisk is removed, the cryptdisk will be unmounted and locked automatically.


Before starting, try cryptsetup benchmark, if it makes sense for you to encrypt. It will increase CPU load and probably lower the data rates.

Hands on

To start, we have to identify the drives by attributes that are probed by udev (when the drive is plugged in). We use udevadm to show the attributes and chose one or two which uniquely identify the drive (ATTR{size} or ATTRS{serial} are usually a good measure) to add them to a udev rule file:

~$ sudo udevadm info --attribute-walk --name=/dev/sda1 | grep size

Add those lines to a new *.rules file in /etc/udev/rules.d/ which create a symbolic link for each disk with which we can work more easily. They also trigger the systemd units .

# mount cryptdisk
ACTION=="add", KERNEL=="sd[a-z][0-9]", ATTR{size}=="123456789", SYMLINK+="cryptdisk_crypted", TAG+="systemd", ENV{SYSTEMD_WANTS}+="media-cryptdisk.mount"
# mount cryptkey
ACTION=="add", KERNEL=="sd[a-z][0-9]", ATTR{start}=="3456789", SYMLINK+="cryptkey", TAG+="systemd", ENV{SYSTEMD_WANTS}+="media-cryptdisk.mount"

You can now reload the rules

~$ sudo udevadm control --reload-rules

and test whether the links /dev/cryptkey and /dev/cryptdisk_crypted are created on plugin. To be able to work effectively with systemd you need to keep in mind that the systemd units define a network (without “loops”) of dependencies. In the end we want to mount our cryptdisk (service requested by udev on plugging in the device). To be able to do that we have to unlock the disk with our keyfile. To be able to do that we have to mount the cryptkey drive to a secure location. This automatically leaves us with the task to create three unit files for systemd that set requirements from core (mounting) to shell (device plugged in). Systemd unit files feature numerous parameters that can be found in detail here.

Mount cryptkey drive via  /etc/systemd/system/root-cryptkey.mount.

Description=Mount Cryptkey

# "Where" must match the filename

Unlock the cryptdisk with the keyfile via /etc/systemd/system/cryptdisk-unlock.service.

Description=cryptdisk unlock
BindsTo=media-cryptdisk.mount dev-cryptdisk_crypted.device dev-cryptkey.device
Requires=root-cryptkey.mount dev-cryptdisk_crypted.device
After=root-cryptkey.mount dev-cryptdisk_crypted.device

ExecStart=/sbin/cryptsetup luksOpen -d /root/cryptkey/cryptdisk.key /dev/cryptdisk_crypted intenso
ExecStop=/sbin/cryptsetup luksClose cryptdisk


Finally: mount the cryptdisk via /etc/systemd/system/media-cryptdisk.mount.

BindsTo=cryptdisk-unlock.service dev-cryptdisk_crypted.device root-cryptkey.mount dev-cryptkey.device
After=cryptdisk-unlock.service dev-mapper-cryptdisk.device
# you may specify some unit file that depends on media-cryptdisk.mount
# Wants=cryptdisk-postmount.service


There you go. Reload systemd with

~$ sudo systemctl daemon-reload

and display the logs for testing with

~$ sudo journalctl -f

Your crypted drive should now being mounted at /media/cryptdisk, when you plug both the disk and the keydisk at the same time.


Peter Pan. Kann fliegen mit Feenstaub.

Tagged with: ,
Posted in Linux, Raspberry Pi

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Posts by topic…
…by month
Have a look at…

%d bloggers like this: