# User mounted LUKS device

## gabrielg

Hi,

I may be a bit greedy here, but this is what I am trying to achieve: similarly to what truecrypt says it does, I want to be able to have an encrypted file that I can format with LUKS with cryptsetup and mount it somewhere in my home dir. This is a simple task with root, but I can't manage to do it with user privileges.

Is there any way of achieving this? Or am I asking too much? cryptsetup ends up failing saying that device-mapper can't be called with a non-root user, and I need to mount/unmount this encrypted device at will.

I've been using truecrypt until now, but I want to ideally use cryptsetup with LUKS. I don't want to use GPG as I find it a bit less secure for just opening an encrypted file, reading/changing it, and then closing it.

Thanks!

----------

## schorsch_76

Even truecrypt uses sudo to raise the rights.

My script is as follows.

```
cat /usr/local/bin/open-extern.sh

#!/bin/sh
# open the LUKS container, activate the LVM volume group inside it, then mount the data LV
sudo cryptsetup luksOpen /dev/disk/by-uuid/xxxx extern_crypt && sudo vgchange -ay && sudo mount -t ext4 /dev/extern/data /home/me/extern

```

----------

## gabrielg

Thanks - that's what I feared. I'll just use sudo I guess. No encryption for the poor  :Wink: 

----------

## Kompi

Don't know if that is what you want, but if you want the encrypted volume always mounted when you are logged in, you may use pam_mount to mount it at login time. Either have the LUKS password the same as your login password, or you will be asked twice for a password when you log in.

See: gentoo-wiki.info: HOWTO_Encrypt_Your_Home_Directory_Using_LUKS_and_pam_mount

----------

## gabrielg

Thanks, and not really  :Smile: 

OK - I'll expand a bit more on the use case: all I want is to have a volume for a couple of files, which will be password files. I want access to them only when I want to type a password, and I want the underlying OS components to look after me, such as using protected memory, not leaving plain text in any cache, etc.

For the time being, I'll use root privileges.

----------

## Kompi

I found this tool that claims it allows mounting without root privileges. I could not figure out that quickly how it does that, though:

http://cryptmount.sourceforge.net/

There's an ebuild in a layman overlay here:

http://gpo.zugaina.org/sys-fs/cryptmount

There may be another way to mount encrypted partitions as a user by using a combination of udisks and polkit. The command line tool udisksctl uses polkit to give a user permissions to mount a file system. 

You can decrypt and then mount the volume by:

```
udisksctl unlock -b /dev/<ENCRYPTED_DEVICE>   # reports the cleartext device as /dev/dm-N

udisksctl mount -b /dev/<DM_DEVICE>           # udisks chooses the mount point itself
```

With the default polkit config this will prompt for the root password to grant the necessary permissions to perform these actions via polkit. I guess you would just have to add a policy file to /etc/polkit-1/rules.d/ to grant your user these privileges without the root password (something like what is done for mounts here: http://wiki.gentoo.org/wiki/Polkit#Rules).

One more off-topic suggestion that could accomplish what you want in another way: you may have a look at KeePassX, which is a GUI to handle and store passwords in an encrypted file: https://www.keepassx.org/. It should do what you described above. However, it would not help if you want access from the console as well.

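As an added example (not part of Kompi's post, and not code from udisks or polkit), here is a small POSIX shell script that puts the udisksctl steps together for the file-container case the original question describes: it maps the container file to a loop device, unlocks it, mounts it, and can undo all three, parsing the device paths that udisksctl prints. It also writes a polkit rules file of the kind suggested above. The group name `vault`, the file name `50-vault-udisks.rules`, the container path and the sample udisksctl output lines are assumptions made for this example; the three `org.freedesktop.udisks2.*` action IDs are the ones udisks2 ships with.

```sh
#!/bin/sh
# Added example, not code from the original thread: open and close a LUKS file
# container as an unprivileged user through udisks2/polkit instead of sudo.
# Assumed: udisks2 (udisksctl) is installed and running, the user sits in a local
# active session, and, if udisks still asks for the root password, a polkit rule
# like the one written by install_rule() has been installed by root.
set -eu

# udisksctl reports each result as one sentence ending in the device or path,
# for example (constructed sample lines):
#   Mapped file /home/me/vault.img as /dev/loop0.
#   Unlocked /dev/loop0 as /dev/dm-3.
#   Mounted /dev/dm-3 at /run/media/me/vault.
# last_path extracts that final absolute path and drops the trailing period.
# (Mount points containing spaces are not handled.)
last_path() {
    printf '%s\n' "$1" | sed -n 's/.* \(\/[^ ]*\)\.$/\1/p'
}

# usage: open_vault /path/to/container.img
# loop-setup maps the file to /dev/loopN; unlock asks for the LUKS passphrase and
# creates /dev/dm-N; mount lets udisks pick the mount point (e.g. /run/media/$USER/<label>).
open_vault() {
    img=$1
    loopdev=$(last_path "$(udisksctl loop-setup -f "$img")")
    dmdev=$(last_path "$(udisksctl unlock -b "$loopdev")")
    mnt=$(last_path "$(udisksctl mount -b "$dmdev")")
    printf 'loop=%s dm=%s mountpoint=%s\n' "$loopdev" "$dmdev" "$mnt"
}

# usage: close_vault /dev/loopN /dev/dm-N
# Reverse of open_vault: unmount, lock (removes the dm mapping), drop the loop device.
close_vault() {
    loopdev=$1
    dmdev=$2
    udisksctl unmount -b "$dmdev"
    udisksctl lock -b "$loopdev"
    udisksctl loop-delete -b "$loopdev"
}

# usage: install_rule [rules_dir]   (default /etc/polkit-1/rules.d, needs root)
# Polkit rule (JavaScript syntax used by polkit 0.106 and later) that lets local,
# active members of the assumed group "vault" perform exactly the three udisks2
# actions used above without a password. Anything else falls through to the
# default policy because the function returns nothing for it.
install_rule() {
    dir=${1:-/etc/polkit-1/rules.d}
    cat > "$dir/50-vault-udisks.rules" <<'EOF'
polkit.addRule(function(action, subject) {
    var allowed = [
        "org.freedesktop.udisks2.loop-setup",
        "org.freedesktop.udisks2.encrypted-unlock",
        "org.freedesktop.udisks2.filesystem-mount"
    ];
    if (allowed.indexOf(action.id) >= 0 &&
        subject.local && subject.active && subject.isInGroup("vault")) {
        return polkit.Result.YES;
    }
});
EOF
}

case "${1:-}" in
    open)  open_vault "$2" ;;
    close) close_vault "$2" "$3" ;;
    rule)  install_rule "${2:-}" ;;
    "")    ;;   # no arguments: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 open IMG | close LOOPDEV DMDEV | rule [RULES_DIR]" >&2 ;;
esac
```

Two caveats for the use case in the question: udisks chooses the mount point itself (under /run/media/$USER on current systems), so the volume does not land inside the home directory, and the container still has to be created once with cryptsetup luksFormat as root. If the default polkit policy on the machine already lets an active local user perform these actions, the rules file is not needed at all; the rule only removes the password prompt, it does nothing for the memory-protection wishes mentioned above, which depend on the program that reads the files.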
----------

## gabrielg

Thanks, Kompi, I'll try to port this as I'd need it in Gentoo and a device with ARM that runs a Linux based on Mer.

----------

## mhogomchungu

There is this project here[1] that will allow you to do what you want.

The default behavior is to create a mount point in "/run/media/private/$USER" but there is a compile time option to create a mount point in user directory.

The program will allow you to open your encrypted volumes from a normal user account using the provided CLI tools or, if you prefer, the provided GUI tools.

If you are going to try it out, try the git version. It's practically the new version scheduled to be released on the first of next month.

[1] http://code.google.com/p/zulucrypt/

----------

## 1clue

Is it always the same file? Maybe you could script it, chown root:you, and chmod 4750.

----------

