[dm-crypt] Auto Mounting when file accessed?

Roger rogerx.oss at gmail.com
Thu Jan 13 11:00:38 CET 2011

On Thu, Jan 13, 2011 at 12:39:43AM -0900, Roger wrote:
>On Thu, Jan 13, 2011 at 04:22:17PM +0800, Aaron Lewis wrote:
>>I didn't follow this thread, but if you just want a simple device
>>auto-mounter and un-mounter, you should try out the kernel auto mounter
>>rather than a simple script.
>I got an email also about using the kernel automounter.  Just haven't had the
>time to test and follow-up on this.

Found something at the following link.  The only issue I now have is
working around not using a keyfile and trying to integrate into using something
like pinentry on CLI on demand.

Thanks for the help!

(Posted by ste (81.174.xx.xx) on Tue 19 Jun 2007 at 18:09)

In order to avoid opening the hotplug box, I just hacked up this autofs script. It meets my needs so someone else may find it of use too. It will automount an encrypted block device at /dev/sdb using whatever name you choose. The key file with a corresponding name in /etc is used to decrypt the device.

I have a set of removable hard drives that are used for backup (RDX QuikStor). With the following configuration I can insert a cartridge and the backup software (Bacula) can just mount it, making the encryption transparent to it.

The mapping for the 'cd' key also appears in this script. That's there because I'm mounting this at /media and hijacking the original, static /etc/auto.media. In /etc/auto.master: 

/media /etc/auto.media

In /etc/auto.media: 


#!/bin/bash

# This is the path beneath this map's root that autofs is looking for
key="$1"

# A static mapping for the key 'cd'
# This is what /etc/auto.media used to do statically
if [ "$key" == "cd" ]; then
  echo -fstype=iso9660,ro,nosuid,nodev / :/dev/cdrom
  exit 0
fi

# The cryptsetup tool from the package of the same name
# (assumed path)
CRYPTSETUP=/sbin/cryptsetup

# This is the raw device that we will mount
mount_device=/dev/sdb

# This is the encryption key file
# (assumed file name; the post only says it sits in /etc and is named after the key)
key_file="/etc/$key.key"

# Options to pass to the cryptsetup tool
luks_opts="--key-file $key_file"

# Mount options for the encrypted filesystem
# (assumed value)
mount_opts="-fstype=auto,nosuid,nodev"

# The mapped block device
crypt_device="/dev/mapper/$key"

# Give up if there is no key or setup tool
[ -r "$key_file" ] || exit 0
[ -x "$CRYPTSETUP" ] || exit 0

# If there is an encrypted device mapped in already, it must be from a
# previous mount. It may be out-of-date so remove it now.
[ -b "$crypt_device" ] && "$CRYPTSETUP" remove "$key"

# Give up if the raw device doesn't have a LUKS header
"$CRYPTSETUP" isLuks "$mount_device" || exit 0

# Open the encrypted block device ($luks_opts is left unquoted so it splits into arguments)
"$CRYPTSETUP" luksOpen "$mount_device" "$key" $luks_opts >& /dev/null || exit 1

# If we ended up with a block device, echo a mount line for autofs to use
if [ -b "$crypt_device" ]; then
  echo "$mount_opts / $crypt_device"
fi
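
The map script above takes its key from whatever name autofs looked up and uses it in the key file path and the mapping name. As an added example (not part of the original post or of autofs), these POSIX sh checks validate that name and the key file's ownership and mode before any cryptsetup call. The function names, the "<key>.key" naming and the directory parameter are assumptions.

```sh
#!/bin/sh
# Added example (not from the quoted post): pre-flight checks for an autofs
# program map that unlocks a LUKS device with a key file.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# autofs hands the map whatever name was looked up under the mount root,
# so the key is caller-chosen input. Accept plain names only.
valid_map_key() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# The key file must be a regular file (not a symlink), owned by the expected
# uid, with no group/other permission bits. Uses GNU stat (assumes Linux).
key_file_is_private() {
  kf_path=$1 kf_uid=${2:-0}
  [ -f "$kf_path" ] && [ ! -L "$kf_path" ] || return 1
  kf_mode=$(stat -c %a "$kf_path") || return 1
  kf_owner=$(stat -c %u "$kf_path") || return 1
  [ "$kf_owner" = "$kf_uid" ] || return 1
  # stat prints the mode in octal; mask out the group and other bits
  [ $(( 0$kf_mode & 077 )) -eq 0 ]
}

# Hypothetical helper: true only if both checks pass for this lookup.
# The directory argument and the "<key>.key" naming are assumptions.
unlock_allowed() {
  ua_key=$1 ua_dir=${2:-/etc} ua_uid=${3:-0}
  valid_map_key "$ua_key" || return 1
  key_file_is_private "$ua_dir/$ua_key.key" "$ua_uid"
}
```

In a map script these functions would be sourced and called as `unlock_allowed "$key" || exit 0` after the static 'cd' mapping and before the first cryptsetup call.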

