Mount encrypted volumes from command line?
If I have an encrypted external disk (or an internal disk that is not in fstab), I see an entry for it in Nautilus -- with an entry like "X GB Encrypted Volume". I can click on this volume, and am prompted for a password to decrypt and mount the device.
But how do I do this from the command line?
This wiki page, and other docs I can find, only refer to GUI methods of decrypting the device; but this won't do in the context of headless servers or SSH logins. Is there a simple way to get devices to mount to automatic locations in /media just like they would with the GUI?
(I'm not asking about encrypted home directories -- I'm aware of ecryptfs-mount-private. This question is about additional encrypted volumes.)
14 Answers
Your volume is probably encrypted with LUKS, here's how to mount it:
You need:
sudo apt-get install cryptsetup
To decrypt the volume:
sudo cryptsetup luksOpen /dev/sda1 my_encrypted_volume
Now you can mount it as usual:
sudo mkdir /media/my_device
sudo mount /dev/mapper/my_encrypted_volume /media/my_device
To lock the container again, it needs to be unmounted first:
sudo umount /media/my_device
sudo cryptsetup luksClose my_encrypted_volume
To automatically put it in the /media location, use the udisks tool
sudo udisks --mount /dev/mapper/my_encrypted_volume
The steps in @Georg Schölly's answer did not work for me at the time, although they might work now, a few Ubuntu releases after. Back then, after the sudo mount /dev/mapper/my_encrypted_volume /media/my_device step I got the error:
mount: unknown filesystem type 'LVM2_member'
Unlocking and mounting the disk with udisksctl
Instead, I used udisksctl, a command-line interface that interacts with the udisksd service.
Here's what worked (/dev/sdb5 is the partition on my hard disk marked as crypt-luks):
udisksctl unlock -b /dev/sdb5
udisksctl mount -b /dev/mapper/ubuntu--vg-root
After typing the first command, you'll be prompted for your encryption passphrase. Once the encrypted partition is unlocked, the second command will mount it. If that's successful, you'll end up with a message similar to this:
Mounted /dev/dm-1 at /media/dpm/e8cf82c0-f0a3-41b3-ab28-1f9d23fcfa72
From there I could access the data :)
Locking the disk with udisksctl
Unmount the device:
udisksctl unmount -b /dev/mapper/ubuntu--vg-root
You'll need to deactivate all logical volumes in the ubuntu-vg volume group first. Otherwise you'll get an error along the lines of 'Device busy' if you try to lock it (more info):
sudo lvchange -an ubuntu-vg
Then you'll be able to lock back the encrypted partition
udisksctl lock -b /dev/sdb5
Notes
- The udisksctl commands are executed without sudo.
- Device mapper names: the ubuntu--vg-root naming might change across Ubuntu releases (e.g. I've seen it called system-root and ubuntu-root too). An easy way to find out the name is to run the following command after unlocking the LUKS partition:
  ls -la /dev/mapper
  Then looking at the output of the ls command, the name you'll need will be generally the one symlinked to /dev/dm-1
- Device mapper names, alternative: an alternative to the previous command is to run:
  lsblk -e7
  There you'll be able to see the device name mapping as a tree view. The -e 7 option is used to exclude the loop devices (ID 7) created by installed snaps from the output. Simply to have less clutter.
- Logical volume names: you can run the sudo lvs command to find out the names of volume groups and logical volumes
- Disks app: the GNOME Disks app does not automatically deactivate the logical volumes before locking the partition. Even if you've successfully unlocked the partition via the GUI, you will need to go to the command line and execute the sudo lvchange -an ubuntu-vg command before you can lock it from the GUI.
If you get this error:
mount: unknown filesystem type 'LVM2_member'
run:
sudo apt-get install lvm2
sudo lvscan
then activate all LVM you see
sudo vgchange -ay
then re-run the mount:
sudo mount /dev/mapper/my_encrypted_volume /media/my_device
One problem I ran into was duplicate volume groups: both my recovery system and the drive to be recovered were Ubuntu systems with LVM. This is why I had two ubuntu-vg volume groups (vgdisplay would display both, each with their own UUID, but I couldn't get to their logical volumes).
My solution builds on the answer of Georg:
- Boot off a live-linux (so that you don't run into the duplicate volume group name)
- sudo cryptsetup luksOpen /dev/sdaX my_encrypted_volume
- enter your passphrase when prompted
- sudo vgscan should now pick up the contained volumes/groups.
DRAGONS AHEAD: WE'RE NOW CHANGING THE VOLUME GROUP NAME. YOU WILL NOT BE ABLE TO BOOT THAT DRIVE AFTERWARDS!
- use sudo vgrename ubuntu-vg ubuntu-vg2 to rename the volume group.
If you need to boot off that drive, you can do these steps again, but rename your volume group back to ubuntu-vg. A different possibility is to alter your boot configuration to the new vg-name.
Now that the duplicate vg-name is resolved, I can boot back into my regular system, redo the cryptsetup..., vgscan and then mount /dev/mapper/ubuntu--vg2-root anywhere you like.
All answers above took the assumption that the user already knows which partition is the encrypted one. Coming from someone that doesn't like the command line so much, I was expecting some user-friendly answer... So my 2cents here.
- Open the "disks" application of ubuntu.
- Locate your mounted hard disk in the left panel.
- Click on the partition that has "LUKS" in its name: this way you can see its mount point in the "Device" text below (in my case: /dev/sdb4).
Then I tried to mount it like advised above:
$ sudo cryptsetup luksOpen /dev/sdb4 someNameForMyVolume
Enter passphrase for /dev/sdb4:
But got this error:
Cannot use device /dev/sdb4 which is in use (already mapped or mounted).
Ok, so I guess nautilus has already tried to mount it (because it actually prompted me for the password as I connected the USB, even if it didn't end up showing the decrypted tree). However, the error message is not really helpful because it doesn't tell me where it's already mapped/mounted. But this command helps in this case:
$ udisksctl unlock -b /dev/sdb4
Passphrase:
Error unlocking /dev/sdb4: GDBus.Error:org.freedesktop.UDisks2.Error.Failed: Device /dev/sdb4 is already unlocked as /dev/dm-3
Aha! So it's /dev/dm-3.
However when trying to mount it, it doesn't work:
$ udisksctl mount -b /dev/dm-3
Object /org/freedesktop/UDisks2/block_devices/dm_2d3 is not a mountable filesystem.
After much tinkering, I found out that I was running into the duplicate volume groups problem (described above by @amenthes) because the commands sudo vgscan -v and sudo vgdisplay were showing two entries with the same volume group name. However, I found a better way to deal with it than his method (no need to boot into a LiveCD to rename volumegroups!), in this link, which I'll quote above (just in case that link gets broken...):
If you run ls -la /dev/mapper/ you should see a luks-xxxxxx-xxxxx-xxxx or some such file. That's the mapping that was created when Ubuntu prompted for the encryption password with a dialog but failed to open it (all the dialog did was to call luksOpen and map it to that /dev/mapper/luks-xxx file). Now:
- Make sure your physical volume is available by running the sudo pvdisplay command. It should be /dev/mapper/luks-xxx-whatever.
- Get the uuid of the volume by running sudo pvs -o +vg_uuid. The uuid will be the value displayed all the way to the right, containing 7 dash-delimited values. Copy those somewhere as we'll be using them in the next step. DO NOT CONFUSE UUIDS AND COPY DOWN THE WRONG ONE. Only copy the one for your current /dev/mapper/luks-xxx-whatever device.
- Change the volume group for your old disk by running the following command
  sudo vgrename UUIDOFYOURDISKHERE oldhd
  You can change the "oldhd" to whatever you want so long as it's differing from the volume group name of your current disk. Performing this step removes the conflict with volume group names which will allow you to now make volumes available.
- Run the command vgchange -a y to make the volumes active.
- Create a folder for a mountpoint somewhere, e.g.: sudo mkdir /media/<yourUserName>/someDir
- Mount it: sudo mount /dev/oldhd/root /mnt/oldhd.
- After working with your files, you should rename your volumegroup back to ubuntu-vg if you want the volume to still be bootable.
sdb1 here is an example; you should input your device name. None of these commands will require root privileges.
unlock encrypted disk
udisksctl unlock -b /dev/sdb1
after inserting the correct passphrase it will output something like this: Unlocked /dev/sdb1 as /dev/dm-3
then mount it to /media/
udisksctl mount -b /dev/dm-3
it should output something like this: Mounted /dev/dm-3 at /media/yourUserName/sdb
to unmount it
udisksctl unmount -b /dev/dm-3
to lock it again
udisksctl lock -b /dev/sdb1
I went into several paths from the previous answers and only a combination of the previous answers worked for me. Here is what I did and what went OK, and what went wrong and my workaround.
I have an LUKS encrypted hard disk that I need to mount from a live boot USB for Ubuntu 15.10. To do so I started with the following command,
udisksctl unlock -b /dev/sda3
where sda3 is the encrypted partition. This command didn't work with me and I am not sure why, so I used the following command:
sudo cryptsetup luksOpen /dev/sda1 my_encrypted_volume
it worked with me and I didn't need to install it as it was there in the live boot.
Now, I need to mount the HD, and this was not a straightforward thing: I tried:
sudo mkdir /media/my_device
sudo mount /dev/mapper/my_encrypted_volume /media/my_device
But the second command didn't work with me, and hence I have to find a workaround which is the following:
sudo udisksctl mount -b /dev/mapper/ubuntu--vg-root
That was my path .. but you can use the path dev/mapper/ubuntu and then double tab to see the rest of options. This mounted the HDD as:
Mounted /dev/dm-1 at /media/root/03cf6b80-fa7c-411f-90b9-42a3398529ce
Then I used the following command to mount it as /media/my_device as following:
sudo mount /dev/dm-1 /media/my_device/
which worked fine.
In Summary
sudo cryptsetup luksOpen /dev/sda1 my_encrypted_volume
sudo mkdir /media/my_device
sudo udisksctl mount -b /dev/mapper/ubuntu--vg-root
sudo mount /dev/dm-1 /media/my_device/
For those of us who don't want to use a GUI tool even to determine which partition is encrypted.
- find any encrypted partitions
  lsblk -lf | grep LUKS
  -l requests the "list" format - we don't need the tree
  -f shows us the name of the file system too
  we get something like
  sdc2 crypto_LUKS b09d6209-......
- unlock the partition that we want (in my case /dev/sdc2)
  udisksctl unlock -b /dev/sdc2
  -b means that we are giving the path to a block device
  after entering the passphrase we get an affirmative response with the necessary info for the next step:
  Unlocked /dev/sdc2 as /dev/dm-6
- mount the newly created device (dm stands for device manager)
  udisksctl mount -b /dev/dm-6
  Again we get an affirmative response with useful info:
  Mounted /dev/dm-6 at /media/g/Data.
  (g being my username on this system, Data is the label I used for that partition)
  It may be the case that your desktop system/file manager has already automatically mounted the device, or you did it yourself before. Then you get something like
  Error mounting /dev/dm-6: GDBus.Error:org.freedesktop.UDisks2.Error.AlreadyMounted: Device /dev/dm-6 is already mounted at '/media/g/Data'.
  This is no problem, you can access the data from the encrypted partition anyway.
- access the data:
  ls /media/g/Data
- unmount the device again (use the same name you used for mounting, the command is unmount, not umount :-) )
  udisksctl unmount -b /dev/dm-6
  If the device is not busy you will get
  Unmounted /dev/dm-6.
- Now lock the partition again (you have to remember the name of the partition)
  udisksctl lock -b /dev/sdc2
  You will get
  Locked /dev/sdc2.
- optionally power down the complete external disk
  udisksctl power-off -b /dev/sdc
  With a graphical desktop you may get an error here:
  Error powering off drive: The drive in use: Device /dev/sdc3 is mounted (udisks-error-quark, 14)
  In that case you can use udisksctl to unmount the partitions one by one until you succeed. The udisksctl power-off does not return any messages.
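
Added example, not part of any answer above: a sketch that generalizes the lsblk step by reading lsblk's KEY="value" output and reporting, for each crypto_LUKS partition, whether it is locked, unlocked onto a filesystem, or unlocked onto an LVM physical volume (the 'LVM2_member' case, where the logical volumes are what get mounted). The function name luks_report and the device names are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from any answer: report the state of each LUKS container.
# Real input: lsblk -P -o KNAME,PKNAME,NAME,FSTYPE,TYPE,MOUNTPOINT | luks_report
luks_report() {
    awk '
    {   split("", f); rest = $0
        while (match(rest, /[A-Z]+="[^"]*"/)) {       # next KEY="value" pair
            tok = substr(rest, RSTART, RLENGTH); rest = substr(rest, RSTART + RLENGTH)
            eq = index(tok, "=")
            f[substr(tok, 1, eq - 1)] = substr(tok, eq + 2, length(tok) - eq - 2)
        }
        k = f["KNAME"]; order[++n] = k
        name[k] = f["NAME"]; fs[k] = f["FSTYPE"]; mnt[k] = f["MOUNTPOINT"]
        kids[f["PKNAME"]] = kids[f["PKNAME"]] " " k
    }
    function describe(k) {    # mapper path, filesystem type, mount point or "unmounted"
        return "/dev/mapper/" name[k] " " fs[k] " " (mnt[k] == "" ? "unmounted" : mnt[k])
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (fs[k] != "crypto_LUKS") continue
            if (split(kids[k], c, " ") == 0) { print "/dev/" k " locked"; continue }
            m = c[1]                                  # the dm-crypt mapping
            if (fs[m] != "LVM2_member") { print "/dev/" k " unlocked " describe(m); continue }
            # The mapping is an LVM physical volume: its logical volumes get mounted.
            nlv = split(kids[m], lv, " ")
            if (nlv == 0) print "/dev/" k " unlocked /dev/mapper/" name[m] " LVM2_member inactive"
            for (j = 1; j <= nlv; j++) print "/dev/" k " unlocked " describe(lv[j])
        }
    }'
}
# Constructed sample: sdb5 unlocked with LVM inside, sdc2 locked, sdd1 mounted.
sample_lsblk() {
    cat <<'EOF'
KNAME="sdb5" PKNAME="sdb" NAME="sdb5" FSTYPE="crypto_LUKS" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sdb5" NAME="luks-aaaa" FSTYPE="LVM2_member" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" NAME="ubuntu--vg-root" FSTYPE="ext4" TYPE="lvm" MOUNTPOINT=""
KNAME="sdc2" PKNAME="sdc" NAME="sdc2" FSTYPE="crypto_LUKS" TYPE="part" MOUNTPOINT=""
KNAME="sdd1" PKNAME="sdd" NAME="sdd1" FSTYPE="crypto_LUKS" TYPE="part" MOUNTPOINT=""
KNAME="dm-2" PKNAME="sdd1" NAME="luks-cccc" FSTYPE="ext4" TYPE="crypt" MOUNTPOINT="/media/g/Data"
EOF
}
sample_lsblk | luks_report
```

A line ending in "LVM2_member inactive" means the container is open but its volume group has not been activated yet, which is the state in which a plain mount of the mapping fails.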
You can mount it in two steps, and I have a script example.
Note: the service udisksctl will mount things under /media, it's more designed for desktop users mounting usb sticks. If you want to mount the device somewhere else, it's not the solution you are looking for.
Here is what I worked out. In this example, my encrypted device is a partition made with lvm, but this doesn't really matter. It is an ext4-formatted partition. In its encrypted form, it lives at /dev/myvg/opt1
an encrypted partition is "opened" (decrypted) like this
STEP 1: sudo cryptsetup luksOpen /dev/myvg/opt1 opt1_opened
(this is where you enter the passphrase)
the last argument is a temporary reference to the decrypted block device. The 'mapping' disappears when you reboot so you can choose a different name each time, if you want.
it is now visible as a device:
ls /dev/mapper
control myvg-opt1 myvg-root opt1_opened
You can mount this device: we now have an ext4 device. To make it convenient, add a line in /etc/fstab
/dev/mapper/opt1_opened /opt1 ext4 noauto,users 0 0
and make the mount point (in my case: sudo mkdir /opt1, and then setup permissions as you wish)
If you used the name opt1_opened in Step 1, then this is the second step to mount it:
STEP 2: mount /opt1 #the fstab line lets users mount, so no need for sudo
and it's mounted.
Hence, a bash script:
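#!/bin/bash
# needs to be run with sudo
read -r -s -p "Enter LUKS password: " luks_password
# printf '%s' with a quoted variable passes the passphrase through verbatim:
# no format-string interpretation, no word splitting, no trailing newline
printf '%s' "$luks_password" | cryptsetup luksOpen /dev/myvg/opt1 opt1_opened --key-file -
sudo -u tim mount /opt1
The correct answer is gio mount -d /dev/dm-x (no sudo).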
Previous answers show a disconnect with the Nautilus or Nemo way of mounting, since you need to enter the LUKS passphrase even though it is previously cached in the user keyring from the GUI. Using gio automatically uses the passphrase previously stored by Nautilus or Nemo.
For a more detailed answer, see
Was looking for the same...
The mkdir steps were my reason to look further, also I've modified policykit to allow my user to mount without asking first for the root passwd and then for the encrypted volume password, so the sudo was also overkill.
My solution I found was the use of gvfs-mount from the gvfs-bin package. Now with a gvfs-mount -d /dev/sda7 I'm asked for the encrypted password only and it's mounted under /media/VOLUME_LABEL.
Ok, so I have a working solution guys, as discussed previously the reason you're getting mount: unknown filesystem type 'LVM2_member' error is because by default your linux machine assigns the same VG name to external hard drive, hence all the partition on external HDD are inactive.
This is what you need to do:
- unplug your external hard-drive and take note of your internal VG UUID using (sudo vgdisplay command),
- now plug in your external hard drive and rename the VG group of your EXTERNAL HDD (not internal, this will break your box) (vgrename UUID_Number [new-group]).
- Check that new name is updated in vgdisplay, now activate new VGroup (vgchange [new_group] -a y), check all partitions are activated (lvscan).
- Now you should see all your partitions under ls /dev/mapper/[new_group], all you need to do is mount the partition (mount -t ext4 /dev/mapper/[new_group]-data /zez)
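
Added example, not part of any answer: the duplicate volume group rename that several answers here describe, with the "do not confuse UUIDs" check done mechanically. The function name vg_rename_hint is an assumption and the sample pvs output is constructed; the function only prints the vgrename command for the physical volume you name and refuses when that would be unsafe.

```shell
#!/bin/sh
# Added example, not from any answer: pick the VG UUID to rename, with checks.
# Real input: sudo pvs --noheadings -o pv_name,vg_name,vg_uuid
# Usage: ... | vg_rename_hint <PV of the unlocked external disk> <new VG name>
# Exit status: 0 = vgrename command printed, 1 = refused, 2 = nothing to do.
vg_rename_hint() {
    awk -v pv="$1" -v want="$2" '
    NF == 3 {
        # Count distinct UUIDs per name, so one VG spanning several PVs
        # is not mistaken for a duplicate.
        if (!seen[$2 SUBSEP $3]++) copies[$2]++
        if ($1 == pv) { vg = $2; uuid = $3 }
    }
    END {
        if (uuid == "")      { print "refused: " pv " is not a PV in any volume group"; exit 1 }
        if (want in copies)  { print "refused: a VG named " want " already exists"; exit 1 }
        if (copies[vg] < 2)  { print "nothing to do: " vg " is not duplicated"; exit 2 }
        print "vgrename " uuid " " want      # rename by UUID, never by the shared name
    }'
}
# Constructed sample: internal disk and unlocked external disk both carry ubuntu-vg.
sample_pvs() {
    cat <<'EOF'
  /dev/sda3              ubuntu-vg AAAAAA-AAAA-AAAA-AAAA-AAAA-AAAA-AAAAAA
  /dev/mapper/luks-1234  ubuntu-vg BBBBBB-BBBB-BBBB-BBBB-BBBB-BBBB-BBBBBB
EOF
}
sample_pvs | vg_rename_hint /dev/mapper/luks-1234 oldhd
```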
On my chromebook with (crouton) Ubuntu Xenial 16.04 I find that when I issue:
sudo cryptsetup luksOpen /dev/sda1 my_encrypted_volume
per the above posting and enter my passphrase, I get "No key available with this passphrase." However, by accident I've found (and very strange it is!) the whole thing works when I add "--debug" to the cryptsetup command! I am then able to mount the volume and access the files.
Asking the file manager Thunar to do the mounting results in a "Not authorized to perform operation." error. I am unable to figure a way around that, but since I can do the mount at the command line, that's somewhat acceptable.
It's an LVM issue, which (mentioned above/below) needs to be installed.
$ sudo apt-get install lvm2 #This step may or may not be required.
$ sudo pvscan #Use this to verify your LVM partition(s) is/are detected.
$ sudo vgscan #Scans for LVM Volume Group(s)
$ sudo vgchange -ay #Activates LVM Volume Group(s)
$ sudo lvscan #Scans for available Logical Volumes
$ sudo mount /dev/YourVolGroup00/YourLogVol00 /YourMountPoint
Referenced these on route to the above answer:
- How to mount a device in Linux?
- Mount encrypted volumes from command line
- Cannot mount LUKS encrypted partition
- mount: unknown filesystem type 'crypto_LUKS'
- External hard disk detected but not mounting
- Mounting a drive and accessing it
- External Hard Drive not recognized on Debian
Clarify: /YourMountPoint can be anything, e.g. /media/user/external