I encrypted an external USB drive with cryptsetup using both a password and a keyfile on Kubuntu 24.04 and added a corresponding entry to crypttab, but when mounting via the GUI I am still asked for a password. How can I fix this?
The drive was encrypted using the following commands:
```
# Preconditions:
# - USB is available as /dev/sda
# - Folder ~/.keyfiles exists
sudo cryptsetup luksFormat /dev/sda
sudo dd if=/dev/urandom of=~/.keyfiles/setup_32g.dat bs=512 count=294
sudo chmod 0400 ~/.keyfiles/setup_32g.dat
sudo chown root:root ~/.keyfiles/setup_32g.dat
sudo cryptsetup luksAddKey /dev/sda ~/.keyfiles/setup_32g.dat
sudo cryptsetup config /dev/sda --label sandisk_32g
sudo cryptsetup luksOpen /dev/sda sandisk_32g
sudo mkfs.ext4 /dev/mapper/sandisk_32g
sudo e2label /dev/mapper/sandisk_32g sandisk_32g
sudo mount /dev/mapper/sandisk_32g /media/$USER/sandisk_32g
sudo chmod 777 /media/$USER/sandisk_32g/.
sudo umount /media/$USER/sandisk_32g
```
After this I have a password (keyslot 0) and a keyfile ~/.keyfiles/setup_32g.dat (keyslot 1). luksDump shows:
```
$ sudo cryptsetup luksDump /dev/sda
LUKS header information
Version: 2
Epoch: 5
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 172ea93c-7383-44da-8255-ce7d46856dc8
Label: sandisk_32g
Subsystem: (no subsystem)
Flags: (no flags)

Data segments:
  0: crypt
    offset: 16777216 [bytes]
    length: (whole device)
    cipher: aes-xts-plain64
    sector: 512 [bytes]

Keyslots:
  0: luks2
    Key: 512 bits
    Priority: normal
    Cipher: aes-xts-plain64
    Cipher key: 512 bits
    PBKDF: argon2id
    Time cost: 6
    Memory: 1048576
    Threads: 4
    Salt: d6 0f b7 bc 68 c5 fc 65 14 56 16 b7 3f e8 f2 f6
          91 eb d6 ff bf b8 6d eb de bb e9 59 2f 65 35 be
    AF stripes: 4000
    AF hash: sha256
    Area offset:32768 [bytes]
    Area length:258048 [bytes]
    Digest ID: 0
  1: luks2
    Key: 512 bits
    Priority: normal
    Cipher: aes-xts-plain64
    Cipher key: 512 bits
    PBKDF: argon2id
    Time cost: 6
    Memory: 1048576
    Threads: 4
    Salt: ea 01 89 dd 26 ea 45 3b c5 20 90 c9 01 d9 9d 65
          3e 56 df e4 28 b4 81 ce ea e0 6e ae f4 0b c1 50
    AF stripes: 4000
    AF hash: sha256
    Area offset:290816 [bytes]
    Area length:258048 [bytes]
    Digest ID: 0
Tokens:
Digests:
  0: pbkdf2
    Hash: sha256
    Iterations: 260321
    Salt: b9 cf bc 7b da 79 0d a3 5a d8 e2 ea 45 32 c1 7a
          75 18 a6 2e 66 28 7c 49 c3 10 99 e8 84 05 b2 2f
    Digest: b6 7b 7d 94 78 19 41 6c 2a 6c b4 9c e9 e5 47 26
            cb ee 19 1d 95 7c d2 d1 97 f6 1f 77 ae 63 38 59
```
The key file has the following permissions:
```
-r-------- 1 root root 150528 Dez 29 16:16 setup_32g.dat
```
After that, I added the following entry in crypttab:
```
sandisk_32g UUID=<removed> /home/<myname>/.keyfiles/setup_32g.dat luks,noauto
```
I didn't add any related entry in fstab so far.
I can run sudo cryptdisks_start sandisk_32g without any password (given I already have sudo rights) and the drive becomes available in the file manager (KDE dolphin), so I assume the keyfile is used correctly.
However, when I instead try to access the drive from the file manager (KDE dolphin) or from the "Disks & Devices" icon in the task bar directly (i.e. without calling cryptdisks_start first), I am unexpectedly prompted for a password. If I enter the password it opens correctly.
How can I get the GUI mounting process to use the keyfile from crypttab instead of prompting for the password?
Attempt: keyfile permissions
At first, I suspected missing permissions on the keyfile, but even giving it 777 didn't change anything.
Attempt: fstab
```
/dev/mapper/sandisk_32g /media/<myname>/sandisk_32g auto noatime,users,nofail 0 0
```
or
```
/dev/mapper/sandisk_32g /media/<myname>/sandisk_32g ext4 noatime,users,nofail,x-systemd.device-timeout=100ms,x-systemd.automount,x-systemd.idle-timeout=20min 0 0
```
If I add one of the above entries to fstab, the behavior is inconsistent and annoying. After attaching the USB drive, I am still asked for a password on every first attempt in the KDE dolphin file manager. Sometimes when I cancel the dialog and access the drive again, it opens without any other prompt (thus using the keyfile!). Sometimes it doesn't work though and the password dialog keeps showing. Also the "Mount & Open" option from the task bar popping up always asks for the password. When I try to unmount the drive via the "Disks & Drives" task bar icon, I am asked for an admin password due to missing permissions to unmount. Unmounting via KDE dolphin seems to work sometimes, but it keeps showing as mounted in the task bar, where the "Safely remove" button doesn't seem to respond anymore, so I can never be sure whether it is safe to unplug now.
Attempt: log analysis
NEED ADVICE HERE!
I was hoping to find anything related using sudo journalctl --since "1min ago" or sudo dmesg, but I didn't.
I would very much appreciate it if someone could point me to more relevant logs!
Attempt: Workaround
Interestingly, whenever I enter the password, no matter whether I used the task bar or KDE dolphin, everything works flawlessly including unmount permissions. I wonder why there is any difference? Therefore, I thought I could activate the KDE wallet, then select "Remember password" when prompted and skip the entire keyfile thing. When I tested this though, it kept asking for the password. Also I would like to avoid using KDE wallet and manage all my passwords in Keepass.
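The crypttab entry and keyfile permissions described in the post can be checked mechanically. The following is an added example, not part of the original post: a POSIX shell function that audits one crypttab entry and flags a keyfile that is group- or world-accessible (such as the 777 test above). The function name, the `EXPECTED_UID` variable and the messages are assumptions of this example, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit one crypttab entry and the keyfile it points to.
# EXPECTED_UID is an assumption of this example (default 0, i.e. root).
audit_crypttab_entry() (
    crypttab=$1 name=$2 problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Fields: <target name> <source device> <key file> <options>
    line=$(awk -v n="$name" '$1 == n { print; exit }' "$crypttab")
    [ -n "$line" ] || { echo "FAIL: no entry '$name' in $crypttab"; exit 1; }
    set -f                      # no globbing while splitting the line
    set -- $line
    source_dev=${2:-} keyfile=${3:-} options=${4:-}

    # UUID= stays valid when /dev/sdX names change between plug-ins.
    case $source_dev in
        UUID=????????-????-????-????-????????????) ;;
        *) fail "source '$source_dev' is not a UUID= reference" ;;
    esac

    case $keyfile in
        /*) ;;
        *) fail "keyfile '$keyfile' is not an absolute path" ;;
    esac
    if [ -f "$keyfile" ]; then
        mode=$(stat -c %a "$keyfile")   # GNU stat, octal mode
        owner=$(stat -c %u "$keyfile")
        # Any group/other bit exposes the key material to other accounts.
        case $mode in
            0|*00) ;;
            *) fail "keyfile mode $mode grants group/other access" ;;
        esac
        [ "$owner" = "${EXPECTED_UID:-0}" ] ||
            fail "keyfile owner uid $owner, expected ${EXPECTED_UID:-0}"
    else
        fail "keyfile '$keyfile' is missing or not a regular file"
    fi

    for opt in luks noauto; do
        case ",$options," in
            *",$opt,"*) ;;
            *) fail "option '$opt' missing from '$options'" ;;
        esac
    done
    [ "$problems" -eq 0 ] && echo "OK: entry '$name' passes all checks"
    exit "$problems"
)

# Usage: sh audit_crypttab.sh /etc/crypttab sandisk_32g
if [ "$#" -eq 2 ]; then audit_crypttab_entry "$1" "$2"; fi
```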