Mounting An Encrypted USB Drive From the Command Line

Some Background

I have a headless server that I use as sort of a remote heavy-lifter for my code, and attached to it is a USB drive that I use for data files. Since USB drives are portable, I decided to encrypt it with LUKS, which is easy enough to use on the desktop in Ubuntu (the "files" GUI prompts you for the password and handles everything for you after that), but since I use the server headless I have to be able to mount it from the command line. If you search for it there's a Stack Overflow thread that tells you mostly how to do it but:

  • I didn't know the /dev file to use
  • Like many Stack Overflow threads there's a lot of noise that isn't relevant to me
  • I want to be able to remember how to do this without having to search for it and click through different links to figure out which one has the right information for me

So, here's the subset of steps that I did to mount the drive.

Middle

Find the USB Device Name

The first thing to do is to make sure that the USB device is recognized by the operating system.

lsusb

Which produced a lot of listings, the most relevant one being:

Bus 001 Device 002: ID 1058:0748 Western Digital Technologies, Inc. My Passport (WDBKXH, WDBY8L)

Which is the drive I wanted to unencrypt and mount. The next thing is to find the file name (in this case I know the name of the device - "My Passport" - so I used grep, otherwise I'd use less).

sudo fdisk -l | grep "My Passport" -B 1

Which currently gives this:

Partition 2 does not start on physical sector boundary.
Disk /dev/sdb: 931.49 GiB, 1000170586112 bytes, 1953458176 sectors
Disk model: My Passport 0748

It might have looked a little different when I originally ran it since the drive is already mounted but whatever is in that second line is what we want.

That is the name we need for the drive, but we're going to mount a partition so you need to know the partition name. lsblk will show it to us.

lsblk -e7

Which gave me the output:

NAME                        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                           8:0    0 931.5G  0 disk  
├─sda1                        8:1    0     1M  0 part  
├─sda2                        8:2    0     1G  0 part  /boot
└─sda3                        8:3    0 930.5G  0 part  
  └─dm_crypt-0              253:0    0 930.5G  0 crypt 
    └─ubuntu--vg-ubuntu--lv 253:1    0   200G  0 lvm   /
sdb                           8:16   0 931.5G  0 disk  
└─sdb1                        8:17   0 931.5G  0 part

Now you can see that the partition for our disk is sdb1 (the last row where it's shown to be a child of sdb and that its TYPE is a partition).

Unlock the Drive

Note: This works, but there's an alternative way to do it with cryptsetup that I find a little easier (but not much). I documented that command as if it continued from this point in this post.

Next unlock the drive. When you do this it will create a file in /dev/mapper/ that you'll need so it would be a good idea to see what's there before you run it.

ls /dev/mapper/

And then do the decrypting, remembering that the partition is sdb1 and like our disk the file is in the /dev directory.

udisksctl unlock -b /dev/sdb1

This will bring up two prompts for you to fill out which are (confusingly) "Passphrase:" and "Password:". The first prompt ("Passphrase") is what you entered when the disk was encrypted so you need to enter whatever you normally enter to decrypt the disk. The second prompt ("Password:") is your admin password so that the program can run as root (assuming you have the right privileges).

Mount the Drive

If the last command went okay you now need to mount it. There's going to be a file in /dev/mapper that you need to know. When I did it there was only one new file (luks-3eea956c-e684-4bcb-a640-97d0c8c5a700) so I didn't have to do anything special to get it.

udisksctl mount -b /dev/mapper/luks-3eea956c-e684-4bcb-a640-97d0c8c5a700

If you run the command lsblk -e7 it will show you a tree with the /dev/mapper/ file mapped to the mount point where you can access it.

sdb                                             8:16   0 931.5G  0 disk  
└─sdb1                                          8:17   0 931.5G  0 part  
  └─luks-3eea956c-e684-4bcb-a640-97d0c8c5a700 253:3    0 931.5G  0 crypt /media/hades/WDData

So in this case the drive is accessible at /media/hades/WDData (it's always the same place but I wanted to document the lsblk -e7 command).
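
An added example (not from the original post or from the udisks project): a shell function that reads lsblk -P output and prints each LUKS partition with the /dev/mapper path that belongs to it, so the name does not have to be found by comparing ls /dev/mapper/ before and after the unlock. It assumes udisksctl names a new mapping luks-<UUID of the partition>, which matches the name shown above; the sample input is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list LUKS partitions and the /dev/mapper name to expect.
# Live use: lsblk -P -e7 -o NAME,PKNAME,TYPE,FSTYPE,UUID | luks_targets

# Constructed sample of that lsblk output, modelled on the tree in the post.
# The sda UUIDs are made up; the sdb1 UUID is taken from the post's mapper name.
sample_lsblk() {
cat <<'EOF'
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" UUID=""
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext4" UUID="00000000-0000-0000-0000-000000000002"
NAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" UUID="00000000-0000-0000-0000-000000000003"
NAME="dm_crypt-0" PKNAME="sda3" TYPE="crypt" FSTYPE="LVM2_member" UUID=""
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" UUID=""
NAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="crypto_LUKS" UUID="3eea956c-e684-4bcb-a640-97d0c8c5a700"
EOF
}

# Reads lsblk -P lines on stdin; prints "<partition> <mapper path> <state>".
luks_targets() {
    awk '
    # Return the value of key="value"; anchored so NAME never matches PKNAME.
    function field(key,    m) {
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        m = substr($0, RSTART, RLENGTH)
        sub("^ ?" key "=\"", "", m)
        sub("\"$", "", m)
        return m
    }
    # Remember every LUKS container in the order lsblk lists it.
    field("FSTYPE") == "crypto_LUKS" && field("UUID") != "" {
        n++; part[n] = field("NAME"); uuid[n] = field("UUID")
    }
    # A crypt child means its parent partition is already unlocked.
    field("TYPE") == "crypt" { opened[field("PKNAME")] = field("NAME") }
    END {
        for (i = 1; i <= n; i++) {
            if (part[i] in opened)
                print "/dev/" part[i], "/dev/mapper/" opened[part[i]], "unlocked"
            else  # assumption: udisksctl names the mapping luks-<UUID>
                print "/dev/" part[i], "/dev/mapper/luks-" uuid[i], "locked"
        }
    }'
}

sample_lsblk | luks_targets
```

A partition reported as locked is the one to pass to udisksctl unlock -b, and the second column is the path to pass to udisksctl mount -b afterwards.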

End

So, for my future self, if you need to mount an encrypted USB drive without a GUI, there you go. The two main steps are find the file for the USB drive and then run udisksctl.

sudo fdisk -l
udisksctl unlock -b /dev/sdb1
udisksctl mount -b /dev/mapper/luks-3eea956c-e684-4bcb-a640-97d0c8c5a700

Sources

  • sourcedigit.com - "How To List USB Devices On Ubuntu – Find USB Device Name On Linux Ubuntu"
  • Stack Overflow - "Mount encrypted volumes from command line?"