
Re: Difference between LUKS drives with cryptsetup and Disks?



Hi,

Joerg Desch writes:
> I've created a LUKS partition which I mount on demand. This partition was
> created using cryptsetup. While mounting the partition, GNOME asks me
> first for the passphrase and then for the "admin" password.
>
> A while ago, I've created a LUKS partition on a USB thumb drive using
> GNOME Disks. In this case, mounting requires only the passphrase. And
> that doesn't depend on the used computer!
>
> What is the difference? Can I change the behavior of my older LUKS
> partition too?

GNOME uses udisks2 to manage devices.  udisks2 treats removable devices
(can mount as regular user) and system devices (can only mount as admin)
differently.

One can find the actions udisks2 uses PolicyKit for in
/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy: the
interesting ones probably are:

  org.freedesktop.udisks2.filesystem-mount
  org.freedesktop.udisks2.filesystem-mount-system
  org.freedesktop.udisks2.filesystem-fstab

  org.freedesktop.udisks2.encrypted-unlock
  org.freedesktop.udisks2.encrypted-unlock-system
  org.freedesktop.udisks2.encrypted-unlock-crypttab

The default permissions allow the active user to use 'filesystem-mount'
(that is mount removable devices) and 'encrypted-unlock' (unlock
removable devices).  The other actions are only allowed for
administrators with a password prompt (`auth_admin` or
`auth_admin_keep`).

As you only want to manage a single partition, I would try to use the
'filesystem-fstab' and 'encrypted-unlock-crypttab' actions which should
only apply to specific devices instead of the '*-system' actions: add
the 'x-udisks-auth' option to the /etc/fstab and /etc/crypttab entries
and allow using them by the active user without a password prompt:

+---
| [Allow active user to mount x-udisks-auth filesystems]
| Action=org.freedesktop.udisks2.filesystem-fstab;org.freedesktop.udisks2.encrypted-unlock-crypttab
| ResultActive=yes
+---[ /etc/polkit-1/localauthority/50-local.d/x-udisks-auth.pkla ]

See man:pklocalauthority(8) for documentation of the *.pkla files.

Note that I haven't used PolicyKit that much, so some details might not
be quite correct.

Ansgar
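As an added illustration (not part of Ansgar's mail), here is a small POSIX shell script that stages the three pieces of the setup he describes, the /etc/crypttab line, the /etc/fstab line and the .pkla rule, in a scratch directory, so they can be reviewed before being copied into /etc by hand. The UUID, mapper name and mount point are placeholders; the `Identity=` line is an addition the mail's fragment omits (pklocalauthority(8) expects one), here scoped to the invoking user rather than to everyone, and the `check_config` function is just the script's own sanity check.

```shell
#!/bin/sh
# Added example, not from the original mail: stage the crypttab, fstab and
# polkit local-authority fragments into a scratch tree for review.
# Placeholder values (constructed for illustration): LUKS_UUID, MAPPER,
# MOUNTPOINT. Find the real UUID with: blkid /dev/sdXN
set -eu

STAGE="${STAGE:-$(mktemp -d)}"
LUKS_UUID="${LUKS_UUID:-11111111-2222-3333-4444-555555555555}"   # placeholder
MAPPER="${MAPPER:-data_crypt}"            # name that appears under /dev/mapper
MOUNTPOINT="${MOUNTPOINT:-/media/data}"
LOCAL_USER="${LOCAL_USER:-$(id -un)}"     # the one account the rule applies to
PKLA_DIR="$STAGE/etc/polkit-1/localauthority/50-local.d"

stage_config() {
    mkdir -p "$STAGE/etc" "$PKLA_DIR"

    # /etc/crypttab: 'none' = prompt for the passphrase, 'noauto' = do not
    # unlock at boot, 'x-udisks-auth' = udisks2 authorises this device against
    # encrypted-unlock-crypttab instead of the broader encrypted-unlock-system.
    printf '%s UUID=%s none luks,noauto,x-udisks-auth\n' \
        "$MAPPER" "$LUKS_UUID" > "$STAGE/etc/crypttab"

    # /etc/fstab: same idea for mounting; udisks2 then uses filesystem-fstab
    # rather than filesystem-mount-system for this one mount point.
    printf '/dev/mapper/%s %s ext4 noauto,x-udisks-auth 0 2\n' \
        "$MAPPER" "$MOUNTPOINT" > "$STAGE/etc/fstab"

    # The rule from the mail plus an Identity line limited to one local user,
    # so only that user's active session gets the passwordless grant.
    {
        printf '[Allow active user to mount x-udisks-auth filesystems]\n'
        printf 'Identity=unix-user:%s\n' "$LOCAL_USER"
        printf 'Action=org.freedesktop.udisks2.filesystem-fstab;'
        printf 'org.freedesktop.udisks2.encrypted-unlock-crypttab\n'
        printf 'ResultActive=yes\n'
    } > "$PKLA_DIR/x-udisks-auth.pkla"
}

# Returns 0 when both device entries carry x-udisks-auth and the rule names
# exactly the two narrow action ids (and nothing ending in -system).
check_config() {
    pkla="$PKLA_DIR/x-udisks-auth.pkla"
    grep -q 'x-udisks-auth' "$STAGE/etc/crypttab" &&
    grep -q 'x-udisks-auth' "$STAGE/etc/fstab" &&
    grep -q '^Action=org.freedesktop.udisks2.filesystem-fstab;org.freedesktop.udisks2.encrypted-unlock-crypttab$' "$pkla" &&
    ! grep -q 'unlock-system\|mount-system' "$pkla" &&
    grep -q '^ResultActive=yes$' "$pkla"
}

stage_config
check_config && echo "Staged under $STAGE; review, then copy into /etc as root."
# After installing for real, confirm what polkit will do for the two actions:
#   pkaction --verbose --action-id org.freedesktop.udisks2.encrypted-unlock-crypttab
#   pkaction --verbose --action-id org.freedesktop.udisks2.filesystem-fstab
# and unlock/mount through udisks2 (udisksctl unlock -b /dev/disk/by-uuid/<UUID>).
```

The point of going through the `-fstab` / `-crypttab` actions is least privilege: the `-system` actions stay at `auth_admin`, and the passwordless grant covers only the devices that carry `x-udisks-auth` and only the named user's active local session. On a system whose polkit reads JavaScript rules from /etc/polkit-1/rules.d instead of pklocalauthority, the same two action ids are what such a rule would match on.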

