Re: Difference between LUKS drives with cryptsetup and Disks?

To: debian-user@lists.debian.org
Subject: Re: Difference between LUKS drives with cryptsetup and Disks?
From: Ansgar Burchardt <"Ansgar Burchardt"@43-1.org>
Date: Fri, 04 Nov 2016 09:46:40 +0100
Message-id: <[🔎] 87y40z1vkf.fsf@deep-thought.43-1.org>
In-reply-to: <[🔎] nvhf92$4iq$1@blaine.gmane.org> (Joerg Desch's message of "Fri, 4 Nov 2016 08:01:38 +0000 (UTC)")
References: <[🔎] nvhf92$4iq$1@blaine.gmane.org>

Hi,

Joerg Desch writes:
> I've created a LUKS partition which I mount on demand. This partition was
> created using cryptsetup. While mounting the partition, GNOME asks me
> first for the passphrase and than for the "admin" password.
>
> A while ago, I've created a LUKS partition on an USB thumb drive using
> GNOME Disks. In this case, mounting requires only the passphrase. And
> that doesn't depend on the used computer!
>
> What is the difference? Can I change the behavior of my older LUKS
> partition too?

GNOME uses udisks2 to manage devices.  udisks2 treats removable devices
(can mount as regular user) and system devices (can only mount as admin)
differently.

One can find the actions udisks2 uses PolicyKit for in
/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy: the
interesting ones probably are:

  org.freedesktop.udisks2.filesystem-mount
  org.freedesktop.udisks2.filesystem-mount-system
  org.freedesktop.udisks2.filesystem-fstab

  org.freedesktop.udisks2.encrypted-unlock
  org.freedesktop.udisks2.encrypted-unlock-system
  org.freedesktop.udisks2.encrypted-unlock-crypttab

The default permissions allow the active user to use 'filesystem-mount'
(that is mount removable devices) and 'encrypted-unlock' (unlock
removable devices).  The other actions are only allowed for
administrators with a password prompt (`auth_admin` or
`auth_admin_keep`).

As you only want to manage a single partition, I would try to use the
'filesystem-fstab' and 'encrypted-unlock-crypttab' actions which should
only apply to specific devices instead of the '*-system' actions: add
the 'x-udisks-auth' option to the /etc/fstab and /etc/crypttab entries
and allow using them by the active user without a password prompt:

+---
| [Allow active user to mount x-udisks-auth filesystems]
| Action=org.freedesktop.udisks2.filesystem-fstab;org.freedesktop.udisks2.encrypted-unlock-crypttab
| ResultActive=yes
+---[ /etc/polkit-1/localauthority/50-local.d/x-udisks-auth.pkla ]

See man:pklocalauthority(8) for documentation of the *.pkla files.

Note that I haven't used PolicyKit that much, so some details might not
be quite correct.

Ansgar

Reply to:

Follow-Ups:
- Re: Difference between LUKS drives with cryptsetup and Disks?
  - From: Ansgar Burchardt <"Ansgar Burchardt"@43-1.org>

References:
- Difference between LUKS drives with cryptsetup and Disks?
  - From: Joerg Desch <news@jdesch.de>

Prev by Date: Re: Difference between LUKS drives with cryptsetup and Disks?
Next by Date: Re: Difference between LUKS drives with cryptsetup and Disks?
Previous by thread: Re: Difference between LUKS drives with cryptsetup and Disks?
Next by thread: Re: Difference between LUKS drives with cryptsetup and Disks?
Index(es):
- Date
- Thread