3

Currently, I do this to mount my encrypted thumbdrive:

    # Works!
    pass thumbdrive-password |                      # get device password entry from password manager
      head -n 1 |                                   # get the device password itself
      sudo cryptsetup luksOpen /dev/sdb thumbdrive  # unlock device
    udisksctl mount -b /dev/mapper/thumbdrive       # mount device

I'd like to do something like this instead:

    # Does not work!
    pass thumbdrive-password |
      head -n 1 |
      udisksctl unlock -b /dev/sdb              # unlock device
    udisksctl mount -b /dev/mapper/luks-foobar  # mount device with uuid "foobar"

This would allow semi-privileged users (with permission to org.freedesktop.udisks2.filesystem-mount in polkit) to mount encrypted filesystems without using sudo. Udisks will not accept this piping method, because it uses an interactive password prompt. How can I provide my device password to udisksctl unlock without typing it in manually?

5
  • 3
    udisksctl unlock --block-device /dev/sdb --key-file <(printf "%s" "$(pass thumbdrive-password | head -n 1)") Commented Jun 3, 2018 at 12:08
  • I have neither udisks nor pass to test with but manpage suggests it might work like that. I have doubts about head -n 1, certainly there should be a way to make it spit out the password directly... printf is to get rid of newline which might be taken to be part of the passphrase if interpreted as a keyfile. If pass is able to show password without newline you don't need that either. Commented Jun 3, 2018 at 12:10
  • 2
    @frostschutz & al. --key-file appeared in v2.6.4. E.g., it is not available in Debian stretch. OP didn't specify the distribution. Commented Jun 3, 2018 at 12:15
  • I'm using NixOS, but I would accept an answer that worked on Debian since I didn't specify. Wanted to make this as generic as possible. My version of udisksctl is 2.1.6, but @frostschutz's comment looks promising for the future. Commented Jun 3, 2018 at 12:20
  • NixOS should get 2.7.6 soon! github.com/NixOS/nixpkgs/pull/35551 and Debian will get it with buster. Commented Jun 3, 2018 at 12:29

3 Answers

4

For udisks version 2.6.4 and later

Note: I haven't tested this. I will once I get udisks 2.6.4 (whenever https://github.com/NixOS/nixpkgs/pull/41723 is backported to NixOS stable).

Update: I have udisks 2.8.0 now, so I can test my solution. The only thing I missed was removing the trailing newline from the output of pass (...) | head (...). To trim that, either use the -n flag with echo, or append | tr -d '\n' to the head output. I've reflected this in my two solutions below.

Generic (unsecure) solution

Use the --key-file flag and substitute the password string in place of a keyfile. To unlock /dev/sdb with the password hunter2:

udisksctl unlock --block-device /dev/sdb --key-file <(echo -n "hunter2") 

Passing sensitive data directly through the command line is unsafe, so this method should be avoided.

pass implementation

Instead, retrieve the password string with pass thumbdrive-password | head -n 1, trim the trailing newline, and substitute it in place of a keyfile:

    udisksctl unlock \
      --block-device /dev/sdb \
      --key-file <(pass thumbdrive-password | head -n 1 | tr -d '\n')
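
The --key-file approach above, wrapped into a function that refuses to submit an empty key when pass fails and then mounts the cleartext device that unlock reports. This is an added example, not part of the answer and not udisks or pass project code. PASS_CMD, UDISKSCTL and the function names are hypothetical, and the parsing assumes unlock prints "Unlocked <device> as <cleartext device>."

```bash
#!/usr/bin/env bash
# Added example. Assumes bash and udisks >= 2.6.4 (first release with --key-file).
# PASS_CMD, UDISKSCTL and both function names are hypothetical; the two
# variables exist only so the commands can be swapped for stand-ins.
PASS_CMD=${PASS_CMD:-pass}
UDISKSCTL=${UDISKSCTL:-udisksctl}

# Print the first line of a pass entry with no trailing newline, because a
# newline written into the key file would be treated as part of the key.
read_secret() {
    local entry=$1 out
    out=$("$PASS_CMD" "$entry") || return 1   # propagate a failing pass
    printf '%s' "${out%%$'\n'*}"              # drop everything after line one
}

# Unlock DEV with the secret stored under ENTRY, then mount the cleartext device.
unlock_and_mount() {
    local dev=$1 entry=$2 secret out clear
    secret=$(read_secret "$entry") || { echo "cannot read $entry" >&2; return 1; }
    [ -n "$secret" ] || { echo "empty secret for $entry" >&2; return 1; }

    # printf is a shell builtin: the secret travels through the pipe behind
    # /dev/fd/N and never shows up in any process's argument list.
    out=$("$UDISKSCTL" unlock --block-device "$dev" \
            --key-file <(printf '%s' "$secret")) || return 1
    unset secret

    # Assumed output form: "Unlocked /dev/sdb as /dev/dm-0."
    case $out in
        *" as "*) clear=${out##* as }; clear=${clear%.} ;;
        *) echo "unexpected output: $out" >&2; return 1 ;;
    esac
    "$UDISKSCTL" mount --block-device "$clear"
}

# Usage: unlock_and_mount /dev/sdb thumbdrive-password
```
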
3

The problem is that the data is not read from stdin but from the controlling terminal:

unlock
Unlocks an encrypted device. The passphrase will be requested from the controlling terminal and upon successful completion, the cleartext device will be printed to standard output.

You can either use the work-around frostschutz suggested or use tricks to make the pipeline input appear on the controlling terminal, e.g. with expect or socat.

pass thumbdrive-password | head -n 1 | socat - EXEC:'udisksctl unlock -b /dev/sdb',pty,setsid,ctty 
-2

It is never too late to contribute. I simply ran #sudo apt-get install udisks2-lvm2 and it got mounted automatically. Kubuntu 20.4 - USB adapter to 1TB SATA disk.
