This article was last edited over 3 years ago. Information here may no longer be accurate. Please proceed with caution, and feel free to contact me.
You can automatically unlock and mount LUKS encrypted volumes at
boot by specifying the volumes and their keys in
For the sake of this article, I am working with non-critical volumes. Volumes for storage. Not volumes required to boot your machine properly. I am not discussing how to mount an encrypted root volume.
I like to keep my keyfiles on USB drives. You do not need to use a USB device to unlock your volumes, but it is a bit silly to keep the key on a permanent disk connected to your machine, right?
You can specify an
/etc/fstab entry for your USB key
# /etc/fstab UUID=1ed7fee7-0ea5-4643-bb0c-a4937da77a3f /mnt/key ext4 defaults,nofail,x-systemd.device-timeout=1
It is less a recommendation, and more a requirement, that you
mount the key using a UUID or some other less flexible identifier.
/dev/sdc1 can vary wildly for a USB
x-systemd.device-timeout because I consider my
encrypted volume non-critical. It is a secondary volume. So if I
forget to put my USB key in my computer, it is fine. It will
1 second and boot normally. Without
these settings, your computer will hang at boot forever or for a
very long time if you forget to connect your USB key before
The system will not wait for the device to show up and be unlocked at boot, and not fail the boot if it does not show up.
Configure how long systemd should wait for a device to show up before giving up on an entry from /etc/fstab. Specify a time in seconds or explicitly append a unit such as “s”, “min”, “h”, “ms”.
Now we can specify in
/etc/crypttab which encrypted
volume(s) to mount at boot, and where the keyfiles are.
# /etc/crypttab storage1 UUID=d719b16d-d9e3-4a7d-97f4-661bc7904a69 /mnt/key/mykey.keyfile luks,nofail
Note above. I have an encrypted volume identified by a UUID that
will be opened using the name
storage1. The keyfile
used to unlock that volume lives at
/mnt/key/ and is
that this is not a critical drive, and if a failure occurs,
booting should continue normally.
There is a bit of a catch here.
/mnt/key will not be available at the right time.
To get around that, we create
/etc/default/cryptdisks like so.
# /etc/default/cryptdisks CRYPTDISKS_MOUNT='/mnt/key'
This tells the crypt software to mount
/mnt/key before processing
With all that in place, when you reboot, the volume should be
available, unencrypted, at
/etc/fstab entry to mount that unencrypted
device to a standard location can be done as you would for any
other unencrypted volume.
# /etc/fstab /dev/mapper/storage1 /mnt/storage1 ext4 defaults,nofail 0 1