9

Recently I searched for a substitute for TrueCrypt and played a bit with cryptsetup. The steps I did:

  1. mkfs -t ext4 /dev/sdb1
  2. sudo cryptsetup open --type luks /dev/sdb1 enc_vol
  3. sudo mount /dev/mapper/enc_vol /mnt

After that I (a non-root user) can chdir to /mnt and can see files but can't write anything there. Only root can write, but that is very inconvenient for me. As `ls -l /dev/mapper/enc_vol` shows, it is a symlink owned by root which points to /dev/dm-1.

Commands like chown "username":"username" and chmod 777 cannot change the "root"ness of the aforementioned symlink to /dev/dm-1.

My question: how can I mount LUKS partitions encrypted by cryptsetup so that I am able to write files to them as a non-root user?

techraf
NIkolay Smirnov

3 Answers

7

TLDR: Mount the filesystem in the user's home directory.

This is not specific to luks since it applies to mounting in general. I have not tested with ext4 but I don't see a reason why it will be different from ext3 (which I have tested).

```
sudo cryptsetup luksOpen /dev/sdb1 enc_vol
mkdir ~/enc_vol_mnt
sudo mount /dev/mapper/enc_vol ~/enc_vol_mnt
```

The regular user should now be able to read, write and delete files and directories in ~/enc_vol_mnt.

There are some other solutions to this problem on superuser.

As a side note, you can also use the -o users,rw,umask=0000 mount options when the file system being mounted is FAT or NTFS. The mount man page has more info on this.

stuffy
7

For future readers:

A freshly formatted filesystem's root usually has rights of rwxr-xr-x and is indeed writable by root only.

On the first mount, depending on the future use of this partition, either chown the root of the mounted drive (not the device in /dev!) to the user intended to use it exclusively, or chmod it to rwxrwxrwxt to have it accessible system-wide, in a manner similar to /tmp. Or use any user rights/owner combination in between (for example, writable by members of a specific group, etc.).

The setting is persistent across reboots/remounts.

TL;DR:

```
mount /dev/DEVICE /SOMEWHERE
chown USER:GROUP /SOMEWHERE
```

or

```
mount /dev/DEVICE /SOMEWHERE
chmod a+rwxt /SOMEWHERE
```
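
The permission logic behind the answers above, as an added example that is not part of any answer: given the owner, group and octal mode of a mounted filesystem's root directory, it reports which permission class lets a user create files there and flags world-writable roots that lack the sticky bit. The function names and result labels are hypothetical; it looks at mode bits only (no ACLs, no read-only mounts) and assumes a `stat` that supports `-c` (GNU or BusyBox).

```shell
#!/bin/sh
# Added example: explain why a user can or cannot create files in the root
# directory of a mounted filesystem, from owner/group/mode alone.
# Function names and result labels are hypothetical.

# A class digit allows file creation only with both write (2) and search (1).
can_wx() { case $1 in 3|7) return 0 ;; *) return 1 ;; esac; }

# classify_access UID "GID GID ..." OWNER_UID OWNER_GID OCTAL_MODE
classify_access() {
    uid=$1; gids=$2; o_uid=$3; o_gid=$4
    perm=$(printf '%04d' "$5")            # 755 -> 0755, 1777 stays 1777
    special=${perm%???}; rest=${perm#?}
    u=${rest%??}; g=${rest#?}; g=${g%?}; o=${rest#??}

    if [ "$uid" -eq 0 ]; then echo root; return 0; fi
    # Same order as the kernel: owner bits, else group bits, else other bits.
    if [ "$uid" -eq "$o_uid" ]; then
        how=owner; digit=$u
    else
        how=other; digit=$o
        for gid in $gids; do
            if [ "$gid" -eq "$o_gid" ]; then how=group; digit=$g; break; fi
        done
    fi
    if ! can_wx "$digit"; then echo denied; return 1; fi
    # World-writable without the sticky bit (what chmod 777 gives) lets any
    # user delete or rename other users' files; a+rwxt adds sticky (1777).
    if can_wx "$o" && [ $((special & 1)) -eq 0 ]; then how="$how:no-sticky"; fi
    echo "$how"
}

# check_mount_root DIR USER: run the classification on a real mount point.
check_mount_root() {
    st=$(stat -c '%u %g %a' "$1") || return 2
    set -- "$2" $st
    classify_access "$(id -u "$1")" "$(id -G "$1")" "$2" "$3" "$4"
}

# Constructed cases: a fresh ext4 root (0:0, mode 755) seen by uid 1000,
# then the fixes discussed above.
classify_access 1000 "1000 27" 0 0 755 || true   # denied
classify_access 1000 "1000 27" 1000 1000 755     # owner (after chown)
classify_access 1000 "1000 27" 0 0 1777          # other (after chmod a+rwxt)
classify_access 1000 "1000 27" 0 0 777           # other:no-sticky (chmod 777)
```

On a live system, `check_mount_root /mnt "$USER"` applies the same classification to an actual mount point.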
1

Here are a few things to try on your particular system.

You can look at udisksctl per this mailing list article

Assuming you have udisks2, this shouldn't be a problem:

```
$ udisksctl
Usage:
  udisksctl [OPTION...] COMMAND

Commands:
  help            Shows this information
  info            Shows information about an object
  dump            Shows information about all objects
  status          Shows high-level status
  monitor         Monitor changes to objects
  mount           Mount a filesystem
  unmount         Unmount a filesystem
  unlock          Unlock an encrypted device
  lock            Lock an encrypted device
  loop-setup      Set-up a loop device
  loop-delete     Delete a loop device
  power-off       Safely power off a drive
  smart-simulate  Set SMART data for a drive

Use "udisksctl COMMAND --help" to get help on each command.
```

The 'unlock' command seems useful to you.

Alternately, as root, set up fstab correctly, perhaps starting by reading this Superuser answer to Linux - Mount device with specific user rights

To mount a device with certain rights, you can use the -o Option directive while mounting the device. To mount the device you described, run:

```
mount -t deviceFileFormat -o umask=filePermissons,gid=ownerGroupID,uid=ownerID /device /mountpoint
```

Anti-weakpasswords
  • Thanks for your reply. I am learning, so I want to do such things without using external tools. Also I found that ext4 cannot be mounted by gid,uid in answer http://superuser.com/a/320640 "For filesystems that does not support mounting as a specific user (like ext4) the above will give the error Unrecognized mount option "uid=33" or missing value " Still needs root to write. Lubuntu 15.10 64. When I plug in my USB, a window pops up where I can enter the password for LUKS and then use and write to the USB. But on the command line I cannot write. It is really annoying. – NIkolay Smirnov Feb 22 '16 at 10:19
  • 1
    For anyone interested, there's a good write-up [here](https://unix.stackexchange.com/a/329639/6860) about using `udisksctl` for unlocking/mounting, and for unmounting/locking/powering-down. – sampablokuper Dec 14 '17 at 23:53