Beside… if you are looking for an automount, which run after the login, then use udisksctl and add commands to the startup. That is much more feasible for usb flash drives.
As for the tcrypt and tcrypt-veracrypt options, this option always worked before:
tcrypt-veracrypt,tcrypt-keyfile= (guide: Automount VeraCrypt with Crypttab | Delightly Linux)
And it still works, but only if the key file is not on the USB flash drive. crypttab still decrypts if the keyfile is on the local system, such as home/user. But it does not read the key from the USB flash drive.
I wouldn’t want to replace crypttab and fstab with something else. Because it worked for a long time. I just don’t understand what happened after the recent update and it no longer works…
Maybe I’m missing the knowledge here, but logically a decryption key shouldn’t be on an encrypted partition. This is the same as if you throw the key into the apartment, close the door and then try to open the door with the key in the apartment.
Or have I misunderstood something?
If it’s an image and the key is right next to it, then that’s just as smart. In any case, the USB stick should be mounted first (so that it can reach the key), then the image should be unlocked and then the unlocked image should be mounted. Better would storing the key on the system like described on the linked tutorial.
Logically, cryptab runs first and then fstab on boot, but in your case it has to run the other way around. I have no idea why this worked.
The Keyfile is located on an unencrypted USB flash drive. I simply inserted it when I wanted the system to open my containers at startup.
But you are now saying that crypttab starts before fstab. If this is true, then this is even more puzzling… I don’t even know how to check this. I just tried a bunch of options already.
As a temporary measure, I just put the keyfile in a local folder so that I could get my containers. But in the long term this is completely unsuitable, since there is no point in having a lock if you keep the key to the apartment on a nail in front of the door.
I highly doubt that this worked. Logically it cannot. It would only work if it would be a real encrypted partition and not a container and all tutorials I read mention block devices and not containers. crypttab also doesn’t mention the possibility to use container files.
Use veracrypt to unlock and mount your containers after login.
Maybe.
I’m not enough of an advanced user to check. But I will try to roll back certain packages after the backup.
So thanks for the tip to you. Any thoughts would help.
Try increasing the value to, for example 30s, to test the theory; if it works, then try 20s, or whatever may be a more practical delay. Though I imagine you’ve already tried something similar.
I just found the following thread which might be relevant:
I have already communicated with this person. And he tried to help as much as he could, but his problem turned out to be different. So it didn’t work for me.
Also, my /etc/mkinitcpio.conf remained unchanged after the manjaro 09.10 update. Namely, after him everything went to hell.
Or, maybe add a post-start delay to the systemd-cryptsetup@cryptobox.service .
Something like
[Service]
ExecStartPost=/bin/sleep 30
I’ve never had to try this and am unsure of its accuracy, but it’s worth some further investigation. If it works, it should delay starting the service until the USB drive has mounted.
to get serial id (plugin the usb stick). Why a serial? Because it is very unique, it will only work with that usb-stick and is not easy to fake.
A mount script could look like this:
File: /usr/local/bin/mount-script.sh
#!/usr/bin/bash
CONTAINER="/home/user/VeraCrypt/cryptobox"
KEYFILE="/tmp/usb/key-file"
UUID="UUID"
MAPPER="cryptbox"
TARGET="/mnt/decrypted"
mount -o defaults,X-mount.mkdir -U <UUID> /tmp/usb/
cryptsetup open --type tcrypt --key-file "$KEYFILE" open "$CONTAINER" "$MAPPER"
mount -o defaults,ro,X-mount.mkdir,users "/dev/mapper/$MAPPER" "$TARGET"
Don’t forget to make it executable.
Now everytime you plugin the USB Flash Drive with that specfic SERIAL ID (no other), it will mount it and decrypt it automatically, assuming that the key is not password protected.
Not tested myself, so rather a mental prototype, but I guess you get the idea here.
No… the container is in @fedreit60 home folder. Only the key is on the USB-Stick. And here is problem… Crypttab needs the key, but the FS is not mounted yet xD