3

Currently, I do this to mount my encrypted thumbdrive:

# Works!
pass thumbdrive-password | # get device password entry from password manager
    head -n 1 | # get the device password itself
    sudo cryptsetup luksOpen /dev/sdb thumbdrive # unlock device
udisksctl mount -b /dev/mapper/thumbdrive # mount device

I'd like to do something like this instead:

# Does not work!
pass thumbdrive-password |
    head -n 1 |
    udisksctl unlock -b /dev/sdb # unlock device
udisksctl mount -b /dev/mapper/luks-foobar # mount device with uuid "foobar"

This would allow semi-privileged users (with permission to org.freedesktop.udisks2.filesystem-mount in polkit) to mount encrypted filesystems without using sudo. Udisks will not accept this piping method, because it uses an interactive password prompt. How can I provide my device password to udisksctl unlock without typing it in manually?

gmarmstrong
  • 3
    `udisksctl unlock --block-device /dev/sdb --key-file <(printf "%s" "$(pass thumbdrive-password | head -n 1)")` – frostschutz Jun 03 '18 at 12:08
  • I have neither udisks nor pass to test with but manpage suggests it might work like that. I have doubts about head -n 1, certainly there should be a way to make it spit out the password directly... printf is to get rid of newline which might be taken to be part of the passphrase if interpreted as a keyfile. If pass is able to show password without newline you don't need that either. – frostschutz Jun 03 '18 at 12:10
  • 2
    @frostschutz & al. `--key-file` appeared in [v2.6.4](http://storaged.org/doc/udisks2-api/2.6.4/udisksctl.1.html). E.g., it is not available in Debian stretch. OP didn't specify the distribution – A.B Jun 03 '18 at 12:15
  • I'm using NixOS, but I would accept an answer that worked on Debian since I didn't specify. Wanted to make this as generic as possible. My version of udisksctl is 2.1.6, but @frostschutz's comment looks promising for the future. – gmarmstrong Jun 03 '18 at 12:20
  • NixOS should get 2.7.6 soon! https://github.com/NixOS/nixpkgs/pull/35551 and Debian will get it with buster. – gmarmstrong Jun 03 '18 at 12:29

3 Answers

4

For udisks version 2.6.4 and later

Note: I haven't tested this. I will once I get udisks 2.6.4 (whenever https://github.com/NixOS/nixpkgs/pull/41723 is backported to NixOS stable).

Update: I have udisks 2.8.0 now, so I can test my solution. The only thing I missed was removing the trailing newline from the output of pass (...) | head (...). To trim that, either use the -n flag with echo, or append | tr -d '\n' to the head output. I've reflected this in my two solutions below.

Generic (unsecure) solution

Use the --key-file flag and substitute the password string in place of a keyfile. To unlock /dev/sdb with the password hunter2:

udisksctl unlock --block-device /dev/sdb --key-file <(echo -n "hunter2")

Passing sensitive data directly through the command line is unsafe, so this method should be avoided.

pass implementation

Instead, retrieve the password string with pass thumbdrive-password | head -n 1, trim the trailing newline, and substitute it in place of a keyfile:

udisksctl unlock \
    --block-device /dev/sdb \
    --key-file <(pass thumbdrive-password | head -n 1 | tr -d '\n')
gmarmstrong
3

The problem is that the data is not read from stdin but from the controlling terminal:

unlock
Unlocks an encrypted device. The passphrase will be requested from the controlling terminal and upon successful completion, the cleartext device will be printed to standard output.

You can either use the work-around frostschutz suggested or use tricks to make the pipeline input appear on the controlling terminal, e.g. with expect or socat.

pass thumbdrive-password |
    head -n 1 |
    socat - EXEC:'udisksctl unlock -b /dev/sdb',pty,setsid,ctty
Hauke Laging
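
The two answers above combined into one POSIX sh helper, as an added example that is not part of either answer. The function names are hypothetical, the caller supplies the installed udisks version, and /dev/stdin stands in for the `<(...)` path so the script runs in plain sh (assumed to be read the same way).

```shell
#!/bin/sh
# Added example: passphrase arrives on stdin, never as a command-line argument.

# version_ge A B: succeed when dotted version A >= B, compared numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# first_line: copy the first line of stdin without its newline. A key file is
# used byte for byte, so a stray "\n" would become part of the passphrase.
first_line() {
    IFS= read -r fl_line || [ -n "$fl_line" ] || return 1
    printf '%s' "$fl_line"
}

# unlock_noninteractive DEVICE UDISKS_VERSION (hypothetical helper).
# UDISKS_VERSION is supplied by the caller, e.g. from the package manager.
unlock_noninteractive() {
    if version_ge "$2" 2.6.4; then
        # --key-file exists from 2.6.4: the pipe itself is the key file.
        # Assumption: /dev/stdin is read like the /dev/fd path of <(...).
        first_line | udisksctl unlock --block-device "$1" --key-file /dev/stdin
    else
        # Older udisks prompts on the controlling terminal, so socat provides
        # a pty; the prompt needs the newline back to submit the entry.
        { first_line; echo; } |
            socat - EXEC:"udisksctl unlock -b $1",pty,setsid,ctty
    fi
}

# Usage: pass thumbdrive-password | unlock_noninteractive /dev/sdb 2.8.0
```
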
-2

It's never too late to contribute. I simply ran `sudo apt-get install udisks2-lvm2` and it got mounted automatically. Kubuntu 20.4 - USB adapter to 1TB SATA disk.