Accessing external LUKS HDD with custom user, Ubuntu 14.04

For some esoteric reason you might want to access your dm-crypt/LUKS encrypted hard disk as another user, e.g. the one running perl, php, etc.

When external devices are plugged in and automounted, standard permissions are used. Therefore a user like www-data will not be able to access the data on the drive. A solution is to permanently register the drive in crypttab and fstab and give the drive custom permissions.

  1. Check which user is running your target application (e.g. user “www-data”).
    ps -aux
  2. Connect the drive manually and check the files /etc/crypttab and /etc/fstab.
    mount -l will help you to check the current fstab permissions.
  3. Disconnect the drive and recheck the permissions. Notice the missing line in /etc/crypttab.
  4. Add the missing line to /etc/crypttab, for example (replace the LUKS ID and UUID):
    luks-504c9fa7-d080-4acf-a829-73227b48fb89 UUID=01234567-89ab-cdef-0123-456789abcdef none luks,discard
  5. Create the target mount directory.
    sudo mkdir /archive
  6. Add the line to /etc/fstab:
    /dev/mapper/luks-504c9fa7-d080-4acf-a829-73227b48fb89 /archive ext4 noauto,uid=mainsername,gid=www-data,umask=0027 0 0
    This example configuration will give the user “www-data” read access to the drive.
  7. Mount the drive:
    sudo mount /dev/mapper/luks-50* /archive
    sudo mount -a

In a nutshell, fstab needs the /dev/mapper/luks-… device to exist before it can mount the drive.
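
The dependency between the two files can be checked mechanically. The shell function below is an added example, not part of the original post: the name check_luks_mount is hypothetical, and the demo runs on temporary copies of the entries from steps 4 and 6. Besides the crypttab/fstab link it reports three known properties of those options: discard lets TRIM reveal unused blocks, mount -a skips noauto entries, and ext2/3/4 reject uid=, gid= and umask= (these apply to filesystems such as vfat that store no Unix ownership).

```shell
#!/bin/sh
# Added example: lint a crypttab/fstab pair for one LUKS mount point.
# Usage: check_luks_mount CRYPTTAB FSTAB MOUNTPOINT
# Prints one finding per line; returns 1 on FAIL, 0 otherwise.
check_luks_mount() {
    crypttab=$1; fstab=$2; mnt=$3; ret=0

    # fstab fields: device, mount point, fstype, options, dump, pass
    entry=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $1, $3, $4; exit }' "$fstab")
    [ -n "$entry" ] || { echo "FAIL: no fstab entry for $mnt"; return 1; }
    set -- $entry
    dev=$1; fstype=$2; opts=$3

    case $dev in
        /dev/mapper/*) name=${dev#/dev/mapper/} ;;
        *) echo "FAIL: $dev is not a /dev/mapper device"; return 1 ;;
    esac

    # crypttab fields: name, source device, key file, options
    copts=$(awk -v n="$name" '$1 !~ /^#/ && $1 == n { print ($4 == "" ? "-" : $4); exit }' "$crypttab")
    if [ -n "$copts" ]; then
        echo "OK: $name is defined in crypttab"
    else
        echo "FAIL: $name has no crypttab entry, so $dev will never exist"; ret=1
    fi

    # discard passes TRIM through dm-crypt and exposes which blocks are unused
    case ",$copts," in *,discard,*) echo "WARN: crypttab enables discard" ;; esac

    # mount -a skips noauto entries; they need an explicit mount
    case ",$opts," in *,noauto,*) echo "INFO: noauto, mount $mnt explicitly" ;; esac

    # ext2/3/4 store ownership on disk and reject uid=, gid= and umask=
    case $fstype in ext[234])
        case ",$opts" in *,uid=*|*,gid=*|*,umask=*)
            echo "WARN: $fstype rejects uid=/gid=/umask= mount options" ;;
        esac ;;
    esac
    return $ret
}

# Demo on temporary copies of the entries from steps 4 and 6 (not the live /etc files).
demo=$(mktemp -d)
echo 'luks-504c9fa7-d080-4acf-a829-73227b48fb89 UUID=01234567-89ab-cdef-0123-456789abcdef none luks,discard' > "$demo/crypttab"
echo '/dev/mapper/luks-504c9fa7-d080-4acf-a829-73227b48fb89 /archive ext4 noauto,uid=mainsername,gid=www-data,umask=0027 0 0' > "$demo/fstab"
check_luks_mount "$demo/crypttab" "$demo/fstab" /archive
rm -rf "$demo"
```

Point the first two arguments at /etc/crypttab and /etc/fstab to check a real system; the function only reads the files.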
