Hi,

Joerg Desch writes:
> I've created a LUKS partition which I mount on demand. This partition was
> created using cryptsetup. While mounting the partition, GNOME asks me
> first for the passphrase and then for the "admin" password.
>
> A while ago, I've created a LUKS partition on a USB thumb drive using
> GNOME Disks. In this case, mounting requires only the passphrase. And
> that doesn't depend on the used computer!
>
> What is the difference? Can I change the behavior of my older LUKS
> partition too?

GNOME uses udisks2 to manage devices. udisks2 treats removable devices
(can mount as regular user) and system devices (can only mount as admin)
differently.

One can find the actions udisks2 uses PolicyKit for in
/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy: the
interesting ones probably are:

  org.freedesktop.udisks2.filesystem-mount
  org.freedesktop.udisks2.filesystem-mount-system
  org.freedesktop.udisks2.filesystem-fstab
  org.freedesktop.udisks2.encrypted-unlock
  org.freedesktop.udisks2.encrypted-unlock-system
  org.freedesktop.udisks2.encrypted-unlock-crypttab

The default permissions allow the active user to use 'filesystem-mount'
(that is mount removable devices) and 'encrypted-unlock' (unlock
removable devices). The other actions are only allowed for
administrators with a password prompt (`auth_admin` or
`auth_admin_keep`).

As you only want to manage a single partition, I would try to use the
'filesystem-fstab' and 'encrypted-unlock-crypttab' actions which should
only apply to specific devices instead of the '*-system' actions: add
the 'x-udisks-auth' option to the /etc/fstab and /etc/crypttab entries
and allow using them by the active user without a password prompt:

+---
| [Allow active user to mount x-udisks-auth filesystems]
| Identity=unix-user:*
| Action=org.freedesktop.udisks2.filesystem-fstab;org.freedesktop.udisks2.encrypted-unlock-crypttab
| ResultActive=yes
+---[ /etc/polkit-1/localauthority/50-local.d/x-udisks-auth.pkla ]

See man:pklocalauthority(8) for documentation of the *.pkla files.

Note that I haven't used PolicyKit that much, so some details might not
be quite correct.

Ansgar
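
Added example, not part of the message above: a small shell check that the fstab and crypttab entries carry x-udisks-auth and that a .pkla group covers both actions. The mapping name "data", the mount point /mnt/data, the zero UUID and all file contents are constructed placeholders; the Identity key is included because pklocalauthority(8) lists it as required.

```shell
#!/bin/sh
# Added example: consistency check for the x-udisks-auth setup described above.
# All sample file contents are constructed; the UUID is a placeholder.

# has_udisks_auth FILE NAME KEYCOL OPTCOL: true if the entry whose column
# KEYCOL equals NAME lists x-udisks-auth in its comma-separated column OPTCOL.
has_udisks_auth() {
    awk -v name="$2" -v key="$3" -v opt="$4" '
        /^[[:space:]]*(#|$)/ { next }
        $key == name {
            n = split($opt, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "x-udisks-auth") found = 1
        }
        END { exit !found }' "$1"
}

# pkla_allows FILE ACTION: true if one group has Identity=, ResultActive=yes
# and names ACTION literally in Action= (globs are not expanded here).
pkla_allows() {
    awk -v want="$2" '
        function endgroup() { if (id && yes && act) ok = 1; id = yes = act = 0 }
        /^\[/ { endgroup(); next }
        /^Identity=./ { id = 1 }
        /^ResultActive=yes[[:space:]]*$/ { yes = 1 }
        /^Action=/ {
            n = split(substr($0, 8), a, ";")
            for (i = 1; i <= n; i++) if (a[i] == want) act = 1
        }
        END { endgroup(); exit !ok }' "$1"
}

demo=$(mktemp -d)
printf '%s\n' '# constructed /etc/fstab entry' \
    '/dev/mapper/data /mnt/data ext4 noauto,x-udisks-auth 0 0' > "$demo/fstab"
printf '%s\n' '# constructed /etc/crypttab entry' \
    'data UUID=00000000-0000-0000-0000-000000000000 none noauto,luks,x-udisks-auth' > "$demo/crypttab"
printf '%s\n' '[Allow active user to mount x-udisks-auth filesystems]' \
    'Identity=unix-user:*' \
    'Action=org.freedesktop.udisks2.filesystem-fstab;org.freedesktop.udisks2.encrypted-unlock-crypttab' \
    'ResultActive=yes' > "$demo/ok.pkla"
grep -v '^Identity=' "$demo/ok.pkla" > "$demo/no-identity.pkla"

has_udisks_auth "$demo/fstab" /mnt/data 2 4 && echo "fstab: x-udisks-auth set"
has_udisks_auth "$demo/crypttab" data 1 4 && echo "crypttab: x-udisks-auth set"
for a in filesystem-fstab encrypted-unlock-crypttab; do
    pkla_allows "$demo/ok.pkla" "org.freedesktop.udisks2.$a" && echo "pkla: $a allowed"
done
pkla_allows "$demo/no-identity.pkla" org.freedesktop.udisks2.filesystem-fstab \
    || echo "pkla without Identity: no usable rule"
```

To check a real system, point the two functions at /etc/fstab, /etc/crypttab and the .pkla file instead of the files under $demo.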