Mount encrypted volumes from command line?

Your volume is probably encrypted with LUKS, here's how to mount it:

You need:

sudo apt-get install cryptsetup

To decrypt the volume:

sudo cryptsetup luksOpen /dev/sda1 my_encrypted_volume

Now you can mount it as usual:

sudo mkdir /media/my_device
sudo mount /dev/mapper/my_encrypted_volume /media/my_device

To lock the container again, it needs to be unmounted first:

sudo umount /media/my_device
sudo cryptsetup luksClose my_encrypted_volume

To automatically put it in the /media location, use the udisks tool

sudo udisks --mount /dev/mapper/my_encrypted_volume

The steps in @Georg Schölly's answer did not work for me at the time, although they might work now, a few Ubuntu releases after. Back then, after the sudo mount /dev/mapper/my_encrypted_volume /media/my_device step I got the error:

mount: unknown filesystem type 'LVM2_member'

Unlocking and mounting the disk with udiskctl

Instead, I used udisksctl, a command-line interface that interacts with the udisksd service.

Here's what worked (/dev/sdb5 is the partition on my hard disk marked as crypt-luks):

udisksctl unlock -b /dev/sdb5
udisksctl mount -b /dev/mapper/ubuntu--vg-root

After typing the first command, you'll be prompted for your encryption passphrase. Once the encrypted partition is unlocked, the second command will mount it. If that's successful, you'll end up with a message similar to this:

Mounted /dev/dm-1 at /media/dpm/e8cf82c0-f0a3-41b3-ab28-1f9d23fcfa72

From there I could access the data :)

Locking the disk with udiskctl

Unmount the device:

udisksctl unmount -b /dev/mapper/ubuntu--vg-root

You'll need to deactivate all logical volumes in the ubuntu-vg volume group first. Otherwise you'll get an error along the lines of 'Device busy' if you try to lock it (more info):

sudo lvchange -an ubuntu-vg

Then you'll be able to lock back the encrypted partition

udisksctl lock -b /dev/sdb5

Notes

• The udisksctl commands are executed without sudo.

• Device mapper names: the ubuntu--vg-root naming might change across Ubuntu releases (e.g. I've seen it called system-root and ubuntu-root too). An easy way to find out the name is to run the following command after unlocking the LUKS partition:

  ls -la /dev/mapper

  Then looking at the output of the ls command, the name you'll need will be generally the one symlinked to /dev/dm-1

• Device mapper names, alternative: an alternative to the previous command is to run:

  lsblk -e7

  There you'll be able to see the device name mapping as a tree view. The -e 7 option is used to exclude the loop devices (ID 7) created by installed snaps from the output. Simply to have less clutter.

• Logical volume names: you can run the sudo lvs command to find out the names of volume groups and logical volumes
• Disks app: the GNOME Disks app does not automatically deactivate the logical volumes before locking the partition. Even if you've successfully unlocked the partition via the GUI, you will need to go to the command line and execute the sudo lvchange -an ubuntu-vg command before you can lock it from the GUI.

If you get this error:

mount: unknown filesystem type 'LVM2_member'

run:

sudo apt-get install lvm2
sudo lvscan

then activate all LVM you see

sudo vgchange -ay

then re-run the mount:

sudo mount /dev/mapper/my_encrypted_volume /media/my_device

One problem i ran into, was duplicate volume groups: Both my recovery system and the drive to be recovered were ubuntu systems with LVM. This is, why I had two ubuntu-vg volume groups (vgdisplay would display both, each with their own UUID, but i couldn't get to their logical volumes).

My solution builds on the answer of Georg:

• Boot off a live-linux (so that you don't run into the duplicate volume group name)
• sudo cryptsetup luksOpen /dev/sdaX my_encrypted_volume
• enter your passphrase when prompted

• sudo vgscan should now pick up the contained volumes/groups.

• DRAGONS AHEAD: WE'RE NOW CHANGING THE VOLUME GROUP NAME. YOU WILL NOT BE ABLE TO BOOT THAT DRIVE AFTERWARDS!

  use sudo vgrename ubuntu-vg ubuntu-vg2 to rename the volume group.

  If you need to boot off that drive, you can do these steps again, but rename your volume group back to ubuntu-vg. A different possibility is to alter your boot configuration to the new vg-name.

Now that the duplicate vg-name is resolved, i can boot back into my regular system, redo the cryptsetup..., vgscan and then mount /dev/mapper/ubuntu--vg2-root anywhere you like.

sdb1 here is an example you should input your device name, none of this commands will require root privileges

unlock encrypted disk

udisksctl unlock -b /dev/sdb1

after inserting the correct passphrase it will output something like this: Unlocked /dev/sdb1 as /dev/dm-3

then mount it to /media/

udisksctl mount -b /dev/dm-3

it should output something like this: Mounted /dev/dm-3 at /media/yourUserName/sdb

to unmount it

udisksctl unmount -b /dev/dm-3

to lock it again

udisksctl lock -b /dev/sdb1

All answers above took the assumption that the user already knows which partition is the encrypted one. Coming from someone that doesn't like the command line so much, I was expecting some user-friendly answer... So my 2cents here.

1. Open the "disks" application of ubuntu.
2. Locate your mounted hard disk in the left panel.
3. Click on the partition that has "LUKS" in its name: this way you can see its mount point in the "Device" text below (in my case: /dev/sdb4).

Then I tried to mount it like adviced above:

$ sudo cryptsetup luksOpen /dev/sdb4 someNameForMyVolume
Enter passphrase for /dev/sdb4: 

But got this error:

Cannot use device /dev/sdb4 which is in use (already mapped or mounted).

Ok, so I guess nautilus has already tried to mount it (because it actually prompted me for the password as I connected the USB, even if it didn't end up showing the decrypted tree). However, the error message is not really helpful because it doesn't tell me where it's already mapped/mounted. But this command helps in this case:

$ udisksctl unlock -b /dev/sdb4
Passphrase: 
Error unlocking /dev/sdb4: GDBus.Error:org.freedesktop.UDisks2.Error.Failed: Device /dev/sdb4 is already unlocked as /dev/dm-3

Aha! So it's /dev/dm-3.

However when trying to mount it, it doesn't work:

$ udisksctl mount -b /dev/dm-3
Object /org/freedesktop/UDisks2/block_devices/dm_2d3 is not a mountable filesystem.

After much tinkering, I found out that I was running into the duplicate volume groups problem (described above by @amenthes) because the commands sudo vgscan -v and sudo vgdisplay were showing two entries with the same volume group name. However, I found a better way to deal with it than his method (no need to boot into a LiveCD to rename volumegroups!), in this link, which I'll quote above (just in case that link gets broken...):

If you run ls -la /dev/mapper/ you should see a luks-xxxxxx-xxxxx-xxxx or some such file. That's the mapping that was created when Ubuntu prompted for the encryption password with a dialog but failed to open it (all the dialog did was to call luksOpen and map it to that /dev/mapper/luks-xxx file). Now:

1. Make sure your physical volume is available by running the sudo pvdisplay command. It should be /dev/mapper/luks-xxx-whatever.
2. Get the uuid of the volume by running sudo pvs -o +vg_uuid. The uuid will be the value displayed all the way to the right, containing 7 dash-delimited values. Copy those somewhere as we'll be using them in the next step. DO NOT CONFUSE UUIDS AND COPY DOWN THE WRONG ONE. Only copy the one for your current /dev/mapper/luks-xxx-whatever device.
3. Change the volume group for your old disk by running the following command sudo vgrename UUIDOFYOURDISKHERE oldhd You can change the "oldhd" to whatever you want so long as it's differing from the volume group name of your current disk. Performing this step removes the conflict with volume group names which will allow you to now make volumes available.
4. Run the command vgchange -a y to make the volumes active.
5. Create a folder for a mountpoint somewhere, e.g.: sudo mkdir /media/<yourUserName>/someDir
6. Mount it: sudo mount /dev/oldhd/root /mnt/oldhd.
7. After working with your files, you should rename your volumegroup back to ubuntu-vg if you want the volume to still be bootable.

I went into several paths from the previous answers and only combination of the previous answers worked for me. He what I did and what went OK, and what went wrong and my workaround.

I have an LUKS encrypted hard disk that I need to mount from a live boot USB for Ubuntu 15.10. To do so I started with the following command,

udisksctl unlock -b /dev/sda3

where sda3 is the encrypted partition. This command didn't work with me and I am not sure why, so I used the following command:

sudo cryptsetup luksOpen /dev/sda1 my_encrypted_volume

it worked with me and I didn't need to install it as it was there in the live boot.

Now, I need to mount the HD, and this was not a straight forward thing: I tried:

sudo mkdir /media/my_device
sudo mount /dev/mapper/my_encrypted_volume /media/my_device

But the second command didn't work with me, and hence I have to find a work around which is the following:

sudo udisksctl mount -b /dev/mapper/ubuntu--vg-root

That was my path .. but you can use the path dev/mapper/ubuntu and then double tab to see the rest of options. This mounted the HDD as:

Mounted /dev/dm-1 at /media/root/03cf6b80-fa7c-411f-90b9-42a3398529ce

Then I used the following command to mount it as /media/my_device as following:

sudo mount /dev/dm-1 /media/my_device/

which worked fine.

In Summary

sudo cryptsetup luksOpen /dev/sda1 my_encrypted_volume
sudo mkdir /media/my_device
sudo udisksctl mount -b /dev/mapper/ubuntu--vg-root
sudo mount /dev/dm-1 /media/my_device/

For those of us who don't want to use a GUI tool even to determine which partition is encrypted.

• find any encrypted partitions

  lsblk -lf | grep LUKS
  

  -l requests the "list" format - we don't need the tree
  -f shows us the name of the file system too
  we get something like

  sdc2 crypto_LUKS b09d6209-......

• unlock the partition that we want (in my case /dev/sdc2)

  udisksctl unlock -b /dev/sdc2
  

  -b means that we are giving the path to a block device
  after entering the passphrase we get an affirmative response with the necessary info for the next step:

  Unlocked /dev/sdc2 as /dev/dm-6

• mount the newly created device (dm stand for device manager)

  udisksctl mount -b /dev/dm-6
  

  Again we get an affirmative response with useful info:

  Mounted /dev/dm-6 at /media/g/Data.

  (g being my username on this system, Data is the label I used for that partition)

  It may be the case that your desktop system/file manager has already automatically mounted the device, or you did it yourself before. Then you get something like

  Error mounting /dev/dm-6: GDBus.Error:org.freedesktop.UDisks2.Error.AlreadyMounted: Device /dev/dm-6 is already mounted at '/media/g/Data'.

  This is no problem, you can access the data from the encrypted partition anyway.

• access the data: ls /media/g/Data

• unmount the device again (use the same name you used for mounting, the command is unmount, not umount :-) )

  udisksctl unmount -b /dev/dm-6
  

  If the device is not busy you will get

  Unmounted /dev/dm-6.

• Now lock the partition again (you have to remember the name of the partition)

  udisksctl lock -b /dev/sdc2
  

  You will get

  Locked /dev/sdc2.

• optionally power down the complete external disk

  udisksctl power-off -b /dev/sdc
  

  With a graphical desktop you may get an error here:

  Error powering off drive: The drive in use: Device /dev/sdc3 is mounted (udisks-error-quark, 14)

  In that case you can use udisksctl to unmount the partitions one by one until you succeed. The udisksctl power-off does not return any messages.

You can mount it in two steps, and I have a script example.

Note: the service udiskctl will mount things under /media, it's more designed for desktop users mounting usb sticks. If you want to mount the device somewhere else, it's not the solution you are looking for.

Here is what I worked out. In this example, my encrypted device is a partition made with lvm, but this doesn't really matter. It is an ext4-formatted partition. In its encrypted form, it lives at

/dev/myvg/opt1 

an encrypted partion is "opened" (decrypted) like this

  STEP 1:  sudo cryptsetup luksOpen /dev/myvg/opt1 opt1_opened

(this is where you enter the passphrase)

the last argument is a temporary reference to the decrypted block device. The 'mapping' disappears when you reboot so you can choose a different name each time, if you want.

it is now visible as a device:

ls /dev/mapper
control  myvg-opt1  myvg-root  opt1_opened

You can mount this device: we now have an ext4 device. To make it convenient, add a line in /etc/fstab

/dev/mapper/opt1_opened /opt1   ext4    noauto,users    0       0

and make the mount point (in my case: sudo mkdir /opt1, and then setup permissions as you wish) If you used the name opt1_opened in Step 1, then this is the second step to mount it:

STEP 2: mount /opt1   #the fstab line lets users mount, so no need for sudo

and it's mounted.

Hence, a bash script:

#!/bin/bash
#needs to be run sudo
read -s -p "Enter LUKS password: " luks_password
printf $luks_password | cryptsetup luksOpen /dev/myvg/opt1 opt1_opened --key-file -
sudo -u tim mount /opt1

The correct answer is gio mount -d /dev/dm-x (no sudo).

Previous answers show a disconnect with the Nautilus or Nemo way of mounting, since you need to enter the LUKS passphrase even though it is previously cached in the user keyring from the GUI. Using gio automatically uses the passphrase previously stored by Nautilus or Nemo.

For a more detailed answer, see https://unix.stackexchange.com/questions/394320/what-command-does-nemo-use-to-mount-drives/536842#536842