
Locking LUKS device: Not authorized

Open cyberpunkrocker-zero opened this issue 2 years ago • 4 comments

I have an encrypted laptop (Arch Linux), with LUKS encrypted /boot partition on an USB stick. After booting I'm usually removing the USB stick. I can unmount and close the LUKS partition on the USB stick via a root terminal before that, but because I'm lazy, and because udiskie already seems to have the functionality, I'd like to use udiskie tray app for that.

However, when I click the 'Lock /dev/sdb1', I get the following error:

$ udiskie --tray
unmounted /org/freedesktop/UDisks2/block_devices/dm_2d0
failed to lock /org/freedesktop/UDisks2/block_devices/sdb1: GDBus.Error:org.freedesktop.UDisks2.Error.NotAuthorizedCanObtain: Not authorized to perform operation

When I plug the USB stick back in, udiskie mounts it and asks for the LUKS passphrase, and then unlocks the partition. Just as it is supposed to do...

How come udiskie has permissions to unlock a device, but not to lock it? Is this an udiskie issue, or should I make some adjustments somewhere to my system?

cyberpunkrocker-zero avatar Nov 10 '21 12:11 cyberpunkrocker-zero

The permissions are defined using polkit rules, see Permissions. It's possible to give yourself only unlocking but no locking authorization. It also plays a role from which seat (ssh/tty/desktop/systemd) you unlock/lock the device. If you lock/unmount a device from a different seat than was used to unlock it, you may need the XXX-other-seat permissions.

On the other hand, it could also be that udisks has misjudged whether the unlocked device is e.g. a system-internal device or external device. In any case, it doesn't look like a udiskie issue to me. You can check whether you can lock/unlock using udisksctl:

udisksctl unlock -b /dev/sdX

# later:

udisksctl lock -b /dev/sdX

I expect the same problem will occur. If you need further insight, keep another terminal window open while un-/locking with the following command running:

journalctl -n 20 -f -u udisks2.service

coldfix avatar Nov 10 '21 20:11 coldfix

Oh wait, I didn't fully read through your post.

So your situation is that first you unlock+mount the USB drive as root as part of your boot process, and then later try to lock it as user using udisks? In that case it's not surprising that this won't work with default permissions.

You definitely also need at least the org.freedesktop.udisks2.encrypted-lock-others permission, but I can't promise this will be sufficient.

coldfix avatar Nov 10 '21 20:11 coldfix
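As an added illustration of the polkit-rules point made in the two replies above (this is editor-supplied example code, not part of the thread and not udiskie's or udisks' own code): polkit rules are JavaScript files that call `polkit.addRule`, and udisks2 ships a separate action, `org.freedesktop.udisks2.encrypted-lock-others`, for locking a LUKS device that a different user (here: root, during boot) unlocked. The rule below grants that action to members of `wheel` only when they are in a local, active session, so an ssh login falls back to an admin-password prompt. Everything outside the `polkit.addRule(...)` call is a constructed stand-in for the polkit API so the rule can be exercised offline in Node.js; the rules-file path in the comment is an example name, not something from the thread.

```javascript
// Added example: a polkit rule for the udisks2 "lock a LUKS device unlocked by
// someone else" action, plus a constructed stand-in for polkitd's JavaScript
// API so the rule can be exercised offline. Only the polkit.addRule(...) call
// belongs in a real rules file, e.g. /etc/polkit-1/rules.d/50-udisks2-lock-others.rules
// (example filename). polkitd evaluates rules in its own JS engine, so keep the
// rule body in plain ES5 syntax as written below.

// --- constructed stand-in for the polkit global (test harness only) ---
const polkit = {
  Result: {
    NO: "no", YES: "yes", AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep", NOT_HANDLED: "not_handled",
  },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// Mirrors polkitd's dispatch: the first rule that returns a value decides;
// undefined means "not handled" and the action's .policy default applies.
function evaluate(actionId, subject) {
  const action = { id: actionId, lookup: () => undefined };
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== null) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// Build a subject with the fields polkit exposes to rules
// (user, groups, local, active, seat, isInGroup).
function makeSubject({ user, groups = [], local = true, active = true, seat = "seat0" }) {
  return {
    user, groups, local, active, seat,
    isInGroup(g) { return this.groups.indexOf(g) !== -1; },
  };
}

// --- the rule: this is the part that goes into the .rules file ---
polkit.addRule(function (action, subject) {
  if (action.id !== "org.freedesktop.udisks2.encrypted-lock-others") {
    return; // not our action: let other rules / the policy default decide
  }
  // A physically present, active desktop session of a wheel member may lock
  // devices unlocked by another user (e.g. root during boot) without a prompt.
  if (subject.isInGroup("wheel") && subject.local && subject.active) {
    return polkit.Result.YES;
  }
  // Remote or inactive sessions (ssh, background tty) get the root-password prompt.
  return polkit.Result.AUTH_ADMIN;
});

// --- constructed sample subjects ---
const desktopUser = makeSubject({ user: "alice", groups: ["wheel", "users"] });
const sshUser = makeSubject({ user: "alice", groups: ["wheel"], local: false, active: false, seat: "" });

console.log("desktop wheel user :", evaluate("org.freedesktop.udisks2.encrypted-lock-others", desktopUser)); // yes
console.log("ssh wheel user     :", evaluate("org.freedesktop.udisks2.encrypted-lock-others", sshUser));     // auth_admin
console.log("unrelated action   :", evaluate("org.freedesktop.udisks2.encrypted-unlock", desktopUser));      // not_handled
```

Note that the rule only handles the single lock-others action and returns nothing for everything else, so the unlock actions keep whatever udisks2's shipped `.policy` defaults are. As the reply above says, granting this action may still not be enough on its own; the stand-in `evaluate` also shows the fall-through behaviour (`NOT_HANDLED`) you would check with `journalctl -u udisks2.service` when a request is still refused.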

Another possibility that may prevent locking even in case of sufficient authorizations is if your device is known in /etc/crypttab under a different mapper name than it was opened as. That will completely confuse udisks2 for some reason.

coldfix avatar Nov 15 '21 09:11 coldfix