Jun's Blog


Fedora: Set up encrypted disk with LUKS and btrfs format

I am setting up my USB external disk for backup use. I set up the encrypted disk with the btrfs format, following the guide [1]. I am masking the UUID with "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX" in the working log.

The command took more than 13 hours. Maybe I didn't work on a sleep mode. I need to adjust the setting.

$ sudo badblocks -c 10240 -s -w -t random -v /dev/sdb1
$ sudo cryptsetup luksFormat /dev/sdb1

$ sudo cryptsetup luksOpen /dev/sdb1 luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
Enter passphrase for /dev/sdb1:

I formatted the disk with btrfs, and later renamed the label from "BACKUP" to "backup".

$ sudo mkfs.btrfs -L BACKUP /dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX

$ sudo btrfs filesystem label /dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX backup

Here is the current status.

$ lsblk -r -p -o NAME,TYPE,FSTYPE,UUID,SIZE,LABEL | grep -v "^/dev/loop"
NAME TYPE FSTYPE UUID SIZE LABEL
...
/dev/sdb disk   931.5G 
/dev/sdb1 part crypto_LUKS XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX 931.5G 
/dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX crypt btrfs XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX 931.5G backup
...
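
As an added example (not part of the original post), the listing above can be checked by script: the function below reads the same `lsblk -r` columns and confirms that the filesystem with a given label sits on an opened LUKS mapping rather than directly on a partition. It assumes the `luks-<UUID>` mapper naming used above; the function name, the sample input, its UUIDs and the `STICK` label are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage on a live system:
#   lsblk -r -p -o NAME,TYPE,FSTYPE,UUID,SIZE,LABEL | check_luks_backed backup

# check_luks_backed LABEL   (reads lsblk raw output on stdin)
# Prints "encrypted <partition> <mapper>" and returns 0,
#        "plaintext <device>"             and returns 1,
#        "missing"                        and returns 2.
check_luks_backed() {
    # Split on every single space: raw mode leaves empty columns as
    # consecutive spaces, and awk's default splitting would shift them.
    awk -F'[ ]' -v want="$1" '
        NR == 1 { next }                        # header line
        $3 == "crypto_LUKS" { luks[$4] = $1 }   # LUKS UUID -> partition
        $6 == want { name = $1; type = $2 }     # device carrying the label
        END {
            if (name == "") { print "missing"; exit 2 }
            # Assumption: the mapping is named luks-<UUID of the LUKS partition>.
            uuid = name
            sub(/^\/dev\/mapper\/luks-/, "", uuid)
            if (type == "crypt" && (uuid in luks)) {
                print "encrypted", luks[uuid], name
                exit 0
            }
            print "plaintext", name
            exit 1
        }'
}

# Constructed sample in the same column layout as the listing above.
SAMPLE='NAME TYPE FSTYPE UUID SIZE LABEL
/dev/sda disk   14.9G
/dev/sda1 part vfat 1A53-9E55 14.9G STICK
/dev/sdb disk   931.5G
/dev/sdb1 part crypto_LUKS 11111111-2222-3333-4444-555555555555 931.5G
/dev/mapper/luks-11111111-2222-3333-4444-555555555555 crypt btrfs aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee 931.5G backup'

printf '%s\n' "$SAMPLE" | check_luks_backed backup
```
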

Then I tested it to learn the behavior.

With the command below, the root password was required to lock.

$ udisksctl lock --block-device /dev/sdb1
==== AUTHENTICATING FOR org.freedesktop.udisks2.encrypted-lock-others ====
Authentication is required to lock the encrypted device WD My Passport 082A (/dev/sdb1) unlocked by another user
Authenticating as: Jun Aruga (jaruga)
Password: #
==== AUTHENTICATION COMPLETE ====
Locked /dev/sdb1.

With the command below, the LUKS password was required.

$ udisksctl unlock --block-device /dev/sdb1
Passphrase: 
Unlocked /dev/sdb1 as /dev/dm-1.

Then I could mount the disk with user permission.

$ udisksctl mount -b /dev/mapper/luks-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
Mounted /dev/dm-1 at /run/media/jaruga/backup
$ df -h | grep dm-1
/dev/dm-1       932G  3.8M  930G   1% /run/media/jaruga/backup

I failed to create a file. I need to check why.

$ ls -dl /run/media/jaruga/backup
drwxr-xr-x. 1 root root 0 Nov  8 17:14 /run/media/jaruga/backup/

$ touch /run/media/jaruga/backup/BACKUP.txt
touch: cannot touch '/run/media/jaruga/backup/BACKUP.txt': Permission denied

I mounted another disk that is not encrypted, a vfat-formatted USB external disk. It was mounted with the user permission.

$ udisksctl mount -b /dev/sda1
Mounted /dev/sda1 at /run/media/jaruga/1A53-9E55

$ ls -dl /run/media/jaruga/1A53-9E55
drwxr-xr-x. 2 jaruga jaruga 32768 Jan  1  1970 /run/media/jaruga/1A53-9E55/

I asked on the Ask Fedora forum. And I did the following workaround.

$ df -h | grep dm-1
/dev/dm-1       932G  3.8M  930G   1% /run/media/jaruga/backup

$ cd /run/media/jaruga/backup

$ sudo mkdir framework

$ sudo chown jaruga:jaruga framework

$ cd framework/

$ touch BACKUP.txt

$ ls -l
total 0
-rw-r--r--. 1 jaruga jaruga 0 Nov  8 20:39 BACKUP.txt

Then I added a new entry for this disk. I am not sure if it is necessary even when I connect the disk temporarily.

$ sudo vi /etc/crypttab

References