Bug 510584

Summary: KDE 6 fails to mount unlocked LUKS-encrypted NTFS drive (mount step missing after successful unlock)
Product: [Frameworks and Libraries] frameworks-solid Reporter: Jonathan Farley <jsf>
Component: generalAssignee: Unassigned bugs <unassigned-bugs-null>
Status: NEEDSINFO WAITINGFORINFO    
Severity: normal CC: kdelibs-bugs-null, lukas, nate
Priority: NOR    
Version First Reported In: 6.19.0   
Target Milestone: ---   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Jonathan Farley 2025-10-14 06:45:59 UTC 
Summary:
In KDE Plasma 6.4.5 (with Frameworks 6.18.0), plugging in a LUKS-encrypted NTFS drive and unlocking it through the Device Notifier or Dolphin prompt succeeds, but the drive is not mounted afterward. Clicking the device again triggers the unlock dialog a second time and then shows an error:

Device is already unlocked as /dev/dm-0

However, the unlocked device is not mounted or accessible via the GUI. In Plasma 5.x, the drive was mounted immediately after a successful unlock.

Steps to reproduce:

Plug in a LUKS-encrypted NTFS external drive

Click on the device name in Dolphin or Device Notifier

Enter the passphrase in the unlock dialog

Observe that nothing happens after unlock

Click the device again

Observe the error:
"Device /dev/sdX is already unlocked as /dev/dm-0"

What should happen:
After unlocking, the decrypted device (e.g. /dev/dm-0) should be automatically mounted and accessible through Dolphin.

What happens instead:
Unlocking succeeds, but KDE does not detect or attempt to mount the resulting block device. Manual mounting via udisksctl mount -b /dev/dm-0 works without issue. This was not a problem in Plasma 5.x.

System details:

KDE Plasma Version: 6.4.5

KDE Frameworks Version: 6.18.0

Filesystem: NTFS (using ntfs-3g)

UDisks2 is installed and functioning

Manual unlock (udisksctl unlock) and mount (udisksctl mount) work

Polkit rule allows mounting via UDisks

mount.ntfs-3g is correctly installed and executable

Encrypted device unlocks to /dev/dm-0, but KDE does not proceed to mount

Workaround:
Mounting manually with udisksctl mount -b /dev/dm-0 works as expected.
Comment 1 Nate Graham 2025-10-14 16:11:12 UTC 
I have a LUKS-encrypted EXT4 drive that gets mounted as expected here. Perhaps the filesystem is relevant.

Are you clicking on the "Mount and Open" button in the Disks & Devices popup?
Comment 2 Jonathan Farley 2025-10-16 07:57:31 UTC 
(In reply to Nate Graham from comment #1)
> I have a LUKS-encrypted EXT4 drive that gets mounted as expected here.
> Perhaps the filesystem is relevant.
> 
> Are you clicking on the "Mount and Open" button in the Disks & Devices popup?

If you cick on 'Mount and Open' in the taskbar the response after the password dialog is "You are not authorised to mount this device". 

If you click on the drive in the 'Places' section of dolphin, it brings up the password dialog, then says the same. However at this point the drive is unlocked, but not mounted. If you click on the drive in 'places', it just brings up the enter password dialog each time.  - In KDE5, it would unlock and mount and clicking on it again would open the drive.

To mount it after unlocking I have created this script:

#!/bin/bash

usage() {
    cat <<EOF
EncMount - Manage mounting and unmounting of unlocked LUKS-encrypted drives.

Usage:
  EncMount             Mount all unlocked but unmounted LUKS drives.
  EncMount -m          Explicitly mount all unlocked but unmounted LUKS drives.
  EncMount -u          Unmount and lock all currently mounted LUKS drives.
  EncMount -h          Show this help message.

Details:
  - Devices must already be unlocked (e.g., via Dolphin or manually).
  - Uses udisksctl to mount/unmount/lock without root permissions.
  - Only affects devices under /dev/mapper that are actual block devices.
  - Skips system devices like /dev/mapper/control.
  - Mounted volumes appear under /media/<user>/ as usual.

Examples:
  EncMount         # Automatically mount all decrypted but unmounted drives
  EncMount -u      # Unmount and lock all decrypted drives
  EncMount -h      # Show this help

EOF
    exit 0
}

mount_unlocked() {
    for dev in /dev/mapper/*; do
        if [ ! -b "$dev" ] || [[ "$dev" == *control ]]; then
            continue
        fi

        if mount | grep -q "$dev"; then
            echo "$dev is already mounted."
            continue
        fi

        echo "Attempting to mount $dev..."
        udisksctl mount -b "$dev"
    done
}

unmount_and_lock() {
    for dev in /dev/mapper/*; do
        if [ ! -b "$dev" ] || [[ "$dev" == *control ]]; then
            continue
        fi

        if mount | grep -q "$dev"; then
            echo "Unmounting $dev..."
            udisksctl unmount -b "$dev"
        fi

        echo "Locking $dev..."
        udisksctl lock -b "$dev"
    done
}

# Parse CLI options
case "$1" in
    ""|-m)
        mount_unlocked
        ;;
    -u)
        unmount_and_lock
        ;;
    -h)
        usage
        ;;
    *)
        echo "Unknown option: $1"
        usage
        ;;
esac

Which mounts the disc, but I have to navigate to /media to use them.

I have tried altering polkit rule (cat 10-udisks2-mount.rules) to:
/* Allow members of the 'plugdev' group to mount removable and system volumes without auth */
polkit.addRule(function(action, subject) {
    if (subject.isInGroup("plugdev") && subject.local && subject.active) {
        if (action.id == "org.freedesktop.udisks2.filesystem-mount" ||
            action.id == "org.freedesktop.udisks2.filesystem-mount-system"
        ) {
            return polkit.Result.YES;
        }
    }
});
and added another rule (80-udisks2-user-unlock.rules):
/* Allow active local users to authenticate as themselves to unlock system encrypted volumes */
polkit.addRule(function(action, subject) {
    if (subject.local && subject.active) {
        if (action.id == "org.freedesktop.udisks2.encrypted-unlock-system") {
            // Require authentication from the current user
            return polkit.Result.AUTH_SELF;
        }
    }
});

which I thought would cure it, but alas, no - I am still not authorised. I suspect it is probably ntfs inside the encrypted disc, and I will try and make up an ext4 disc at some point to try. But that doesn't get round my needing to use encrypted ntfs on occasions.