auto_unlock_disk.sh

#!/bin/bash

PENDRIVE_UUID="1a62326e-a62a-42d7-8836-50717257008a"
PENDRIVE_MOUNTPOINT="/mnt/pendrive"
LUKS_KEY_FILE="luks.key"
LUKS_UUID="e499077a-7040-4a4f-a668-60bcdfbc1a06"
LUKS_MOUNTPOINT="/mnt/storage"
DEVICES_FOLDER="/dev/disk/by-uuid/"

# check if pendrive is attached
if [ ! -L "${DEVICES_FOLDER}${PENDRIVE_UUID}" ]; then
        echo "PENDRIVE IS NOT ATTACHED. exiting..."
        exit 1
fi

# check if encrypted disk is attached
if [ ! -L "${DEVICES_FOLDER}${LUKS_UUID}" ]; then
        echo "ENCRYPTED DEVICE IS NOT ATTACHED. exiting..."
        exit 1
fi

# mount pendrive with key first
mkdir -p "${PENDRIVE_MOUNTPOINT}"
if grep -qs "${PENDRIVE_MOUNTPOINT}" /proc/mounts; then
        echo "pendrive is mounted already."
else
        echo "mounting pendrive..."
        mount "${DEVICES_FOLDER}${PENDRIVE_UUID}" "${PENDRIVE_MOUNTPOINT}"

        # verify if key is present
        if [ ! -f "${PENDRIVE_MOUNTPOINT}/${LUKS_KEY_FILE}" ]; then
                echo "KEY NOT FOUND. exiting..."
                exit 1
        fi
fi

# open and mount encrypted disk
if [ -L "/dev/mapper/storage" ]; then
        echo "encrypted disk already open."
else
        echo "opening encrypted disk..."
        cryptsetup luksOpen "${DEVICES_FOLDER}${LUKS_UUID}" storage --key-file "${PENDRIVE_MOUNTPOINT}/${LUKS_KEY_FILE}"
fi

mkdir -p "${LUKS_MOUNTPOINT}"
if grep -qs "${LUKS_MOUNTPOINT}" /proc/mounts; then
        echo "BTRFS is mounted already."
else
        echo "mounting BTRFS..."
        mount "/dev/mapper/storage" "${LUKS_MOUNTPOINT}"
fi

echo "done"

automount.service

[Unit]
Description=automount

[Service]
Type=oneshot
ExecStart=/root/auto_unlock_disk.sh
#ExecStop=/opt/foo/teardown-foo.sh
StandardOutput=journal

[Install]
WantedBy=multi-user.target

/etc/systemd/system/automount.service

---

disable automount on gnome

apt install dconf-editor
dconf-editor

org > gnome > desktop > media-handling