Andy Stanish

July 2, 2026

Point crypttab at a UUID, not /dev/sdX

If you're LUKS-encrypting an external drive on a Raspberry Pi and want it to unlock at boot, the setup to start from is this tutorial, which walks through encrypting the drive and wiring up auto-mount via /etc/crypttab and /etc/fstab. It's a solid guide and I'd recommend it — this is just the one thing I'd do differently.

The tutorial references the drive by its device node — /dev/sdX — in crypttab. That works right up until it doesn't. /dev/sdX names are assigned in order of discovery, not pinned to a physical port or to a particular device. So the moment you plug in another USB device, or the kernel enumerates things in a different order on the next boot, sda can become sdb, and your crypttab entry is now pointing at the wrong disk — or nothing. I hit exactly this after unplugging an SD-card reader and rebooting: the mapper entry was gone and the boot-time unlock had nothing to grab.

The fix is to key the unlock off the LUKS partition's UUID instead. The UUID lives in the partition's crypto metadata, so it's the same no matter where the drive lands in the enumeration order.

Find it with blkid:

sudo blkid

Look for the partition whose TYPE is crypto_LUKS and copy its UUID. Then in /etc/crypttab, swap the device path for UUID=…:

# before
thevault  /dev/sda1  none  luks

# after
thevault  UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  none  luks

That's the whole change. fstab can stay exactly as it was: it mounts /dev/mapper/thevault, and that mapper name is stable because you chose it in crypttab — it never depended on /dev/sdX once the unlock is keyed off the UUID.

Reboot to confirm the drive comes up cleanly, and from then on it mounts at the same place every time, regardless of what else happens to be plugged in.