dm-crypt/Mounting at login
It is possible to configure PAM and systemd to automatically mount a dm-crypt encrypted home partition when its owner logs in, and to unmount it when they log out.
This tutorial assumes you have already created your encrypted partition, as described in Dm-crypt/Encrypting a non-root file system.
- You need to use the same password for your user account and for LUKS.
- In all the examples, replace YOURNAME with your username, 1000 with your user ID and PARTITION with the name of your encrypted partition's device.
Mounting at login
pam_exec can be used to unlock the device at login. Edit /etc/pam.d/system-login and add the auth optional line shown below directly after auth include system-auth (it may also be necessary to add pam_exec for session; see Talk:Dm-crypt/Mounting at login#pam_exec required for session & using script):
/etc/pam.d/system-login
    ...
    auth       include    system-auth
    auth       optional   pam_exec.so expose_authtok /etc/pam_cryptsetup.sh
    ...
Then create the script referenced above. Because of expose_authtok, pam_exec passes the password the user just typed to the script on standard input, terminated by a NUL byte, so the script converts that terminator to a newline before handing it to cryptsetup:
/etc/pam_cryptsetup.sh
    #!/bin/sh
    # Invoked by pam_exec with expose_authtok: the user's password arrives on stdin.
    CRYPT_USER="YOURNAME"
    MAPPER="/dev/mapper/home-$CRYPT_USER"

    # Only act for the configured user, and only if the device is not already open.
    if [ "$PAM_USER" = "$CRYPT_USER" ] && [ ! -e "$MAPPER" ]; then
        # cryptsetup reads a newline-terminated passphrase, so translate the NUL.
        tr '\0' '\n' | /usr/bin/cryptsetup open /dev/PARTITION "home-$CRYPT_USER"
    fi
Execute chmod +x /etc/pam_cryptsetup.sh to make it executable.
Now add your partition to /etc/fstab:
/etc/fstab
    ...
    /dev/mapper/home-YOURNAME    /home/YOURNAME    ext4    rw,noatime,noauto    0 2
    ...
Your home directory will be mounted automatically on the first access made by your desktop environment or shell.
Unmounting at logout
After you log out of all your sessions, systemd-logind automatically shuts down user@1000.service. Therefore, you can specify that your mountpoint requires it, and systemd will unmount it automatically:
/etc/systemd/system/home-YOURNAME.mount.d/logout.conf
    [Unit]
    Requires=user@1000.service
This will however create a circular dependency loop that cannot be resolved automatically by systemd, so you need to describe the dependencies and ordering explicitly:
/etc/systemd/system/user@1000.service.d/homedir.conf
    [Unit]
    Requires=home-YOURNAME.mount
    After=home-YOURNAME.mount
Processes that survive logout keep the session open and therefore keep user@1000.service running, so you may also need to set KillUserProcesses=yes in /etc/systemd/logind.conf for the unmount to happen.
Locking
After unmounting, the device will still be unlocked, and it will be possible to mount it without re-entering the password. You can set up and enable a service that starts when the device gets unlocked (BindsTo=dev-mapper-home\x2dYOURNAME.device) and dies after the device gets unmounted (Requires= and Before=home-YOURNAME.mount), locking the device in the process (ExecStop=cryptsetup close):
/etc/systemd/system/cryptsetup-YOURNAME.service
    [Unit]
    DefaultDependencies=no
    BindsTo=dev-PARTITION.device
    After=dev-PARTITION.device
    BindsTo=dev-mapper-home\x2dYOURNAME.device
    Requires=home-YOURNAME.mount
    Before=home-YOURNAME.mount
    Conflicts=umount.target
    Before=umount.target

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    TimeoutSec=0
    ExecStop=/usr/bin/cryptsetup close home-YOURNAME

    [Install]
    RequiredBy=dev-mapper-home\x2dYOURNAME.device
Here dev-PARTITION is the result of systemd-escape -p /dev/PARTITION, with .device appended.
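The unit names above (dev-mapper-home\x2dYOURNAME.device, home-YOURNAME.mount) follow systemd's path-escaping rules, and getting the \x2d escapes wrong silently breaks the BindsTo= and RequiredBy= links. The following function is an added illustration, not code from the wiki page or from systemd: it reimplements the escaping performed by systemd-escape -p in plain POSIX sh, for ASCII paths, so the expected unit name can be derived and compared against what the real tool prints.

```shell
#!/bin/sh
# Reimplementation of `systemd-escape -p` (added example, not systemd's code).
# Rules: collapse repeated slashes, drop leading/trailing slashes, "/" alone
# becomes "-", every other "/" becomes "-", alphanumerics plus "_" ":" and a
# non-leading "." pass through, everything else becomes \xHH (ASCII assumed).
systemd_escape_path() {
    p=$(printf '%s' "$1" | tr -s '/')
    p=${p#/}
    p=${p%/}
    if [ -z "$p" ]; then
        printf '%s\n' -
        return 0
    fi
    out=
    first=1
    while [ -n "$p" ]; do
        c=${p%"${p#?}"}      # first remaining character
        p=${p#?}             # the rest
        case "$c" in
            /)             out="$out-" ;;
            [A-Za-z0-9_:]) out="$out$c" ;;
            .)             if [ "$first" -eq 1 ]; then out="$out\\x2e"; else out="$out."; fi ;;
            *)             out="$out\\x$(printf '%02x' "'$c")" ;;   # e.g. "-" -> \x2d
        esac
        first=0
    done
    printf '%s\n' "$out"
}

# Demonstration: the device and mount unit names used on this page.
printf '%s.device\n' "$(systemd_escape_path /dev/mapper/home-YOURNAME)"
printf '%s.mount\n'  "$(systemd_escape_path /home/YOURNAME)"
```

Compare the output with `systemd-escape -p` on a real system before pasting a unit name into BindsTo= or RequiredBy=.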