Dm-crypt/Mounting at login
This tutorial assumes you have already created your encrypted partition, as described in Dm-crypt/Encrypting a non-root file system.
- You need to use the same password for your user account and for LUKS.
- In all the examples, replace YOURNAME with your username, 1000 with your user ID and PARTITION with the name of your encrypted partition's device.
Mounting at login
pam_exec can be used to unlock the device at login. Edit /etc/pam.d/system-login and add the pam_exec line shown below after auth include system-auth:
session as well, see Talk:Dm-crypt/Mounting at login#pam_exec required for session & using script.
...
auth       include    system-auth
auth       optional   pam_exec.so expose_authtok /etc/pam_cryptsetup.sh
...
Then create the mentioned script.
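#!/bin/sh

CRYPT_USER="YOURNAME"
MAPPER="/dev/mapper/home-$CRYPT_USER"

# With expose_authtok, pam_exec supplies the login password on stdin;
# tr turns the NUL byte into a newline before cryptsetup reads it.
if [ "$PAM_USER" = "$CRYPT_USER" ] && [ ! -e "$MAPPER" ]
then
    tr '\0' '\n' | /usr/bin/cryptsetup open /dev/PARTITION home-YOURNAME
fi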
Run chmod +x /etc/pam_cryptsetup.sh to make it executable.
Then edit /etc/fstab to mount the unlocked device using systemd.automount:
...
/dev/mapper/home-YOURNAME /home/YOURNAME ext4 rw,noatime,noauto,x-systemd.automount 0 2
...
Your home directory will be mounted automatically on the first access made by your desktop environment or shell.
Unmounting at logout
After you log out of all your sessions, systemd-logind automatically shuts down user@1000.service. Therefore, you can specify that your mountpoint requires it, and systemd will unmount it automatically:
This will, however, create a circular dependency loop that cannot be resolved automatically by systemd, so you need to describe the dependencies and ordering explicitly:
[Unit]
Requires=home-YOURNAME.mount
After=home-YOURNAME.mount
After unmounting, the device will still be unlocked, and it will be possible to mount it without re-entering the password. You can set up and enable a service that starts when the device gets unlocked (BindsTo=dev-mapper-home\x2dYOURNAME.device) and dies after the device gets unmounted (Requires,Before=home-YOURNAME.mount), locking the device in the process (ExecStop=/usr/bin/cryptsetup close home-YOURNAME):
[Unit]
DefaultDependencies=no
BindsTo=dev-PARTITION.device
After=dev-PARTITION.device
BindsTo=dev-mapper-home\x2dYOURNAME.device
Requires=home-YOURNAME.mount
Before=home-YOURNAME.mount
Conflicts=umount.target
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStop=/usr/bin/cryptsetup close home-YOURNAME

[Install]
RequiredBy=dev-mapper-home\x2dYOURNAME.device
dev-PARTITION is the result of systemd-escape -p /dev/PARTITION.
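
The unit names above follow systemd's path escaping: / becomes - and a literal - becomes \x2d, so a mistyped name leaves the locking service unbound and the volume unlocked after logout. The following added example (not part of the original page) re-implements that escaping for ASCII paths in POSIX sh so the names can be derived and checked without systemd; the helper names, user names and device paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: a POSIX sh re-implementation of
# the path escaping done by `systemd-escape -p`, limited to ASCII paths.
LC_ALL=C; export LC_ALL

escape_path() {
    # Collapse repeated slashes, then drop the leading and trailing one.
    p=$(printf '%s' "$1" | tr -s '/')
    p=${p#/}; p=${p%/}
    # The root directory itself escapes to a single dash.
    [ -n "$p" ] || { printf '%s\n' '-'; return 0; }
    out=''; first=1
    while [ -n "$p" ]; do
        # Peel off one character at a time.
        rest=${p#?}; c=${p%"$rest"}; p=$rest
        case $c in
            /) out="$out-" ;;                          # path separator
            .) if [ "$first" = 1 ]; then out="$out\\x2e"; else out="$out."; fi ;;
            [A-Za-z0-9:_]) out="$out$c" ;;             # kept as-is
            *) out="$out\\x$(printf '%02x' "'$c")" ;;  # e.g. "-" -> \x2d
        esac
        first=0
    done
    printf '%s\n' "$out"
}

# Unit names referenced by the configuration on this page.
# The helper names below are hypothetical, chosen for this example.
partition_unit()  { printf '%s.device\n' "$(escape_path "$1")"; }
mapper_unit()     { printf '%s.device\n' "$(escape_path "/dev/mapper/home-$1")"; }
home_mount_unit() { printf '%s.mount\n' "$(escape_path "/home/$1")"; }

# Constructed sample values; a user name containing "-" changes the mount unit.
for user in alice jane-doe; do
    printf '%s\n  %s\n  %s\n' "user $user:" \
        "$(mapper_unit "$user")" "$(home_mount_unit "$user")"
done
partition_unit /dev/sda3
```

On a system with systemd, compare the output against systemd-escape -p before copying a name into a unit file.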