From ArchWiki

pam_mount can be used to automatically mount an encrypted home partition (encrypted with, for example, LUKS or eCryptfs) on user login. It mounts /home (or any other mount point you choose) when you log in through your login manager or on the console. The encrypted volume's passphrase should be the same as your Linux user's password, so that you only have to type one passphrase to log in. Keep the two in sync: changing the account password with passwd does not change the LUKS passphrase, so the key slot has to be updated as well (cryptsetup luksChangeKey), otherwise the mismatch only shows up as a failed mount at the next login.

Warning: pam_mount can also unmount your partitions when you close your last session but this does not work out of the box due to the use of in the pam stack, see Talk:Pam mount#automatic unmounting and systemd.

General setup

Install the pam_mount package.

Edit /etc/security/pam_mount.conf.xml as follows:

  <!-- Generic encrypted partition example -->
  <volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />
  <!-- Example using CIFS -->
  <mkmountpoint enable="1" remove="true" />



  • Insert the two new lines at the end of the file, just before the closing </pam_mount> tag.
  • Replace USERNAME with your user name.
  • Replace /dev/sdaX with the corresponding device or container file. A persistent /dev/disk/by-uuid/ path is preferable to /dev/sdaX, which can change between boots.
  • fstype="auto" can be changed to any type for which a mount helper (/usr/bin/mount.<type>) is installed. "auto" works fine in most cases. Use fstype="crypt" for volumes that need it, so that the loop device gets closed at logout.
  • Add mount options if needed. Note that mount.cifs does not read smb.conf, so every option must be given explicitly. In the CIFS example, uid matches the local smb.conf parameter idmap config ... : range = so that pam_mount is not invoked for a Unix-only user. sec=krb5 selects Kerberos authentication; the trailing i in sec=krb5i additionally enables packet signing. vers=3.0 is specified because the other end may not support SMB1, which older versions of mount.cifs used by default. See mount.cifs(8) for details.
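As an added example, not taken from the original page or from pam_mount's own documentation, here is a complete pam_mount.conf.xml that holds both a LUKS home volume and the kind of CIFS volume the list above describes. Every name in it is an assumption: the user alice, the server files.example.com, the share homes, the idmap range 10000-19999 and the by-uuid placeholder for the LUKS partition.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <!-- Added example; alice, files.example.com, homes, 10000-19999 and the
       by-uuid placeholder are assumptions, not values from the page. -->
  <debug enable="0" />

  <!-- LUKS home: the login password is handed to cryptsetup, so the LUKS
       passphrase must be identical to the account password. fstype="crypt"
       also makes pam_mount close the mapping (and any loop device) at logout.
       A by-uuid path survives device renumbering, unlike /dev/sdaX. -->
  <volume user="alice" fstype="crypt" path="/dev/disk/by-uuid/LUKS-PARTITION-UUID"
          mountpoint="/home/alice" options="fsck,noatime" />

  <!-- CIFS share over SMB 3.0 with Kerberos and packet signing (sec=krb5i).
       uid restricts the volume to accounts inside the idmap range, so local
       Unix-only users never trigger it. mount.cifs reads nothing from
       smb.conf, hence every option is spelled out. -->
  <volume uid="10000-19999" fstype="cifs" server="files.example.com" path="homes"
          mountpoint="/media/%(USER)"
          options="sec=krb5i,vers=3.0,cruid=%(USERUID),uid=%(USERUID),gid=%(USERGID)" />

  <!-- Create mount points on demand and remove them again at logout. -->
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
```

The Kerberos mount only works if a ticket already exists when the session stack runs, so whatever module obtains it (pam_krb5 or pam_sss) has to sit before pam_mount in the auth stack; cruid tells mount.cifs whose credential cache to use, since the mount itself is performed as root.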

Veracrypt volumes

pam_mount does not support VeraCrypt volumes natively, but there is a workaround: declare the container as an fstype="crypt" volume whose mountpoint attribute is only used as the dm-crypt mapping name, override the commands pam_mount runs for crypt volumes with cryptsetup in VeraCrypt mode, and mount the resulting /dev/mapper device as a second volume. The two volumes must be listed in this order:

<!-- 1. Open the container. %(MNTPT) in the cryptmount command below expands to "vcrypt",
        which becomes the dm-crypt mapping name rather than a directory. -->
<volume user="username" fstype="crypt" path="/dev/disk/by-partuuid/partition_uuid" mountpoint="vcrypt"/>
<!-- 2. Mount the opened mapping on the real mount point. -->
<volume user="username" fstype="auto" path="/dev/mapper/vcrypt" mountpoint="/media/mountpoint"/>

<!-- Replace the default commands for fstype="crypt" volumes. -->
<cryptmount>cryptsetup --veracrypt open --type tcrypt %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>cryptsetup close %(MNTPT)</cryptumount>

The <cryptmount> and <cryptumount> overrides apply to every fstype="crypt" volume, so if you also have LUKS volumes, give the VeraCrypt volume a different fstype and override that type's mount/umount commands instead, for example fstype="ncpfs" with <ncpmount>/<ncpumount>. Just make sure you do not actually use the NCP filesystem.

Login manager configuration

In general, you have to edit the configuration files in /etc/pam.d so that pam_mount is called on login. The order of the entries in each file matters. Edit /etc/pam.d/system-login as shown below; if you use a display manager, make sure its file includes system-login. Example configuration files follow; the added lines are the pam_mount entries in the auth, password and session stacks and the pam_succeed_if guard in the session stack. That pam_succeed_if line, placed directly before pam_mount in the session stack, skips pam_mount (success=n means skip the next n lines) when the PAM stack is being run for the systemd-user service. This avoids a second mount attempt by the systemd --user instance and the errors about dropped privileges that it produces.


auth       required         onerr=succeed file=/var/log/faillog
auth       required
auth       requisite
auth       optional
auth       include    system-auth

account    required
account    required
account    include    system-auth

password   optional
password   include    system-auth

session    optional
session    optional       force revoke
session [success=1 default=ignore]  service = systemd-user quiet
session    optional
session    include    system-auth
session    optional          motd=/etc/motd
session    optional          dir=/var/spool/mail standard quiet
-session   optional
session    required
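The following script is an added example (not from the ArchWiki page or the pam_mount project) that checks a system-login file for the ordering this section relies on: pam_mount before the system-auth include in both the auth and session stacks, and the pam_succeed_if guard directly above the session entry. Its constructed sample file assumes the module names of a stock Arch Linux system-login for every entry other than pam_mount.so and pam_succeed_if.so, which are the two modules the page itself names.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or the pam_mount project): check that
# a system-login PAM file wires pam_mount in the order described above.
# Assumptions: pam_mount.so and pam_succeed_if.so are the modules the page
# names; every other module in the constructed sample is taken from a stock
# Arch Linux /etc/pam.d/system-login and is not something the page states.

# Write a constructed, complete sample system-login to the file named in $1.
write_sample_system_login() {
    cat > "$1" <<'EOF'
auth       required   pam_tally.so         onerr=succeed file=/var/log/faillog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       optional   pam_mount.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_time.so
account    include    system-auth

password   optional   pam_mount.so
password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
session    optional   pam_mount.so
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so
EOF
}

# check_pam_mount_order FILE
# Prints "ok" (exit 0) when FILE satisfies the ordering the page relies on:
#   1. an auth entry for pam_mount.so precedes "auth include system-auth";
#   2. a session entry for pam_mount.so precedes "session include system-auth";
#   3. the non-blank line directly above that session entry is pam_succeed_if.so
#      with success=1 and "service = systemd-user", so the PAM run for the
#      systemd --user instance skips pam_mount instead of mounting a second time.
# Otherwise prints the first problem found and exits 1.
check_pam_mount_order() {
    awk '
    /^[[:space:]]*$/ { next }                     # ignore blank lines
    /^[[:space:]]*#/ { next }                     # ignore comments
    {
        type = $1; sub(/^-/, "", type)            # "-session" is still a session entry
        if (type == "auth" && $0 ~ /pam_mount\.so/) auth_mount = NR
        if (type == "auth" && $2 == "include" && $3 == "system-auth") auth_inc = NR
        if (type == "session" && $0 ~ /pam_mount\.so/) { sess_mount = NR; before = prev }
        if (type == "session" && $2 == "include" && $3 == "system-auth") sess_inc = NR
        prev = $0
    }
    END {
        if (!auth_mount) { print "no auth line for pam_mount.so"; exit 1 }
        if (auth_inc && auth_mount > auth_inc) { print "auth pam_mount.so must precede include system-auth"; exit 1 }
        if (!sess_mount) { print "no session line for pam_mount.so"; exit 1 }
        if (sess_inc && sess_mount > sess_inc) { print "session pam_mount.so must precede include system-auth"; exit 1 }
        if (before !~ /pam_succeed_if\.so/ || before !~ /success=1/ || before !~ /service *= *systemd-user/) {
            print "session pam_mount.so needs a preceding pam_succeed_if.so [success=1 default=ignore] service = systemd-user"; exit 1
        }
        print "ok"
    }' "$1"
}

# Usage: ./check-pam-mount.sh [/etc/pam.d/system-login]
# Without an argument the constructed sample is checked, which prints "ok".
if [ -n "$1" ]; then
    check_pam_mount_order "$1"
else
    tmp=$(mktemp)
    write_sample_system_login "$tmp"
    check_pam_mount_order "$tmp"
    rm -f "$tmp"
fi
```

Run it against the real file after editing (sh check-pam-mount.sh /etc/pam.d/system-login); anything other than "ok" names the first entry that is missing or out of order. It only inspects ordering, so a display manager whose own file does not include system-login still has to be checked by hand.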


This section is a candidate for moving to SLiM. Notes: the SLiM article discourages its use, so there is not much point in highlighting it here. (Discuss in Talk:Pam mount#)

For SLiM:

auth            requisite
auth            required
auth            required
auth            optional
account         required
password        required
password        optional
session         required
session         required
session         optional
session         optional
session         optional