Difference between revisions of "Dm-crypt/Mounting at login"

From ArchWiki
m (spanish interlanguage link)
m (Use gender neutral pronoun)
 
(11 intermediate revisions by 8 users not shown)
Line 1: Line 1:
 
[[Category:Disk encryption]]
 
[[Category:Disk encryption]]
[[es:Dm-crypt/Mounting at login]]
+
[[es:Dm-crypt (Español)/Mounting at login]]
 
[[ja:Dm-crypt/ログイン時にマウント]]
 
[[ja:Dm-crypt/ログイン時にマウント]]
 
{{Related articles start}}
 
{{Related articles start}}
Line 6: Line 6:
 
{{Related articles end}}
 
{{Related articles end}}
  
It is possible to configure [[PAM]] and [[systemd]] to automatically mount a [[dm-crypt]] encrypted home partition when its owner logs in, and to unmount it when he logs out.
+
It is possible to configure [[PAM]] and [[systemd]] to automatically mount a [[dm-crypt]] encrypted home partition when its owner logs in, and to unmount it when they log out.
  
 
This tutorial assumes you have already created your encrypted partition, as described in [[Dm-crypt/Encrypting a non-root file system]].
 
This tutorial assumes you have already created your encrypted partition, as described in [[Dm-crypt/Encrypting a non-root file system]].
Line 20: Line 20:
  
 
{{Note|1=GDM, LightDM, and maybe other display managers might require {{ic|pam_exec}} for {{ic|session}} as well, see [[Talk:Dm-crypt/Mounting at login#pam_exec required for session & using script]].}}
 
{{Note|1=GDM, LightDM, and maybe other display managers might require {{ic|pam_exec}} for {{ic|session}} as well, see [[Talk:Dm-crypt/Mounting at login#pam_exec required for session & using script]].}}
 
{{Out of date|These instructions no longer work.|section=pam LUKS partition auto mount on login returning exit code 2}}
 
  
 
{{hc|/etc/pam.d/system-login|2=
 
{{hc|/etc/pam.d/system-login|2=
Line 27: Line 25:
  
 
auth      include    system-auth
 
auth      include    system-auth
'''auth      optional  pam_exec.so expose_authtok quiet /usr/bin/cryptsetup open /dev/''PARTITION'' home-''YOURNAME'''''
+
'''auth      optional  pam_exec.so expose_authtok /etc/pam_cryptsetup.sh
  
 
...
 
...
 
}}
 
}}
  
Now edit {{ic|/etc/fstab}} to mount the unlocked device using [[Fstab#Automount with systemd|systemd.automount]]:
+
Then create the mentioned script.
 +
 
 +
{{hc|/etc/pam_cryptsetup.sh|2=
 +
#!/bin/sh
 +
 
 +
CRYPT_USER="''YOURNAME''"
 +
MAPPER="/dev/mapper/home-"$CRYPT_USER
 +
 
 +
if [ "$PAM_USER" == "$CRYPT_USER" ] && [ ! -e $MAPPER ]
 +
then
 +
  tr '\0' '\n' {{!}} /usr/bin/cryptsetup open /dev/''PARTITION'' home-$CRYPT_USER
 +
fi
 +
}}
 +
 
 +
Execute {{ic|chmod +x /etc/pam_cryptsetup.sh}} to make it executable.
 +
 
 +
{{Out of date|Reconfirmation needed. See Talk.|section=Suggestion: Remove x-systemd.automount}}
 +
Now add your partition to {{ic|/etc/fstab}}:
  
 
{{hc|/etc/fstab|2=
 
{{hc|/etc/fstab|2=
 
...
 
...
  
/dev/mapper/home-''YOURNAME''  /home/''YOURNAME''    ext4            rw,noatime,noauto,x-systemd.automount 0 2
+
/dev/mapper/home-''YOURNAME''  /home/''YOURNAME''    ext4            rw,noatime,noauto 0 2
  
 
...
 
...
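Review bot: in the added /etc/pam_cryptsetup.sh, the test [ "$PAM_USER" == "$CRYPT_USER" ] relies on a bash extension under #!/bin/sh (POSIX test only defines =), and $MAPPER in [ ! -e $MAPPER ] is unquoted; write [ "$PAM_USER" = "$CRYPT_USER" ] && [ ! -e "$MAPPER" ] so the hook behaves the same whichever shell /bin/sh resolves to. The ''' that opens bold on the new pam_exec line has no closing ''' in this hunk, unlike the line it replaces; close it after /etc/pam_cryptsetup.sh.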

Latest revision as of 02:59, 1 December 2019

It is possible to configure PAM and systemd to automatically mount a dm-crypt encrypted home partition when its owner logs in, and to unmount it when they log out.

This tutorial assumes you have already created your encrypted partition, as described in Dm-crypt/Encrypting a non-root file system.

Note:
  • You need to use the same password for your user account and for LUKS.
  • In all the examples, replace YOURNAME with your username, 1000 with your user ID and PARTITION with the name of your encrypted partition's device.

Mounting at login

pam_exec can be used to unlock the device at login. Edit /etc/pam.d/system-login and add the pam_exec line shown below directly after auth include system-auth:

Note: GDM, LightDM, and maybe other display managers might require pam_exec for session as well, see Talk:Dm-crypt/Mounting at login#pam_exec required for session & using script.
/etc/pam.d/system-login
...

auth       include    system-auth
auth       optional   pam_exec.so expose_authtok /etc/pam_cryptsetup.sh

...

Then create the mentioned script.

/etc/pam_cryptsetup.sh
#!/bin/sh

CRYPT_USER="YOURNAME"
MAPPER="/dev/mapper/home-$CRYPT_USER"

# Only act for the owner of the encrypted home, and only if it is not already unlocked.
# pam_exec (expose_authtok) passes the password on stdin followed by a NUL byte;
# tr turns that terminator into the newline cryptsetup expects.
if [ "$PAM_USER" = "$CRYPT_USER" ] && [ ! -e "$MAPPER" ]
then
  tr '\0' '\n' | /usr/bin/cryptsetup open /dev/PARTITION "home-$CRYPT_USER"
fi

Execute chmod +x /etc/pam_cryptsetup.sh to make it executable.

This article or section is out of date.

Reason: Reconfirmation needed. See Talk. (Discuss in Talk:Dm-crypt/Mounting at login#Suggestion: Remove x-systemd.automount)

Now add your partition to /etc/fstab:

/etc/fstab
...

/dev/mapper/home-YOURNAME  /home/YOURNAME     ext4            rw,noatime,noauto 0 2

...

Your home directory will be mounted automatically on the first access made by your desktop environment or shell.
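The hook above can be exercised without PAM or a LUKS device. The following is an added example, not the ArchWiki script: it keeps the hook's logic but reads the device path, mapper directory and cryptsetup binary from assumed variables, and feeds it a NUL-terminated password the way pam_exec's expose_authtok does, through a constructed fake cryptsetup that records what it received.

```shell
#!/bin/sh
# Added example, not the ArchWiki script: a test-friendly variant of
# /etc/pam_cryptsetup.sh plus a constructed stand-in for pam_exec, so the hook
# can be exercised without PAM or a LUKS device. pam_exec's expose_authtok hands
# the password to the hook on stdin followed by a NUL byte; cryptsetup reads a
# newline-terminated passphrase, hence tr. CRYPT_DEV etc. are assumed knobs.

pam_unlock_home() {
    user="${CRYPT_USER:-alice}"             # YOURNAME in the article
    dev="${CRYPT_DEV:-/dev/PARTITION}"      # PARTITION in the article
    mapper="${MAPPER_DIR:-/dev/mapper}/home-$user"
    # Act only for the owner of the encrypted home and only while it is still
    # locked. '=' rather than '==' keeps the test POSIX; "$mapper" is quoted.
    if [ "$PAM_USER" = "$user" ] && [ ! -e "$mapper" ]; then
        tr '\0' '\n' | "${CRYPTSETUP:-/usr/bin/cryptsetup}" open "$dev" "home-$user"
    else
        cat >/dev/null   # drain the authtok so the writer never hits a closed pipe
    fi
}

# Constructed test double: a fake cryptsetup that records its argv and stdin.
make_stub() {
    dir=$(mktemp -d)
    cat > "$dir/cryptsetup" <<'EOF'
#!/bin/sh
printf '%s\n' "$*" > "$0.args"
cat > "$0.stdin"
EOF
    chmod +x "$dir/cryptsetup"
    printf '%s\n' "$dir"
}

# Simulate one login: $1 = PAM_USER, $2 = password, $3 = "unlocked" when the
# mapper node already exists. Prints what the stub saw, or "skipped".
run_case() {
    stub=$(make_stub)
    if [ "$3" = unlocked ]; then touch "$stub/home-${CRYPT_USER:-alice}"; fi
    ( export PAM_USER="$1" CRYPTSETUP="$stub/cryptsetup" MAPPER_DIR="$stub"
      printf '%s\0' "$2" | pam_unlock_home )
    if [ -f "$stub/cryptsetup.stdin" ]; then
        printf 'called:%s|%s\n' "$(cat "$stub/cryptsetup.args")" \
            "$(od -An -c "$stub/cryptsetup.stdin" | tr -d ' \n')"
    else
        printf 'skipped\n'
    fi
    rm -rf "$stub"
}

run_case alice secret            # called:open /dev/PARTITION home-alice|secret\n
run_case bob secret              # skipped: not the owner of the encrypted home
run_case alice secret unlocked   # skipped: mapper node already exists
```

The first case shows the passphrase reaching cryptsetup with its NUL terminator rewritten to a newline; the other two show the hook staying idle for other users and for an already unlocked device.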

Unmounting at logout

After you log out of all your sessions, systemd-logind automatically shuts down user@1000.service. Therefore, you can specify that your mountpoint requires it, and systemd will unmount it automatically:

/etc/systemd/system/home-YOURNAME.mount.d/logout.conf
[Unit]
Requires=user@1000.service

This will however create a circular dependency loop that cannot be resolved automatically by systemd, so you need to describe the dependencies and ordering explicitly:

/etc/systemd/system/user@1000.service.d/homedir.conf
[Unit]
Requires=home-YOURNAME.mount
After=home-YOURNAME.mount

Note: If your desktop environment or some other application does not kill all its processes on logout, you might need to set KillUserProcesses=yes in /etc/systemd/logind.conf.

Locking

After unmounting, the device will still be unlocked, and it will be possible to mount it without re-entering the password. You can set up and enable a service that starts when the device gets unlocked (BindsTo=dev-mapper-home\x2dYOURNAME.device) and stops after the device gets unmounted (Requires= and Before=home-YOURNAME.mount), locking the device in the process (ExecStop=cryptsetup close):

/etc/systemd/system/cryptsetup-YOURNAME.service
[Unit]
DefaultDependencies=no
BindsTo=dev-PARTITION.device
After=dev-PARTITION.device
BindsTo=dev-mapper-home\x2dYOURNAME.device
Requires=home-YOURNAME.mount
Before=home-YOURNAME.mount
Conflicts=umount.target
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStop=/usr/bin/cryptsetup close home-YOURNAME

[Install]
RequiredBy=dev-mapper-home\x2dYOURNAME.device

Note: dev-PARTITION is the result of systemd-escape -p /dev/PARTITION
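The unit names used above (dev-mapper-home\x2dYOURNAME.device, home-YOURNAME.mount, dev-PARTITION.device) all follow systemd's path escaping, which the note only points at via systemd-escape. As an added example that is not part of the page, the POSIX-sh function below reimplements those escaping rules so a unit name can be derived and checked offline; it assumes only od, sed and awk are available.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: a POSIX-sh reimplementation of the
# path escaping that `systemd-escape -p` performs, so unit names such as
# dev-mapper-home\x2dYOURNAME.device can be derived and checked offline.
# Rules (systemd's unit_name_path_escape): collapse repeated '/' and strip
# leading/trailing ones; '/' becomes '-'; letters, digits, ':' and '_' pass
# through, as does '.' except in first position; everything else, including
# '-' and '\', becomes \xNN with lowercase hex.

systemd_escape_path() {
    p=$(printf '%s' "$1" | sed 's#//*#/#g; s#^/##; s#/$##')
    if [ -z "$p" ]; then printf '%s\n' -; return 0; fi   # "/" escapes to "-"
    # od yields one decimal byte value per line; awk maps each byte.
    printf '%s' "$p" | od -An -v -tu1 | tr -s ' \n' '\n' | awk '
        NF { c = $1 + 0; n++
             if (c == 47) printf "-"
             else if ((c >= 48 && c <= 57) || (c >= 65 && c <= 90) ||
                      (c >= 97 && c <= 122) || c == 58 || c == 95 ||
                      (c == 46 && n > 1)) printf "%c", c
             else printf "\\x%02x", c }
        END { printf "\n" }'
}

# Full unit name for a path and unit type, e.g. path_unit_name /home/alice mount
path_unit_name() {
    printf '%s.%s\n' "$(systemd_escape_path "$1")" "$2"
}

path_unit_name /dev/mapper/home-alice device   # dev-mapper-home\x2dalice.device
path_unit_name /home/alice mount               # home-alice.mount
```

A unit whose name does not match this output exactly (for instance home-alice.device instead of home\x2dalice) is silently never bound, so comparing against the real systemd-escape -p on the target machine is the check to run before enabling the service.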