From ArchWiki
Revision as of 11:04, 24 May 2017 by Gerdesj (talk | contribs) (→‎General Setup: add cruid= to cifs example which avoids cifs.upcall trying to read root's keytab instead of the user's keytab)


pam_mount can be used to automatically mount an encrypted home partition (encrypted with, for example, LUKS or eCryptfs) at user login. It mounts /home (or any other mount point you choose) when you log in through your login manager or on the console. The encrypted volume's passphrase should be the same as your Linux user's password, so that you do not have to type two different passphrases to log in.

Warning: pam_mount can also unmount your partitions when you close your last session, but this currently does not work due to the use of in the PAM stack.

General Setup

  1. Install pam_mount from the Official repositories.
  2. Edit /etc/security/pam_mount.conf.xml as follows:

Insert the following two lines at the end of the file, but before the last closing tag, </pam_mount>:

<volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />
<mkmountpoint enable="1" remove="true" />

Notes:

  • USERNAME should be replaced with your Linux username.
  • /dev/sdaX should be replaced with the corresponding device or container file.
  • fstype="auto" can be changed to any <type> for which /usr/bin/mount.<type> exists; "auto" should work fine in most cases. For volumes that need it, use fstype="crypt" so that the loop device gets closed at logout.
  • Add mount options if needed. Note that mount.cifs does not read smb.conf, so all options must be specified. In the example, uid matches the local smb.conf parameter idmap config ... : range = so that pam_mount is not called for a Unix-only user. Kerberos is indicated by krb5, and SMB 3.0 is specified because the other end may not support SMB1, which is the default. Signing is enabled with the i on the end of krb5i. See man mount.cifs for more details.
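The notes above amount to a checklist for each <volume> entry: a container file wants fstype="crypt", and a cifs volume needs every option spelled out because mount.cifs ignores smb.conf. The following script is an added example, not code from the ArchWiki page or the pam_mount project; it parses a constructed pam_mount.conf.xml and reports which entries fall short of that checklist. The mount.cifs option names sec=, vers=, uid= and cruid= are assumed from mount.cifs(8), not taken from the page.

```python
# Added example (not from the ArchWiki page or the pam_mount project):
# sanity-check the <volume> entries in a pam_mount.conf.xml against the
# advice in the General Setup notes before relying on them at login.
# Assumptions not on the page: the mount.cifs option names sec=, vers=, uid=
# and cruid= are the standard ones from mount.cifs(8); the sample config
# below is constructed, not copied from a real system.
import xml.etree.ElementTree as ET

# Constructed sample in the shape of /etc/security/pam_mount.conf.xml.
SAMPLE_CONF = """\
<pam_mount>
  <debug enable="0" />
  <volume user="alice" fstype="auto" path="/home/alice.img"
          mountpoint="/home/alice" options="fsck,noatime" />
  <volume user="bob" fstype="crypt" path="/dev/sdaX"
          mountpoint="/home" options="fsck,noatime" />
  <volume user="carol" fstype="cifs" server="fileserver" path="carol"
          mountpoint="/home/carol/share" options="sec=krb5,vers=3.0,uid=10000" />
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
"""


def parse_options(options):
    """Split a comma-separated mount option string into {key: value or None}."""
    result = {}
    for item in options.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        result[key] = value if sep else None
    return result


def check_volume(vol):
    """Return a list of findings (strings) for one <volume> element."""
    findings = []
    user = vol.get("user")
    fstype = vol.get("fstype", "auto")
    path = vol.get("path", "")
    mountpoint = vol.get("mountpoint", "")
    opts = parse_options(vol.get("options", ""))

    if not user:
        findings.append("volume without user=: it would apply to every login")
    if not mountpoint.startswith("/"):
        findings.append(f"{user}: mountpoint must be absolute, got {mountpoint!r}")

    # A container file mounted with fstype="auto" leaves its loop device open
    # after logout; the page says to use fstype="crypt" for such volumes.
    if fstype == "auto" and path and not path.startswith("/dev/"):
        findings.append(f"{user}: container file {path} uses fstype=auto; "
                        "use fstype=crypt so the loop device is closed at logout")

    if fstype == "cifs":
        # mount.cifs does not read smb.conf, so every option must be spelled out.
        if "uid" not in opts:
            findings.append(f"{user}: cifs volume without uid=")
        if opts.get("vers") != "3.0":
            findings.append(f"{user}: pin vers=3.0; the SMB1 default may be refused")
        sec = opts.get("sec")
        if sec == "krb5":
            findings.append(f"{user}: sec=krb5 has no signing; use sec=krb5i")
        elif sec != "krb5i":
            findings.append(f"{user}: cifs volume is not using Kerberos (sec={sec})")
        if "cruid" not in opts:
            findings.append(f"{user}: add cruid= so cifs.upcall uses the user's "
                            "Kerberos credentials rather than root's")
    return findings


def check_conf(xml_text):
    """Map each volume's user to its findings; an empty list means no concerns."""
    root = ET.fromstring(xml_text)
    if root.tag != "pam_mount":
        raise ValueError("root element is not <pam_mount>")
    return {vol.get("user") or "<any>": check_volume(vol)
            for vol in root.findall("volume")}


if __name__ == "__main__":
    for user, findings in check_conf(SAMPLE_CONF).items():
        print(user, findings or "ok")
```

Run against the constructed sample, bob's LUKS device passes, alice's container file is flagged for fstype="auto", and carol's cifs share is flagged twice: sec=krb5 without the signing variant krb5i, and no cruid=. Point check_conf at the real /etc/security/pam_mount.conf.xml to review a live configuration.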


Login Manager Configuration

The factual accuracy of this section is disputed.

In general, you have to edit the configuration files in /etc/pam.d so that pam_mount is called on login. The order of entries in each file matters. Edit /etc/pam.d/system-auth as shown below; if you use a display manager (e.g. SLiM), edit its file too. Example configuration files follow, with the added lines in bold.


auth      required
auth      required     try_first_pass nullok
auth      optional
auth      optional

account   required
account   optional
account   required

password  optional
password  required     try_first_pass nullok sha512 shadow
password  optional

session   optional
session   required
session   required
session   required
session   optional


For SLiM:

auth            requisite
auth            required
auth            required
auth            optional
account         required
password        required
password        optional
session         required
session         required
session         optional
session         optional
session         optional


Manual configuration for GDM is not needed, since it relies on /etc/pam.d/system-auth.
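Whether a display manager needs its own pam_mount lines depends on whether its service file carries its own stack (SLiM) or delegates to system-auth (GDM). The script below is an added example, not code from the ArchWiki page or the pam_mount project: it expands include and substack references the way the PAM stack does and reports which services reach pam_mount in both the auth stack (where pam_mount captures the login password) and the session stack (where it mounts). The module file name pam_mount.so is assumed, since the page's listings lost their module names, and the service files are constructed.

```python
# Added example (not from the ArchWiki page or the pam_mount project): resolve
# which PAM services actually reach pam_mount, expanding `include` and
# `substack` lines the way the PAM stack does, so a display manager that only
# pulls in system-auth (the page's GDM case) is covered while one carrying its
# own full stack (the page's SLiM case) shows up as needing its own lines.
# Assumptions not on the page: the module file name pam_mount.so (the page's
# listings lost their module names); the service files below are constructed.

# Constructed /etc/pam.d contents keyed by service name.
PAM_FILES = {
    "system-auth": """\
auth      required     pam_env.so
auth      required     pam_unix.so     try_first_pass nullok
auth      optional     pam_mount.so
auth      optional     pam_permit.so
session   required     pam_limits.so
session   required     pam_unix.so
session   optional     pam_mount.so
session   optional     pam_permit.so
""",
    # Delegates entirely to system-auth, as the page says GDM does.
    "gdm-password": """\
auth      substack     system-auth
session   include      system-auth
""",
    # Carries its own stack and has not been edited for pam_mount yet.
    "slim": """\
auth      requisite    pam_nologin.so
auth      required     pam_env.so
auth      required     pam_unix.so
session   required     pam_limits.so
session   required     pam_unix.so
""",
}


def parse_pam(text):
    """Return (type, control, module, args) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        mtype, control, module, *args = parts
        entries.append((mtype, control, module, args))
    return entries


def resolve_stack(service, mtype, files, depth=0):
    """Ordered (control, module, args) list for one management type, with
    include/substack references expanded in place."""
    if depth > 8:
        raise RecursionError(f"include loop reached at {service}")
    if service not in files:
        raise KeyError(f"included service {service!r} does not exist")
    stack = []
    for t, control, module, args in parse_pam(files[service]):
        if t != mtype:
            continue
        if control in ("include", "substack"):
            stack.extend(resolve_stack(module, mtype, files, depth + 1))
        else:
            stack.append((control, module, args))
    return stack


def pam_mount_coverage(files):
    """For each service, whether pam_mount.so runs in the auth stack (where it
    captures the login password) and the session stack (where it mounts)."""
    report = {}
    for service in files:
        report[service] = {
            mtype: any(module == "pam_mount.so"
                       for _, module, _ in resolve_stack(service, mtype, files))
            for mtype in ("auth", "session")
        }
    return report


def services_missing_pam_mount(files):
    """Services that will not mount volumes on login because pam_mount is
    absent from auth, session or both."""
    return sorted(s for s, r in pam_mount_coverage(files).items()
                  if not (r["auth"] and r["session"]))


if __name__ == "__main__":
    for service, r in pam_mount_coverage(PAM_FILES).items():
        print(f"{service:14} auth={r['auth']} session={r['session']}")
    print("needs editing:", services_missing_pam_mount(PAM_FILES))
```

On the constructed files, gdm-password inherits pam_mount from system-auth in both stacks, while slim is reported as needing its own lines. To check a real system, build the dict from the files in /etc/pam.d and pass it to services_missing_pam_mount.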