dm-crypt/Mounting at login

From ArchWiki

It is possible to configure PAM and systemd to automatically mount a dm-crypt encrypted home partition when its owner logs in, and to unmount it when they log out.

This tutorial assumes you have already created your encrypted partition, as described in Dm-crypt/Encrypting a non-root file system.

Note:
  • You need to use the same password for your user account and for LUKS.
  • In all the examples, replace username with your username, 1000 with your user ID and PARTITION with the name of your encrypted partition's device.

Unlocking at login

pam_exec can be used to unlock the device at login. Edit /etc/pam.d/system-login and add the pam_exec line shown below directly after auth include system-auth:

Note: GDM, LightDM, and maybe other display managers might require pam_exec for session as well, see Talk:Dm-crypt/Mounting at login#pam_exec required for session & using script.
/etc/pam.d/system-login
...

auth       include    system-auth
auth       optional   pam_exec.so expose_authtok /etc/pam_cryptsetup.sh

...

Then create the mentioned script.

/etc/pam_cryptsetup.sh
#!/usr/bin/env bash

CRYPT_USER="username"
PARTITION="/dev/sdXY"
NAME="home-$CRYPT_USER"

# PAM_USER is set by pam_exec; because of expose_authtok the passphrase arrives
# on stdin, and cryptsetup reads it from there. Only act for the configured user,
# and only if the mapping does not already exist.
if [[ "$PAM_USER" == "$CRYPT_USER" && ! -e "/dev/mapper/$NAME" ]]; then
    /usr/bin/cryptsetup open "$PARTITION" "$NAME"
fi

Make the script executable.
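As an added example (not the wiki's script), a stricter /etc/pam_cryptsetup.sh that only calls cryptsetup when PAM_TYPE is auth, the call type in which expose_authtok actually puts the passphrase on stdin, so a session-phase pam_exec line like the one discussed above cannot start an unlock attempt with no passphrase. The log() and should_unlock() helpers are this example's own; the mapper path is passed as an argument only so the decision can be checked without root.

```shell
#!/usr/bin/env bash
# Stricter variant of /etc/pam_cryptsetup.sh (added example, not the wiki's script).
# Values are hard-coded on purpose: pam_exec runs this as root with the PAM
# application's environment, so nothing except the PAM_* items should steer
# what gets unlocked.
CRYPT_USER="username"
PARTITION="/dev/sdXY"
NAME="home-${CRYPT_USER}"

# Write a line to the journal; the passphrase is never part of the message.
log() { logger -t pam_cryptsetup -- "$*" 2>/dev/null || true; }

# should_unlock USER TYPE MAPPER_PATH
# Succeeds only for an "auth" call (the PAM_TYPE for which expose_authtok
# supplies the passphrase on stdin), for the configured user, while the
# mapping does not exist yet.
should_unlock() {
    user="$1"; ptype="$2"; mapper="$3"
    [ "$user" = "$CRYPT_USER" ] && [ "$ptype" = "auth" ] && [ ! -e "$mapper" ]
}

# cryptsetup inherits our stdin and reads the passphrase from it, so the
# passphrase never appears in argv, the environment or the log.
open_volume() {
    if /usr/bin/cryptsetup open "$PARTITION" "$NAME"; then
        log "opened $PARTITION as $NAME for $CRYPT_USER"
    else
        log "cryptsetup open $PARTITION failed"
        return 1
    fi
}

main() {
    if should_unlock "${PAM_USER:-}" "${PAM_TYPE:-}" "/dev/mapper/$NAME"; then
        open_volume || log "home volume for $CRYPT_USER stays locked"
    fi
    # The pam_exec line is "optional", so a failed unlock must not block login
    # (the session will simply not find its home); report success either way.
    exit 0
}

# Only act when invoked by pam_exec; running by hand without PAM_USER does nothing.
[ -n "${PAM_USER:-}" ] && main
```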

Mounting and unmounting automatically

systemd-logind maintains user@1000.service for as long as at least one session is active for the user. It is started automatically after a first successful login and stopped after a logout from the last session. Hence, we can create and enable a systemd.mount(5) unit for the mapped volume and connect it to user@1000.service in order to make it mount and unmount automatically:

/etc/systemd/system/home-username.mount
[Unit]
Requires=user@1000.service
Before=user@1000.service

[Mount]
Where=/home/username
What=/dev/mapper/home-username
Type=btrfs
Options=defaults,relatime,compress=zstd

[Install]
RequiredBy=user@1000.service

Locking after unmounting

After unmounting, the device will still be unlocked, and it will be possible to mount it again without re-entering the password. You can create and enable a service that starts when the device gets unlocked (BindsTo=dev-mapper-home\x2dusername.device), stops when the device gets unmounted (Requires= and Before=home-username.mount), and locks the device as it stops (ExecStop=cryptsetup close):

/etc/systemd/system/cryptsetup-username.service
[Unit]
DefaultDependencies=no
BindsTo=dev-PARTITION.device
After=dev-PARTITION.device
BindsTo=dev-mapper-home\x2dusername.device
Requires=home-username.mount
Before=home-username.mount
Conflicts=umount.target
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStop=/usr/bin/cryptsetup close home-username

[Install]
RequiredBy=dev-mapper-home\x2dusername.device

Note: dev-PARTITION is the result of systemd-escape -p /dev/PARTITION