pam_mount can be used to automatically mount an encrypted home partition (encrypted with, for example, LUKS or eCryptfs) on user login.
It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on console. The encrypted drive's passphrase should be the same as your Linux user's password, so you do not have to type in two different passphrases to log in.
pam_systemd.so in the pam stack. See systemd issue 8598 and Talk:Pam mount#automatic unmounting and systemd.
Global (system) configuration
The module is configured in
/etc/security/pam_mount.conf.xml, see for details. Edit the file as follows:
<!-- Generic encrypted partition example -->
<volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />

<!-- Example using CIFS -->
<volume
    fstype="cifs"
    server="server.example.com"
    path="share_name"
    mountpoint="~/mnt/share_name"
    uid="10000-19999"
    options="sec=krb5i,vers=3.0,cruid=%(USERUID)"
/>
<mkmountpoint enable="1" remove="true" />

</pam_mount>
- Insert 2 new lines at the end of the file, but before the last closing tag,
USERNAME should be replaced with your user name.
/dev/sdaX should be replaced with the corresponding device or container file.
fstype="auto" can be changed to any
type that is present in
"auto" should work fine in most cases. Use
fstype="crypt" so that the loop device gets closed at logout for volumes needing it.
- Add mount options, if needed. Note that
mount.cifs does not read
smb.conf and so all options must be specified. In the example,
uid matches the local
smb.conf parameter idmap config ... : range = so that pam_mount is not called for a Unix-only user. Kerberos is indicated by krb5, SMB3.0 is specified because the other end may not support SMB1 which is the default. Signing is enabled with the i on the end of krb5i. See for more details.
Local (per-user) configuration
pam_mount also supports allowing users to define their own mounts on login in files inside their home directories. Please consider the potential security implications of this change. To enable it, make sure the following line is present and active in
<luserconf name=".pam_mount.conf.xml" />
It will have the effect of allowing each user to set their mounts in
~/.pam_mount.conf.xml. The per-user config files only support
<volume> keywords, e.g.:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
    <volume user="alex" fstype="tmpfs" path="tmpfs" mountpoint="~/test" options="nodev,nosuid" />
</pam_mount>
There are also some restrictions with regard to the mount options that you can and cannot select, and some of them are mandatory (
uid, these can be lifted by editing
/etc/security/pam_mount.conf.xml). Bind mounts appear to be unsupported. Ownership checks are also performed on the mountpoints.
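A review pass an administrator could run over a user's ~/.pam_mount.conf.xml when luserconf is enabled, as an added example that is not part of the original page or of pam_mount. The policy it applies (require nodev and nosuid as in the example above, keep mountpoints under ~, flag bind requests and any element other than <volume>) is an assumption of this sketch, not pam_mount's own enforcement logic, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: options this audit insists on, taken from the page's tmpfs example.
REQUIRED_OPTIONS = {"nodev", "nosuid"}

# Constructed sample of a user's ~/.pam_mount.conf.xml (not from a real system).
SAMPLE = b"""<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <volume user="alex" fstype="tmpfs" path="tmpfs" mountpoint="~/test" options="nodev,nosuid" />
  <volume user="alex" fstype="tmpfs" path="tmpfs" mountpoint="/etc/scratch" options="nodev" />
  <volume user="alex" fstype="auto" path="/home/alex/a" mountpoint="~/b" options="bind,nodev,nosuid" />
  <cryptmount>/home/alex/bin/helper %(VOLUME)</cryptmount>
</pam_mount>
"""

def audit_user_config(xml_bytes, owner):
    """Return a list of findings for one per-user pam_mount file.

    The file is user-controlled input, so run this without privileges.
    """
    findings = []
    root = ET.fromstring(xml_bytes)
    for elem in root:
        if elem.tag != "volume":
            findings.append(f"<{elem.tag}>: only <volume> is supported per user")
            continue
        mnt = elem.get("mountpoint", "")
        # Keep only the option name, dropping any "=value" part.
        opts = {o.split("=")[0] for o in elem.get("options", "").split(",") if o}
        if elem.get("user") not in (None, owner):
            findings.append(f"{mnt}: volume names another user")
        if not (mnt == "~" or mnt.startswith("~/")):
            findings.append(f"{mnt}: mountpoint outside the home directory")
        missing = REQUIRED_OPTIONS - opts
        if missing:
            findings.append(f"{mnt}: missing {','.join(sorted(missing))}")
        if "bind" in opts:
            findings.append(f"{mnt}: bind mount requested")
    return findings

if __name__ == "__main__":
    for finding in audit_user_config(SAMPLE, "alex"):
        print(finding)
```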
LUKS encrypted volumes can be configured simply as follows:
<volume user="username" fstype="crypt" path="/dev/disk/by-partuuid/partition_uuid" mountpoint="~" options="crypto_name=volume_name,allow_discard,fstype=btrfs,compress=zstd" />
The volume is unlocked and mounted with mount.crypt, see for details about the options.
pam_mount does not support Veracrypt volumes natively, but there is a workaround:
<volume user="username" fstype="crypt" path="/dev/disk/by-partuuid/partition_uuid" mountpoint="vcrypt"/>
<volume user="username" fstype="auto" path="/dev/mapper/vcrypt" mountpoint="/media/mountpoint"/>
<cryptmount>cryptsetup --veracrypt open --type tcrypt %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>cryptsetup close %(MNTPT)</cryptumount>
If you also have LUKS volumes, you can use a different fstype for Veracrypt volume instead of
cryptmount/cryptumount, for example
ncpmount/ncpumount. Just make sure you do not use NCP filesystem.
There is a trick to make pam_mount add an F2FS decryption key to your session keyring. The salt you chose when encrypting directories with f2fscrypt needs to match the one in
/etc/security/pam_mount.conf.xml (0x1111 in the example below) and the passphrase needs to match the user's login password. This example assumes you are not mounting FUSE filesystems with pam_mount. If you do, choose a different
<*mount> tag pair instead of
<fusemount>f2fscrypt add_key -S 0x1111</fusemount>
<fuseumount>f2fscrypt new_session</fuseumount>
<volume noroot="1" ssh="0" fstype="fuse" path="/tmp/not-a-real-path-0" mountpoint="/tmp/not-a-real-path-1"/>
<volume> does not do anything except trigger the commands in
<fuseumount>. After login you can verify that your session keyring has a F2FS decryption key:
$ keyctl show
Session Keyring
 910133222 --alswrv   1000   100  keyring: _ses
 301049775 --alswrv   1000 65534   \_ keyring: _uid.1000
 013481035 --alsw-v   1000   100       \_ logon: f2fs:2e64cf4a5bafcd7
Login manager configuration
In general, you have to edit configuration files in
/etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is necessary to edit
/etc/pam.d/system-login as shown below. If you use a display manager make sure its file includes
system-login. Example configuration files follow, with the added lines in bold.
pam_succeed_if line before
pam_mount in session skips
success=n means skip the next
n lines) if the
systemd-user service is running through the PAM stack (i.e.
/etc/pam.d/systemd-user). This avoids double mount attempts and errors relating to dropped privileges when the
systemd --user instance is starting up. See  and  for details.
#%PAM-1.0

auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       optional   pam_mount.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   optional   pam_mount.so
password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet
session    optional   pam_mount.so
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so
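A check for the ordering described above, as an added example that is not part of the original page: it parses a PAM service file, confirms pam_mount.so is called in auth, password and session, and confirms the session call is directly preceded by the systemd-user guard. The function names and the sample file are constructed for illustration; the guard line is the one from the configuration above.

```python
import re

# The guard line from the page's system-login example.
GUARD = "session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet"

# Constructed sample: pam_mount is wired in, but the session guard is missing.
UNGUARDED = """\
#%PAM-1.0
auth      optional  pam_mount.so
auth      include   system-auth
password  optional  pam_mount.so
password  include   system-auth
session   optional  pam_keyinit.so force revoke
session   optional  pam_mount.so
session   include   system-auth
-session  optional  pam_systemd.so
"""
GUARDED = UNGUARDED.replace("session   optional  pam_mount.so",
                            GUARD + "\nsession   optional  pam_mount.so")

RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (type, control, module, args) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if m:
            rules.append(m.groups())
    return rules

def check(text):
    """Return a list of problems with how pam_mount is placed in the stack."""
    rules = parse(text)
    problems = [f"{kind}: pam_mount.so not called"
                for kind in ("auth", "password", "session")
                if not any(r[0] == kind and r[2] == "pam_mount.so" for r in rules)]
    # success=N jumps count modules of the same type, so look at session rules only.
    session = [r for r in rules if r[0] == "session"]
    for i, (_, _, module, _) in enumerate(session):
        if module != "pam_mount.so":
            continue
        prev = session[i - 1] if i else ("", "", "", "")
        guarded = (prev[2] == "pam_succeed_if.so" and "success=1" in prev[1]
                   and "service = systemd-user" in " ".join(prev[3].split()))
        if not guarded:
            problems.append("session: pam_mount.so runs for systemd-user too")
    return problems

if __name__ == "__main__":
    for name, text in (("unguarded", UNGUARDED), ("guarded", GUARDED)):
        print(name, check(text) or "ok")
```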