User:LEW21/WIP
Unlocking
Add
auth optional pam_exec.so expose_authtok quiet /usr/bin/cryptsetup open /dev/PARTITION home-YOURNAME
after
auth include system-auth
in the /etc/pam.d/system-login config file. expose_authtok passes the password you just typed at the login prompt to the command on its standard input, and cryptsetup reads the LUKS passphrase from there, so the passphrase of /dev/PARTITION has to be identical to YOURNAME's login password and has to be changed together with it (cryptsetup luksChangeKey /dev/PARTITION). Because the line is auth optional, a failure of the command (wrong passphrase, mapping already open, a different user logging in) does not block the login.
/etc/pam.d/system-login EXAMPLE
#%PAM-1.0
auth       required   pam_tally.so onerr=succeed file=/var/log/faillog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth
auth       optional   pam_exec.so expose_authtok quiet /usr/bin/cryptsetup open /dev/PARTITION home-YOURNAME
account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth
password   include    system-auth
session    optional   pam_loginuid.so
session    include    system-auth
session    optional   pam_motd.so motd=/etc/motd
session    optional   pam_mail.so dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so
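The pam_exec line above runs cryptsetup against one fixed partition for every login on the machine. A variant that only touches the partition belonging to the user who is actually logging in, as an added example that is not part of this page: pam_exec exports PAM_USER and PAM_TYPE to the command it runs and, with expose_authtok, writes the password to the command's standard input, which cryptsetup reads the passphrase from when stdin is not a terminal. The script path (/usr/local/bin/pam-unlock-home) and the user-to-partition table are constructed for illustration; the script replaces the cryptsetup command on the pam_exec line.

```shell
#!/bin/sh
# pam-unlock-home: run by pam_exec with expose_authtok. pam_exec sets PAM_USER
# and PAM_TYPE in the environment and writes the password that was just typed
# to our stdin. Hypothetical path: /usr/local/bin/pam-unlock-home (root:root, 0755).
# PAM line: auth optional pam_exec.so expose_authtok quiet /usr/local/bin/pam-unlock-home

# Constructed table: which LUKS partition backs which user's home directory.
home_partition() {
    case "$1" in
        alice) echo /dev/sda3 ;;
        bob)   echo /dev/sda4 ;;
        *)     return 1 ;;
    esac
}

# Decide whether cryptsetup should run for user $1.
# Returns 0 = unlock, 1 = no encrypted home for this user, 2 = already open.
unlock_decision() {
    # PAM_USER comes from the login program; still refuse anything that could
    # put path separators or shell-unsafe characters into the mapper name.
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    home_partition "$1" >/dev/null || return 1
    # Mapping already exists (e.g. a second concurrent session): nothing to do.
    [ -e "/dev/mapper/home-$1" ] && return 2
    return 0
}

# Entry point when invoked by pam_exec. Exit 0 for every user we do not
# manage, so the optional auth line never has any effect on their login.
pam_unlock_home() {
    user=${PAM_USER:?}
    unlock_decision "$user"
    case $? in
        0) ;;
        *) exit 0 ;;
    esac
    # Our stdin is pam_exec's pipe carrying the password; exec hands it
    # straight to cryptsetup, which reads the passphrase from a non-tty stdin.
    exec /usr/bin/cryptsetup open "$(home_partition "$user")" "home-$user"
}

# pam_exec sets PAM_TYPE=auth when called from the auth stack; the guard keeps
# the script inert when it is sourced to exercise the decision functions.
if [ "${PAM_TYPE:-}" = "auth" ]; then
    pam_unlock_home
fi
```

Keeping the decision separate from the cryptsetup call means the name check and the already-open check can be exercised without a LUKS device at hand (source the script without PAM_TYPE set and call unlock_decision directly).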
Mounting
/etc/fstab
/dev/mapper/home-YOURNAME /home/YOURNAME ext4 rw,noatime,noauto,x-systemd.automount 0 2
That's it! Your home directory will be mounted automatically on the first access made by your Desktop Environment or shell.
However, you may want to describe the dependencies and ordering explicitly; in particular, if you set up automatic unmounting on logout (see below) without them, you end up with a dependency cycle that systemd cannot resolve automatically. In the unit names below, 1000 stands for the numeric UID of YOURNAME, as printed by id -u YOURNAME:
Explicit dependencies and ordering
/etc/systemd/system/user@1000.service.d/homedir.conf
[Unit]
Requires=home-YOURNAME.mount
After=home-YOURNAME.mount
Unmounting on logout
After you log out of all your sessions, systemd-logind automatically shuts down user@1000.service. Therefore, you can specify that your mountpoint requires it - and it'll get unmounted automatically by systemd.
/etc/systemd/system/home-YOURNAME.mount.d/logout.conf
[Unit]
Requires=user@1000.service
Locking on unmount
After unmounting, the device is still unlocked, and it is possible to mount it again without re-entering the password. Therefore, set up a service that starts when the device gets unlocked (BindsTo=dev-mapper-home\x2dYOURNAME.device, pulled in through the RequiredBy= line of its [Install] section) and is stopped after the mount point gets unmounted (Requires= together with Before=home-YOURNAME.mount, since stop order is the reverse of start order), locking the device in the process (ExecStop=cryptsetup close). The unit name of a device is its escaped path, which is why the hyphen appears as \x2d; systemd-escape -p --suffix=device /dev/mapper/home-YOURNAME prints the exact name to use.
/etc/systemd/system/cryptsetup-YOURNAME.service
[Unit]
DefaultDependencies=no
BindsTo=dev-PARTITION.device
After=dev-PARTITION.device
BindsTo=dev-mapper-home\x2dYOURNAME.device
Requires=home-YOURNAME.mount
Before=home-YOURNAME.mount
Conflicts=umount.target
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStop=/usr/bin/cryptsetup close home-YOURNAME

[Install]
RequiredBy=dev-mapper-home\x2dYOURNAME.device
systemctl enable cryptsetup-YOURNAME.service
Tips
SDDM
SDDM by default tries to display users' avatars by reading the ~/.face.icon file. Because your home directory is an automount point, that read triggers a mount attempt, which cannot succeed before you log in (the device is still locked), so SDDM blocks for 60 seconds until autofs reports that the directory cannot be mounted.
You can disable avatars by editing /etc/sddm.conf:
/etc/sddm.conf
[Theme]
EnableAvatars=false