pam_mount
pam_mount can be used to automatically mount an encrypted home partition (encrypted with, for example, LUKS or ECryptfs) on user log in.
It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on console. The encrypted drive's passphrase should be the same as your linux user's password, so you do not have to type in two different passphrases to login.
pam_systemd.so in the pam stack, see Talk:Pam mount#automatic unmounting and systemd.Configuration
Install the pam_mount package.
The module is configured in /etc/security/pam_mount.conf.xml, see pam_mount.conf(5) for details. Edit the file as follows:
/etc/security/pam_mount.conf.xml
<!-- Generic encrypted partition example -->
<volume user="''USERNAME''" fstype="auto" path="/dev/''sdaX''" mountpoint="/home" options="fsck,noatime" />
<!-- Example using CIFS -->
<volume
fstype="cifs"
server="''server.example.com''"
path="''share_name''"
mountpoint="~/mnt/''share_name''"
uid="10000-19999"
options="sec=krb5i,vers=3.0,cruid=%(''USERUID'')"
/>
<mkmountpoint enable="1" remove="true" />
</pam_mount>
Notes:
- Insert 2 new lines at the end of the file, but before the last closing tag, .
USERNAMEshould be replaced with your user name.- should be replaced with the corresponding device or container file.
- can be changed to any that is present in
/usr/bin/mount.type. should work fine in most cases. Use so that the loop device gets closed at logout for volumes needing it. - Add mount options, if needed. Note that
mount.cifsdoes not read and so all options must be specified. In the example, matches the local parameter idmap config ... : range = so that pam_mount is not called for a Unix only user. Kerberos is indicated by krb5, SMB3.0 is specified because the other end may not support SMB1 which is the default. Signing is enabled with the i on the end of krb5i. See for more details.
LUKS volumes
LUKS encrypted volumes can be configured simply as follows:
The volume is unlocked and mounted with mount.crypt, see for details about the options.
Veracrypt volumes
pam_mount does not support Veracrypt volumes natively, but there is a workaround:
If you also have LUKS volumes, you can use a different fstype for Veracrypt volume instead of crypt with , for example with . Just make sure you do not use NCP filesystem.
F2FS encryption
There is a trick to make pam_mount add a F2FS decryption key to your session keyring. The salt you chose when encrypting directory(es) with f2fscrypt needs to match the one in /etc/security/pam_mount.conf.xml (0x1111 in below example) and passphrase needs to match the user's login password. This example assumes you are not mounting FUSE filesystems with pam_mount. If you do, choose a different tag pairs instead of <fusemount> and , like .
does not do anything except trigger the commands in <fusemount> and . After login you can verify that your session keyring has a F2FS decryption key:
Login manager configuration
In general, you have to edit configuration files in /etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is necessary to edit as shown below. If you use a display manager make sure its file includes . Example configuration files follow, with the added lines in bold.
The line before in session skips ( means skip the next lines) if the systemd-user service is running through the PAM stack (i.e. ). This avoids double mount attempts and errors relating to dropped privileges when the instance is starting up. See and for details.