Automatically mounting LUKS encrypted partitions with pam_mount

Yesterday I’ve got my new Thinkpad T61 laptop and I had to spend some time installing a GNU/Linux distribution on it, so doing all those related tasks that are a must: partitioning, installing linux, installing emacs… and besides to all those tasks a very important one: encrypting some disk partitions.

To do that, I just followed the instructions that Berto had posted some months ago in his blog, either for encrypting full regular partitions with LUKS as for encrypting temporary filesystems, say, /tmp and swap partitions.

So, once I got those tasks done (quite easy if you follow the steps Berto‘s explained in his posts), only one more task was still left: to make those LUKS encrypted partitions to be automatically mounted when logging into the system with my username.

The idea behind this is just that you use the same password both for logging into the system with your username as for decrypting those LUKS partitions before mounting them. To do this, I’ve just used the pam_mount module so it took care of using the user password to automatically mount those partitions right after the user gets identified in the system. And of course, that pam module also takes care of unmounting those partitions right after you log out and no open sessions with your username remains active.

So, I’d like to share with you a recipe to get all this stuff easily working:

  1. Follow the steps in Berto‘s post to encrypt a full partition with LUKS.
  2. When you add a LUKS password for that encrypted partition, use the same password you use to log into your system with your username. LUKS allows you to add more than one password for your partitions, so at least one of them should be the same than your user password.
  3. Install the pam_mount module:
  4. sudo apt-get install libpam-mount

  5. Edit your /etc/security/pam_mount.conf file and append there a line like the following one (one for each encrypted partition you’d like to automatically mount):
  6. volume USERNAME crypt – DEV_FILE MOUNTPOINT – – –

    For example, to mount a encripted partition present in /dev/sda6 under a /encrypted folder whenever the user ‘mario’ logs into the system, you should append the following line:

    volume mario crypt – /dev/sda6 /encrypted – – –

  7. Edit /etc/pam.d/login so it looks as follows at the end of the file
  8. […]
    # Standard Un*x account and session
    @include common-account
    @include common-session
    @include common-pammount
    @include common-password

  9. And, if you use GDM (as me), you should also edit /etc/pam.d/gdm in a similar way:
  10. […]
    @include common-account
    session required pam_limits.so
    @include common-session
    @include common-pammount
    session optional pam_gnome_keyring.so auto_start
    @include common-password

  11. At last make sure that you have removed (or commented) some lines in /etc/fstab and /etc/crypttab, in order to avoid both asking for the LUKS password at startup (because the crypttab file) as trying to mount a not decrypted partition (because of fstab). For instance, this is how those files would look for the example given:
      • /etc/crypttab:

        #encrypted /dev/sda6 none luks,check=ext2
        cswap /dev/sda8 /dev/urandom swap
        ctmp /dev/sda9 /dev/urandom tmp

      • /etc/fstab:

        […]
        #/dev/mapper/encrypted /encrypted ext3 defaults 0 2
        […]

    Once you have followed all those steps, you should be able to reboot and see how the encrypted partition gets mounted right after you login in your system, either by using GDM as by using a text-mode terminal.

    And that’s all. I hope you find it useful.

2 thoughts on “Automatically mounting LUKS encrypted partitions with pam_mount”

  1. Hi!

    I’m pretty much newbie when it comes to *nix things, but I have my own concerns about the security of doing this. As far as I know, Linux doesn’t use specifically advanced hashing algorithms to save passwords. Althought it’s more secure than saving them in plaintext, I would see that as an huge security risk compromising your disk encryption when it comes to the computing power attacker probably has. Bruteforcing MD5/SHA1/SHA512 hashes isn’t that difficult, and definitely a lot easier than doing the same to any good encryption algorithm, AES for example. Am I right? Do you recommend any precautions against this?

    – veepeeh

  2. To be honest, I’m a newbie on these issues as well and I’ve never had thought about this thing before, but I agree it could be a security risk and I’m grateful to you for having noticed that.

    Anyway, I stopped using that one year ago, when I decided to go for a better layout in my laptop, which basically consists on having a small /boot partition and the rest of the disk as a single partition encrypted with LUKS, and inside of it, a LVM group to allow me the flexibility of having logical volumes on it.

    A very common layout nowadays that allows me better security and, at the same time, a lot of flexibility.

Comments are closed.