Automatically mounting LUKS encrypted partitions with pam_mount

Yesterday I got my new Thinkpad T61 laptop and had to spend some time installing a GNU/Linux distribution on it, doing all those related tasks that are a must: partitioning, installing Linux, installing Emacs… and, besides all of those, a very important one: encrypting some disk partitions.

To do that, I just followed the instructions that Berto had posted some months ago in his blog, both for encrypting full regular partitions with LUKS and for encrypting temporary filesystems, namely the /tmp and swap partitions.

So, once I got those tasks done (quite easy if you follow the steps Berto explained in his posts), only one task was still left: making those LUKS encrypted partitions mount automatically when I log into the system with my username.

The idea behind this is simply that you use the same password both for logging into the system with your username and for decrypting those LUKS partitions before mounting them. To do this, I just used the pam_mount module, which takes care of using the user password to automatically mount those partitions right after the user is authenticated. And of course, that PAM module also takes care of unmounting those partitions right after you log out, once no open session with your username remains active.

So, I’d like to share with you a recipe to get all this stuff easily working:

  1. Follow the steps in Berto’s post to encrypt a full partition with LUKS.
  2. When you add a LUKS password for that encrypted partition, use the same password you use to log into your system with your username. LUKS allows you to add more than one password for your partitions, so at least one of them should be the same as your user password.
  3. Install the pam_mount module:

     sudo apt-get install libpam-mount

  4. Edit your /etc/security/pam_mount.conf file and append there a line like the following one (one for each encrypted partition you’d like to automatically mount; the hyphens are placeholders for unused fields):

     volume USERNAME crypt - DEV_FILE MOUNTPOINT - - -

     For example, to mount an encrypted partition present in /dev/sda6 under a /encrypted folder whenever the user ‘mario’ logs into the system, you should append the following line:

     volume mario crypt - /dev/sda6 /encrypted - - -

  5. Edit /etc/pam.d/login so it looks as follows at the end of the file:

     […]
     # Standard Un*x account and session
     @include common-account
     @include common-session
     @include common-pammount
     @include common-password

  6. And, if you use GDM (as I do), you should also edit /etc/pam.d/gdm in a similar way:

     […]
     @include common-account
     session required
     @include common-session
     @include common-pammount
     session optional auto_start
     @include common-password

  7. At last, make sure that you have removed (or commented out) some lines in /etc/fstab and /etc/crypttab, in order to avoid both being asked for the LUKS password at startup (because of the crypttab file) and trying to mount a not yet decrypted partition (because of fstab). For instance, this is how those files would look for the example given:
      • /etc/crypttab:

        #encrypted /dev/sda6 none luks,check=ext2
        cswap /dev/sda8 /dev/urandom swap
        ctmp /dev/sda9 /dev/urandom tmp

      • /etc/fstab:

        #/dev/mapper/encrypted /encrypted ext3 defaults 0 2

    Once you have followed all those steps, you should be able to reboot and see how the encrypted partition gets mounted right after you log in to your system, whether through GDM or through a text-mode terminal.
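A small consistency check for the four files this recipe touches, added here as an example (it is not code from the original post): it reads the volume line from pam_mount.conf, flags any still-active crypttab or fstab entry for the same device or mount point, and confirms that common-pammount is included after common-session in the PAM service file. It assumes the old whitespace-separated pam_mount.conf syntax shown above, with `-` as the unused-field placeholder; the sample files it writes are constructed from the post's example.

```shell
#!/bin/sh
# Added consistency check for the recipe above (not from the original post).
# Assumes the old whitespace-separated pam_mount.conf syntax, with "-" for unused fields.

check_pam_mount_setup() {
  user=$1; dev=$2; conf=$3; crypttab=$4; fstab=$5; pamfile=$6
  rc=0
  # Mount point is field 6 of "volume USER crypt - DEV MOUNTPOINT - - -".
  mnt=$(awk -v u="$user" -v d="$dev" \
        '$1=="volume" && $2==u && $3=="crypt" && $5==d {print $6; exit}' "$conf")
  [ -n "$mnt" ] || { echo "missing: volume line for $user on $dev in $conf"; rc=1; }
  # An active crypttab entry for DEV would ask for the passphrase at boot.
  if awk -v d="$dev" '$1 !~ /^#/ && $2==d {f=1} END {exit !f}' "$crypttab"; then
    echo "conflict: $dev is still active in $crypttab"; rc=1
  fi
  # An active fstab entry for the mount point would try to mount a not yet decrypted device.
  if [ -n "$mnt" ] && awk -v m="$mnt" '$1 !~ /^#/ && $2==m {f=1} END {exit !f}' "$fstab"; then
    echo "conflict: $mnt is still listed in $fstab"; rc=1
  fi
  # common-pammount must be included, and after common-session, so the session exists first.
  s=$(grep -n '^@include common-session$' "$pamfile" | head -n1 | cut -d: -f1)
  p=$(grep -n '^@include common-pammount$' "$pamfile" | head -n1 | cut -d: -f1)
  if [ -z "$p" ]; then
    echo "missing: @include common-pammount in $pamfile"; rc=1
  elif [ -n "$s" ] && [ "$p" -lt "$s" ]; then
    echo "order: common-pammount comes before common-session in $pamfile"; rc=1
  fi
  return $rc
}

# Constructed sample files matching the post's example; "bad" = fstab/crypttab cleanup skipped.
write_sample_files() {
  d=$1; [ "$2" = good ] && c='#' || c=''
  printf 'volume mario crypt - /dev/sda6 /encrypted - - -\n' > "$d/pam_mount.conf"
  printf '@include common-account\n@include common-session\n@include common-pammount\n@include common-password\n' > "$d/login"
  printf '%sencrypted /dev/sda6 none luks,check=ext2\ncswap /dev/sda8 /dev/urandom swap\n' "$c" > "$d/crypttab"
  printf '%s/dev/mapper/encrypted /encrypted ext3 defaults 0 2\n' "$c" > "$d/fstab"
}

run_check() {  # $1 = good|bad; returns the checker's exit status
  d=$(mktemp -d); write_sample_files "$d" "$1"
  check_pam_mount_setup mario /dev/sda6 "$d/pam_mount.conf" "$d/crypttab" "$d/fstab" "$d/login"
  rc=$?; rm -rf "$d"; return $rc
}

run_check good && echo "sample configuration is consistent"
```

Point check_pam_mount_setup at the real /etc/security/pam_mount.conf, /etc/crypttab, /etc/fstab and /etc/pam.d/login to run it against your own system.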

    And that’s all. I hope you find it useful.