Yesterday I got my new ThinkPad T61 laptop and had to spend some time installing a GNU/Linux distribution on it, which meant doing all the related tasks that are a must: partitioning, installing Linux, installing Emacs… and, besides all those, a very important one: encrypting some disk partitions.
To do that, I just followed the instructions that Berto had posted some months ago in his blog, both for encrypting full regular partitions with LUKS and for encrypting temporary filesystems, say, /tmp and swap partitions.
So, once I got those tasks done (quite easy if you follow the steps Berto explained in his posts), only one more task was left: making those LUKS-encrypted partitions mount automatically when I log into the system with my username.
The idea is that you use the same password both for logging into the system with your username and for decrypting those LUKS partitions before mounting them. To do this, I used the pam_mount module, which takes the user password and uses it to mount those partitions automatically right after the user is authenticated. And of course, that PAM module also takes care of unmounting those partitions once you log out and no open sessions with your username remain active.
So, I’d like to share with you a recipe to get all this working easily:
- Follow the steps in Berto’s post to encrypt a full partition with LUKS.
- When you add a LUKS password for that encrypted partition, use the same password you use to log into your system with your username. LUKS allows you to add more than one password for your partitions, so at least one of them should be the same as your user password.
- Install the pam_mount module:

      sudo apt-get install libpam-mount

- Edit your /etc/security/pam_mount.conf file and append a line like the following (one for each encrypted partition you’d like to mount automatically):

      volume USERNAME crypt - DEV_FILE MOUNTPOINT - - -

  For example, to mount an encrypted partition located at /dev/sda6 under an /encrypted folder whenever the user ‘mario’ logs into the system, you should append the following line:

      volume mario crypt - /dev/sda6 /encrypted - - -

- Edit /etc/pam.d/login so that the end of the file looks as follows:

      # Standard Un*x account and session

- And, if you use GDM (as I do), you should also edit /etc/pam.d/gdm in a similar way:

      session required pam_limits.so
      session optional pam_gnome_keyring.so auto_start

- Finally, make sure that you have removed (or commented out) the corresponding lines in /etc/fstab and /etc/crypttab, to avoid both being asked for the LUKS password at startup (because of the crypttab file) and trying to mount a partition that has not been decrypted yet (because of fstab). For instance, this is how those files would look for the example given:

  /etc/crypttab:

      #encrypted /dev/sda6 none luks,check=ext2
      cswap /dev/sda8 /dev/urandom swap
      ctmp /dev/sda9 /dev/urandom tmp

  /etc/fstab:

      #/dev/mapper/encrypted /encrypted ext3 defaults 0 2
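A consistency check over the three files from the recipe, useful before rebooting. This is an added example, not part of the original post or of pam_mount: the `check` and `fields` helpers are hypothetical names, the field layouts are taken from the lines shown above, and the sample file contents are constructed from the post's `mario` example.

```python
# Added example (not from the original post): lint the recipe's three files.
# Field layouts follow the lines shown on the page; sample data is constructed.

def fields(text):
    """Split every non-blank, non-comment line into whitespace-separated fields."""
    rows = (line.strip() for line in text.splitlines())
    return [r.split() for r in rows if r and not r.startswith("#")]

def check(pam_mount_conf, crypttab, fstab):
    """Return a list of problems that would break mount-at-login."""
    problems, volumes = [], {}          # volumes: device -> mountpoint
    for f in fields(pam_mount_conf):
        # volume USERNAME crypt - DEV_FILE MOUNTPOINT - - -
        if f[0] != "volume" or len(f) < 6 or f[2] != "crypt":
            continue
        volumes[f[4]] = f[5]
        # Dashes pasted from a web page are often U+2013/U+2014, not ASCII '-'.
        if any(x in ("\u2013", "\u2014") for x in f):
            problems.append(f"pam_mount.conf: {f[4]} line has a typographic dash; use ASCII '-'")
    for f in fields(crypttab):
        # crypttab: NAME DEVICE KEY OPTIONS
        if len(f) >= 2 and f[1] in volumes:
            problems.append(f"crypttab: {f[1]} still active; passphrase prompt at boot")
    for f in fields(fstab):
        # fstab: DEVICE MOUNTPOINT TYPE OPTIONS DUMP PASS
        if len(f) >= 2 and f[1] in volumes.values():
            problems.append(f"fstab: {f[1]} still active; mount of a locked device at boot")
    return problems

# Constructed sample input mirroring the post's example for user 'mario'.
PAM_MOUNT = "volume mario crypt - /dev/sda6 /encrypted - - -\n"
CRYPTTAB_OK = """#encrypted /dev/sda6 none luks,check=ext2
cswap /dev/sda8 /dev/urandom swap
ctmp /dev/sda9 /dev/urandom tmp
"""
FSTAB_OK = "#/dev/mapper/encrypted /encrypted ext3 defaults 0 2\n"

if __name__ == "__main__":
    print(check(PAM_MOUNT, CRYPTTAB_OK, FSTAB_OK))
    # Same files with the two lines left uncommented and a pasted en dash:
    for problem in check(PAM_MOUNT.replace("- /dev", "\u2013 /dev"),
                         CRYPTTAB_OK.lstrip("#"), FSTAB_OK.lstrip("#")):
        print(problem)
```

To run it against a real system, pass the contents of /etc/security/pam_mount.conf, /etc/crypttab and /etc/fstab to `check` instead of the constructed strings.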
Once you have followed all those steps, you should be able to reboot and see how the encrypted partition gets mounted right after you log in to your system, either through GDM or from a text-mode terminal.
And that’s all. I hope you find it useful.