I've encrypted /var/tmp using encfs and tried to set up automounting using pam_encfs, following the instructions at https://wiki.edubuntu.org/EncryptedHomeFolder, linked on the Arch Wiki. Basically, what I've done is the following:
1. Install pam_encfs
2. Insert the line "auth sufficient pam_encfs.so" into /etc/pam.d/login and append "use_first_pass" to every subsequent line (see below)
3. Change the source and target in pam_encfs.conf to /var/.tmp and /var/tmp, and change "allow_other" to "nonempty"
4. Add fuse to the modules array in /etc/rc.conf
5. Add myself to the fuse group
6. Run "sudo encfs /var/.tmp /var/tmp" and set it up with the default options and my login password
When I restart and log in, however, /var/tmp is not mounted. I can manually mount it with "sudo encfs /var/.tmp /var/tmp".
Here is my /etc/pam.d/login:
#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_encfs.so
auth required pam_unix.so nullok use_first_pass
auth required pam_tally.so onerr=succeed file=/var/log/faillog use_first_pass
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account required pam_access.so use_first_pass
account required pam_time.so use_first_pass
account required pam_unix.so use_first_pass
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password required pam_unix.so sha512 shadow use_authtok
session required pam_unix.so use_first_pass
session required pam_env.so use_first_pass
session required pam_motd.so use_first_pass
session required pam_limits.so use_first_pass
session optional pam_mail.so dir=/var/spool/mail standard use_first_pass
session optional pam_lastlog.so use_first_pass
session optional pam_loginuid.so use_first_pass
-session optional pam_ck_connector.so nox11 use_first_pass
-session optional pam_systemd.so use_first_pass
and my /etc/security/pam_encfs.conf:
#This file is parsed top to bottom, until the first mount line that matches is found, then it stops.
#Note that I dont support spaces in params
#So if your for example gonna specify idle time use --idle=X not -i X.
#If this is specified program will attempt to drop permissions before running encfs.
#(will not work with --public for example, as that requires encfs to run as root)
drop_permissions
#This specifies which options to pass to encfs for every user.
#You can find encfs options by running encfs without any arguments
encfs_default --idle=1
#Same for fuse, note that allow_root (or allow_other, or --public in encfs) is needed to run gdm/X.
#you can find fuse options with encfs -H
fuse_default allow_root,nonempty
#For a mount line, - = generic, we try to fill in what we need.
#A Mount line is constructed like this:
#USERNAME if "-" or "*" gets replaced with $USER
#SOURCE if USERNAME is -, replace with path + /$USER
# if USERNAME is *, replace with $HOME/ + sourcepath
#TARGET PATH if - replace with $HOME
# if USERNAME is *, replace with $HOME/ + targetpath
#ENCFS OPTIONS encfs options here is encfs_default + encfs_options
#FUSE OPTIONS encfs options here is fuse_default + fuse_options
#Keep in mind that the configuration file is parsed top to bottom, so if you put your generic line on top,
#that will always match before any custom lines under it.
#In this example, with example_user uncommented, the "-" line will never be parsed if you login as example_user.
#In the lines with the USERNAME "*", all paths are relative to $HOME
#USERNAME SOURCE TARGET PATH ENCFS Options FUSE Options
#example_user /mnt/enc/example_user /home/example_user -v,--idle=1 allow_root
#* .private private -v allow_other
- /var/.tmp /var/tmp -v,>/home/ian/log nonempty
The ">/home/ian/log" option at the bottom was an attempt to direct the output of the command pam_encfs runs to a file, but it didn't create a log file when I tried it. If anyone knows how to do this correctly, that would probably be pretty helpful, since it's difficult to debug without knowing what's failing.
Thanks in advance for any advice.
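Added example (not from the post or from pam_encfs itself): a small Python model of the mount-line substitution rules that the pam_encfs.conf comments above describe, run over a constructed copy of the poster's "-" line for a hypothetical user "ian" with home /home/ian. It shows what source and target paths those rules produce for that line and that the ">/home/ian/log" text is carried along as one more comma-separated encfs option rather than treated as a redirection.

```python
# Constructed copy of the relevant pam_encfs.conf lines (comment lines dropped).
CONSTRUCTED_CONF = """\
drop_permissions
encfs_default --idle=1
fuse_default allow_root,nonempty
- /var/.tmp /var/tmp -v,>/home/ian/log nonempty
"""

def _opts(field):
    """Split a comma-separated option field; '-' or a missing field means no options."""
    return [] if field in (None, "-") else field.split(",")

def expand_mount_line(fields, user, home, encfs_default, fuse_default):
    """Apply the USERNAME/SOURCE/TARGET rules from the config comments.
    Returns None when the line does not apply to `user`."""
    username, source, target = fields[0], fields[1], fields[2]
    encfs_opts = _opts(fields[3] if len(fields) > 3 else None)
    fuse_opts = _opts(fields[4] if len(fields) > 4 else None)
    if target == "-":                      # TARGET "-" is replaced with $HOME
        target = home
    if username == "-":                    # generic line: SOURCE becomes path + /$USER
        source = source.rstrip("/") + "/" + user
    elif username == "*":                  # "*" line: both paths are relative to $HOME
        source = home + "/" + source
        target = target if target == home else home + "/" + target
    elif username != user:                 # explicit username that is not this user
        return None
    return {"source": source, "target": target,
            "encfs": encfs_default + encfs_opts,   # encfs_default + encfs_options
            "fuse": fuse_default + fuse_opts}      # fuse_default + fuse_options

def resolve(conf_text, user, home):
    """Parse top to bottom and stop at the first matching mount line."""
    encfs_default, fuse_default, drop = [], [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "drop_permissions":
            drop = True
        elif fields[0] == "encfs_default":
            encfs_default = _opts(fields[1] if len(fields) > 1 else None)
        elif fields[0] == "fuse_default":
            fuse_default = _opts(fields[1] if len(fields) > 1 else None)
        elif len(fields) >= 3:
            mount = expand_mount_line(fields, user, home, encfs_default, fuse_default)
            if mount is not None:
                mount["drop_permissions"] = drop
                return mount
    return None

if __name__ == "__main__":
    print(resolve(CONSTRUCTED_CONF, "ian", "/home/ian"))
```

Comparing the printed source path with the directory that was actually created by "sudo encfs /var/.tmp /var/tmp" is one quick check to run before digging into PAM logging.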