Hello archers,
Recently I switched to an encrypted home partition on my laptop.
/dev/sdb2 has been encrypted with
cryptsetup options luksFormat /dev/sdb2
After booting I log in as root, and do the following:
cryptsetup --allow-discards luksOpen /dev/sdb2 home
mount -o defaults,nodev,nosuid,noatime,discard /dev/mapper/home /home
I want to use pam_mount to automate the luksOpen and mount commands when I log in as user.
The wiki says
It is probably necessary to change both /etc/pam.d/login and the file for your display manager [...]
As the wiki does not say how to change the login file, and I do not use a login manager, I am a bit lost here.
Also I do not know where to add the --allow-discards option.
What I have done so far:
* changed my user's password to be identical to the luks passphrase
* edited /etc/security/pam_mount.conf.xml as by the wiki
(* encrypted the partition)
If you have already done this, your comments are much appreciated.
Last edited by teateawhy (2013-10-02 14:46:33)
archwiki wrote:It is probably necessary to change both /etc/pam.d/login and the file for your display manager [...]
As the wiki does not say how to change the login file, and I do not use a login manager, I am a bit lost here.
I'm not on my arch laptop at the moment, but I remember looking at the "login" file and it "includes" other files, which eventually get to "system-auth", so I reckon other files don't need changing.
What I'm looking forward to is when pam_mount can manage to always umount and luksClose when I log out
You were right, only the "system-auth" file needs to be edited, I did so and rebooted. The pam_mount thing works as intended. Thank you.
Also I edited the wiki to improve this point.
What I'm looking forward to is when pam_mount can manage to always umount and luksClose when I log out
I haven't yet logged out, however I get a lot of error messages already, that seem to be relevant to your problem:
Okt 01 19:30:48 thinkpad login[759]: (mount.c:68): Messages from underlying mount program:
Okt 01 19:30:48 thinkpad login[759]: (mount.c:72): mount: --pass-fd is no longer supported
Okt 01 19:30:48 thinkpad login[759]: (mount.c:72): NOTE: mount.crypt does not support utab (systems with no mtab or read-only mtab) yet. This means that you will temporarily need to call umount.crypt(8) rather than umount(8) to get crypto volumes unmounted.
To me it looks like pam_mount is buggy and not using mount/umount correctly. Any insight on this?
Edit: Also I get an error spilled in the console, when I log in on another tty, because pam_mount tries to run a second time...
Last edited by teateawhy (2013-10-01 18:10:02)
Is there a specific reason you want to do it via pam-mount and not the normal way to let it automount via crypttab?
I did not know about crypttab, and can't find a section about it on the wiki either. From what I understood crypttab is meant for unlocking with a keyfile?
EDIT:
Note: Using a passphrase to decrypt LUKS partitions automatically from /etc/crypttab is deprecated.
Thanks for the input.
Last edited by teateawhy (2013-10-01 19:56:00)
If I understand you correctly then PAM is not what you want.
/etc/crypttab is probably what you're looking for.
-m.
What happened to Arch's KISS? systemd sure is stupid but I must have missed the simple part ...
... and who is general Failure and why is he reading my harddisk?
Ok. I cannot figure out what to write in /etc/crypttab, is there an example in the wiki?
EDIT: Now reading man 5 crypttab.
Last edited by teateawhy (2013-10-01 20:20:34)
Is there a specific reason you want to do it via pam-mount and not the normal way to let it automount via crypttab?
I'm not the only user on my old laptop so I don't want it stopping to ask for a passphrase if someone else switches it on. Also, I leave it around running transmission overnight, downloading to a shared multimedia directory. Using pam_mount, I can log out leaving my stuff encrypted (though as I said, the umount doesn't always work).
Before when I was the only user, I used lvm on luks - single password to unlock everything on boot, so I didn't use crypttab then either.
Strike0 wrote:Is there a specific reason you want to do it via pam-mount and not the normal way to let it automount via crypttab?
I'm not the only user on my old laptop so I don't want it stopping to ask for a passphrase if someone else switches it on. Also, I leave it around running transmission overnight, downloading to a shared multimedia directory. Using pam_mount, I can log out leaving my stuff encrypted (though as I said, the umount doesn't always work).
Before when I was the only user, I used lvm on luks - single password to unlock everything on boot, so I didn't use crypttab then either.
Without going in too much detail: pam-mount is user-specific, meaning it will mount something for that one specific user. The OP was about the entire /home partition, which usually holds all of the user directories. And when it comes to LUKS, once unmounted the partition is inaccessible, leaving it "hidden" from all other applications, including a possibly backgrounded transmission (there may be your reason why the unmount did not work sometimes - a partition, in general, cannot be unmounted while there are opened files there).
-m.
What happened to Arch's KISS? systemd sure is stupid but I must have missed the simple part ...
... and who is general Failure and why is he reading my harddisk?
Without going in too much detail: pam-mount is user-specific, meaning it will mount something for that one specific user. The OP was about the entire /home partition, which usually holds all of the user directories. And when it comes to LUKS, once unmounted the partition is inaccessible, leaving it "hidden" from all other applications, including a possibly backgrounded transmission (there may be your reason why the unmount did not work sometimes - a partition, in general, cannot be unmounted while there are opened files there).
I hadn't used pam_mount before sharing my laptop but when I reconfigured the hard drive, I quite liked the idea of having private partitions shut out when not in use.
It's a shame the umount bit isn't 100% reliable. It seems to be an ongoing bug that has been popping up for years (it isn't transmission, transmission-cli installs its own user with a home of /var/lib/transmission and our downloads are set to /mnt/share/transmission, a separate partition outside the /home hierarchy. The umount also fails during the day when transmission isn't running).
Now I switched to using crypttab instead of pam_mount. With this setup I have to enter the password twice, when opening the encryption and on login. Is it possible to do both in one step?
Last edited by teateawhy (2013-10-01 22:11:43)
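As an added illustration (not from the thread or the Arch wiki) of what the crypttab route looks like: the /etc/crypttab and /etc/fstab pair below reproduces the manual luksOpen and mount commands from the first post, with cryptsetup's --allow-discards spelled as the crypttab option "discard" and the key field "none" meaning the passphrase is prompted for at boot, followed by a small POSIX sh check that the two files agree. The device /dev/sdb2 and mapper name "home" are taken from the thread; the ext4 filesystem type is an assumption, since the thread never states it.

```shell
#!/bin/sh
# Added example: crypttab/fstab pair plus a consistency check.
# Device, mapper name and filesystem type are assumptions (see lead-in).

# Emits one /etc/crypttab line: <mapper name> <device> none luks,discard
# "none" = ask for the passphrase at boot; "discard" = cryptsetup --allow-discards.
crypttab_entry() {
    printf '%s\t%s\tnone\tluks,discard\n' "$1" "$2"
}

# Emits the matching /etc/fstab line: <mapper> <mountpoint> <fstype> <options>
# using the same nodev,nosuid,noatime,discard options as the manual mount.
fstab_entry() {
    printf '/dev/mapper/%s\t%s\t%s\tdefaults,nodev,nosuid,noatime,discard\t0\t2\n' \
        "$1" "$2" "$3"
}

# Checks that every mapper named in a crypttab has an fstab entry, so a typo
# does not leave the unlocked volume unmounted; warns when discard is absent.
# Returns 0 when consistent, 1 otherwise.
check_pair() {
    crypttab="$1"; fstab="$2"; rc=0
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        if ! grep -q "^/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "crypttab mapper '$name' has no fstab entry" >&2
            rc=1
        fi
        case ",$opts," in
            *,discard,*) ;;
            *) echo "note: '$name' lacks discard (TRIM disabled)" >&2 ;;
        esac
    done < "$crypttab"
    return $rc
}
```

Run `crypttab_entry home /dev/sdb2` and `fstab_entry home /home ext4` to see the two lines, then point `check_pair` at the real /etc/crypttab and /etc/fstab after editing them.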
I guess you need to tell us your security circumstances. For instance, I used to have a secure password for unlocking on boot, and a single letter password for logging in/awakening from sleep (so data was secure if the laptop was off e.g. if we ever got burgled).
To answer your question, you could set your system to auto-login your user so that you only have one password on boot if it is just you on this device?
Now I switched to using crypttab instead of pam_mount. With this setup I have to enter the password twice, when opening the encryption and on login. Is it possible to do both in one step?
Just to clarify: you have to enter your passphrase to unlock the LUKS container, and your password to login? That is standard without auto-login enabled.
You might consider https://wiki.archlinux.org/index.php/LU … _partition but this would want you to give the passphrase before you reached login so you couldn't combine it into one step. I am guessing that Fedora does something like this, actually.
I am not sure if anything in https://wiki.archlinux.org/index.php/Sy … _partition could be adapted for /home.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
After some more testing I came to the conclusion to choose crypttab over pam_mount.
Just to clarify: you have to enter your passphrase to unlock the LUKS container, and your password to login? That is standard without auto-login enabled.
Yes, sorry for mixing up passphrase and password. (In my case they are identical.)
To answer your question, you could set your system to auto-login your user so that you only have one password on boot if it is just you on this device?
There is only one user, so that makes sense.
I will set up the fingerprint reader for login now, so I do not have to type the passphrase / password twice. (In my opinion fingerprint login security-wise is comparable to autologin.)
The wiki page about "dm-crypt with LUKS" has seen some edits, I felt that my use case was not properly documented, so I added a section about it: https://wiki.archlinux.org/index.php/Dm … _partition
Marked as solved.