
Using fscrypt with Artix Linux

There isn't a whole lot I can add to the first steps of installing and configuring fscrypt; you can follow the Arch wiki guide ( https://wiki.archlinux.org/title/Fscrypt ). However, ignore the following line when configuring /etc/pam.d/system-login:
Code:
session    [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet
This line only makes sense with systemd (it matches the systemd-user PAM service) and should not be used with any other init.

Using a separate protector password

If you have encrypted your home directory with fscrypt, chose a protector passphrase that is different from your login password, and want the home directory to be unlocked at boot by typing that passphrase on the console, you need to write two shell scripts.

One will run at boot after all filesystems have been mounted in order to unlock your home directory, and the other will run at shutdown before the unmounting of all filesystems in order to lock your home directory.

This is very init specific, and since I only know about OpenRC, I am going to write about it here, but the process should be simple enough to be easily adapted to other inits.

We are going to use the local service in /etc/init.d. When it starts it runs the executable *.start files in /etc/local.d, and when it stops it runs the executable *.stop files. It is ordered after every other service, so it runs last at boot and first at shutdown, which is exactly what we need: after all filesystems have been mounted and before they are unmounted.

Make sure that the local service is enabled in the default runlevel (rc-update show should list it); if it's not, enable it with rc-update add local default.

First things first, we must stop the local service from silencing the output of our scripts. This is very important: the boot script will ask the user whether they want to unlock their home directory, and then fscrypt will ask for the passphrase, and neither prompt would be visible otherwise.

Open /etc/init.d/local in your favorite text editor and add the following lines before the depend() function (the same setting can be put in /etc/conf.d/local instead, which the service sources and which keeps your change separate from the packaged init script):
Code:
# do not silence output so we can see input prompts
rc_verbose=YES

Now we can write our shell scripts. This step is pretty easy and can be done by yourself (definitely read /etc/local.d/README if you want to), or you can copy my scripts.

Remember to change the “USER” variable to match the home directory of the user you want to unlock.

This is my script ( /etc/local.d/fscrypt-unlock.start ) for unlocking my home directory at boot time:
Code:
#!/bin/sh
# user whose home directory should be unlocked
USER=user
printf 'do you want to unlock the home of %s? [y/n] ' "$USER"
read -r ANSWER
case "$ANSWER" in
    # fscrypt prompts for the protector passphrase itself
    y|Y) fscrypt unlock /home/"$USER" ;;
    *)   exit 0 ;;
esac

And this is my script ( /etc/local.d/fscrypt-lock.stop ) for locking my home directory at shutdown time:
Code:
#!/bin/sh
# user whose home directory should be locked
USER=user
# "fscrypt status" prints a line "Unlocked: Yes" or "Unlocked: No"
if [ "$(fscrypt status /home/"$USER" | grep 'Unlocked' | cut -d' ' -f2)" = 'No' ]; then
    einfo "home directory of user $USER already locked, skipping locking"
    exit 0
fi
# if there are any processes left by the user, terminate them so that no
# file in the home directory is still open when the key is removed
if ps -U "$USER" 1>/dev/null; then
    ps -U "$USER" -o pid= | while read -r pid; do
        kill "$pid"
    done
    sleep 5
fi
ebegin "locking /home/$USER"
fscrypt lock /home/"$USER" 1>/dev/null
eend $?
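The following is an added example, not part of the original post, that folds both scripts above into one file: install it as /etc/local.d/fscrypt-unlock.start and symlink (or copy) it to /etc/local.d/fscrypt-lock.stop, and it picks the action from its own file name. Compared with the two scripts above it skips the prompt when the home is already unlocked (for example by the PAM module), retries a mistyped passphrase a few times, treats a declined prompt as success so the local service is not marked failed, escalates from SIGTERM to SIGKILL before locking, and checks the state fscrypt reports afterwards. It assumes the fscrypt 0.3.x `status` output with an `Unlocked: Yes|No|Partially` line (the embedded sample output is constructed, not captured from a real system), procps-ng pgrep/pkill, and that OpenRC puts einfo/ewarn on PATH when it runs /etc/local.d scripts; USER_NAME, MAX_ATTEMPTS and KILL_GRACE are names chosen here, not fscrypt or OpenRC settings.

```shell
#!/bin/sh
# Added example (not from the forum post): one file serving both
# /etc/local.d/fscrypt-unlock.start and /etc/local.d/fscrypt-lock.stop.
# Assumptions: fscrypt 0.3.x "status" output format, procps-ng pgrep/pkill,
# OpenRC's einfo/ewarn on PATH (plain echo is used when they are missing).

USER_NAME=user              # change to the account whose home is encrypted
HOME_DIR="/home/$USER_NAME"
MAX_ATTEMPTS=3              # wrong-passphrase retries before giving up
KILL_GRACE=5                # seconds between SIGTERM and SIGKILL

# Constructed sample of "fscrypt status /home/user" (policy id is a placeholder).
SAMPLE_STATUS_UNLOCKED='"/home/user" is encrypted with fscrypt.

Policy:   0123456789abcdef
Options:  padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2
Unlocked: Yes

Protected with 1 protector:
PROTECTOR         LINKED  DESCRIPTION
fedcba9876543210  No      custom protector "home"'

# Status lines, via OpenRC helpers when available.
info() { if command -v einfo >/dev/null 2>&1; then einfo "$*"; else printf '%s\n' "$*"; fi; }
warn() { if command -v ewarn >/dev/null 2>&1; then ewarn "$*"; else printf '%s\n' "$*" >&2; fi; }

# Read "fscrypt status" output on stdin and print the "Unlocked:" value:
# Yes, No, or Partially (key incompletely removed because files were open).
# Prints "unknown" when the line is absent (not encrypted, or fscrypt failed).
unlocked_state() {
    awk '$1 == "Unlocked:" { print $2; found = 1; exit }
         END { if (!found) print "unknown" }'
}

home_state() { fscrypt status "$1" 2>/dev/null | unlocked_state; }

home_is_unlocked() { [ "$(home_state "$1")" = "Yes" ]; }

# Ask on the console; returns 0 only for y/Y/yes. Blocks until something is
# typed: POSIX read has no timeout (bash's "read -t" could bound it).
ask_yes_no() {
    printf '%s [y/N] ' "$1"
    read -r answer || return 1
    case "$answer" in y|Y|yes|YES) return 0 ;; *) return 1 ;; esac
}

unlock_home() {
    if home_is_unlocked "$HOME_DIR"; then
        info "$HOME_DIR is already unlocked, nothing to do"
        return 0
    fi
    ask_yes_no "Unlock $HOME_DIR now?" || return 0   # declining is not an error
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        # fscrypt prompts for the protector passphrase itself (echo off)
        fscrypt unlock "$HOME_DIR" && return 0
        warn "unlock failed (attempt $attempt of $MAX_ATTEMPTS)"
        attempt=$((attempt + 1))
    done
    return 1
}

# SIGTERM the user's processes (real UID), wait up to KILL_GRACE seconds,
# then SIGKILL what is left: open files leave the key only partially removed.
stop_user_processes() {
    pgrep -U "$1" >/dev/null 2>&1 || return 0
    pkill -TERM -U "$1"
    waited=0
    while [ "$waited" -lt "$KILL_GRACE" ] && pgrep -U "$1" >/dev/null 2>&1; do
        sleep 1
        waited=$((waited + 1))
    done
    pgrep -U "$1" >/dev/null 2>&1 && pkill -KILL -U "$1"
    return 0
}

lock_home() {
    if ! home_is_unlocked "$HOME_DIR"; then
        info "$HOME_DIR is already locked, skipping"
        return 0
    fi
    stop_user_processes "$USER_NAME"
    info "locking $HOME_DIR"
    fscrypt lock "$HOME_DIR" >/dev/null || return 1
    state=$(home_state "$HOME_DIR")
    if [ "$state" != "No" ]; then
        warn "$HOME_DIR still reports Unlocked: $state (files left open?)"
        return 1
    fi
    return 0
}

# Dispatch on the name this file was invoked as; any other name does nothing.
case "${0##*/}" in
    fscrypt-unlock.start) unlock_home ;;
    fscrypt-lock.stop)    lock_home ;;
esac
```

Keep rc_verbose enabled as described above or the prompts stay invisible. A machine that must boot unattended will sit at the yes/no prompt until someone answers, so on such a machine use the bash timeout variant or drop the unlock half entirely.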

Now you can unlock your home directory at boot without having to manually log in as root and unlock it, enjoy :)

Give me feedback if you think I should improve something in this guide.