
PAM eCryptFS setup (for encrypting home directory)

I am trying to encrypt my home directory on a fresh install of Artix on my laptop, and to do that I am following the ArchWiki. I am stuck there because part of the setup in /etc/pam.d/system-auth as shown in the ArchWiki requires systemd to work. Has anyone gotten automatic mounting of encrypted home directories to work? How do you set up PAM?

I tried with help from the Gentoo Forums, but that ends up not allowing anyone to log on, with the error Login incorrect, even with a correct login.

Sorry if this is in the wrong forum subsection. My account may not be new here, but I am.

EDIT: I didn't think I would have to say this, but it appears I do. I DO NOT NEED HELP WITH AUTOMOUNTING A HOME PARTITION. I DO NOT HAVE A SEPARATE HOME PARTITION. MY ISSUE IS WITH DECRYPTING AN ECRYPTFS ENCRYPTED DIRECTORY ON LOGIN. THIS HAS NOTHING TO DO WITH EDITING /etc/conf.d/dmcrypt OR /etc/fstab.
Running Artix Linux OpenRC.

Laptop system is a Lenovo/IBM ThinkPad T580 with an i5-8350U, integrated graphics, 32GB of DDR4-2666 memory, and a 1TB WD SN850.

Desktop system is custom built, with an i9-10900K, RTX3080, 32GB of DDR4-3500 16-19-20-37 memory, and a 2TB Samsung 970 Pro.


Re: PAM eCryptFS setup (for encrypting home directory)

Reply #2

Afraid that won't work. It attempts to use cryptsetup to unlock a home partition with dm-crypt. My system is set up with all files in one partition, and since I have it encrypted using ecryptfs-tools, that method will not work.

EDIT: I also would prefer the decryption to occur at user login rather than at boot.


Re: PAM eCryptFS setup (for encrypting home directory)

Reply #4
I don't think you understand what I'm doing... /home is not in its own partition. It's with /. It's already mounted. The only thing is, /home/<username>/ is encrypted with eCryptFS. It's mounted; it just needs the decryption password as already entered (it's the same as the user's password). This has nothing to do with dm-crypt, and has everything to do with setting up /etc/pam.d/system-auth correctly in order to take the user's password to decrypt the files in the already-mounted home partition.

Also, everything linked here requires systemd. I want to be able to do it running OpenRC with elogind. I can't have it with a systemd dependency.

Re: PAM eCryptFS setup (for encrypting home directory)

Reply #5
I am trying to encrypt my home directory on a fresh install of Artix on my laptop, and to do that I am following the ArchWiki. I am stuck there because part of the setup in /etc/pam.d/system-auth as shown in the ArchWiki requires systemd to work. Has anyone gotten automatic mounting of encrypted home directories to work? How do you set up PAM?

I tried with help from the Gentoo Forums, but that ends up not allowing anyone to log on, with the error Login incorrect, even with a correct login.

Sorry if this is in the wrong forum subsection. My account may not be new here, but I am.

You don't need to mess with PAM in order to configure your home partition automounting.

With OpenRC, /etc/crypttab has no effect; you must edit the /etc/conf.d/dmcrypt file instead. Just add there something like the following:
Code (/etc/conf.d/dmcrypt):
target=MyHomePartition
source=UUID=<the UUID of your home partition CONTAINER>

This will tell dmcrypt to mount the unencrypted home partition to /dev/mapper/MyHomePartition. Use any identifier you like.

Then just add to /etc/fstab something like this:
Code (/etc/fstab):
/dev/mapper/MyHomePartition /home ext4 defaults,noatime 0 0
(adjust mounting options to your actual configuration)

Then, add the encrypt hook to your /etc/mkinitcpio.conf file and regenerate the initramfs. Of course, add the dmcrypt service to the boot runlevel.

With this configuration, you'll be prompted to enter the password for your home partition during the boot, and it will be mounted automatically.
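The steps in this reply (a target=/source= pair in /etc/conf.d/dmcrypt, an fstab line for /dev/mapper/<target>, the encrypt hook, the dmcrypt service) are easy to get half-done, and a half-done dm-crypt home simply fails to appear at boot. The script below is an added example, not code from the thread or from the dmcrypt init script: it cross-checks those files against each other before you reboot. Paths are arguments so it can run on copies; the target name is expected unquoted as in the posted config, and the sample files it builds for its stand-alone run (UUIDs included) are constructed. The encrypt hook is what unlocks an encrypted root from the initramfs; a separate /home unlocked by the dmcrypt service does not strictly need it, but the check follows the reply.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the OpenRC dm-crypt boot-time
# unlock pieces before rebooting. Parses target=/source= pairs from a
# /etc/conf.d/dmcrypt-style file, confirms the fstab mounts /dev/mapper/<target>
# on the expected mount point, and looks for "encrypt" in the mkinitcpio HOOKS.

# dmcrypt_source CONF TARGET: print the source= value that follows target=TARGET
# (comments and blank lines skipped; surrounding quotes stripped).
dmcrypt_source() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        sub(/^[[:space:]]*target=[[:space:]]*/, "") { cur = $0; next }
        sub(/^[[:space:]]*source=[[:space:]]*/, "") && cur == want { print; exit }
    ' "$1" | tr -d "'\""
}

# fstab_mounts FSTAB DEVICE MOUNTPOINT: 0 if an uncommented line maps DEVICE to MOUNTPOINT.
fstab_mounts() {
    awk -v dev="$2" -v mnt="$3" '
        /^[[:space:]]*#/ { next }
        $1 == dev && $2 == mnt { found = 1 }
        END { exit !found }
    ' "$1"
}

# check_dmcrypt_boot CONF FSTAB MKINITCPIO TARGET MOUNTPOINT
# Returns 0 when every piece is in place; each problem is reported on stderr.
check_dmcrypt_boot() {
    conf="$1" fstab="$2" mkinit="$3" target="$4" mnt="$5"
    ok=0
    src=$(dmcrypt_source "$conf" "$target")
    if [ -z "$src" ]; then
        echo "$conf: no source= for target=$target" >&2; ok=1
    else
        case "$src" in
            *'<'*|*'>'*)   echo "$conf: source still holds a placeholder: $src" >&2; ok=1 ;;
            UUID=*|LABEL=*|/dev/*) ;;   # the forms the dmcrypt script resolves
            *)             echo "$conf: source '$src' is not UUID=, LABEL= or a /dev path" >&2; ok=1 ;;
        esac
    fi
    fstab_mounts "$fstab" "/dev/mapper/$target" "$mnt" ||
        { echo "$fstab: nothing mounts /dev/mapper/$target on $mnt" >&2; ok=1; }
    grep -Eq '^[[:space:]]*HOOKS=.*[( "]encrypt[ )"]' "$mkinit" ||
        { echo "$mkinit: HOOKS does not list encrypt" >&2; ok=1; }
    return $ok
}

# make_dmcrypt_fixture DIR: constructed sample files for the stand-alone run
# (made-up UUIDs; mirrors the layout the reply describes).
make_dmcrypt_fixture() {
    dir="$1"
    cat > "$dir/dmcrypt" <<'EOF'
# constructed /etc/conf.d/dmcrypt
target=MyHomePartition
source=UUID=11111111-2222-3333-4444-555555555555
EOF
    cat > "$dir/fstab" <<'EOF'
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee / ext4 defaults,noatime 0 1
/dev/mapper/MyHomePartition /home ext4 defaults,noatime 0 0
EOF
    cat > "$dir/mkinitcpio.conf" <<'EOF'
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
EOF
}

# Stand-alone run against the constructed fixture. On a real system call
# check_dmcrypt_boot /etc/conf.d/dmcrypt /etc/fstab /etc/mkinitcpio.conf <target> /home
tmpd=$(mktemp -d "${TMPDIR:-/tmp}/dmcrypt-check.XXXXXX")
make_dmcrypt_fixture "$tmpd"
check_dmcrypt_boot "$tmpd/dmcrypt" "$tmpd/fstab" "$tmpd/mkinitcpio.conf" MyHomePartition /home && echo "fixture: OK"
rm -rf "$tmpd"
```

The one piece a file check cannot see is the service itself: `rc-update show boot | grep dmcrypt` confirms it was added to the boot runlevel, and a placeholder left in source= (the `<...>` case above) is the most common reason the prompt never appears.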

Re: PAM eCryptFS setup (for encrypting home directory)

Reply #6
You don't need to mess with PAM in order to configure your home partition automounting.


How many times do I need to say that I already have /home mounted? That's not the issue, and never was my issue. My issue is decrypting eCryptFS, which is a form of encrypting an already mounted home or data partition. There is no messing around with unmounted partitions as I already have them mounted.

Home partition is already mounted. I just need to decrypt it.



EDIT: I've been very clear in the original post that I've been talking about individual directories and not partitions. The partition is not encrypted. The /home/<username>/ directory is encrypted. I do not need help in automounting as it's already done by my fstab, which I already generated while installing Artix Linux OpenRC.

Re: PAM eCryptFS setup (for encrypting home directory)

Reply #7
Maybe it is too late, but still I'd like to share my experience.
I had encrypted my /home/user when I was using Devuan. After I migrated, this got me too. After reading some articles my "/etc/pam.d/system-auth" has become like this:
Code:
#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# unwrap: reuse the password pam_unix just verified (PAM_AUTHTOK) to unwrap
# ~/.ecryptfs/wrapped-passphrase, so this line must come after pam_unix.so.
auth       required                    pam_ecryptfs.so      unwrap

# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so
# Re-wraps the mount passphrase when the login password is changed through PAM.
password   optional                    pam_ecryptfs.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so
# Mounts ~/.Private onto the home directory when the session opens.
session    optional                    pam_ecryptfs.so      unwrap

Be sure to have in your "/home/user/": ".ecryptfs/" and ".Private/". These two directories in my case were in "/home/user/Backup/". I am not sure how they got there. It took me some time to understand that the config above is correct and I just needed to move the dirs.

EDIT: Actually I made softlinks instead of moving. The INIT I use is OpenRC.
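The two failure modes this thread runs into are a PAM stack that locks everyone out ("Login incorrect") and eCryptFS metadata that is not where pam_ecryptfs.so expects it (here, under Backup/). The script below is an added example, not code from the thread or from ecryptfs-utils: it checks both on disk, from a root shell or a second VT, before you log out and find out the hard way. It assumes the standard layout ecryptfs-setup-private creates and the post above describes (~/.ecryptfs/ holding wrapped-passphrase, Private.sig, Private.mnt and auto-mount, plus the lower directory ~/.Private/); symlinked directories, as the poster used, pass as long as they resolve. The home layout and system-auth it builds for its stand-alone run are constructed, not a real user.

```shell
#!/bin/sh
# Added example (not from the thread): check a user's eCryptFS home layout and
# the PAM stack on disk before logging out, so a bad /etc/pam.d/system-auth
# cannot lock everyone out with "Login incorrect".

# check_ecryptfs_home HOME_DIR
# Returns 0 when the per-user metadata pam_ecryptfs.so and mount.ecryptfs_private
# need is present; each missing piece is reported on stderr.
check_ecryptfs_home() {
    home="$1"
    ok=0
    for d in .ecryptfs .Private; do
        [ -d "$home/$d" ] || { echo "missing directory: $home/$d" >&2; ok=1; }
    done
    for f in wrapped-passphrase Private.sig Private.mnt auto-mount; do
        [ -f "$home/.ecryptfs/$f" ] || { echo "missing file: $home/.ecryptfs/$f" >&2; ok=1; }
    done
    # Private.mnt names the upper (mount point) directory; it must exist or the
    # session-time mount has nowhere to go.
    if [ -f "$home/.ecryptfs/Private.mnt" ]; then
        mnt=$(head -n1 "$home/.ecryptfs/Private.mnt")
        [ -n "$mnt" ] && [ -d "$mnt" ] ||
            { echo "Private.mnt points at a missing directory: '$mnt'" >&2; ok=1; }
    fi
    return $ok
}

# check_pam_stack PAM_FILE
# Returns 0 when pam_ecryptfs.so is present in the auth, password and session
# stacks and, in auth, comes after pam_unix.so (unwrap reads the password that
# pam_unix stored as PAM_AUTHTOK; this is the ordering the posted config uses).
check_pam_stack() {
    pam="$1"
    ok=0
    for stack in auth password session; do
        grep -Eq "^[[:space:]]*$stack[[:space:]].*pam_ecryptfs\.so" "$pam" ||
            { echo "$pam: no $stack line for pam_ecryptfs.so" >&2; ok=1; }
    done
    unix_at=$(grep -En '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$pam" | head -n1 | cut -d: -f1)
    ecry_at=$(grep -En '^[[:space:]]*auth[[:space:]].*pam_ecryptfs\.so' "$pam" | head -n1 | cut -d: -f1)
    if [ -z "$unix_at" ] || [ -z "$ecry_at" ] || [ "$unix_at" -gt "$ecry_at" ]; then
        echo "$pam: auth needs pam_unix.so before 'pam_ecryptfs.so unwrap'" >&2; ok=1
    fi
    return $ok
}

# make_ecryptfs_fixture DIR: constructed sample layout for the stand-alone run
# (no real user, empty stand-ins for the wrapped passphrase and signature).
make_ecryptfs_fixture() {
    dir="$1"
    mkdir -p "$dir/home/.ecryptfs" "$dir/home/.Private"
    : > "$dir/home/.ecryptfs/wrapped-passphrase"
    : > "$dir/home/.ecryptfs/Private.sig"
    : > "$dir/home/.ecryptfs/auto-mount"
    printf '%s\n' "$dir/home" > "$dir/home/.ecryptfs/Private.mnt"
    cat > "$dir/system-auth" <<'EOF'
auth       required   pam_unix.so      try_first_pass nullok
auth       required   pam_ecryptfs.so  unwrap
account    required   pam_unix.so
password   required   pam_unix.so      try_first_pass nullok shadow
password   optional   pam_ecryptfs.so
session    required   pam_unix.so
session    optional   pam_ecryptfs.so  unwrap
EOF
}

# Stand-alone run against the constructed fixture. On a real system call
# check_ecryptfs_home /home/user and check_pam_stack /etc/pam.d/system-auth.
tmpd=$(mktemp -d "${TMPDIR:-/tmp}/ecryptfs-check.XXXXXX")
make_ecryptfs_fixture "$tmpd"
check_ecryptfs_home "$tmpd/home" && check_pam_stack "$tmpd/system-auth" && echo "fixture: OK"
rm -rf "$tmpd"
```

Keep a root shell open on another VT while editing system-auth; with the file checks green, `login` on a second VT is the real test, and the open shell is what lets you revert if it still says "Login incorrect".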