Opening and mounting an encrypted volume at user login in plain mode

Automatically opening one or more encrypted partitions at user login has the advantage that only the specific user who logs in can access the data.

Before you begin

You must install the pam_mount package. See the web site at http://pam-mount.sourceforge.net/. Some Linux® distributions provide a pam_mount package.

Ensure that the pam_mount package is configured and the pam_mount.so PAM module is used in the auth and session sections of the PAM configuration files. Your Linux distribution might already perform this for you. See also the pam_mount man page for more information.

About this task

In this scenario you create a user called alice. The home directory for this user is stored on an encrypted volume. The encrypted volume is opened when the user logs in and is closed again when the user logs out. The encrypted volume in this example is /dev/mapper/disk10.

Procedure

  1. Create a user and set an initial password.
    For example, issue:
    
    # useradd -G users -m -s /bin/bash alice
    # passwd alice
    Enter new UNIX password: alice
    Retype new UNIX password: alice
    passwd: password updated successfully
    
  2. Create a secure key in the secure key repository for user alice with the zkey command.
    # zkey generate --name user-alice-xts --keybits 256 --xts \
    --volumes /dev/mapper/disk10:user-enc-alice --volume-type PLAIN \
    --apqns 03.0039,04.0039
    
    Note: Do not use the --sector-size parameter here, because pam_mount does not support sector sizes other than the default (512 bytes).
  3. Format and open the encrypted volume, /dev/mapper/disk10, and create a file system that is later mounted as the home directory for user alice.
    For example:
    
    # zkey cryptsetup --volumes /dev/mapper/disk10 --run
    Executing: cryptsetup plainOpen --key-file '/etc/zkey/repository/user-alice-xts.skey'
    --key-size 1024 --cipher paes-xts-plain64 /dev/mapper/disk10 user-enc-alice
    
    # mkfs.ext4 -L USER_ALICE /dev/mapper/user-enc-alice
    
    # cryptsetup close user-enc-alice

    You can optionally mount the file system temporarily to copy or migrate existing files for the user.

  4. Edit the pam_mount configuration file /etc/security/pam_mount.conf.xml. Add a volume definition for alice.
    
    <volume user="alice" path="/dev/mapper/disk10" mountpoint="~"
            fstype="crypt" fskeycipher="none"
            fskeypath="/etc/zkey/repository/user-alice-xts.skey"
            cipher="paes-xts-plain64" fskeyhash="plain"/>
    
    See also the pam_mount.conf man page for details.
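The following script is an added example and is not part of the original page or of the pam_mount or zkey projects. It performs the pre-flight checks a practitioner would want before letting alice log in: that pam_mount.so is wired into both the auth and the session section of the PAM service file (the prerequisite under "Before you begin"), that the <volume> entry for the user parses to the expected values, and that the secure key file named in fskeypath is readable only by its owner. The constructed sample configuration, the scratch directory, the file names and the /etc/pam.d/sshd path are assumptions; the real files live under /etc/security and /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the page): pre-flight checks for a pam_mount
# volume definition. Assumes <volume .../> elements as in the page, one or
# more lines each, and a PAM service file that lists pam_mount.so directly
# (the grep does not follow @include or substack lines).

# 1. Does the PAM service file use pam_mount.so in an auth AND a session
#    line? Both are needed: auth opens the volume, session mounts/closes it.
pam_has_pam_mount() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_mount\.so' "$1" &&
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mount\.so' "$1"
}

# 2. Print one attribute of the <volume> element for a user, or nothing.
#    The file is flattened first because the element may span lines.
#    The leading [[:space:]] keeps "path" from matching inside "fskeypath".
volume_attr() {
    conf=$1 user=$2 attr=$3
    tr '\n' ' ' < "$conf" | grep -o '<volume[^>]*/>' |
        grep "user=\"$user\"" |
        sed -n "s/.*[[:space:]]$attr=\"\([^\"]*\)\".*/\1/p"
}

# 3. The secure key file must be a regular file with mode 0600 or 0400.
#    A group- or world-readable key defeats the per-user protection.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined check: prints each finding, returns non-zero if anything failed.
# (Existence of the block device is deliberately not checked here, so the
# function also works in a scratch directory without /dev/mapper.)
check_pam_mount_volume() {
    conf=$1 user=$2 pamfile=$3 rc=0
    pam_has_pam_mount "$pamfile" ||
        { echo "FAIL: pam_mount.so missing from auth or session in $pamfile"; rc=1; }
    dev=$(volume_attr "$conf" "$user" path)
    key=$(volume_attr "$conf" "$user" fskeypath)
    [ -n "$dev" ] || { echo "FAIL: no <volume> entry for $user in $conf"; rc=1; }
    [ -n "$key" ] && keyfile_is_private "$key" ||
        { echo "FAIL: key file '$key' missing or not mode 0600/0400"; rc=1; }
    [ "$(volume_attr "$conf" "$user" fstype)" = crypt ] ||
        { echo "FAIL: fstype must be crypt for $user"; rc=1; }
    return $rc
}

# Constructed sample data (not from a real system) so the checks can be
# exercised offline: populates $1 with a config, a PAM file and a key file.
write_sample_config() {
    dir=$1
    mkdir -p "$dir/repository"
    cat > "$dir/pam_mount.conf.xml" <<EOF
<pam_mount>
<volume user="alice" path="/dev/mapper/disk10" mountpoint="~"
        fstype="crypt" fskeycipher="none"
        fskeypath="$dir/repository/user-alice-xts.skey"
        cipher="paes-xts-plain64" fskeyhash="plain"/>
</pam_mount>
EOF
    cat > "$dir/sshd" <<EOF
auth     required  pam_unix.so
auth     optional  pam_mount.so
session  required  pam_unix.so
session  optional  pam_mount.so
EOF
    printf 'placeholder secure key bytes\n' > "$dir/repository/user-alice-xts.skey"
    chmod 600 "$dir/repository/user-alice-xts.skey"
}

# Usage on a real system (only runs when the real config is present):
if [ -f /etc/security/pam_mount.conf.xml ] && [ -f /etc/pam.d/sshd ]; then
    check_pam_mount_volume /etc/security/pam_mount.conf.xml alice /etc/pam.d/sshd
fi
```

Run it as root after step 4; a non-zero exit means one of the printed FAIL lines applies. If your distribution pulls pam_mount in through a common file such as common-auth or system-auth, pass that file as the third argument instead of the sshd service file.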

Results

Now alice can log in to the Linux instance. The pam_mount PAM module opens the encrypted volume and creates a device under /dev/mapper/ (for example, /dev/mapper/_dev_dm_21), which is then mounted as /home/alice. For example:

# ssh alice@localhost
alice@localhost's password: alice
Welcome to your favourite Linux distribution

Last login: Mon Aug 06 16:28:45 2018 from 127.0.0.1

alice@localhost:~$ df | grep alice
/dev/mapper/_dev_dm_21   20507216 45080 19397384 1% /home/alice

alice@localhost:~$