Automatically opening one or more encrypted partitions at user login has the advantage that the data is accessible only to a particular user, and only while that user is logged in.
Before you begin
You must install the pam_mount package. See the web site at http://pam-mount.sourceforge.net/. Some Linux® distributions provide a pam_mount package.
Ensure that the pam_mount package is configured and that the pam_mount.so PAM module is used in the auth and session sections of the PAM configuration files. Your Linux distribution might already do this for you. See also the pam_mount man page for more information.
About this task
In this scenario you create a user called alice. The home directory for this user is stored on an encrypted volume. The encrypted volume is opened when the user logs in and closed again at logout. The encrypted volume in this example is /dev/mapper/disk10.
Procedure
-
Create a user and set an initial password. For example, issue:
# useradd -G users -m -s /bin/bash alice
# passwd alice
Enter new UNIX password: alice
Retype new UNIX password: alice
passwd: password updated successfully
-
Create a secure key in the secure key repository for user alice with the zkey command.
# zkey generate --name user-alice-xts --keybits 256 --xts \
--volumes /dev/mapper/disk10:user-enc-alice --volume-type PLAIN \
--apqns 03.0039,04.0039
Note: Do not use the --sector-size parameter here, because pam_mount does not support sector sizes other than the default (512 bytes).
-
Open the encrypted volume /dev/mapper/disk10 and create a file system on it; this file system is later mounted as the home directory of user alice. Because the volume type is PLAIN, there is no LUKS header to format: zkey cryptsetup opens the device with cryptsetup plainOpen, using the secure key from the repository. For example:
# zkey cryptsetup --volumes /dev/mapper/disk10 --run
Executing: cryptsetup plainOpen --key-file '/etc/zkey/repository/user-alice-xts.skey' --key-size 1024 --cipher paes-xts-plain64 /dev/mapper/disk10 user-enc-alice
# mkfs.ext4 -L USER_ALICE /dev/mapper/user-enc-alice
# cryptsetup close user-enc-alice
You can optionally mount the file system temporarily to copy or migrate existing files for the user.
-
Edit the pam_mount configuration file /etc/security/pam_mount.conf.xml. Add a volume definition for alice.
<volume user="alice" path="/dev/mapper/disk10" mountpoint="~"
fstype="crypt" fskeycipher="none"
fskeypath="/etc/zkey/repository/user-alice-xts.skey"
cipher="paes-xts-plain64" fskeyhash="plain"/>
See also the pam_mount.conf man page for details.
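Before the first login it is worth checking that the pieces set up in the steps above fit together. The following shell function is an added example, not part of the original page and not code from the pam_mount or zkey projects. It assumes that the PAM stack files live in the directory you pass as PAM_DIR (for example /etc/pam.d), that the secure key file named by fskeypath must not be world-readable, and that a volume defined this way should always use a protected-key cipher, that is, a cipher name starting with paes-. It flattens the XML before matching so that a volume element wrapped across several lines, as in the step above, is still found.

```shell
#!/bin/sh
# Added example: sanity check for the pam_mount + zkey home-directory setup.
# Not from the original page, nor from the pam_mount or zkey projects.
# Assumptions: PAM stack files are in PAM_DIR (e.g. /etc/pam.d); the secure
# key file must not be world-readable; the cipher must start with "paes-".

# check_pam_mount_setup USER PAM_DIR PAM_MOUNT_CONF
# Prints one "FAIL: ..." line per problem and returns 0 only if all checks pass.
check_pam_mount_setup() {
    user=$1
    pam_dir=$2
    conf=$3
    rc=0

    # 1. pam_mount.so must be present in both the auth and the session stack:
    #    auth is where it picks up the login password, session is where it
    #    mounts at login and unmounts again at logout.
    for type in auth session; do
        if ! grep -Eqs "^[[:space:]]*${type}[[:space:]].*pam_mount\.so" "$pam_dir"/*; then
            echo "FAIL: no '${type}' line referencing pam_mount.so in $pam_dir"
            rc=1
        fi
    done

    # 2. Find the <volume user="USER" .../> element. The file is flattened to a
    #    single line first so attributes wrapped across lines are still seen.
    vol=$(tr '\n' ' ' < "$conf" 2>/dev/null | grep -o "<volume[^>]*user=\"${user}\"[^>]*>" | head -n 1)
    if [ -z "$vol" ]; then
        echo "FAIL: no <volume user=\"${user}\"> element in $conf"
        return 1
    fi

    # 3. It must be a dm-crypt volume using a protected-key (paes) cipher,
    #    otherwise the secure key from the zkey repository is of no use.
    case $vol in
        *'fstype="crypt"'*) ;;
        *) echo "FAIL: volume for $user is not fstype=\"crypt\""; rc=1 ;;
    esac
    case $vol in
        *'cipher="paes-'*) ;;
        *) echo "FAIL: volume for $user does not use a paes- cipher"; rc=1 ;;
    esac

    # 4. The key file referenced by fskeypath must exist and must not be
    #    readable by everyone on the system.
    key=$(printf '%s' "$vol" | sed -n 's/.*fskeypath="\([^"]*\)".*/\1/p')
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: fskeypath '$key' for $user does not exist"
        rc=1
    elif [ -n "$(find "$key" -perm -o+r)" ]; then
        echo "FAIL: $key is world-readable"
        rc=1
    fi

    return $rc
}

# Usage: sh check_pam_mount.sh alice [PAM_DIR] [PAM_MOUNT_CONF]
if [ $# -ge 1 ]; then
    check_pam_mount_setup "$1" "${2:-/etc/pam.d}" "${3:-/etc/security/pam_mount.conf.xml}"
fi
```

Run it as root after editing pam_mount.conf.xml; a clean run prints nothing and exits 0. A missing session line is the most common reason for a volume that opens at login but is never closed at logout, and that is the first thing the check reports.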
Results
Now alice can log in to the Linux instance. The pam_mount PAM module opens the encrypted volume and creates a device under /dev/mapper/ (for example, /dev/mapper/_dev_dm_21), which is then mounted as /home/alice.
# ssh alice@localhost
alice@localhost's password: alice
Welcome to your favourite Linux distribution
Last login: Mon Aug 06 16:28:45 2018 from 127.0.0.1
alice@localhost:~$ df | grep alice
/dev/mapper/_dev_dm_21 20507216 45080 19397384 1% /home/alice
alice@localhost:~$