dmcrypt

In this howto we will set things up so that your encrypted home directory is automatically mounted when you log in and unmounted when you log out.

There are many options; here we will use dmcrypt with LUKS. On Ubuntu, the preferred default method is eCryptfs instead.

Make sure you have encrypted swap before starting this tutorial.

Related reading

  • Two level laptop encryption by Bruce Schneier. This method advocates encrypting your entire hard drive, and then also keeping a smaller encrypted store for sensitive documents.

Install cryptsetup

If cryptsetup is not already installed:

# apt-get install cryptsetup
# modprobe -a aes dm_mod dm_crypt sha256

The modprobe line forces the crypt modules to be loaded. You only have to do this the first time (or reboot after installing cryptsetup).

Create an encrypted partition

If you do not already have an encrypted partition, follow these steps:

Create and format encrypted partition:

cryptsetup luksFormat /dev/sdaX
cryptsetup luksOpen /dev/sdaX crypt-home
mkfs.ext4 /dev/mapper/crypt-home

Sync the old data:

mount /dev/mapper/crypt-home /mnt
rsync -tarv /home/username /mnt

Change your passphrase

If you want to be able to type your passphrase once on login, then the encryption needs to be done with the same passphrase as your user authentication.

To add a passphrase to an existing dmcrypt partition:

# cryptsetup luksAddKey /dev/sdaX

Where /dev/sdaX is the raw device for the encrypted partition. Make sure you run this as root. If you type the password wrong or use a non-root user, the error messages don’t make any sense.

You can also remove the old key, if you want, and set an external key file. For now, let's just get it working.

Install libpam-mount

pam-mount lets you mount remote directories or encrypted partitions as your home directory when you log in, and unmount them when you log out.

apt-get install libpam-mount

Make it so that pam_mount is required:

codetitle. /etc/pam.d/common-pammount

- auth       optional   pam_mount.so use_first_pass
- session    optional   pam_mount.so use_first_pass
+ auth       required   pam_mount.so use_first_pass
+ session    required   pam_mount.so use_first_pass
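Review bot: changing both lines from optional to required means that any pam_mount failure (for example the LUKS passphrase no longer matching the login password after the luksAddKey step, or the device not being present) fails the login for every service that includes common-pammount, so one bad volume entry can lock out console and gdm logins at once. Keeping optional, as in the removed lines, lets the login proceed with the home directory unmounted, which is easy to recover from; if required is wanted, it is safer to enable the include on one service such as /etc/pam.d/login and test from a second session before adding it to gdm.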
Note: I think it might be better to leave this optional; then perhaps if it fails you can still log in.

To activate pam_mount, you need to include this line in the PAM service configs that you want pam_mount to apply to:

@include common-pammount

This must come after common-session is included.

You will likely want these services to use pam-mount:

  • /etc/pam.d/gdm
  • /etc/pam.d/gdm-session
  • /etc/pam.d/login

Configure /etc/security/pam_mount.conf.xml

There are lots of options for specifying the encrypted mount, but if you followed this how-to, you can just use the defaults. At a minimum, you need an entry that looks like this:

<volume fstype="crypt" path="/dev/sda3" mountpoint="/home" />

If that doesn’t work, cryptsetup luksDump /dev/sda3 should tell you the information you need for the cipher options.

Configure /etc/security/pam_mount.conf

This is the old non-XML file format.

volume <user> <type> <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
  • user: your username
  • type: the filesystem type, or crypt for dmcrypt.
  • server: used for remote mountings, unused in our case.
  • volume: the source device to mount
  • mount point: where the device gets mounted
  • mount options: all sorts of options can be passed here, but we will just use defaults.
  • fs key cipher: used if it cannot autodetect the correct cipher
  • fs key path: if you have a separate key file (although I think luks does not use this method of key files).

In practice, the mount options for crypt can be left at the default:

volume myuser crypt - /dev/sda3 /home/myuser - - -

If that doesn’t work, cryptsetup info {name} should tell you the information you need for the cipher options.
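As an added example that is not part of this howto, here is a small shell function that converts a line in the old volume format above into the equivalent volume element for pam_mount.conf.xml. The attribute names it emits (user, fstype, server, path, mountpoint, options, fskeycipher, fskeypath) are assumed to be the ones pam_mount's XML format uses; a "-" field in the old format is treated as unset and omitted.

```sh
#!/bin/sh
# Convert one "volume ..." line of the old /etc/security/pam_mount.conf format
# into a <volume .../> element for pam_mount.conf.xml. Added example, not part
# of the howto. Attribute names follow pam_mount's XML format (assumption);
# a "-" field in the old format means "unset" and is simply left out.
old_volume_to_xml() {
    # Split the line on whitespace into positional parameters.
    # shellcheck disable=SC2086
    set -- $1
    # Exactly nine fields: the "volume" keyword plus the eight documented fields.
    if [ "$1" != "volume" ] || [ $# -ne 9 ]; then
        echo "malformed volume line: expected 'volume' plus 8 fields" >&2
        return 1
    fi
    shift
    out="<volume"
    # Old-format field order: user type server volume mountpoint options
    # fs-key-cipher fs-key-path, mapped onto the XML attribute names below.
    for attr in user fstype server path mountpoint options fskeycipher fskeypath; do
        if [ "$1" != "-" ]; then out="$out $attr=\"$1\""; fi
        shift
    done
    printf '%s />\n' "$out"
}
# Example: old_volume_to_xml 'volume myuser crypt - /dev/sda3 /home/myuser - - -'
# prints <volume user="myuser" fstype="crypt" path="/dev/sda3" mountpoint="/home/myuser" />
```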

Testing

Log in via the console, which will spit out any errors.

Comment out old options

Remove (or comment out) the lines for this partition from /etc/fstab and /etc/crypttab.

Fixes

If you get this:

pam_mount(pam_mount.c:100): unknown pam_mount option "use_first_pass"

comment out this line:

codetitle. /etc/pam.d/common-auth

auth	optional	pam_mount.so use_first_pass

There is a bug in the package.
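As an added example that is not from this howto, here is a POSIX shell script that checks the pieces of this setup the sections above touch: that a PAM service file includes common-pammount after common-session, that the common-auth line from the bug above is commented out, that the device has no leftover /etc/fstab or /etc/crypttab entries competing with pam_mount, and that pam_mount.conf.xml has a crypt volume. The /etc paths and the report_all helper are assumptions of this example, not part of pam_mount.

```sh
#!/bin/sh
# Sanity checks for a pam_mount + LUKS home setup. Added example, not part of
# the original howto. Every function takes the file paths it inspects, so the
# checks can be run against the live /etc files or against copies.

# 0 if FILE has "@include common-pammount" after "@include common-session"
# (the order the howto requires); commented-out lines are ignored.
pam_include_order_ok() {
    sess=$(grep -n '^@include[[:space:]]*common-session[[:space:]]*$' "$1" | head -n1 | cut -d: -f1)
    pmnt=$(grep -n '^@include[[:space:]]*common-pammount[[:space:]]*$' "$1" | head -n1 | cut -d: -f1)
    if [ -n "$sess" ] && [ -n "$pmnt" ] && [ "$pmnt" -gt "$sess" ]; then return 0; fi
    return 1
}

# 0 if no active "auth ... pam_mount.so ... use_first_pass" line remains in
# FILE (common-auth); the Fixes section says that line must be commented out.
no_stale_use_first_pass() {
    ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_mount\.so.*use_first_pass' "$1"
}

# 0 if DEVICE is referenced by neither FSTAB nor CRYPTTAB, so nothing opens or
# mounts it at boot and competes with pam_mount at login.
device_not_statically_mounted() {
    ! grep -Fq "$1" "$2" 2>/dev/null && ! grep -Fq "$1" "$3" 2>/dev/null
}

# 0 if the pam_mount.conf.xml at FILE contains a <volume fstype="crypt" ...> entry.
has_crypt_volume() {
    grep -Eq '<volume[^>]*fstype="crypt"' "$1"
}

# Run all checks for one PAM service file and device under ROOT (default "",
# i.e. the real /etc); prints PASS/FAIL per check, returns the failure count.
report_all() {
    svc="$1"; dev="$2"; root="${3:-}"; fails=0
    for chk in \
        "pam_include_order_ok $svc" \
        "no_stale_use_first_pass $root/etc/pam.d/common-auth" \
        "device_not_statically_mounted $dev $root/etc/fstab $root/etc/crypttab" \
        "has_crypt_volume $root/etc/security/pam_mount.conf.xml"; do
        if $chk; then echo "PASS: $chk"; else echo "FAIL: $chk"; fails=$((fails + 1)); fi
    done
    return "$fails"
}
# Example: report_all /etc/pam.d/login /dev/sda3
```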


An alternative approach could be using ecryptfs to store your ~; it uses per-file encryption and sits on top of some existing fs (e.g. ext3). It can be practical if, for example, you don't want to repartition your drives or don't use LVM. You could also use ecryptfs to achieve so-called 2-level laptop encryption.
I personally don't like ecryptfs, just stating it as an alternative option.


Yeah, this tutorial was written before ecryptfs was available. I think that is the preferred method now.


ecryptfs is the preferred method? I still prefer LUKS myself.


dkg: in fact I use both on some systems; e.g. LUKS on a partition or device, and then ecryptfs for /homes inside that.


me too! luks then ecryptfs then luks again!