In this howto we will make it so your encrypted home directory will get automatically mounted and unmounted when you log in and out.

There are many options; for this howto we will use dmcrypt with LUKS. On Ubuntu, the preferred default method is eCryptfs instead.

Make sure you have encrypted swap before starting this tutorial.

Related reading

Install cryptsetup

If cryptsetup is not already installed:

# apt-get install cryptsetup
# modprobe -a aes dm_mod dm_crypt sha256

The modprobe line will force the crypt module to get loaded. You only have to do this the first time (or restart after installing cryptsetup).

Create an encrypted partition

If you do not already have an encrypted partition, follow these steps:

Create and format encrypted partition:

cryptsetup luksFormat /dev/sdaX
cryptsetup luksOpen /dev/sdaX crypt-home
mkfs.ext4 /dev/mapper/crypt-home

Sync the old data onto the new partition:

mount /dev/mapper/crypt-home /mnt
rsync -tarv /home/username /mnt

Change your passphrase

If you want to be able to type your passphrase once on login, then the encryption needs to be done with the same passphrase as your user authentication.

To add a passphrase to an existing dmcrypt partition:

# cryptsetup luksAddKey /dev/sdaX

Where /dev/sdaX is the raw device for the encrypted partition. Make sure you run this as root. If you type the password wrong or use a non-root user, the error messages don’t make any sense.

You can also remove the old key, if you want, and set an external key file. For now, let's just get it working.

Install libpam-mount

pam-mount lets you mount remote directories or encrypted partitions as your home when you log in and out.

apt-get install libpam-mount

Make pam_mount required:

codetitle. /etc/pam.d/common-pammount

- auth       optional   pam_mount.so use_first_pass
- session    optional   pam_mount.so use_first_pass
+ auth       required   pam_mount.so use_first_pass
+ session    required   pam_mount.so use_first_pass
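Review bot: changing both lines from `optional` to `required` means that any pam_mount failure (device not present, or a LUKS passphrase that does not match the login password passed via use_first_pass) fails the whole auth and session stacks, so the user is locked out entirely instead of logging in without the home volume; the note below argues for `optional` for exactly that reason, so either keep `optional` here or state why a hard failure is wanted.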
Note: I think it might be better to leave this optional; then, if it fails, you can still log in.

To activate pam-mount, include this line in the PAM service configs that you want pam_mount to apply to:

@include common-pammount

This must come after common-session is included.
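As an added example (not part of the original howto), here is a small POSIX sh check for the ordering rule above: it verifies that a PAM service file has an active @include of common-pammount and that it comes after the @include of common-session. The function names include_line and pammount_order_ok are mine, and the Debian-style @include layout shown on this page is assumed.

```shell
#!/bin/sh
# Added example: verify "@include common-pammount" comes after
# "@include common-session" in a PAM service file (e.g. /etc/pam.d/login).
# Assumes the Debian "@include" layout used in this howto.

# Print the line number of the first active (uncommented) "@include $2"
# in file $1; print nothing if that include is absent.
include_line() {
    grep -n -E "^[[:space:]]*@include[[:space:]]+$2([[:space:]]|$)" "$1" \
        | head -n 1 | cut -d: -f1
}

# Exit status: 0 = common-pammount is included after common-session,
# 1 = common-pammount is not included at all (or only commented out),
# 2 = it is included but before common-session (or common-session is missing).
pammount_order_ok() {
    session_at=$(include_line "$1" common-session)
    pammount_at=$(include_line "$1" common-pammount)
    [ -n "$pammount_at" ] || return 1
    [ -n "$session_at" ] && [ "$pammount_at" -gt "$session_at" ] || return 2
    return 0
}

# Demo on a constructed service file (not a real /etc/pam.d entry):
tmp=$(mktemp)
printf '@include common-auth\n@include common-session\n@include common-pammount\n' > "$tmp"
pammount_order_ok "$tmp"; echo "ordering check exit status: $?"   # 0 means the order is right
rm -f "$tmp"
```

Run it against each service you add the include to, for example `pammount_order_ok /etc/pam.d/login`; a non-zero status tells you which of the two mistakes (missing include, wrong order) you made.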

You will likely want these services to use pam-mount:

Configure /etc/security/pam_mount.conf.xml

There are lots of options for specifying the encrypted mount, but if you followed this how-to, you can just use the defaults. At a minimum, you need an entry that looks like this:

<volume fstype="crypt" path="/dev/sda3" mountpoint="/home" />

If that doesn’t work, cryptsetup luksDump /dev/sda3 should tell you the information you need for the cipher options.

Configure /etc/security/pam_mount.conf

This is the old non-XML file format.

volume <user> <type> <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>

In practice, the mount options for crypt can be left at the default:

volume myuser crypt - /dev/sda3 /home/myuser - - -

If that doesn’t work, cryptsetup info {name} should tell you the information you need for the cipher options.

Testing

Log in via the console; if something is misconfigured, pam_mount will print its errors there.

Comment out old options

Remove (or comment out) the old entries for this partition from /etc/fstab and /etc/crypttab, otherwise the system will try to open or mount it at boot as well as at login.
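As an added example (not from the original howto), the following POSIX sh script ties the pam_mount.conf.xml volume entry from the earlier section to this clean-up step: it reads each fstype="crypt" volume from the XML file and flags any still-active (uncommented) /etc/fstab line that uses the same device or mountpoint, and any /etc/crypttab line whose source device is that path. The function names attr, active_lines and conflicts are mine; it assumes one <volume .../> element per line, as in the entry shown above, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example: find leftover fstab/crypttab entries that clash with the
# volumes pam_mount is going to handle. Assumes one <volume .../> per line.

# attr NAME LINE: print the value of NAME="value" from an XML element on LINE.
# The leading whitespace in the pattern keeps "path" from matching "fskeypath".
attr() {
    printf '%s\n' "$2" | sed -n -E "s/.*[[:space:]]$1=\"([^\"]*)\".*/\1/p"
}

# Print the non-blank, non-comment lines of file $1 (nothing if it is missing).
active_lines() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" 2>/dev/null
}

# conflicts XML FSTAB CRYPTTAB
# For every fstype="crypt" volume in XML, print fstab lines whose device or
# mountpoint matches it and crypttab lines whose source device matches it.
# Exit status 0 when nothing clashes, 1 when at least one line was printed.
conflicts() {
    xml=$1; fstab=$2; crypttab=$3
    out=$(
        grep -E '<volume[^>]*fstype="crypt"' "$xml" 2>/dev/null \
        | while IFS= read -r vol; do
            dev=$(attr path "$vol")
            mp=$(attr mountpoint "$vol")
            # fstab: <device> <mountpoint> <type> <options> ...
            active_lines "$fstab" \
                | awk -v d="$dev" -v m="$mp" '$1 == d || $2 == m { print "fstab: " $0 }'
            # crypttab: <name> <device> <keyfile> <options>
            active_lines "$crypttab" \
                | awk -v d="$dev" '$2 == d { print "crypttab: " $0 }'
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage on a real system (prints nothing and exits 0 when the cleanup is done):
conflicts /etc/security/pam_mount.conf.xml /etc/fstab /etc/crypttab \
    && echo "no leftover fstab/crypttab entries for pam_mount volumes"
```

Anything the script prints is a line that will race pam_mount at boot or login: the crypttab entry opens the LUKS device under a different mapper name, and the fstab entry mounts something else on the user's mountpoint before pam_mount gets there.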

Fixes

If you get this:

pam_mount(pam_mount.c:100): unknown pam_mount option "use_first_pass"

comment out this line in /etc/pam.d/common-auth:

codetitle. /etc/pam.d/common-auth

auth	optional	pam_mount.so use_first_pass

This is caused by a bug in the package.