How to Auto-Mount LUKS Partition


How do I automount a LUKS encrypted partition in a secure way? Ideally either when I log on (and therefore enter my password at the login screen), or once I get to the desktop, have Ubuntu ask for my password and then automount the partition?

The contents of my fdisk are below.

The encrypted partition is /dev/sdb7, my root and home partition is /dev/sdb5 (which isn't encrypted).

Disk /dev/loop0: 14 MiB, 14647296 bytes, 28608 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/loop1: 81.7 MiB, 85692416 bytes, 167368 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x0006d9d9

Device     Boot     Start        End    Sectors   Size Id Type
/dev/sda1            2048  524646399  524644352 250.2G  7 HPFS/NTFS/exFAT
/dev/sda2  *    524646400 1953523711 1428877312 681.4G 83 Linux


Disk /dev/sdb: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1ffae910

Device     Boot     Start       End   Sectors   Size Id Type
/dev/sdb1       214892542 976773119 761880578 363.3G  5 Extended
/dev/sdb2  *         2048   2150399   2148352     1G 83 Linux
/dev/sdb5       214892544 257558559  42666016  20.4G 83 Linux
/dev/sdb6       300716032 318294015  17577984   8.4G 82 Linux swap / Solaris
/dev/sdb7       318296064 976773119 658477056   314G 83 Linux

Partition table entries are not in disk order.

Best Answer

Using pam-mount

You can use pam-mount to do this. It will hook into the login process and thus be able to use the entered password for mounting a LUKS partition. Here's how to set it up:

Create a test LUKS image

Skip this section if you have a LUKS-encrypted partition or image already.

Create a file called .priv in your home directory with size 1GB:

truncate -s 1G ~/.priv

Format the image using LUKS and set a password (use the same as your login password):

cryptsetup luksFormat ~/.priv

Enable the image:

sudo cryptsetup luksOpen ~/.priv priv

Create a file system on the new device:

sudo mkfs.ext4 /dev/mapper/priv

Disable the image again:

sudo cryptsetup luksClose priv

Install and set up pam-mount

Install the package:

sudo apt install libpam-mount

Edit the configuration file /etc/security/pam_mount.conf.xml and add the following line to it:

<volume path="~/.priv" mountpoint="~/priv" />

Add this right after where it says <!-- Volume definitions -->. Notice the subtle but important difference in the path and mountpoint arguments. In your particular case you would use path="/dev/sdb7".

Now log in to your machine and you should notice that it takes a little longer than usual. After successful login you can check, using the mount command, that there is now a new file system mounted in your home. It should look similar to this:

/dev/mapper/_dev_loop3 on /home/seb/priv type ext4 (rw,relatime,data=ordered,helper=crypt)

Use for /home/USER

I am using this setup for mounting my home directory (/home/seb) from a LUKS encrypted image on Ubuntu 18.04. pam_mount will also take care of unmounting the image after I log out. As such it is a nice way to get at least some encryption if during installation you did not choose full disk encryption.
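The configuration edit and the post-login check from the answer above, as an added shell example that is not part of the original answer. The function names add_volume and is_crypt_mounted are hypothetical, the demo runs on a constructed sample file rather than the real /etc/security/pam_mount.conf.xml, and the mount check assumes output shaped like the line quoted in the answer.

```shell
#!/bin/sh
# Added example: idempotently insert a pam_mount <volume> entry after the
# "<!-- Volume definitions -->" marker, keeping a backup of the file.
MARKER='<!-- Volume definitions -->'

# add_volume CONF PATH MOUNTPOINT
# Returns 0 if the entry is present afterwards, 1 on a usage or I/O error,
# 2 if the marker comment is missing (the file is then left untouched).
add_volume() {
    conf=$1 vpath=$2 mnt=$3
    [ -f "$conf" ] && [ -n "$vpath" ] && [ -n "$mnt" ] || return 1
    entry="<volume path=\"$vpath\" mountpoint=\"$mnt\" />"
    # Already configured: do nothing, so repeated runs never duplicate it.
    grep -qF -- "$entry" "$conf" && return 0
    grep -qF -- "$MARKER" "$conf" || return 2
    cp -p -- "$conf" "$conf.bak" || return 1   # rollback copy
    tmp=$(mktemp) || return 1
    awk -v m="$MARKER" -v e="$entry" '
        { print }
        index($0, m) && !done { print e; done = 1 }
    ' "$conf.bak" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# is_crypt_mounted MOUNTPOINT   (reads `mount` output on stdin)
# Succeeds only if MOUNTPOINT is backed by a /dev/mapper device that was
# set up through the crypt helper, as in the line shown in the answer.
is_crypt_mounted() {
    awk -v m="$1" '
        $1 ~ /^\/dev\/mapper\// && $2 == "on" && $3 == m && /helper=crypt/ { ok = 1 }
        END { exit !ok }'
}

# Demo on a constructed sample config (not the real system file).
demo=$(mktemp)
printf '%s\n' '<pam_mount>' '<!-- Volume definitions -->' '</pam_mount>' > "$demo"
add_volume "$demo" /dev/sdb7 '~/priv' && cat "$demo"
rm -f "$demo" "$demo.bak"
```

After logging in again, `mount | is_crypt_mounted "$HOME/priv"` confirms that the mount point is served by the decrypted mapper device and not by a plain directory on the unencrypted home partition.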
