Re: How to create /home/user backed by LUKS device decrypted on login
From: Guillaume Le Vaillant
Subject: Re: How to create /home/user backed by LUKS device decrypted on login
Date: Mon, 01 Mar 2021 09:36:08 +0100
User-agent: mu4e 1.4.15; emacs 27.1

Dr. Arne Babenhauserheide <arne_bab@web.de> skribis:
> Hi,
>
> The manual describes how to setup an encrypted root[1], but I got lost
> trying to find out how to setup a user such that the device is opened at
> login (with a prompt for the password) and closed at logout.
>
> I need the --allow-discards option to cryptsetup open, to be
> equivalent to the following:
>
> sudo cryptsetup open --allow-discards --type luks /dev/nvmeXnXp1 my-user
>
> I need the user-home to be encrypted, i.e.
>
> mount LABEL=my-user /home/my-user
>
> I’d like to set this in my /etc/config.scm but currently I have to
> decrypt before logging in.
>
> [1]:
> https://guix.gnu.org/manual/en/html_node/Keyboard-Layout-and-Networking-and-Partitioning.html
> https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
>
> Best wishes,
> Arne

Hi,

You can use the pam-mount service[1] to decrypt a user's home at login,
but it will not create the encrypted volume automatically if it does not
exist; you have to create it yourself.

Also, if you create a LUKS2 volume, you can activate the discard feature
with "cryptsetup --allow-discards --persistent open /dev/xxx path", and
then you won't need to pass the "--allow-discards" option when mounting
the volume anymore.

[1]: https://guix.gnu.org/manual/en/html_node/PAM-Mount-Service.html
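
The pam-mount setup suggested in the reply above could look like the following fragment of /etc/config.scm. This is an added example, not part of the original message and not the Guix project's own code. The user name and device path are taken from the quoted question (/dev/nvmeXnXp1 is a placeholder for the real LUKS partition), and the names %luks-user, %luks-device and %pam-mount-luks-service are hypothetical.

```scheme
;; Added example: fragment for /etc/config.scm.
(use-modules (gnu))
(use-service-modules pam-mount)

;; Assumptions: values from the quoted question; the device path is a
;; placeholder and must be replaced with the real LUKS partition.
(define %luks-user "my-user")
(define %luks-device "/dev/nvmeXnXp1")

;; SXML that the service renders into pam_mount.conf.xml.
(define pam-mount-rules
  `((debug (@ (enable "0")))
    ;; fstype "crypt" tells pam_mount to unlock the LUKS container with
    ;; the password typed at login and mount the file system inside it.
    (volume (@ (user ,%luks-user)
               (fstype "crypt")
               (path ,%luks-device)
               (mountpoint ,(string-append "/home/" %luks-user))))
    ;; At logout, unmount without signalling leftover processes.
    (logout (@ (wait "0") (hup "0") (term "no") (kill "no")))
    ;; Create the mount point if it is missing, remove it afterwards.
    (mkmountpoint (@ (enable "1") (remove "true")))))

;; Add this to the `services' field of the operating-system definition,
;; for example with (cons %pam-mount-luks-service %base-services).
(define %pam-mount-luks-service
  (service pam-mount-service-type
           (pam-mount-configuration
            (rules pam-mount-rules))))
```

pam_mount hands the login password to the unlock step, so that password has to be one of the volume's LUKS passphrases. No discard option appears in the volume rule because the --persistent flag from the reply stores it in the LUKS2 header.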