I recently did a new Debian install on my laptop after upgrading the NVMe and this time round I set up LUKS disk encryption for my /home partition. I want this to be as hassle-free as possible, which means having the partition automatically unlocked and mounted when I log in, rather than having to type a separate password on boot.
It’s not as straightforward as you might think, I guess because everyone’s setup and requirements are a little different. So I’ll write my notes here in case it’s useful to someone else. I’m doing this on Debian, but I cribbed a lot of it from the excellent Arch wiki.
When first setting up the encrypted partition make sure that the disk password is the same as your login password. This will be important later.
/etc/crypttab is read early in boot by systemd (see its crypttab man page). Systemd then calls cryptsetup on each entry in this file to unlock the partition. This is where the boot-time password prompt that we want to get rid of comes from. Simply add noauto to the options list at the end of the entry and systemd will skip it:

nvme0n1p3_crypt UUID=XXXX-XXXX none luks,discard,noauto
Edit /etc/fstab to comment out or remove the entry for /home: we’ll be using pam_mount to do this directly.
Install pam_mount:

sudo apt install libpam-mount

This is a PAM plugin that can mount arbitrary filesystems whenever a user logs in and unmount them when they log out. We can also use it to unlock an encrypted partition using the user’s password before mounting. This is why the login password and the disk password must be the same. Open /etc/security/pam_mount.conf.xml and add these lines to it:
<volume user="nick" fstype="crypt" path="/dev/nvme0n1p3" mountpoint="nvme0n1p3_crypt" />
<volume user="nick" fstype="auto" path="/dev/mapper/nvme0n1p3_crypt" mountpoint="/home" options="defaults,relatime,discard" />
<cryptmount>cryptsetup open --allow-discards %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>cryptsetup close %(MNTPT)</cryptumount>
We need to add two <volume> entries. The first, with fstype="crypt", unlocks the physical LUKS partition (/dev/nvme0n1p3) and creates a new volume that we can mount as a normal filesystem (/dev/mapper/nvme0n1p3_crypt); for a crypt volume the mountpoint attribute is the device-mapper name, which pam_mount passes to cryptsetup as %(MNTPT). The second, with fstype="auto", mounts that unlocked volume on /home. Obviously change the user name and physical device path to match your system. The <cryptmount> and <cryptumount> entries tell pam_mount how to open and close the encrypted partition when fstype="crypt". Note that I’ve added the --allow-discards option here, which enables the SSD TRIM command to reduce wear on the disk but has some security implications which you might want to read up on.
Reboot and check everything works. If you have problems, try adding

<debug enable="1" />

to pam_mount.conf.xml and log in on a text console. This will print some diagnostic messages.
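Before rebooting, it is worth checking that the three edits above are consistent with each other: the crypttab entry really has noauto, fstab no longer mounts /home, and the mapper name created by the crypt volume is the device the second volume mounts. The following Python script is an added example, not code from the original post or from pam_mount itself; it reads the three files as text, so it can be run on copies of them offline. The sample crypttab, fstab and pam_mount.conf.xml contents embedded at the bottom are constructed to mirror the setup above, with placeholder UUIDs.

```python
#!/usr/bin/env python3
"""Offline sanity check for the crypttab / fstab / pam_mount.conf.xml changes
described above. Added example, not part of the original post; the sample
file contents at the bottom are constructed to mirror the post's setup."""
import xml.etree.ElementTree as ET


def crypttab_noauto(crypttab_text, mapper_name):
    """True if the crypttab entry for mapper_name carries 'noauto', i.e.
    systemd will not prompt for it at boot and leaves the unlock to pam_mount."""
    for line in crypttab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != mapper_name:
            continue
        options = fields[3].split(",") if len(fields) >= 4 else []
        return "noauto" in options
    return False  # no entry at all


def fstab_mounts(fstab_text, mountpoint):
    """True if an uncommented fstab line still mounts mountpoint; for this setup
    the /home line must be gone, or boot will try to mount it before login."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#") and fields[1] == mountpoint:
            return True
    return False


def check_pam_mount(xml_text, user, mountpoint="/home"):
    """Return a list of problems with the pam_mount volume pair for user.

    For an fstype="crypt" volume the 'mountpoint' attribute is the device-mapper
    name handed to 'cryptsetup open' as %(MNTPT), so the second volume must mount
    /dev/mapper/<that name>. Both <cryptmount> and <cryptumount> must be present.
    """
    problems = []
    root = ET.fromstring(xml_text)
    mine = [v for v in root.iter("volume") if v.get("user") == user]
    crypt = [v for v in mine if v.get("fstype") == "crypt"]
    fs = [v for v in mine if v.get("mountpoint") == mountpoint]
    if not crypt:
        problems.append(f'no fstype="crypt" volume for user {user}')
    if not fs:
        problems.append(f"no volume mounting {mountpoint} for user {user}")
    if crypt and fs:
        mapper = crypt[0].get("mountpoint") or ""
        if "/" in mapper:
            problems.append("crypt volume mountpoint must be a bare mapper name")
        expected = f"/dev/mapper/{mapper}"
        if fs[0].get("path") != expected:
            problems.append(f"{mountpoint} volume path {fs[0].get('path')!r} is not {expected!r}")
    for tag in ("cryptmount", "cryptumount"):
        node = root.find(tag)
        if node is None or not (node.text or "").strip():
            problems.append(f"missing <{tag}> command")
    return problems


def check_setup(crypttab_text, fstab_text, pam_xml, user, mapper_name, mountpoint="/home"):
    """Combine the three checks; an empty list means the setup is consistent."""
    problems = []
    if not crypttab_noauto(crypttab_text, mapper_name):
        problems.append(f"crypttab entry {mapper_name} lacks noauto (boot will prompt)")
    if fstab_mounts(fstab_text, mountpoint):
        problems.append(f"fstab still mounts {mountpoint}; pam_mount should do that")
    problems.extend(check_pam_mount(pam_xml, user, mountpoint))
    return problems


# Constructed sample inputs mirroring the post (UUIDs are placeholders).
CRYPTTAB_OK = "nvme0n1p3_crypt UUID=XXXX-XXXX none luks,discard,noauto\n"
CRYPTTAB_BAD = "nvme0n1p3_crypt UUID=XXXX-XXXX none luks,discard\n"
FSTAB_OK = ("UUID=ROOT-UUID / ext4 errors=remount-ro 0 1\n"
            "# /dev/mapper/nvme0n1p3_crypt /home ext4 defaults 0 2\n")
FSTAB_BAD = FSTAB_OK.replace("# /dev", "/dev")
PAM_OK = """<pam_mount>
<volume user="nick" fstype="crypt" path="/dev/nvme0n1p3" mountpoint="nvme0n1p3_crypt" />
<volume user="nick" fstype="auto" path="/dev/mapper/nvme0n1p3_crypt" mountpoint="/home"
        options="defaults,relatime,discard" />
<cryptmount>cryptsetup open --allow-discards %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>cryptsetup close %(MNTPT)</cryptumount>
</pam_mount>"""
# A typo in the mapper name is the classic mistake: the volume pair no longer lines up.
PAM_BAD = PAM_OK.replace('path="/dev/mapper/nvme0n1p3_crypt"', 'path="/dev/mapper/home_crypt"')

if __name__ == "__main__":
    for label, args in (("good", (CRYPTTAB_OK, FSTAB_OK, PAM_OK)),
                        ("bad", (CRYPTTAB_BAD, FSTAB_BAD, PAM_BAD))):
        print(label, check_setup(*args, "nick", "nvme0n1p3_crypt") or "OK")
```

To run it against a real machine, read /etc/crypttab, /etc/fstab and /etc/security/pam_mount.conf.xml into strings and pass them to check_setup with your user name and mapper name; an empty list means the three files agree with each other, and each string in a non-empty list points at the file to fix.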