# Encrypt /home: cannot emerge pam_mount

## Ruffman

Hi, 

I have installed Gentoo and now I want to encrypt my /home folder following this description.

First I had to add some USE flags (static-libs, lock, session, startup-notification, thunar) and also had to enable the ~x86 keyword.

After that the emerge begins. It stops compiling on 'sys-apps/util-linux-2.21' with this error log:

Can someone give me a hint about what I have done wrong?

----------

## Ruffman

OK, I could emerge util-linux-2.20 if I take away the ~x86 keyword. Unfortunately, it then stops compiling pam_mount-2.11 itself. I have to add the keyword again to my make.conf to emerge pam_mount-2.13 without problems. I know I can add package-specific USE flags inside /etc/portage/package.use, but this doesn't seem to work for keywords. Is there a package-level ACCEPT_KEYWORDS anywhere?

----------

## Dont Panic

Simple, add

```
~pam_mount-2.13 ~x86
```

to the /etc/portage/package.keywords file.

If your /etc/portage/package.keywords is a directory instead of a file, check this forum post:

https://forums.gentoo.org/viewtopic-t-871807-start-0.html
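As an added illustration of the per-package keyword entry above (this is example code, not something from Dont Panic's post or from Portage itself): the helper below appends the entry whether /etc/portage/package.keywords is a single file or a directory of fragments, and does so idempotently so repeated runs do not duplicate lines. It assumes pam_mount lives in the sys-auth category (Portage package.* files take full atoms with the category), and PORTAGE_ETC is a hypothetical override so the functions can be exercised on a scratch directory instead of /etc.

```shell
#!/bin/sh
# Added example, not from the forum post. Per-package ACCEPT_KEYWORDS entry
# for both layouts of package.keywords (file or directory).
# PORTAGE_ETC is an assumed override; the real location is /etc/portage.
PORTAGE_ETC="${PORTAGE_ETC:-/etc/portage}"

# add_keyword ATOM KEYWORD
# Appends "ATOM KEYWORD" to package.keywords exactly once.
add_keyword() {
    atom="$1"; keyword="$2"
    target="$PORTAGE_ETC/package.keywords"
    if [ -d "$target" ]; then
        # Directory form: Portage reads every file inside it, so keep one
        # fragment per package, named category_package (operator and
        # version stripped, '/' replaced by '_').
        pkg=$(printf '%s' "$atom" | sed 's/^[<>=~]*//; s/-[0-9][^/]*$//; s,/,_,g')
        target="$target/$pkg"
    fi
    # Whole-line, fixed-string match: entry already there means nothing to do.
    if [ -f "$target" ] && grep -qxF "$atom $keyword" "$target"; then
        return 0
    fi
    printf '%s %s\n' "$atom" "$keyword" >> "$target"
}

# has_keyword ATOM KEYWORD -> exit 0 if the entry exists in either layout.
has_keyword() {
    target="$PORTAGE_ETC/package.keywords"
    if [ -d "$target" ]; then
        grep -rqxF "$1 $2" "$target"
    else
        [ -f "$target" ] && grep -qxF "$1 $2" "$target"
    fi
}

# Example use (assumed category sys-auth for pam_mount):
# add_keyword '~sys-auth/pam_mount-2.13' '~x86'
```

Run with PORTAGE_ETC pointing at a scratch directory first; once the entry looks right, `emerge -pv pam_mount` should show the 2.13 version accepted without touching ACCEPT_KEYWORDS in make.conf.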

----------

## SamuliSuominen

Disable USE="loop-aes" which is making your util-linux fail. Why do you have that USE flag enabled?

----------

## Dont Panic

To elaborate on ssuominen's post, the newer way to implement encryption is with dm-crypt/luks.

The support for loop-aes in util-linux is becoming intermittent, on its way to being deprecated (if not already).

It's cooler to learn dm-crypt/luks anyway. You can use that to encrypt your whole root partition.

----------

## Ruffman

Thanks for the info on the package USE flag.

Am I right if I assume that LUKS forces me to insert an additional password for any encrypted partition (maybe except swap)?

Currently I'm on 4 partitions (root, boot, home, swap) and I want to avoid having to enter at least 4 passwords on startup.

But I have a fingerprint reader on my Thinkpad T420. If there is a possibility to wrap these passwords inside a simple fingerprint detection, I could live with it. There are several "Intel Security Modes" in the BIOS, but I assume that most of them work on Windows systems only. Please correct me if I'm wrong.

----------

## Hu

Each LUKS volume requires a password or passphrase to unlock.  However, there is no requirement that the passphrase come from the keyboard.  You could arrange for one volume to have keys which unlock the others.  You could place an LVM inside a LUKS container, so that unlocking the container gives you access to all the LVM volumes.  Both of these trade some security for the convenience of entering fewer passwords.

----------

## Dont Panic

According to the Arch Wiki entry for the ThinkPad T420, your finger print reader should be supported under Linux.

https://wiki.archlinux.org/index.php/Lenovo_ThinkPad_T420#FingerPrint_Reader

There are ebuilds for fingerprint-gui in various overlays.

Re-reading the thread, I think I may have inadvertently confused things somewhat, and I'd like to clarify that loop-aes support in sys-apps/util-linux is not necessary for implementing ecryptfs.

If you want to implement ecryptfs, just build sys-apps/util-linux without the "loop-aes" USE flag.

If you want to manage everything with pam authentication, this might be a simpler route.

If your /home directory is in its own partition, you can encrypt the entire partition with dm-crypt, and you'll only be prompted once for that password. If you wanted to encrypt all of your partitions with dm-crypt, you can set up keys, as Hu mentioned.

There are trade-offs with either approach.

With ecryptfs, there's still a lot of information in your directory structure that is visible to a sophisticated attacker.

With a dm-crypt encrypted partition, all an attacker sees is one big blob.

However, with ecryptfs, it's easier to back up your information without decrypting it.

Either approach is probably sufficient for most normal cases of theft or loss of your laptop.  If built correctly with proper password practices, it would take a very sophisticated entity to access your data either way.
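The "set up keys" idea from Hu's post and this one (one volume unlocked by passphrase, the others unlocked by key material stored inside it) as an added worked example; this is example code, not Hu's or Dont Panic's, and not part of cryptsetup. It assumes root is already a LUKS volume opened by passphrase at boot, /home is a second LUKS volume on an assumed /dev/sda4, and the key directory /etc/luks-keys is an assumed path. The key file is only as well protected as the root passphrase, which is exactly the trade-off Hu mentions. The /etc/conf.d/dmcrypt stanza is what Gentoo's OpenRC dmcrypt init script reads; on systemd hosts the equivalent line goes in /etc/crypttab. DRY_RUN (an assumed switch) prints the privileged cryptsetup/LVM commands instead of running them, so the script can be read and tested without root; the LVM sizes in the last function are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread. Shows the keyfile approach Hu
# describes: /home (assumed /dev/sda4) gets a random key file that lives on
# the encrypted root, so the root passphrase is the only one typed at boot.
# DRY_RUN=1 (default) prints privileged commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
KEYDIR="${KEYDIR:-/etc/luks-keys}"   # assumed location

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# make_keyfile PATH: 4 KiB from /dev/urandom, created under umask 077 so it
# is never world-readable even for an instant, then locked to mode 0400.
make_keyfile() {
    ( umask 077
      mkdir -p "$(dirname "$1")"
      dd if=/dev/urandom of="$1" bs=4096 count=1 2>/dev/null
      chmod 0400 "$1" )
}

# keyfile_ok PATH: exit 0 only if PATH is a regular 4096-byte file, mode 0400.
# Use this as a sanity check before enrolling the key or at boot time.
keyfile_ok() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 4096 ] || return 1
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "400" ]
}

# enrol_home_key DEVICE KEYFILE: add the key file as an extra LUKS key slot.
# The passphrase set at luksFormat time stays valid as a fallback.
enrol_home_key() { run cryptsetup luksAddKey "$1" "$2"; }

# dmcrypt_entry NAME DEVICE KEYFILE: stanza for /etc/conf.d/dmcrypt (OpenRC).
# Equivalent /etc/crypttab line would be: "NAME DEVICE KEYFILE luks".
dmcrypt_entry() { printf "target=%s\nsource='%s'\nkey='%s'\n" "$1" "$2" "$3"; }

# setup_lvm_in_luks DEVICE: Hu's other option, one LUKS container holding an
# LVM volume group, so a single passphrase exposes root, swap and home.
setup_lvm_in_luks() {
    run cryptsetup luksFormat "$1"
    run cryptsetup open "$1" cryptlvm
    run pvcreate /dev/mapper/cryptlvm
    run vgcreate vg0 /dev/mapper/cryptlvm
    run lvcreate -L 20G -n root vg0       # placeholder sizes
    run lvcreate -L 4G -n swap vg0
    run lvcreate -l 100%FREE -n home vg0
}

# Typical sequence for the keyfile layout (assumed device /dev/sda4):
# make_keyfile "$KEYDIR/home.key" && keyfile_ok "$KEYDIR/home.key" \
#   && enrol_home_key /dev/sda4 "$KEYDIR/home.key" \
#   && dmcrypt_entry home /dev/sda4 "$KEYDIR/home.key" >> /etc/conf.d/dmcrypt
```

Two things worth checking after doing this for real: `cryptsetup luksDump /dev/sda4` should list two occupied key slots (passphrase plus key file), and the key file must stay on the encrypted root with mode 0400; a copy of it on an unencrypted /boot or a backup medium hands over /home to whoever holds that medium.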

----------

## Ruffman

I give up on ecryptfs because of the pam_mount module, which didn't want to mount the ecryptfs .Private folder. And if I have to mount my /home with ecryptfs manually, I prefer to use dm-crypt and type in an encryption password.

----------

## Dont Panic

I've been using dm-crypt for a while now on my netbook, and have had good success.

I added dm-crypt keys later so I could mount subsequent dm-crypt partitions after mounting the first encrypted partition.

I haven't run across much about ecryptfs.  It reinforces my impression that dm-crypt is more popular right now.

----------

