# [HOW?] Mount an encrypted partition at login

## RemcoNL

I'd like to create an encrypted partition of 10 GB on my laptop (to symlink my .thunderbird, .mozilla, .ooo, .licq, and just some sensitive documents). Ideally, it should be mounted when I log in (using GDM).

The most promising information I found so far is this tutorial: Gentoo encryption with dm-crypt and luks, but it assumes manual mounting using a passphrase.

Most other howto's are years old. Does anybody use the setup I want, and/or can someone point me in the right direction?

For the record: I will not use a swapfile, and /tmp is symlinked to /dev/shm (ramdrive), so having only one directory encrypted within my home directory should be sufficient. I always lock my display when I leave my computer; the encryption is mainly to secure my data in case of theft (or if I ever just forget my laptop in a train).

----------

## alex.blackbit

I am not sure about this, but you can have a look at sys-auth/pam_mount.

----------

## RaraRasputin

The tutorial shows you how to create an encrypted volume. To mount it at login, just read the man pages of pam_mount and pam_mount.conf.

Basically you have to add two lines to your /etc/pam.d/system-auth file:

Add this as the last line of the "auth"-section:

```
auth            optional        pam_mount.so try_first_pass
```

And this as the last line of the "session"-section:

```
session         optional        pam_mount.so
```

try_first_pass means that pam tries to use your user's password to mount the encrypted partition, so your login password and the encryption password should be the same.

Additionally you have to add a line like the following to /etc/security/pam_mount.conf.xml:

```
<volume user="john" fstype="crypt" path="/dev/my_encrypted_device" mountpoint="/home/john" />
```

-rasp
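
A way to check the three edits described in the post above before relying on them at the next login, as an added example that is not part of the original post. The surrounding PAM stack, the function names and the idea of linting the files are assumptions made for illustration; the pam_mount.so lines and the `<volume>` entry are the ones quoted in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files, modelled on the lines quoted in the post above.
SAMPLE_PAM = """\
auth      required  pam_env.so
auth      required  pam_unix.so try_first_pass likeauth nullok
auth      optional  pam_mount.so try_first_pass
account   required  pam_unix.so
session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_mount.so
"""
SAMPLE_XML = """\
<pam_mount>
  <volume user="john" fstype="crypt" path="/dev/my_encrypted_device" mountpoint="/home/john" />
</pam_mount>
"""

# type, control (plain word or [bracketed]), module, arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def pam_modules(pam_text, section):
    """Module file names of one PAM type ("auth", "session"), in stack order."""
    modules = []
    for line in pam_text.splitlines():
        match = PAM_LINE.match(line.split("#", 1)[0].strip())
        if match and match.group(1) == section:
            modules.append(match.group(3).rsplit("/", 1)[-1])
    return modules

def check_pam_mount(pam_text, xml_text, user):
    """Return a list of problems; an empty list means the setup matches the post."""
    problems = []
    for section in ("auth", "session"):
        modules = pam_modules(pam_text, section)
        if "pam_mount.so" not in modules:
            problems.append(f"{section}: no pam_mount.so line")
        elif modules[-1] != "pam_mount.so":
            problems.append(f"{section}: pam_mount.so is not the last line")
    volumes = list(ET.fromstring(xml_text).iter("volume"))
    if not any(v.get("user") == user for v in volumes):
        problems.append(f"no <volume> entry for user {user}")
    for v in volumes:
        if v.get("user") is None:
            problems.append(f"{v.get('path')}: no user= attribute, not limited to one user")
        elif v.get("user") == user and v.get("fstype") != "crypt":
            problems.append(f"{v.get('path')}: fstype is {v.get('fstype')}, not crypt")
    return problems

if __name__ == "__main__":
    print(check_pam_mount(SAMPLE_PAM, SAMPLE_XML, "john") or "ok")
```

To run it against a real system, pass the contents of /etc/pam.d/system-auth and /etc/security/pam_mount.conf.xml instead of the sample strings.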

----------

## RemcoNL

Thank you very much RaraRasputin! This solved it completely, on login I now nicely get my shiny new 10 GB encrypted partition mounted!

And apparently it does not mount (or try to mount but fails because of using the wrong password?) when another user connects, so this is perfect!

Update: "try_first_pass" gives an error at login (or su -), but everything seems to work just fine without it!

I've noticed that the partition does not unmount when I log out, but since it's mounted inside my home directory (and I am the only one using this laptop) it is not a problem.

Performance is quite good, CPUFreq hardly increases the cpuspeed when copying files on disk.

----------

## jowr

It'd be a real - REAL - good idea for you to add /etc/pam.d to your CONFIG_PROTECT entry in make.conf, otherwise an update of pam or whatever will make you have to do this again.

----------

