# [SOLVED] One password to unlock them all

## ernov

Do you know of any mechanism in Gentoo to have couple of partitions encrypted with dm-crypt, luks and same passwords on them, the mechanism which would require giving that password only 1 time?

There's a thing done such way in Fedora, that seems to use dracut, plymouth and specific scripts for it.

I am not that good to copy and edit Fedora's scripts to work with my Gentoo, but it would be nice to have separate, encrypted partitions and give 1 password to unlock them.

I'd appreciate any tips.

Last edited by ernov on Sun Sep 26, 2010 2:05 am; edited 1 time in total

----------

## Anarcho

Would pam-mount be an option for you? This way the partitions will get unlocked during login and locked during logoff.

----------

## ernov

Could you please tell me how to do it? I've tried following docs from Gentoo's wiki but didn't work for me. I need simple explanation of what&how.

----------

## Anarcho

I try to get the things I've done together:

1. You need to install pam_mount with crypt USE-Flag

2. You need to change your pam config:

My new version of /etc/pam.d/system-login looks like the following:

```
auth            required        pam_tally.so onerr=succeed
auth            required        pam_shells.so
auth            required        pam_nologin.so
auth            include         system-auth
auth            optional        pam_mount.so
auth            optional        pam_gnome_keyring.so
account         required        pam_access.so
account         required        pam_nologin.so
account         include         system-auth
account         required        pam_tally.so onerr=succeed
password        include         system-auth
password        optional        pam_gnome_keyring.so
session         required        pam_env.so
session         optional        pam_lastlog.so
session         include         system-auth
session         optional        pam_mount.so
session         optional        pam_ck_connector.so nox11
session         optional        pam_gnome_keyring.so auto_start
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so
```

and the file /etc/pam.d/gdm

```
auth       optional             pam_env.so
auth       include              system-login
auth       optional             pam_mount.so
auth       required             pam_nologin.so
account    include              system-login
password   include              system-login
session    optional             pam_mount.so
session    include              system-auth
session    optional             pam_gnome_keyring.so auto_start
```

Please note the lines with pam_mount. If you use another login manager (I use gnome with gdm) you need to adjust another file.

3. Configure pam_mount.

My file /etc/security/pam_mount.conf.xml looks like the following:

```
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
   See pam_mount.conf(5) for a description.
-->

<pam_mount>

      <!-- debug should come before everything else,
      since this file is still processed in a single pass
      from top-to-bottom -->
<debug enable="0" />

      <!-- Volume definitions -->
<!-- <cryptmount>mount.crypt "%(ifnempty=\"-o\" OPTIONS)" %(OPTIONS) %(VOLUME) %(MNTPT)</cryptmount> -->
<cryptmount>mount.crypt %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>umount.crypt %(MNTPT)</cryptumount>

      <!-- pam_mount parameters: General tunables -->
<!--
<luserconf name=".pam_mount.conf.xml" />
-->
<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<logout wait="0" hup="0" term="0" kill="0" />

      <!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />
<volume sgrp="users" mountpoint="/home/%(USER)" path="/dev/vghome/%(USER)" fstype="crypt" />

</pam_mount>
```

What you need to change is the 3rd last line, the one starting with '<volume' and add more lines like that for the other partitions to mount.

It is important that at least one of the passphrases for the LUKS encryption matches your login password.

I hope this helps, otherwise, please ask.

----------

## Hu

*ernov wrote:*

> Do you know of any mechanism in Gentoo to have couple of partitions encrypted with dm-crypt, luks and same passwords on them, the mechanism which would require giving that password only 1 time?

May I ask what the point of this setup is? If you have one password that unlocks all the volumes, why not just have a single volume and store all the protected material inside it?

----------

## ernov

Anarcho, thx for gathering it all together, I'll test it on the weekend when I'll have some spare time.

Hu, the main point is to have separate /home and /data and /other-etc-etc stuff on some different physical disks to have an order and flexibility and to keep it safe. I admit that Fedora's solution is original and interesting, but I don't like that distro. Why not add that "freedom" to 1 of the most free distros - Gentoo?

Edit: Phew, finally have some time to test it.

Anarcho - pam is not responsible for creating devices in /dev/mapper, right? If I remove configuration from /etc/conf.d/dmcrypt, mappings are not created. If I add those - dmcrypt asks for password on startup.

----------

## Anarcho

pam_mount should create the device-mapper entries. I don't have anything configured in dmcrypt settings.

----------

## ernov

Doesn't work here.

```
Aug 15 22:53:41 localhost gdm[2206]: pam_mount(mount.c:64): Errors from underlying mount program:
Aug 15 22:53:41 localhost gdm[2206]: pam_mount(mount.c:68): mount.crypt: stat /dev/mapper/sdb2: No such file or directory
Aug 15 22:53:41 localhost gdm[2206]: pam_mount(pam_mount.c:521): mount of /dev/mapper/sdb2 failed
Aug 15 22:53:41 localhost gdm[2206]: pam_unix(gdm:session): session opened for user erno by (uid=0)
```

----------

## zyko

Doing this with passphrases is painful. It's easy if you accept keyfiles.

Basically, you would have one filesystem, probably root, that contains your keyfiles. Those keyfiles are used to automatically (without user interaction) open your other encrypted filesystems. Once your initramfs is active, your root filesystem requires you to enter a passphrase, whereupon init can automatically do the rest.

----------

## Anarcho

*ernov wrote:*

> Doesn't work here.
> 
> ```
> Aug 15 22:53:41 localhost gdm[2206]: pam_mount(mount.c:64): Errors from underlying mount program:
> 
> ...
> ```

Please post your config.

----------

## ernov

It's the same config you've posted above. I've just copied & pasted it, editing the line of pam_mount.conf.xml. I added:

```
<volume sgrp="users" mountpoint="/muz" path="/dev/mapper/sdb2" fstype="crypt" />
```

Maybe I've missed some use flags?

```
eix -I gdm
[I] gnome-base/gdm
     Available versions:  2.20.10-r2 (~)2.20.10-r3 2.20.11 [M](~)2.26.1 [M](~)2.28.2-r1 {accessibility afs branding +consolekit debug dmx elibc_glibc gnome-keyring ipv6 pam policykit remote selinux tcpd test xinerama +xklavier}
     Installed versions:  2.20.11(16:57:06 15.08.2010)(consolekit elibc_glibc gnome-keyring pam -accessibility -afs -branding -debug -dmx -ipv6 -remote -selinux -tcpd -xinerama)
     Homepage:            http://www.gnome.org/projects/gdm/
     Description:         GNOME Display Manager

eix -I pam
[I] sys-auth/pam_mount
     Available versions:  (~)0.49[1] (~)1.18[1] (~)1.33 (~)2.0 2.1 (~)2.4 {crypt}
     Installed versions:  2.4(19:29:48 15.08.2010)(crypt)
     Homepage:            http://pam-mount.sourceforge.net
     Description:         A PAM module that can mount volumes for a user session

[I] sys-auth/pambase
     Available versions:  20090620.1-r1!b 20100310!b (~)20100724!b {consolekit cracklib debug gnome-keyring kerberos mktemp passwdqc selinux +sha512 ssh}
     Installed versions:  20100724!b(16:56:20 15.08.2010)(consolekit cracklib gnome-keyring sha512 -debug -kerberos -mktemp -passwdqc -selinux -ssh)
     Homepage:            http://www.gentoo.org/proj/en/base/pam/
     Description:         PAM base configuration files

[I] sys-libs/pam
     Available versions:  1.1.0 1.1.1-r2 {audit berkdb cracklib debug elibc_FreeBSD elibc_glibc nls selinux test vim-syntax}
     Installed versions:  1.1.1-r2(13:13:44 09.08.2010)(cracklib elibc_glibc nls -audit -berkdb -debug -elibc_FreeBSD -selinux -test -vim-syntax)
     Homepage:            http://www.kernel.org/pub/linux/libs/pam/
     Description:         Linux-PAM (Pluggable Authentication Modules)
```

----------

## Anarcho

*ernov wrote:*

> It's the same config you've posted above. I've just copied & pasted it, editing the line of pam_mount.conf.xml. I added:
> 
> ```
> <volume sgrp="users" mountpoint="/muz" path="/dev/mapper/sdb2" fstype="crypt" />
> ```
> ...

You have to enter the path of the unencrypted device, not the target. Should be /dev/sdb2 instead of /dev/mapper/sdb2 in your case.

----------

## ernov

Anarcho, thank you for pointing me into the right path. This setup seems to work and be transparent to the user, so doesn't require more interaction.

I have one doubt tonight. I've tried to configure this two times, now mounted partition looks like this:

```
mount|grep crypt
/dev/sdb1 on /crypt type crypt (rw,noexec,nosuid,nodev,noatime,commit=0)
```

Is it correct? Shouldn't the device be /dev/mapper/sdb1?

```
ls -l /dev/mapper/
razem 0
crw------- 1 root root 10, 62 2010-09-27  control
lrwxrwxrwx 1 root root      7 09-26 22:02 _dev_sdb1 -> ../dm-0
```

I could swear that when I was trying it with sdb2 couple of weeks ago it was /dev/mapper/sdb1 mounted via pam_mount.

Oh, and I should speak of one disadvantage of this setup: doesn't work on remote login.

----------

## p04ty

How do I achieve the same with kdm? When emerged with USE=pam kdm won't allow login into KDE.

----------

## cach0rr0

to answer the original question:

instead of using a passphrase, use a keyfile, for every partition

now, wrap that keyfile inside GPG, password-protected

you enter the passphrase to get past the GPG phase, only once, whereupon your key file is used to unlock the volumes.

----------

## p04ty

I need a setup that works exactly as described above: auto unlocking and mounting encrypted partition on user logging into KDE. So... basically I now need pam_gnome_keyring.so equivalent for KDE4.

Seems that mount options are ignored. I've tried following line:

```
<volume sgrp="users" mountpoint="/crypt" path="/dev/sdb1" options="defaults,nodev,nosuid,noatime" fstype="crypt" />
```

but /crypt is mounted with defaults:

```
mount|grep crypt
/dev/sdb1 on /crypt type crypt (defaults)
```
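An added checker (example code, not from this thread or from the pam_mount project) that scans a pam_mount.conf.xml for the three mistakes surfaced in this thread: a `<cryptmount>` template that drops `%(OPTIONS)`, so the `options=` on a volume never reaches mount.crypt (the posted config uses `mount.crypt %(VOLUME) %(MNTPT)` while its commented-out original still passes `%(OPTIONS)`); a crypt volume whose `path` names `/dev/mapper/...` instead of the raw LUKS device; and an explicit option list that lacks what `<mntoptions require="...">` demands. pam_mount itself applies the require list only to volumes from a user's own `.pam_mount.conf.xml`, so checking the global entries against it is this script's own stricter choice; the sample config is constructed.

```python
# Added example: lint a pam_mount.conf.xml for the pitfalls seen in the thread.
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the configs posted in the thread (not a real file).
SAMPLE_CONF = """<pam_mount>
<cryptmount>mount.crypt %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>umount.crypt %(MNTPT)</cryptumount>
<mntoptions require="nosuid,nodev" />
<volume sgrp="users" mountpoint="/home/%(USER)" path="/dev/vghome/%(USER)" fstype="crypt" />
<volume sgrp="users" mountpoint="/muz" path="/dev/mapper/sdb2" fstype="crypt" />
<volume sgrp="users" mountpoint="/crypt" path="/dev/sdb1" options="defaults,noatime" fstype="crypt" />
</pam_mount>
"""


def check_conf(conf_xml):
    """Return a list of (where, problem) tuples; an empty list means no findings."""
    root = ET.fromstring(conf_xml)
    problems = []
    # pam_mount expands %(...) variables in the template; without %(OPTIONS)
    # whatever options= a <volume> carries is never handed to mount.crypt.
    cm = root.find("cryptmount")
    if cm is not None and "%(OPTIONS)" not in (cm.text or ""):
        problems.append(("cryptmount", "template lacks %(OPTIONS); volume options are ignored"))
    # Collect the option names the admin declared mandatory (our own stricter
    # use of the require list, which pam_mount applies to luserconf volumes).
    required = set()
    for mo in root.findall("mntoptions"):
        if mo.get("require"):
            required |= set(mo.get("require").split(","))
    for vol in root.findall("volume"):
        mnt = vol.get("mountpoint", "?")
        # mount.crypt opens the LUKS container itself, so path must be the raw
        # encrypted device; the /dev/mapper entry does not exist yet at login.
        if vol.get("fstype") == "crypt" and vol.get("path", "").startswith("/dev/mapper/"):
            problems.append((mnt, "path names a dm target, use the raw device"))
        # "defaults" is a no-op placeholder; only check explicitly listed options.
        opts = set(filter(None, vol.get("options", "").split(","))) - {"defaults"}
        missing = required - opts
        if opts and missing:
            problems.append((mnt, "options drop required " + ",".join(sorted(missing))))
    return problems


if __name__ == "__main__":
    for where, problem in check_conf(SAMPLE_CONF):
        print(f"{where}: {problem}")
```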

----------

