# How to automagically unlock luks crypted partition?

## ernov

Hi, I've set up an encrypted partition managed by LUKS and added it to /etc/conf.d/dmcrypt. The correct /dev/mapper file is created OK, dmcrypt starts on boot and asks for a password to unlock the partition. Now I need it to be unlocked automatically at boot by some mechanism.

I've tried pam_mount, as in the doc from the wiki, but it doesn't work.

How do you set up automatic unlocking of partitions on your boxes?

----------

## cach0rr0

Do it based on an on-disk key rather than a passphrase. I personally keep my keys on a USB thumb drive (rather, it's a micro-SD in a USB adapter; a micro-SD can be swallowed, implanted under the skin, or crushed, if anyone comes banging on my door!)

http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt#Further_tweaks_for_USB_keyfile_authentication

Works beautifully for me, full volume crypto:

```
$ sudo mount |grep mapper
/dev/mapper/root on / type ext3 (rw)
/dev/mapper/share on /share type xfs (rw,nodev,logbufs=8)
/dev/mapper/kvm on /kvm type btrfs (rw)
/dev/mapper/btrfsvol on /tmp type btrfs (rw,nodev,noatime,subvol=tmp)
/dev/mapper/btrfsvol on /usr type btrfs (rw,nodev,noatime,subvol=usr,compress)
/dev/mapper/btrfsvol on /var type btrfs (rw,noatime,subvol=var,compress)
/dev/mapper/btrfsvol on /opt type btrfs (rw,noatime,subvol=opt)
/dev/mapper/btrfsvol on /home type btrfs (rw,nosuid,nodev,noatime,subvol=home,compress)
```

----------

## lxg

I agree this is a good setup ... However, I would always recommend having a passphrase set up as a backup. This is one of the key features of LUKS, having more than one key to the same resource. Because otherwise, when your SD card or USB device dies, your data goes with it.

Therefore: set up the USB/SD stuff and then immediately add another key slot with a passphrase. Then write the passphrase down, and store it in a *very* safe place. (Or don't write it down at all, and memorize it.)
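The two posts above describe one procedure: enrol a keyfile kept on removable media as one LUKS key slot, and keep a passphrase in a second slot so a dead USB stick does not take the data with it. The script below is an added example written for this thread, not code posted by either participant or shipped by cryptsetup. It assumes placeholder values for `DEV`, `KEYFILE` and `MAPPER_NAME`, uses only the `cryptsetup luksAddKey`, `luksDump` and `luksOpen` subcommands, and checks the slot count by parsing LUKS1-style `luksDump` output (a constructed sample is embedded for that check). On Gentoo the same keyfile is then referenced from /etc/conf.d/dmcrypt, whose own comments document the removable-media key options.

```shell
#!/bin/sh
# Added example (not from the thread): enrol a keyfile on removable media as one
# LUKS key slot and keep a passphrase in a second slot as the recovery path.
# DEV, KEYFILE and MAPPER_NAME are assumed placeholders; adjust to your layout.
set -eu

DEV="${DEV:-/dev/sdb1}"                       # assumed: the LUKS partition
KEYFILE="${KEYFILE:-/mnt/usbkey/share.key}"   # assumed: keyfile on the USB/SD medium
MAPPER_NAME="${MAPPER_NAME:-share}"           # assumed: /dev/mapper/<name>

# Count ENABLED key slots in LUKS1-style `cryptsetup luksDump` output read
# from stdin. grep -c prints 0 and exits 1 when nothing matches, hence || true.
enabled_slots() {
    grep -c '^Key Slot [0-9]*: *ENABLED' || true
}

# Make a 4096-byte random keyfile readable only by root.
make_keyfile() {
    umask 077
    dd if=/dev/urandom of="$KEYFILE" bs=512 count=8 2>/dev/null
    chmod 0400 "$KEYFILE"
}

# Add the keyfile as a new slot (cryptsetup prompts for an existing
# passphrase), then add a backup passphrase slot authorised by the keyfile,
# and refuse to finish unless at least two slots are enabled afterwards.
enrol() {
    make_keyfile
    cryptsetup luksAddKey "$DEV" "$KEYFILE"
    cryptsetup luksAddKey "$DEV" --key-file "$KEYFILE"
    n=$(cryptsetup luksDump "$DEV" | enabled_slots)
    [ "$n" -ge 2 ] || { echo "expected at least two enabled slots, found $n" >&2; exit 1; }
    echo "enrolled; $n key slots enabled"
}

# Open the volume non-interactively with the keyfile, as a boot script would.
open_with_keyfile() {
    cryptsetup luksOpen "$DEV" "$MAPPER_NAME" --key-file "$KEYFILE"
}

# Constructed sample of luksDump output, used to exercise the slot counter
# without touching a real device.
SAMPLE_DUMP='LUKS header information for /dev/sdb1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

case "${1:-}" in
    enrol) enrol ;;
    open)  open_with_keyfile ;;
    *)     printf '%s\n' "$SAMPLE_DUMP" | enabled_slots ;;
esac
```

Run it as root with `enrol` once while the removable medium is mounted, then `open` from the boot path; with no argument it only runs the slot counter over the embedded sample. Keep the keyfile itself off the encrypted disk: a keyfile stored next to the volume it unlocks gives an attacker with the hardware everything they need.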

----------

## ernov

I'd rather stay with passphrase(s), so how exactly do you do automatic unlocking of an encrypted volume?

----------

## lxg

Er … when you're working with passphrases, you have to do the unlocking manually, namely by entering the passphrase. ;)

----------

## ernov

So what is this all pam_mount about?

----------

## Hu

*lxg wrote:*

> Er … when you're working with passphrases, you have to do the unlocking manually, namely by entering the passphrase.

Yes and no. To secure the system, it must not be possible for the system to boot and mount the encrypted volumes unattended. Requiring a passphrase satisfies this condition. The idea of pam_mount is that the user's password allows him to log in and also to automatically decrypt the key material that protects the encrypted volume. This allows the user to enter one password instead of two: account password and container password. Technically, this means the volume does not mount at boot, but rather mounts when the relevant user logs in.

As I read the documentation, there is no need to involve /etc/conf.d/dmcrypt at all if you want the volume to be managed by pam_mount.  ernov, could you post your pam_mount configuration and elaborate on how it does not work as you desire?

----------

## ernov

*Quote:*

> This allows the user to enter one password instead of two: account password and container password.

Yes! That's what I need. I can't imagine a situation where I would need to give different passwords for every volume I'd like to open...

Here's the pam_mount conf: http://pastebin.com/E6u4HxSn (alternative link because pastebin.com seems to malfunction: http://pastebin.pl/25519). I admit I can't understand PAM at all. I just want to secure my hard disk in case of theft and prevent reading of its contents.

----------