How do I automount a LUKS encrypted partition in a secure way? Ideally either when I log on (and therefore enter my password at the login screen), or, once I get to the desktop, have Ubuntu ask for my password and then auto-mount the partition?
The output of my fdisk is below.
The encrypted partition is /dev/sdb7; my root and home partition is /dev/sdb5 (which isn't encrypted).
```
Disk /dev/loop0: 14 MiB, 14647296 bytes, 28608 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop1: 81.7 MiB, 85692416 bytes, 167368 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/sda: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x0006d9d9

Device     Boot     Start        End    Sectors   Size Id Type
/dev/sda1            2048  524646399  524644352 250.2G  7 HPFS/NTFS/exFAT
/dev/sda2  *    524646400 1953523711 1428877312 681.4G 83 Linux

Disk /dev/sdb: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x1ffae910

Device     Boot     Start       End   Sectors   Size Id Type
/dev/sdb1       214892542 976773119 761880578 363.3G  5 Extended
/dev/sdb2  *         2048   2150399   2148352     1G 83 Linux
/dev/sdb5       214892544 257558559  42666016  20.4G 83 Linux
/dev/sdb6       300716032 318294015  17577984   8.4G 82 Linux swap / Solaris
/dev/sdb7       318296064 976773119 658477056   314G 83 Linux

Partition table entries are not in disk order.
```
Using pam-mount
You can use pam-mount to do this. It will hook into the login process and thus be able to use the entered password for mounting a LUKS partition. Here's how to set it up:
Create a test luks image
Skip this section if you already have a LUKS-encrypted partition or image.
Create a file called .priv in your home directory with size 1GB:
Format the image using LUKS and set a password (use the same as your login password):
Enable the image:
Create a file system on the new device:
Disable the image again:
Install and set up pam-mount
Install the package:
Edit the configuration file `/etc/security/pam_mount.conf.xml` and add the following line to it:

Add this right after where it says `<!-- Volume definitions -->`. Notice the subtle but important difference in the path and mountpoint arguments. In your particular case you would use `path="/dev/sdb7"`.

Now log in to your machine and you should notice that it takes a little longer than usual. After a successful login you can check, using the `mount` command, that there is now a new file system mounted in your home. It should look similar to this:

Use for /home/USER
I am using this setup for mounting my home directory (`/home/seb`) from a LUKS encrypted image on Ubuntu 18.04. pam_mount will also take care of unmounting the image after I log out. As such it is a nice way to get at least some encryption if during installation you did not choose full disk encryption.

To answer @Falc about why setting the mount point as `<volume path="/dev/sdb7" mountpoint="/home" />` didn't work and instead prevented him from logging in: by setting the mount point as home you actually replaced your home directory with your encrypted partition. The reason why you could not log in is that the `/home` directory is needed by Linux to work. What's more, the home directory contains many important hidden files such as .config, .bashrc, .profile and .bash_profile. These files and others in your home folder include gnome-session-properties, which initiate programs to start when you log in. When you mount your encrypted drive on your home directory, applications needed for the graphical session cannot start.
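As an added example (not part of either answer above), here is a small Python helper for the configuration step: it inserts the `<volume>` line right after the `<!-- Volume definitions -->` comment and refuses the `mountpoint="/home"` entry that locked @Falc out. The shortened config file is constructed; the `user` and `fstype="crypt"` attributes come from pam_mount's documentation rather than from this page.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

MARKER = "<!-- Volume definitions -->"

# Constructed, shortened pam_mount.conf.xml: the real file is much longer,
# but the marker comment is the only landmark the answer relies on.
SAMPLE_CONF = """<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<debug enable="0" />
<!-- Volume definitions -->
<mntoptions require="nosuid,nodev" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>
"""


def volume_problems(path, mountpoint):
    """Return reasons the entry is unsafe; an empty list means it looks fine."""
    problems = []
    if not path.startswith("/"):
        problems.append("path must be an absolute device or image path, got %r" % path)
    # Mounting on /home itself covers every existing home directory, so the
    # session cannot read .profile, .config and friends and login fails.
    # Mount on the user's own home (/home/USER) or a directory inside it.
    normalized = "/" + mountpoint.strip("/")
    if normalized in ("/", "/home"):
        problems.append("mountpoint %r would hide /home; use /home/USER or below" % mountpoint)
    return problems


def add_volume(conf_text, user, path, mountpoint):
    """Insert a <volume> line right after the marker and return the new text."""
    problems = volume_problems(path, mountpoint)
    if problems:
        raise ValueError("; ".join(problems))
    if MARKER not in conf_text:
        raise ValueError("marker comment not found in pam_mount.conf.xml")
    # user= limits the volume to this account; fstype="crypt" makes pam_mount
    # open the LUKS container with the password typed at login.
    line = '<volume user=%s fstype="crypt" path=%s mountpoint=%s />' % (
        quoteattr(user), quoteattr(path), quoteattr(mountpoint))
    new_text = conf_text.replace(MARKER, MARKER + "\n" + line, 1)
    ET.fromstring(new_text.encode())  # fail loudly if the result is not well-formed XML
    return new_text


def volume_entries(conf_text):
    """List (path, mountpoint) for every <volume>, parsed from the XML."""
    root = ET.fromstring(conf_text.encode())
    return [(v.get("path"), v.get("mountpoint")) for v in root.findall("volume")]
```

Run `add_volume` on the text of your real `/etc/security/pam_mount.conf.xml` and write the result back only after inspecting the diff.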