Securely automount encrypted drive at user login

When I wrote this answer a few years ago this was the best way of implementing the solution. I'd now suggest that you look at the next answer using mount.ecryptfs_private instead.

I was also looking for a way to automatically mount a second eCryptfs volume. The following collection of scripts and configuration modifications will securely and automatically mount your volume on login, either to the GUI or the CLI.

There is a better solution that's in the process of being created (though I think not quite ready for automatic mounting on user login, as such this script will have a limited shelf life.):

ecryptfs on too-small harddrive - how to add links into the encryption?

The security of the scripts depends on your home directory being encrypted with eCryptfs so that the script and files with the password to unwrap your passphrase are encrypted. If you leave your computer unlocked with a root shell open after log in it will be possible to access the passwords, however use of sudo NOPASSWD allows secure mounting of the partition without requiring password entry or leaving the passphrase in a file readable by the user.

One known deficiency of these scripts is that your second volume will not be unmounted on logout, as such it's not particularly suitable for multi user systems.

My solution is implemented with several parts, two shell scripts, one that performs the actual mounting and another that serves as a wrapper for it.

This is the wrapper script that validates if the directory is already mounted, if it isn't then it will call the mounting script using sudo:

/home/johnf/scripts/automount_ecryptfs

#!/bin/bash

MOUNT_POINT=/home/johnf/slow

grep -q $MOUNT_POINT /proc/mounts
if [ $? -eq 1 ]; then
  sudo /home/johnf/scripts/mount_other_ecryptfs
fi

This script calls /home/johnf/scripts/mount_other_ecryptfs which is as follows.

Note that this script assumes that you have file name encryption enabled, if you don't it will be necessary to either modify the script to handle detection (look at ecryptfs-recover-private) or you could remove the ecryptfs_fnek_sig mount option.

The following is the /home/johnf/scripts/mount_other_ecryptfs script:

#!/bin/bash

ENCRYPTED_VOLUME=/vol0/.ecryptfs/johnf/.Private/
MOUNT_POINT=/home/johnf/slow
PASSFILE=/home/johnf/scripts/ecryptfs_passphrase
MOUNT_PASSWORD=secret_passphrase
ECRYPTFS_SIG=`head -1 ${ENCRYPTED_VOLUME}//../.ecryptfs/Private.sig`
ECRYPTFS_FNEK_SIG=`tail -1 ${ENCRYPTED_VOLUME}//../.ecryptfs/Private.sig`

printf "%s" $MOUNT_PASSWORD | ecryptfs-insert-wrapped-passphrase-into-keyring ${ENCRYPTED_VOLUME}/../.ecryptfs/wrapped-passphrase
mount -t ecryptfs -o key=passphrase:passfile=${PASSFILE},ecryptfs_sig=${ECRYPTFS_SIG},ecryptfs_fnek_sig=${ECRYPTFS_FNEK_SIG},ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n ${ENCRYPTED_VOLUME} ${MOUNT_POINT}

You will also need to create a file with your password in it, this file will be used by the eCryptfs mount command:

/home/johnf/scripts/ecryptfs_passphrase:

passwd=secret_passphrase

You need to modify the permissions on several files:

chmod +x /home/johnf/scripts/automount_ecryptfs
sudo chown root:root /home/johnf/scripts/mount_other_ecryptfs /home/johnf/scripts/ecryptfs_passphrase
sudo chmod a=x /home/johnf/scripts/mount_other_ecryptfs
sudo chmod 400 /home/johnf/scripts/ecryptfs_passphrase

Before creating the scripts you need to create a sudoers configuration to permit the execution of the mounting script using sudo without entering your sudo password.

Add the following to /etc/sudoers (or a file in /etc/sudoers.d). You will want to replace johnf with your username. It's necessary to use an absolute path to the mounting script.

johnf   ALL = NOPASSWD: /home/johnf/scripts/mount_other_ecryptfs

The final step is to call the automount_ecryptfs script on login.

On Ubuntu Unity (and probably gnome) use the Startup Applications applet to create a new startup program that calls /home/johnf/scripts/automount_ecryptfs.

To automatically mount the second eCryptfs volume on login into a bash shell you will want to modify your ~/.bashrc file. Add the following:

/home/johnf/scripts/automount_ecryptfs

With this configuration in place you should now automatically mount your second eCryptfs volume.

Building on @johnf's answer but using mount.ecryptfs_private instead:

• encrypted /home/bob/ (eg. on a SSD), using Ubuntu's normal encrypted home dir magic.
• encrypted /media/hdd/bob_extra/ (eg. on a HDD), to be mounted to /home/bob/extra. This should automount on login, just like the home dir does.
• use the same keys/credentials for both.

create it

mkdir /media/hdd/bob_extra
cp /home/bob/.ecryptfs/Private.sig /home/bob/.ecryptfs/extra.sig
echo "/media/hdd/bob_extra /home/bob/extra ecryptfs none 0 0" > /home/bob/.ecryptfs/extra.conf

test it

mount.ecryptfs_private extra

running mount, you should see:

...
/media/hdd/bob_extra on /home/bob/extra type ecryptfs (ecryptfs_check_dev_ruid,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=12345678abcdef,ecryptfs_fnek_sig=abcdef12345678)

to unmount:

sudo umount /media/hdd/bob_extra

setup automount

Create /home/bob/bin/automount_ecryptfs.extra, which will mount it if it hasn't been mounted already.

#!/bin/bash

MOUNT_POINT=/home/bob/extra

grep -q $MOUNT_POINT /proc/mounts
if [ $? -eq 1 ]; then
  mount.ecryptfs_private extra
fi

Make it executable (chmod +x), then add it into /home/bob/.bashrc:

...
/home/bob/bin/automount_ecryptfs.extra

Then add it to Gnome's Startup Applications as well.

You no longer need the solutions above.

Prerequisites:

• an Ubuntu 14.04 LTS install
• an encrypted home directory (see https://help.ubuntu.com/community/EncryptedHome)
• a desire to automatically mount a secondary encrypted drive [edit] when you log in.

Note: this method is less secure than mounting an encrypted drive manually. If someone has physical access to your computer, you are careless with your root password, or your computer has multiple users/guest accounts, this method is not secure; the secondary drive stays mounted when you log out but do not shut down the system, so its contents are visible to other users.

Part 1: Encrypt the secondary drive.

1. In the Unity dash type "disks" and hit enter.
2. Below "Devices" click on the hard drive you want to encrypt.
3. Below "Volumes" click on the cog/more actions button.
4. Click "Format Volume". For type, choose "Encrypted, compatible with Linux systems." Name your drive and give it a strong pass phrase.
5. Click "Format"

Part 2: Automatically mount the HDD on system start-up.

1. Keep the "Disks" application open, and click on the cog.
2. Click "Edit Encryption Options."
3. "Automatic Encryption Options" will be turned on, and the menu below greyed out. Turn automatic encryption options off.
4. Enter the pass phrase from when you formatted the disk. Click "Ok".

You now have an encrypted hard drive that will automatically mount when your computer boots.

Create a script in your encrypted home directory: ~/scripts/mount_storage.sh:

#!/bin/bash

sudo cryptsetup open --type luks UUID=12e26119-0ee2-4eb4-bd40-d8a3547ecf0c storage --key-file ~/keys/storage_keyfile
sudo mount /dev/mapper/storage /storage

Add to "Startup Applications":

sh ~/scripts/mount_storage.sh

Add to /etc/sudoers:

%sudo   ALL= NOPASSWD: /sbin/cryptsetup open --type luks UUID=12e26119-0ee2-4eb4-bd40-d8a3547ecf0c storage --key-file *
%sudo   ALL= NOPASSWD: /bin/mount /dev/mapper/storage /storage

You need to have created the /storage mount point and change UUID in the above script (find it with blkid).

Proceeding as follows should be secure. Requiring the passphrase stops other users from getting access to the volume, even though it is mounted.

1.Open Disks, choose the drive and click on the LUKS volume. Click on the cogwheels and unchoose "User Session Defaults". Choose "Unlock at system startup" and "Require additional authorization to unlock":

2.Click on the disk volume (below the LUKS volume). Click on the cogwheels and unchoose "User Session Defaults". Choose "Mount at system startup" and "Show in user interface":

You could also choose to require additional authentication to mount the volume, but in that case the mounting would not be automatic for the user in question.

I'm afraid that this isn't going to be a popular answer...

It's not going to be possible to automatically mount any encrypted partition, without circumventing the security of the encryption itself.

Think about what "automatically" means, and understand that automatically means that they will get to see your data too.

Updating on rcoup's anwser :

• as per mount.ecryptfs_private manpage, it will do nothing if the folder is already mounted, so it is not useful to check for that ;
• it is probably more suitable to use systemd to auto-run it, as it will be independent from bash or the graphical session, and it also gives a convenient way to explicitly unmount at the end of the session.

So we can do systemctl --user edit --force --full mount-ecryptfs-extra.service : this opens up an editor, in which we can type

[Unit]
Description=Mount ecryptfs folder extra

[Service]
Type=oneshot
ExecStart=mount.ecryptfs_private extra
RemainAfterExit=yes
ExecStop=umount.ecryptfs_private extra

[Install]
WantedBy=default.target

Then systemctl --user install mount-ecryptfs-extra.service.