Dr. Arne Babenhauserheide wrote:

> Hi,
>
> The manual describes how to set up an encrypted root[1], but I got lost
> trying to find out how to set up a user such that the device is opened at
> login (with a prompt for the password) and closed at logout.
>
> I need the --allow-discards option to cryptsetup open, to be
> equivalent to the following:
>
> sudo cryptsetup open --allow-discards --type luks /dev/nvmeXnXp1 my-user
>
> I need the user-home to be encrypted, i.e.
>
> mount LABEL=my-user /home/my-user
>
> I’d like to set this in my /etc/config.scm but currently I have to
> decrypt before logging in.
>
> [1]: https://guix.gnu.org/manual/en/html_node/Keyboard-Layout-and-Networking-and-Partitioning.html
> https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
>
> Best wishes,
> Arne

Hi,

You can use the pam-mount service[1] to decrypt a user's home at login, but it will not create the encrypted volume automatically if it does not exist; you have to create it yourself.

Also, if you create a LUKS2 volume, you can activate the discard feature with "cryptsetup --allow-discards --persistent open /dev/xxx path", and then you won't need to pass the "--allow-discards" option when mounting the volume anymore.

[1]: https://guix.gnu.org/manual/en/html_node/PAM-Mount-Service.html
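
A possible /etc/config.scm fragment for the pam-mount approach suggested in the reply, added here as an illustration and not written by either poster. It assumes the placeholder device, mapping name and user from the original question, that the LUKS passphrase is the same as the login password (pam_mount reuses the password typed at login), and that the installed mount.crypt accepts the `allow_discard` option.

```scheme
;; Added illustration, not from the thread. Device path, mount point and
;; user name are the placeholders used in the original question.
(use-modules (gnu) (gnu services pam-mount))

(define my-user-pam-mount-rules
  `((debug (@ (enable "0")))
    ;; fstype "crypt" makes pam_mount call mount.crypt, which opens the
    ;; LUKS device with the password typed at login and mounts it.
    (volume (@ (user "my-user")
               (fstype "crypt")
               (path "/dev/nvmeXnXp1")
               (mountpoint "/home/my-user")
               ;; Assumption: mount.crypt's allow_discard option. It is not
               ;; needed if the flag was stored in the LUKS2 header with
               ;; --persistent, as the reply describes.
               ;; Discards reveal which blocks are unused to anyone who
               ;; can read the raw device.
               (options "allow_discard")))
    (mntoptions (@ (require "nosuid,nodev")))
    ;; Process handling at logout; same values as the manual's example rules.
    (logout (@ (wait "0") (hup "0") (term "no") (kill "no")))
    (mkmountpoint (@ (enable "1") (remove "true")))))

;; Add this to the services field of the operating-system declaration.
(define my-user-pam-mount-service
  (service pam-mount-service-type
           (pam-mount-configuration
            (rules my-user-pam-mount-rules))))
```

The LUKS volume and its file system must already exist, since pam-mount only opens and mounts it.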