Dr. Arne Babenhauserheide <arne_bab@web.de> skribis:
> Hi,
>
> The manual describes how to setup an encrypted root[1], but I got lost
> trying to find out how to setup a user such that the device is opened at
> login (with a prompt for the password) and closed at logout.
>
> I need the --allow-discards option to cryptsetup open, to be
> equivalent to the following:
>
> sudo cryptsetup open --allow-discards --type luks /dev/nvmeXnXp1 my-user
>
> I need the user-home to be encrypted, i.e.
>
> mount LABEL=my-user /home/my-user
>
> I’d like to set this in my /etc/config.scm but currently I have to
> decrypt before logging in.
>
> [1]: https://guix.gnu.org/manual/en/html_node/Keyboard-Layout-and-Networking-and-Partitioning.html
> https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
>
> Best wishes,
> Arne
Hi,

You can use the pam-mount service[1] to decrypt a user's home at login,
but it will not create the encrypted volume automatically if it does not
exist; you have to create it yourself.

Also, if you create a LUKS2 volume, you can activate the discard feature
with "cryptsetup --allow-discards --persistent open /dev/xxx path", and
then you won't need to pass the "--allow-discards" option when mounting
the volume anymore.

[1]: https://guix.gnu.org/manual/en/html_node/PAM-Mount-Service.html
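As an added illustration of the pam-mount approach described in the reply (example configuration written for this page, not code from the original mail, from the Guix manual or from the pam_mount project): a Guix `pam-mount-service-type` rule that opens a per-user LUKS volume with the login password and mounts it on the user's home. The user name "my-user", the device path /dev/nvmeXnXp1 and the mount point are placeholders taken from the question; it assumes the volume was already created, and opened once with the "--allow-discards --persistent" command from the reply so the discard flag lives in the LUKS2 header. The pam_mount element and attribute names follow pam_mount.conf.xml(5).

```scheme
;; Added example, not from the original thread or the Guix manual.
;; Assumed placeholders: user "my-user", device /dev/nvmeXnXp1,
;; mount point /home/my-user.
(use-modules (gnu)
             (gnu services pam-mount))

(define my-user-home-pam-mount
  (service pam-mount-service-type
           (pam-mount-configuration
            (rules
             `((debug (@ (enable "0")))
               ;; One volume rule, restricted to this user. fstype "crypt"
               ;; makes pam_mount run mount.crypt, which feeds the login
               ;; password to cryptsetup, so the account password must be
               ;; one of the LUKS passphrases of this volume.
               (volume (@ (user "my-user")
                          (fstype "crypt")
                          (path "/dev/nvmeXnXp1")
                          (mountpoint "/home/my-user")
                          ;; Filesystem mount options; no discard option is
                          ;; needed here because it is persisted in the
                          ;; LUKS2 header by "--persistent".
                          (options "nosuid,nodev")))
               ;; Options a user-supplied volume may and must carry.
               (mntoptions (@ (allow ,(string-join
                                       '("nosuid" "nodev" "loop"
                                         "encryption" "fsck" "nonempty"
                                         "allow_root" "allow_other")
                                       ","))))
               (mntoptions (@ (require "nosuid,nodev")))
               ;; Behaviour when the last session of the user ends: pam_mount
               ;; unmounts and closes the volume; these attributes control
               ;; whether lingering processes are signalled first.
               (logout (@ (wait "0")
                          (hup "0")
                          (term "no")
                          (kill "no")))
               ;; Create /home/my-user if missing and remove it again at
               ;; logout so nothing is written to the unencrypted root.
               (mkmountpoint (@ (enable "1")
                                (remove "true"))))))))

;; Add it to the operating-system's services, for example:
;;   (services (cons my-user-home-pam-mount %base-services))
```

Two caveats worth checking against your own config.scm: do not also declare this volume under `mapped-devices` or `file-systems`, or the boot process will open it (and prompt) before any login, which is the behaviour the question wants to avoid; and the unmount at logout only succeeds when no process still holds the mount point open, which is what the `logout` attributes are for. After a logout, `cryptsetup status` on the mapping name, or `lsblk`, shows whether the device was really closed.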