* How to create /home/user backed by LUKS device decrypted on login
@ 2021-03-01 1:39 Dr. Arne Babenhauserheide
2021-03-01 8:36 ` Guillaume Le Vaillant
0 siblings, 1 reply; 2+ messages in thread
From: Dr. Arne Babenhauserheide @ 2021-03-01 1:39 UTC (permalink / raw)
To: help-guix
[-- Attachment #1: Type: text/plain, Size: 831 bytes --]
Hi,
The manual describes how to setup an encrypted root[1], but I got lost
trying to find out how to setup a user such that the device is opened at
login (with a prompt for the password) and closed at logout.
I need the --allow-discards option to cryptsetup open, to be
equivalent to the following:
sudo cryptsetup open --allow-discards --type luks /dev/nvmeXnXp1 my-user
I need the user-home to be encrypted, i.e.
mount LABEL=my-user /home/my-user
I’d like to set this in my /etc/config.scm but currently I have to
decrypt before logging in.
[1]: https://guix.gnu.org/manual/en/html_node/Keyboard-Layout-and-Networking-and-Partitioning.html
https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
Best wishes,
Arne
--
Unpolitisch sein
heißt politisch sein
ohne es zu merken
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1125 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: How to create /home/user backed by LUKS device decrypted on login
2021-03-01 1:39 How to create /home/user backed by LUKS device decrypted on login Dr. Arne Babenhauserheide
@ 2021-03-01 8:36 ` Guillaume Le Vaillant
0 siblings, 0 replies; 2+ messages in thread
From: Guillaume Le Vaillant @ 2021-03-01 8:36 UTC (permalink / raw)
To: Dr. Arne Babenhauserheide; +Cc: help-guix
[-- Attachment #1: Type: text/plain, Size: 1374 bytes --]
Dr. Arne Babenhauserheide <arne_bab@web.de> skribis:
> Hi,
>
> The manual describes how to setup an encrypted root[1], but I got lost
> trying to find out how to setup a user such that the device is opened at
> login (with a prompt for the password) and closed at logout.
>
> I need the --allow-discards option to cryptsetup open, to be
> equivalent to the following:
>
> sudo cryptsetup open --allow-discards --type luks /dev/nvmeXnXp1 my-user
>
> I need the user-home to be encrypted, i.e.
>
> mount LABEL=my-user /home/my-user
>
> I’d like to set this in my /etc/config.scm but currently I have to
> decrypt before logging in.
>
> [1]: https://guix.gnu.org/manual/en/html_node/Keyboard-Layout-and-Networking-and-Partitioning.html
> https://guix.gnu.org/manual/en/html_node/Mapped-Devices.html
>
> Best wishes,
> Arne
Hi,
You can use the pam-mount service[1] to decrypt a user's home at login,
but it will not create the encrypted volume automatically if it does not
exist; you have to create it yourself.
Also, if you create a LUKS2 volume, you can activate the discard feature
with "cryptsetup --allow-discards --persistent open /dev/xxx path", and
then you won't need to pass the "--allow-discards" option when mounting
the volume anymore.
[1]: https://guix.gnu.org/manual/en/html_node/PAM-Mount-Service.html
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-03-01 8:36 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-01 1:39 How to create /home/user backed by LUKS device decrypted on login Dr. Arne Babenhauserheide
2021-03-01 8:36 ` Guillaume Le Vaillant
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).