dm-crypt/Mounting at login
It is possible to configure PAM and systemd to automatically mount a dm-crypt encrypted home partition when its owner logs in, and to unmount it when they log out.
This tutorial assumes you have already created your encrypted partition, as described in Dm-crypt/Encrypting a non-root file system.
- You need to use the same password for your user account and for LUKS, because the login password is what gets handed to cryptsetup.
- In all the examples, replace username with your username, 1000 with your user ID and PARTITION with the name of your encrypted partition's device.
Unlocking at login
pam_exec can be used to unlock the device at login. Edit /etc/pam.d/system-login and add the pam_exec line shown below directly after the existing auth include system-auth line:
/etc/pam.d/system-login
...
auth include system-auth
auth optional pam_exec.so expose_authtok /etc/pam_cryptsetup.sh
...
Then create the mentioned script.
/etc/pam_cryptsetup.sh
#!/bin/sh
# Invoked by pam_exec with expose_authtok: the login password arrives on
# stdin and is passed straight through to cryptsetup open.
CRYPT_USER="username"
PARTITION="/dev/sdXY"
NAME="home-$CRYPT_USER"

# Only act for the owning user, and only if the mapping is not open yet.
if [ "$PAM_USER" = "$CRYPT_USER" ] && ! [ -e "/dev/mapper/$NAME" ]; then
    /usr/bin/cryptsetup open "$PARTITION" "$NAME"
fi
Make the script executable.
Mounting and unmounting automatically
systemd-logind maintains user@1000.service for as long as at least one session is active for the user. It is started automatically after the first successful login and stopped after a logout from the last session. Hence, we can create and enable a systemd.mount(5) unit for the mapped volume and connect it to user@1000.service in order to make it mount and unmount automatically:
/etc/systemd/system/home-username.mount
[Unit]
Requires=user@1000.service
Before=user@1000.service

[Mount]
Where=/home/username
What=/dev/mapper/home-username
Type=btrfs
Options=defaults,relatime,compress=zstd

[Install]
RequiredBy=user@1000.service
Locking after unmounting
After unmounting, the device will still be unlocked, and it will be possible to mount it without re-entering the password (shutting down or rebooting will lock the partition because the key is wiped from RAM, but unmounting alone will not). You can create and enable a service that starts when the device gets unlocked (BindsTo=dev-mapper-home\x2dusername.device) and dies after the device gets unmounted (Requires,Before=home-username.mount), locking the device in the process (ExecStop=cryptsetup close):
/etc/systemd/system/cryptsetup-username.service
[Unit]
DefaultDependencies=no
BindsTo=dev-PARTITION.device
After=dev-PARTITION.device
BindsTo=dev-mapper-home\x2dusername.device
Requires=home-username.mount
Before=home-username.mount
Conflicts=umount.target
Before=umount.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=0
ExecStop=/usr/bin/cryptsetup close home-username

[Install]
RequiredBy=dev-mapper-home\x2dusername.device
dev-PARTITION is the result of systemd-escape -p /dev/PARTITION.
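The three units above only work if every name agrees: the mount unit's filename must be the escaped form of its Where= path, and the service's BindsTo=/RequiredBy= entries must be the escaped .device names of the raw partition and of the mapper node. A mismatch silently leaves the volume unlocked after logout. The following Python script is an added example, not part of the wiki page, that derives all of those names from one set of inputs. The systemd_escape_path function is a reimplementation of the rules of systemd-escape -p as the author understands them (slashes become dashes, '-' and any other byte outside [A-Za-z0-9:_.] become \xNN), and the sample partition /dev/sda2 is a constructed placeholder.

```python
"""Render the mount and locking units from the tutorial with consistent names.

Added example, not from the wiki page: the escaping routine mirrors the
rules of `systemd-escape -p` (assumption), and the unit bodies follow the
page's templates.
"""

_VALID = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
             "0123456789:_.")


def systemd_escape_path(path: str) -> str:
    """Escape a file system path the way `systemd-escape -p` does.

    Assumed rules: leading/trailing slashes are dropped, the root path alone
    becomes '-', every '/' becomes '-', and every other byte outside
    [A-Za-z0-9:_.] (notably '-' itself, plus a leading '.') is written as
    \\xNN using its hex value.
    """
    parts = [p for p in path.split("/") if p]
    if not parts:
        return "-"
    out = []
    for i, ch in enumerate("/".join(parts)):
        if ch == "/":
            out.append("-")
        elif (i == 0 and ch == ".") or ch not in _VALID:
            out.extend("\\x%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def render_units(user, uid, partition, fstype="btrfs",
                 options="defaults,relatime,compress=zstd"):
    """Return {unit filename: contents} for the mount unit and the lock service."""
    home = f"/home/{user}"
    mapper = f"/dev/mapper/home-{user}"
    user_svc = f"user@{uid}.service"
    mount_unit = systemd_escape_path(home) + ".mount"       # home-username.mount
    mapper_dev = systemd_escape_path(mapper) + ".device"    # dev-mapper-home\x2dusername.device
    part_dev = systemd_escape_path(partition) + ".device"   # dev-PARTITION.device

    mount = "\n".join([
        "[Unit]",
        f"Requires={user_svc}",
        f"Before={user_svc}",
        "",
        "[Mount]",
        f"Where={home}",
        f"What={mapper}",
        f"Type={fstype}",
        f"Options={options}",
        "",
        "[Install]",
        f"RequiredBy={user_svc}",
        "",
    ])
    # The lock service lives while the mapper device exists and runs
    # `cryptsetup close` when it stops, i.e. once the mount unit is gone.
    service = "\n".join([
        "[Unit]",
        "DefaultDependencies=no",
        f"BindsTo={part_dev}",
        f"After={part_dev}",
        f"BindsTo={mapper_dev}",
        f"Requires={mount_unit}",
        f"Before={mount_unit}",
        "Conflicts=umount.target",
        "Before=umount.target",
        "",
        "[Service]",
        "Type=oneshot",
        "RemainAfterExit=yes",
        "TimeoutSec=0",
        f"ExecStop=/usr/bin/cryptsetup close home-{user}",
        "",
        "[Install]",
        f"RequiredBy={mapper_dev}",
        "",
    ])
    return {mount_unit: mount, f"cryptsetup-{user}.service": service}


if __name__ == "__main__":
    # Constructed sample values; /dev/sda2 is a placeholder partition.
    for name, body in render_units("username", 1000, "/dev/sda2").items():
        print(f"# /etc/systemd/system/{name}\n{body}")
```

Run it once with your real username, UID and partition, compare the output against `systemd-escape -p` for the mapper node, and then write the two files into /etc/systemd/system before enabling them.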