Truecrypt pam_mount

Hello,

Could you help me automatically mount a “truecrypted” container via pam_mount? I’ve tried this: https://wiki.archlinux.org/index.php/Talk:TrueCrypt#Automatic_mount_home_on_login and it didn’t work.

I have not used truecrypt, so I don’t know whether this will help.

People using LUKS mounted containers for the home directory were having a similar problem. It turns out that you have to force the “loop” module to be loaded. To test, just use:


# modprobe loop

and see if you can then get pam_mount to work. If that does the trick, then you will need to force that module to be loaded during boot. For that, see the man page for “modules-load.d(5)”.

My home is encrypted with LUKS and it works properly. But when I add the new truecrypt volume into /etc/security/pam_mount.conf.xml it stops working (also the home directory).

When I logged in as root and tried to mount the truecrypt volume manually, it didn’t work. I ran modprobe loop and I was able to mount the truecrypt volume.

So I created a new file in /etc/modules-load.d/loop.service and rebooted the PC. The file has been moved to /etc/modprobe.d and when I run

modprobe loop

I get an error:

WARNING: /etc/modprobe.d/loop.conf line 2: ignoring bad line starting with ‘loop’

So it seems to me like it is not good. Could you be so kind and help me a bit with how to mount two encrypted containers via pam_mount?

That, at least, looks good.

That’s strange. “/etc/modules-load.d” is supposed to give modules to be loaded. And “/etc/modprobe.d” is supposed to give any additional parameters needed. Moving the file does not seem right.

I’m not much up on the details of managing module loading. I hope someone else can provide some help.

Man page says

Each configuration file is named in the style of /etc/modules-load.d/program.conf.

Where have you got “.service” from?

The file has been moved to /etc/modprobe.d

Moved by whom?

WARNING: /etc/modprobe.d/loop.conf line 2: ignoring bad line starting with 'loop'

You need a file /etc/modules-load.d/loop.conf with the single line “loop”.

I’ve fixed the problem with loop.conf, but I can’t mount home via LUKS and backup image via TrueCrypt. Here is the pam_mount.conf.xml:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->
<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="0"/>

                <!-- Volume definitions -->


                <!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other"/>
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev"/>

<!-- requires ofl from hxtools to be present -->
<logout wait="2000" hup="0" term="1" kill="1"/>


                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true"/>


<volume fstype="crypt" user="john" path="/home/john.img" fskeypath="/home/john.key" fskeycipher="aes-256-cbc" fskeyhash="md5" cipher="aes-cbc-essiv:sha256" options="loop" mountpoint="/home/john"/>

<cryptmount>bash -c "grep -q %(MNTPT) /etc/mtab || truecrypt --text --protect-hidden=no --keyfiles='' -m=nokernelcrypto %(VOLUME) %(MNTPT)"</cryptmount>
<cryptumount>truecrypt -d</cryptumount>
<volume fstype="crypt" path="/media/voyager/.Volume/backup.tc" mountpoint="/media/backup"/>
</pam_mount>

Could it be a problem that fstype=crypt is once LUKS and later corresponds to TrueCrypt?
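
A way to check the question above, as an added example that is not part of the original thread: pam_mount command definitions such as `<cryptmount>` are set once per fstype, not per volume, so this sketch lists every `<volume>` that ends up sharing one override. The function name `shared_overrides` is hypothetical, and `SAMPLE` is built from the volume and command lines of the posted config.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the volume and command lines from the config posted above.
SAMPLE = """<pam_mount>
<volume fstype="crypt" user="john" path="/home/john.img" fskeypath="/home/john.key" fskeycipher="aes-256-cbc" fskeyhash="md5" cipher="aes-cbc-essiv:sha256" options="loop" mountpoint="/home/john"/>
<cryptmount>bash -c "grep -q %(MNTPT) /etc/mtab || truecrypt --text --protect-hidden=no --keyfiles='' -m=nokernelcrypto %(VOLUME) %(MNTPT)"</cryptmount>
<cryptumount>truecrypt -d</cryptumount>
<volume fstype="crypt" path="/media/voyager/.Volume/backup.tc" mountpoint="/media/backup"/>
</pam_mount>"""


def shared_overrides(xml_text):
    """Return (tag, command, volume paths) for each <FSTYPEmount>/<FSTYPEumount>
    override that is shared by more than one <volume> of that fstype."""
    root = ET.fromstring(xml_text)
    by_fstype = {}
    for vol in root.iter("volume"):
        fstype = vol.get("fstype")
        if fstype:  # volumes without an explicit fstype are not considered here
            by_fstype.setdefault(fstype, []).append(vol.get("path"))
    findings = []
    for fstype, paths in by_fstype.items():
        if len(paths) < 2:
            continue  # a single volume cannot conflict with itself
        for suffix in ("mount", "umount"):
            cmd = root.find(fstype + suffix)  # e.g. <cryptmount>, <cryptumount>
            if cmd is not None:
                findings.append((cmd.tag, (cmd.text or "").strip(), paths))
    return findings


if __name__ == "__main__":
    for tag, command, paths in shared_overrides(SAMPLE):
        print(f"<{tag}> is used for every one of: {', '.join(paths)}")
        print(f"    command: {command}")
```

On the posted config this reports that both the LUKS image /home/john.img and the TrueCrypt container share the same truecrypt-based `<cryptmount>` and `<cryptumount>` commands.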