Unable to auto mount a LUKS encrypted partition using pam_mount (on KDE)

I have a LUKS encrypted partition (/dev/sda1) which I would like to automount for a specific user at login. The encryption passphrase is the same as the user’s normal login password. I am using the SDDM login manager on KDE. My /etc/security/pam_mount.conf.xml is:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.
-->

<pam_mount>

        <!-- debug should come before everything else,
        since this file is still processed in a single pass
        from top-to-bottom -->

<debug enable="1" />

        <!-- Volume definitions -->


        <!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="2000" hup="no" term="yes" kill="yes" />


        <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>


The user’s .pam_mount.conf.xml file is

<?xml version="1.0" encoding="utf-8" ?>

<pam_mount>

<volume fstype="cifs" server="<servername>" path="<username>" mountpoint="/mnt/smbshare" options="nosuid,nodev" />
<volume fstype="crypt" path="/dev/sda1" mountpoint="/mnt/sda1" options="nosuid,nodev" />

</pam_mount>


So the first entry is a Samba share and the second is the encrypted partition.

I have also edited my /etc/pam.d/sddm to

#%PAM-1.0
auth     optional    pam_mount.so
auth     include     common-auth
account  include     common-account
password include     common-password
session  required    pam_loginuid.so
session  optional    pam_keyinit.so revoke
session  include     common-session
session  optional    pam_mount.so

With this configuration, the Samba mount is successful, but the encrypted drive does not mount. From the command line, I can successfully mount the drive (as superuser) using

mount.crypt /dev/sda1 /mnt/sda1

though obviously I have to supply the password. I have tried searching the system journal but haven’t spotted anything; however, I’m not sure how to search effectively.

I feel like I must be missing something obvious. Can anyone give me any clues? Thanks for any help.

As far as I can tell, pam_mount is supposed to write the password to the stdin of the mount helper. You may try to enable debug for pam_mount and/or strace sddm to see what the various spawned programs do (use strace -f to follow forks).

Thanks for your reply. Not sure how to run strace to capture the login, could you explain?

I enabled debug=2 in the pam_mount config file. I don’t know if pam_mount logs anywhere else, but these two lines in the system journal might be a clue:

Aug 24 15:02:08 linux-wol4 sddm-helper[3044]: (rdconf2.c:127): checking sanity of luserconf volume record (/dev/sda1)
Aug 24 15:02:08 linux-wol4 sddm-helper[3044]: (rdconf2.c:133): user-defined volume (/dev/sda1), volume not owned by user


Is this a udev problem I wonder?

Turns out it is. I created a new file /etc/udev/rules.d/95-custom-hdd.rules with the line

ACTION=="add", ENV{ID_FS_UUID}=="8c5312f4-9d98-48fd-8c86-98f607db93b3", GROUP="users", OWNER="<relevant_user>"

getting the value for ID_FS_UUID from

udevadm info --query=property --name /dev/sda1 | grep ID_FS_UUID

Then rebooted, logged in and the drive was mounted.

This page helped sort me out.

Cheers!

This should really be “add|change”. udev rebuilds device properties from scratch on every event and the kernel sometimes generates change events.

I would not call it “udev problem”, rather lack of proper documentation for mount.crypt (what exactly it expects).
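The two journal lines above (“volume not owned by user”) and the udev rule that fixed them are the whole mechanism here: pam_mount refuses a volume defined in a user’s .pam_mount.conf.xml unless the device node belongs to that user, and the udev rule is what makes the node belong to the user before login. The script below is an added example, not something posted in this thread or shipped with pam_mount: it approximates that ownership check with stat (the exact test in rdconf2.c is assumed, not quoted) and prints a udev rule that uses the “add|change” match recommended above. It assumes GNU coreutils (stat -c, id) and a group named “users”; the UUID and user name passed in are placeholders you substitute from udevadm info and your own account.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce pam_mount's luserconf
# ownership sanity check and generate the udev rule that satisfies it.

# check_volume_owner DEVICE USER
# Returns 0 when DEVICE is owned by USER, 1 otherwise. This mirrors the
# condition behind the journal message "user-defined volume (...), volume
# not owned by user" (assumed: pam_mount compares the node's owner uid with
# the logging-in user's uid). Requires GNU stat.
check_volume_owner() {
    dev="$1"
    user="$2"
    owner_uid=$(stat -c '%u' "$dev" 2>/dev/null) || return 1   # node missing
    user_uid=$(id -u "$user" 2>/dev/null) || return 1          # unknown user
    [ "$owner_uid" = "$user_uid" ]
}

# udev_rule UUID USER
# Prints a rule for /etc/udev/rules.d/ that hands the filesystem with the
# given ID_FS_UUID to USER. It matches "add|change" rather than just "add",
# because udev rebuilds properties from scratch on change events too.
udev_rule() {
    uuid="$1"
    user="$2"
    printf 'ACTION=="add|change", ENV{ID_FS_UUID}=="%s", GROUP="users", OWNER="%s"\n' \
        "$uuid" "$user"
}

# Stand-alone usage (values here are placeholders, not from a real system):
#   udev_rule "0000aaaa-bbbb-cccc-dddd-eeeeffff0000" alice \
#       > /etc/udev/rules.d/95-custom-hdd.rules
#   udevadm trigger
#   check_volume_owner /dev/sda1 alice && echo "pam_mount will accept it"
```

After writing the rule, re-running check_volume_owner against the real device tells you whether the rule actually applied (for instance after a reboot or udevadm trigger) before you go hunting through the journal again.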

You’re right, I probably should have said “is this a problem that can be solved using udev”.

Thanks for this tip.

arvidjaar, if you have time, could you also tell me how I can use strace to debug login problems, in case I need this in the future? Presumably running it in a normal terminal won’t work, as that would be terminated on logout?