I have a LUKS-encrypted partition (/dev/sda1) which I would like to automount for a specific user at login. The encryption passphrase is the same as the user’s normal login password. I am using the SDDM login manager on KDE. My /etc/security/pam_mount.conf.xml is:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
  See pam_mount.conf(5) for a description.
-->
<pam_mount>
  <!-- debug should come before everything else,
       since this file is still processed in a single pass
       from top-to-bottom -->
  <debug enable="1" />

  <!-- Volume definitions -->

  <!-- pam_mount parameters: General tunables -->
  <luserconf name=".pam_mount.conf.xml" />

  <!-- Note that commenting out mntoptions will give you the defaults.
       You will need to explicitly initialize it with the empty string
       to reset the defaults to nothing. -->
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <!--
  <mntoptions deny="suid,dev" />
  <mntoptions allow="*" />
  <mntoptions deny="*" />
  -->
  <mntoptions require="nosuid,nodev" />

  <!-- requires ofl from hxtools to be present -->
  <logout wait="2000" hup="no" term="yes" kill="yes" />

  <!-- pam_mount parameters: Volume-related -->
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
The user’s .pam_mount.conf.xml file is:
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
  <volume fstype="cifs" server="<servername>" path="<username>" mountpoint="/mnt/smbshare" options="nosuid,nodev" />
  <volume fstype="crypt" path="/dev/sda1" mountpoint="/mnt/sda1" options="nosuid,nodev" />
</pam_mount>
So the first entry is a Samba share and the second is the encrypted partition.
I have also edited my /etc/pam.d/sddm to:
#%PAM-1.0
auth optional pam_mount.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session optional pam_keyinit.so revoke
session include common-session
session optional pam_mount.so
With this configuration, the Samba mount is successful, but the encrypted drive does not mount. From the command line, I can successfully mount the drive (as superuser) using:
mount.crypt /dev/sda1 /mnt/sda1
though obviously I have to supply the password. I have tried searching the system journal but haven’t spotted anything; however, I’m not sure how to search effectively.
I feel like I must be missing something obvious. Can anyone give me any clues? Thanks for any help.