This works on Fedora 24 with active SELinux. Feedback on other platforms is welcome. gocryptfs --------- Copy the `gocryptfs` binary into `/usr/local/bin` . Create a gocryptfs filesystem: ``` $ mkdir /home/testuser/cipher /home/testuser/plain $ gocryptfs -init /home/testuser/cipher ``` pam_mount config ---------------- Put the following into `/etc/security/pam_mount.conf.xml`, just before the closing `` tag at the bottom: ``` ``` Replace `testuser` with your user name. PAM config ---------- An example `/etc/pam.d/sshd` on Fedora 24 is shown below. Basically, pam_mount must be called two times: 1. As the last element in "auth" so it gets the password. 2. As the last element in "session", where it performs the actual mount. ``` #%PAM-1.0 auth required pam_sepermit.so auth substack password-auth auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare # vvv insert here # auth optional pam_mount.so # ^^^ insert here # account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin # Used with polkit to reauthorize users in remote sessions -session optional pam_reauthorize.so prepare # vvv insert here # session optional pam_mount.so # ^^^ insert here # ``` Encrypting the whole home directory ----------------------------------- Use this volume definition in `/etc/security/pam_mount.conf.xml`: ``` ```