blob: 9537af6ca466b0a837652e5aeeb61288296f08a6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
This works on Fedora 24 with active SELinux. Feedback on other platforms
is welcome.
gocryptfs
---------
Copy the `gocryptfs` binary into `/usr/local/bin` .
Create a gocryptfs filesystem:
```
$ mkdir /home/testuser/cipher /home/testuser/plain
$ gocryptfs -init /home/testuser/cipher
```
pam_mount config
----------------
Put the following into `/etc/security/pam_mount.conf.xml`, just before
the closing `</pam_mount>` tag at the bottom:
```
<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet"
path="/usr/local/bin/gocryptfs#/home/%(USER)/cipher" mountpoint="/home/%(USER)/plain" />
```
Replace `testuser` with your user name.
PAM config
----------
An example `/etc/pam.d/sshd` on Fedora 24 is shown below. Basically, pam_mount must be called two times:
1. As the last element in "auth" so it gets the password.
2. As the last element in "session", where it performs the actual mount.
```
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
# vvv insert here #
auth optional pam_mount.so
# ^^^ insert here #
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
# vvv insert here #
session optional pam_mount.so
# ^^^ insert here #
```
Encrypting the whole home directory
-----------------------------------
Use this volume definition in `/etc/security/pam_mount.conf.xml`:
```
<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"
path="/usr/local/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
```
|
