I would like to decrypt my LUKS encrypted `/home` directory at login on Rocky Linux 9.1. I have been trying to adapt this Arch Linux guide (https://wiki.archlinux.org/title/Dm-crypt/Mounting_at_login; https://wiki.archlinux.org/title/Talk:Dm-crypt/Mounting_at_login) and this GitHub repo (https://github.com/fumiyas/linux-crypthome) for Rocky 9.1. `/etc/pam.d/system-login` does not exist for Rocky, so I have updated `/etc/postlogin` and `/etc/system-auth` with `pam_exec.so` calls to a custom script (`/usr/local/sbin/pam_cryptsetup.sh`) that will decrypt and mount my encrypted `/home` directory. The updates I made to `/etc/pam.d/postlogin` and `system-auth` allow me to `ssh` into my machine, but login from the GNOME login screen fails. If I am already logged in from `ssh` and then log in from the GNOME login screen, that will work. Does anyone know how to update the scripts in `/etc/pam.d/` to enable GNOME screen login, or have any bright ideas?
```sh
# cat /usr/local/sbin/pam_cryptsetup.sh
#!/bin/sh
# Only this user's home is encrypted; pam_exec exports the user being
# authenticated as $PAM_USER.
CRYPT_USER="user"
PARTITION="/dev/vg_alnair/crypthome.$CRYPT_USER"
NAME="decrypthome.$CRYPT_USER"
# Debugging lines (disabled): dump the password pam_exec passes on stdin.
# PW=$(cat /dev/stdin)
# echo $PW > /tmp/pw.$PAM_USER
if [ "$PAM_USER" = "$CRYPT_USER" ] && [ ! -e "/dev/mapper/$NAME" ]; then
    logger "$(basename "$0"): $PAM_USER: decrypting /dev/mapper/$NAME"
    # With expose_authtok the passphrase arrives on stdin, which cryptsetup
    # reads when stdin is not a terminal.
    /usr/sbin/cryptsetup open "$PARTITION" "$NAME"
    status=$?
    if [ $status -eq 0 ]; then
        logger "$(basename "$0"): cryptsetup success for $PAM_USER!: $status"
    else
        logger "$(basename "$0"): cryptsetup failed for $PAM_USER!: $status"
    fi
else
    logger "$(basename "$0"): $PAM_USER: not decrypting anything!"
fi
```
Here are some outputs from journalctl after failing to log in from the GNOME login screen:

```
# journalctl -r -t gdm-password]
Mar 20 17:46:59 alnair gdm-password][1851]: pam_unix(gdm-password:session): session closed for user user
Mar 20 17:46:56 alnair gdm-password][1851]: pam_exec(gdm-password:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:46:56 alnair gdm-password][1894]: pam_exec(gdm-password:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:46:56 alnair gdm-password][1851]: gkr-pam: gnome-keyring-daemon started properly
Mar 20 17:46:56 alnair gdm-password][1851]: gkr-pam: unable to locate daemon control file
Mar 20 17:46:56 alnair gdm-password][1851]: pam_unix(gdm-password:session): session opened for user user(uid=1000) by (uid=0)
Mar 20 17:46:56 alnair gdm-password][1851]: pam_systemd(gdm-password:session): Failed to create session: Job 2126 for unit 'session-4.scope' failed with 'dependency'
Mar 20 17:45:26 alnair gdm-password][1860]: pam_exec(gdm-password:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:26 alnair gdm-password][1851]: pam_exec(gdm-password:auth): send password to child
```
`/lib64/security` with all the other `pam` modules on Rocky Linux 9 and I can't find it via `dnf` (with EPEL enabled). There also isn't much on using `systemd-homed` on RHEL 9 derivatives. I would also like to get to the bottom of why this works for `ssh` login, but not for a GNOME session login.