Contents[Hide]

1. Scenario

In this Linux config we are going to create encrypted partition for user "linuxconfig" and use pam_mount to mount it under /home/linuxconfig directory. For this config we have used Debian Linux, however the very same principle for creating encrypted partitions can be applied also for any other Linux distributions such as SuSe, RedHat, Gentoo, Ubuntu.

2. Prerequisites

First and the most important one is to make sure that on partition on which you are going to encrypt, is empty. If you have some important data there move them NOW to some save place. When creating encrypted partition all data will be removed. Secondly we need to satisfied software prerequisite so you need to install packages for:

  • cryptsetup ( Ubuntu, Debian package: cryptsetup )
  • pam_mount ( Ubuntu, Debian package: libpam-mount )

3. Create Encrypted Partition

This command will create Encrypted partition /dev/sdb1 by formating it with LUKS Encryption:

# cryptsetup luksFormat /dev/sdb1 

Create Encrypted Partition

Open Encrypted partition:
This command will create an entry in /dev/mapper for sdb1 partition.

# cryptsetup luksOpen /dev/sdb1 sdb1 

will create an entry in /dev/mapper for sdb1 partition

4. Create Filesystem

Now we can create filesystem as on any other partition. The only difference is that we create filesystem via mapper. If you try to create filesystem on /dev/sdb1 you will get this error message:

mke2fs 1.40-WIP (14-Nov-2006)
/dev/sdb1 is apparently in use by the system; will not make a filesystem here!

Instead we will use command:

# mkfs.ext3 /dev/mapper/sdb1 

create filesystem on encrypted partition

5. Edit pam_mount.conf

Because we want new encrypted partition to be mounted every time user "linuxconfig" log in we need to alter /etc/security/pam_mount.conf file and add this line:

volume linuxconfig crypt - /dev/sdb1 /home/linuxconfig - - - 

Edit pam_mount.conf

6. Configure pam authentication

On Debian or Ubuntu system, you will need to edit two files:
/etc/pam.d/common-auth :

auth       optional     pam_mount.so 

Configure pam authentication common-auth

/etc/pam.d/common-session

session    optional     pam_mount.so 

Configure pam authentication common-session
Please NOTE: Some distributions have only one file with both auth and session.

7. Testing encrypted partition

Let's try login as a "linuxconfig" user, please note that you will be prompted to enter password two times, first time it will be your UNIX password and second time it will be your passphrase for your encrypted partition:
passphrase for encrypted partition


Now we need to confirm that we are using our new encrypted partition:
new encrypted partition



Free Linux eBooks

Do you have the right skills?

Our IT Skills Watch page reflects an up to date IT skills demand leaning towards the Linux and Unix environment. We have considered a number of skills and operating systems.

See the result...

Linux Online Training

Learn to run Linux servers and prepare for LPI certification with Linux Academy. 104 available video lessons with PDF course notes with your own server!

Go to top