Gentoo Forums
Encrypting /home with eCryptfs
Forum: Networking & Security
BenniTec (n00b; joined 20 Feb 2021; posts: 7)
Posted: Thu Apr 15, 2021 2:10 pm    Post subject: Encrypting /home with eCryptfs

Hi,

a few months ago I switched from Arch Linux to Gentoo.
Back then I had my /home/$USER directory encrypted with eCryptfs with auto-mounting through PAM.
When I switched to Gentoo I set up my SSD with LVM2 and a single BTRFS partition as root.
I didn't look into full-disk encryption with LUKS, because I thought I could replicate the same setup from Arch.
Now as it stands I tried to follow this guide:
https://wiki.gentoo.org/wiki/ECryptfs
but for some reason it didn't work and I couldn't log in, even on a tester account with no password.
Adding the entries and/or changing
Code:
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass

to
Code:
auth            required      pam_unix.so nullok  try_first_pass

broke elogind for some reason.
I had to boot into my recovery OS and manually restore /etc/pam.d/system-auth to make it possible to log in again.

Is it even secure to use eCryptfs, since Debian Buster used on my cloud server dropped support for ecryptfs-utils, because it is unmaintained since 2016?
Are there any other alternatives that do the same job?
If not, I could create a separate volume for $HOME.
I explicitly want auto-mounting on login with or without eCryptfs.

Btw, I use OpenRC as my PID 1.
alamahant (Advocate; joined 23 Mar 2019; posts: 3879)
Posted: Thu Apr 15, 2021 2:32 pm

Hi
Would this work?
Code:

auth      required   pam_env.so
auth      requisite   pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth            optional        pam_ecryptfs.so unwrap
auth      [default=die]   pam_faillock.so authfail

account      required   pam_unix.so
account         required        pam_faillock.so

password   required   pam_passwdqc.so config=/etc/security/passwdqc.conf
password        optional        pam_ecryptfs.so unwrap
password   required   pam_unix.so try_first_pass use_authtok nullok sha512 shadow

session      required   pam_limits.so
session      required   pam_env.so
session      required   pam_unix.so
session         optional        pam_ecryptfs.so unwrap

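To make the control flow of that auth stack visible, here is an added example (not code from the thread or from any PAM project): a small Python model of the pam.conf(5) control-flag semantics, run over the auth lines posted above and over an assumed reordering that places the `[default=die]` line straight after pam_unix. The module outcomes are supplied by the caller, so it only traces which lines are reached; it does not call PAM.

```python
# Added example, not from the thread: a minimal model of Linux-PAM's
# pam.conf(5) control semantics, reduced to "ok"/"fail" module outcomes.

KEYWORDS = {                       # keyword controls as [result=action] pairs
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The auth phase of alamahant's proposed stack, as posted above.
PROPOSED_AUTH = [
    ("required", "pam_env.so"),
    ("requisite", "pam_faillock.so preauth"),
    ("[success=1 default=ignore]", "pam_unix.so nullok try_first_pass"),
    ("optional", "pam_ecryptfs.so unwrap"),
    ("[default=die]", "pam_faillock.so authfail"),
]
# Assumed reordering for comparison only: the [default=die] line directly
# after pam_unix, so that success=1 jumps over it and reaches pam_ecryptfs.
REORDERED_AUTH = PROPOSED_AUTH[:3] + [PROPOSED_AUTH[4], PROPOSED_AUTH[3]]

def parse_control(control):
    """Map a control field to {result: action}, e.g. {'success': '1', 'default': 'ignore'}."""
    if control.startswith("["):
        return dict(kv.split("=", 1) for kv in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack, outcomes=None):
    """Walk one PAM phase; return (final result, list of modules that executed)."""
    outcomes, ran, status, i = outcomes or {}, [], None, 0
    while i < len(stack):
        control, module = stack[i]
        ran.append(module)
        actions = parse_control(control)
        key = "success" if outcomes.get(module, "ok") == "ok" else "default"
        action = actions.get(key, actions.get("default", "bad"))
        i += 1
        if action.isdigit():                  # success=N: skip the next N modules
            status, i = status or "ok", i + int(action)
        elif action in ("ok", "done"):        # record success unless a failure is pending
            status = status or "ok"
            if action == "done" and status == "ok":
                return status, ran            # sufficient: stop early on success
        elif action == "bad":                 # required: remember failure, keep going
            status = "fail"
        elif action == "die":                 # requisite / [default=die]: stop now
            return "fail", ran
    return status or "fail", ran              # "ignore" only: nothing decided, so failure
```

`run_stack(PROPOSED_AUTH)` returns `('fail', ...)` with `pam_ecryptfs.so` never executed, because `success=1` jumps over the line after pam_unix and lands on the `[default=die]` line; `run_stack(REORDERED_AUTH)` reaches `pam_ecryptfs.so` and returns `'ok'`.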
BenniTec (n00b; joined 20 Feb 2021; posts: 7)
Posted: Thu Apr 15, 2021 2:42 pm

alamahant wrote:
Hi
Would this work?
Code:

auth      required   pam_env.so
auth      requisite   pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth            optional        pam_ecryptfs.so unwrap
auth      [default=die]   pam_faillock.so authfail

account      required   pam_unix.so
account         required        pam_faillock.so

password   required   pam_passwdqc.so config=/etc/security/passwdqc.conf
password        optional        pam_ecryptfs.so unwrap
password   required   pam_unix.so try_first_pass use_authtok nullok sha512 shadow

session      required   pam_limits.so
session      required   pam_env.so
session      required   pam_unix.so
session         optional        pam_ecryptfs.so unwrap

No, unfortunately trying to do
Code:
login tester

as root fails.
Goverp (Veteran; joined 07 Mar 2007; posts: 1993)
Posted: Fri Apr 16, 2021 8:47 am

This may not be any help, but it may be worth reading the relevant part of the fscrypt README, as it does similar stuff with PAM.