pam_mount won't work directly with lvm2, RAID & LUKS

Post by rogge » Sat Feb 14, 2026 4:28 pm

Hi,

on my old/other Gentoo setup I was using pam_mount successfully for decrypting my home directory on login.
Now I have a RAID1 via lvm2, encrypted with LUKS. Opening via cryptsetup is working well:

Code:

cryptsetup open /dev/raid0vg0/raid0lv0 home

But within pam_mount it's not working at all:
Feb 13 18:42:30 lux login[1936]: (pam_mount.c:522): mount of /dev/raid0vg0/raid0lv0 failed
Feb 13 18:44:59 lux login[1935]: (mount.c:68): Messages from underlying mount program:
Feb 13 18:44:59 lux login[1935]: (mount.c:72): ehd_load: Inappropriate ioctl for device
The corresponding line in /etc/security/pam_mount.conf.xml, adapted from the old/other setup, is:
<volume group="wheel" fstype="crypt" path="/dev/raid0vg0/raid0lv0" mountpoint="/home/" />
Searching for "ehd_load: Inappropriate ioctl for device" shows no result. Nowhere.
Switching to UUID doesn't help. But enabling debugging was helpful:
Feb 13 20:13:08 lux login[1937]: (mount.c:675): Password will be sent to helper as-is.
Feb 13 20:13:08 lux login[1937]: command: 'mount' '-t' 'crypt' '/dev/disk/by-uuid/*************' '/home'
So, it looks like pam_mount mainly execs mount here. Trying to exec it by hand in verbose mode results in an error, too:

Code:

mount.crypt -v /dev/disk/by-uuid/************* /home
Password:
(mtcrypt.c:561): keysize=0 trunc_keysize=xy
ehd_load: Invalid argument

Thanks to https://www.reddit.com/r/linuxquestions ... t_logical/
I'm able to use pam_mount as wanted. It's not a bug, but a use case with special needs, and maybe what the Gentoo Wiki means by "other kind of encrypted file systems".

/etc/security/pam_mount.conf.xml now contains:

Code:

<volume group="wheel" fstype="crypt" path="/dev/disk/by-uuid/aaaaaaaaaaaa" mountpoint="/home/" />

<!-- cryptmount>cryptsetup open %(VOLUME) %(MNTPT)</cryptmount><cryptumount>cryptsetup close %(MNTPT)</cryptumount -->
<cryptmount>cryptsetup open %(VOLUME) home</cryptmount><cryptumount>cryptsetup close home</cryptumount>
<volume group="wheel" fstype="auto" path="/dev/disk/by-uuid/bbbbbbbbbbbb" mountpoint="/home/" />

ArchWiki shows this handling for unsupported VeraCrypt only: https://wiki.archlinux.org/title/Pam_mount

Debugging now shows:
lux login: lux
(pam_mount.c:365): pam_mount 2.20: entering auth stage
pam_mount password:
Last login: Sat Feb 14 16:00:33 CET 2026 on tty2
(pam_mount.c:568): pam_mount 2.20: entering session stage
(mount.c:261): Mount info: globalconf, user=lux <volume fstype="crypt" server="(null)" path="/dev/disk/by-uuid/aaaaaaaaaaaaaaaaaaa" mountpoint="/home" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" header="(null)" options="" /> fstab=0 ssh=0
(mount.c:675): Password will be sent to helper as-is.
command: 'cryptsetup' 'open' '/dev/disk/by-uuid/aaaaaaaaaaaaaaaaaaa' 'home'
...
(mount.c:261): Mount info: globalconf, user=lux <volume fstype="auto" server="(null)" path="/dev/disk/by-uuid/bbbbbbbbbbbbbbbbbbb" mountpoint="/home" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" header="(null)" options="" /> fstab=0 ssh=0
(mount.c:675): Password will be sent to helper as-is.
command: 'mount' '-tauto' '/dev/disk/by-uuid/bbbbbbbbbbbbbbbbbbbbbb' '/home'
...
(mount.c:564): 33 18 253:5 / /home rw,relatime - xfs /dev/mapper/home rw,attr2,inode64,logbufs=8,logbsize=32k,noquota
command: 'pmvarrun' '-u' 'lux' '-o' '1'
(pmvarrun.c:261): parsed count value 0
(pam_mount.c:441): pmvarrun says login count is 1
(pam_mount.c:660): done opening session (ret=0)
You have new mail in folder /var/mail/lux.
(pam_mount.c:116): Clean global config (**********)
(pam_mount.c:133): clean system authtok=0x... (*********)

I still have some open questions. That's why this topic is not in 'Documentation, Tips & Tricks'.

Q1: Why doesn't /dev/raid0vg0/raid0lv0 work directly, and why does pam_mount need this interim stage for the combination of lvm2, RAID and LUKS?

Q2: %(MNTPT) is /home here. But that's not working within cryptsetup, because cryptsetup needs a name, not a path/dir. So, is it possible to keep the config dynamic?


Thanks in advance, rogge.
Last edited by rogge on Thu Feb 19, 2026 9:48 am, edited 1 time in total.
Post by zen_desu » Sat Feb 14, 2026 6:31 pm

I'm not understanding the goal. Is it to have /home as a LUKS volume which is mounted at bootup? You should be able to configure that with the dmcrypt service on OpenRC without touching PAM.

I would prefer UUIDs over paths (even with udev) where possible as well.
µgRD dev
Wiki writer
Post by rogge » Sun Feb 15, 2026 4:43 pm

I wanna know what's the problem with mounting an encrypted LVM directly. In other words: Why

Code:

<volume group="wheel" fstype="crypt" path="/dev/raid0vg0/raid0lv0" mountpoint="/home/" />

is not working.

Yes, I know about dmcrypt and am using it successfully on another setup.
In this old post they discuss the same.
Post by pingtoo » Sun Feb 15, 2026 5:01 pm

rogge wrote:
> I wanna know what's the problem with mounting an encrypted LVM directly. In other words: Why
>
> Code:
>
> <volume group="wheel" fstype="crypt" path="/dev/raid0vg0/raid0lv0" mountpoint="/home/" />
>
> is not working.
>
> Yes, I know about dmcrypt and am using it successfully on another setup.
> In this old post they discuss the same.

I believe this is because mount.crypt does not support the configuration you have.

Effectively, your configuration has two layers: one is the physical storage, then a logical volume. The two appear in Linux under two different paths, and the mount.crypt configuration support does not allow you to directly express opening the first layer but using the second layer's path to mount.

Have you tried:

Code:

<volume 
    path="/dev/sda2" 
    mountpoint="/dev/mapper/my_encrypted_pv" 
    fstype="crypt" />

<volume 
    user="your_user" 
    path="/dev/mapper/vg_name-lv_home" 
    mountpoint="/home/your_user" 
    fstype="ext4" />

Maybe this will work? (I am just guessing)
Post by rogge » Thu Feb 19, 2026 9:50 am

With cryptmount it works:

Code:

<volume group="wheel" fstype="crypt" path="/dev/disk/by-uuid/aaaaaaaaaaaa" mountpoint="/home/" />
<cryptmount>cryptsetup open %(VOLUME) home</cryptmount><cryptumount>cryptsetup close home</cryptumount>
<volume group="wheel" fstype="auto" path="/dev/disk/by-uuid/bbbbbbbbbbbb" mountpoint="/home/" />
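
On Q2 from the first post (cryptsetup wants a mapping name while %(MNTPT) is a path), one way to keep the configuration generic is a small wrapper that derives the name from the mount point and validates it before running cryptsetup as root. This is an added example, not code from the thread or from pam_mount; the function names, the DRY_RUN switch and the script path mentioned below are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: hypothetical pam_mount helper that
# derives the device-mapper name from %(MNTPT) instead of hard-coding "home".

# /home/ -> home, /home/lux -> home-lux; anything unsafe is rejected.
mapper_name() {
    case $1 in
        /*) ;;
        *) echo "mount point must be absolute: $1" >&2; return 1 ;;
    esac
    # Strip leading/trailing slashes, then turn the remaining "/" into "-".
    name=$(printf '%s' "$1" | sed -e 's:^/*::' -e 's:/*$::' -e 's:/:-:g')
    case $name in
        ''|-*|.*|*[!A-Za-z0-9._-]*)
            echo "cannot derive a mapping name from: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$name"
}

# luks_helper open VOLUME MNTPT | luks_helper close MNTPT
luks_helper() {
    action=${1:-}
    case $action in
        open)
            volume=${2:-}
            name=$(mapper_name "${3:-}") || return 1
            set -- cryptsetup open "$volume" "$name" ;;
        close)
            name=$(mapper_name "${2:-}") || return 1
            set -- cryptsetup close "$name" ;;
        *)
            echo "usage: open VOLUME MNTPT | close MNTPT" >&2; return 2 ;;
    esac
    # DRY_RUN (assumed switch) prints the command instead of running it.
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; return 0; fi
    if [ "$action" = open ]; then
        [ -b "$volume" ] || { echo "not a block device: $volume" >&2; return 1; }
        cryptsetup isLuks "$volume" </dev/null ||
            { echo "no LUKS header on: $volume" >&2; return 1; }
    fi
    # exec keeps stdin, so the passphrase pam_mount sends reaches cryptsetup.
    exec "$@"
}

# Run only when called with arguments (as pam_mount would call it).
[ $# -eq 0 ] || luks_helper "$@"
```

Installed as, say, /usr/local/sbin/pam-luks-helper (assumed path), it would be referenced as `<cryptmount>/usr/local/sbin/pam-luks-helper open %(VOLUME) %(MNTPT)</cryptmount>` and `<cryptumount>/usr/local/sbin/pam-luks-helper close %(MNTPT)</cryptumount>`. The second `<volume>` entry is unaffected because it addresses the inner filesystem by UUID rather than by /dev/mapper name.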