How-to: Debian: Automatically mounted loopback images with dm-crypt, LUKS, pam_mount

How to create encrypted loopback images with dm-crypt and LUKS, and mount them automatically after login with pam_mount

I recommend using Debian squeeze for this scenario, as lenny includes a very old version of libpam-mount and I had lots of problems when I tried using it.
Using only the libpam-mount package and its dependencies from squeeze might do the job too (I didn't try it and I wouldn't recommend it either), but it leaves a very bitter aftertaste if you take a closer look at the dependencies.

1. Make sure you have the required kernel modules loaded. If you use the stock Debian kernel, this will be the case. If you don't, make sure you've set the following options:

  • CONFIG_BLK_DEV_DM=y or CONFIG_BLK_DEV_DM=m
  • CONFIG_DM_CRYPT=y or CONFIG_DM_CRYPT=m
  • CONFIG_CRYPTO_CBC=y or CONFIG_CRYPTO_CBC=m

Additionally, you need to include support for at least one cipher: CONFIG_CRYPTO_AES for the default LUKS cipher of the cryptsetup generation shipped with squeeze (aes-cbc-essiv:sha256), which also needs CONFIG_CRYPTO_SHA256 for the ESSIV IV generator.

In make menuconfig, you can find the required options at the following locations:

  • Device Drivers → Multiple devices driver support (RAID and LVM) → Device mapper support (CONFIG_BLK_DEV_DM)
  • Device Drivers → Multiple devices driver support (RAID and LVM) → Crypt target support (CONFIG_DM_CRYPT)
  • Cryptographic API → CBC support (CONFIG_CRYPTO_CBC), plus the cipher and hash entries (AES cipher algorithms, SHA224 and SHA256 digest algorithm)

To avoid a reboot, you can build all of these options as modules. If you choose to do so, you can later load them with modprobe dm_crypt, which pulls in dm_mod as a dependency.

2. Install the required packages
apt-get install cryptsetup libpam-mount
…apt-get should take care of all dependencies.

3. Generate a random key and assign it to a variable for later use

4. Encrypt the key and save it to a file

5. Create the loopback file and fill it with random data

This will create a 10 GB file and fill it with random data taken from /dev/urandom.
Another option (which will be much faster, especially on older hardware) is using /dev/zero to fill the loopback file with zeros. The trade-off: in a zero-filled image every block that has ever been written looks like random data while unused blocks stay zero, so an observer can tell how much of the container is in use; with a urandom-filled image the two are indistinguishable.

6. Set up a loop device

7. luksFormat it

8. Open it

9. Make a filesystem of your choice

10. Close it and detach the loop device
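Steps 3 to 10 as one added script (example code, not the original posting's commands). It assumes the user foobar and the paths from step 11, a key file named container.key, that the LUKS key is wrapped with the login password using openssl enc (so pam_mount can unwrap it later with fskeycipher/fskeyhash), and ext4 as the filesystem. The plaintext key is only ever piped between commands and is never written to disk in clear.

```shell
#!/bin/sh
# Added example for steps 3-10 of this how-to. Not the original posting's commands.
# Assumptions: user/paths from step 11, a key file named container.key, the LUKS
# key wrapped with openssl enc (aes-256-cbc, sha256 KDF digest) so pam_mount can
# unwrap it with the login password, and ext4 as the filesystem.
set -eu

USER_NAME="${USER_NAME:-foobar}"                         # login name, as in step 11
IMG="${IMG:-/home/$USER_NAME/container.img}"             # loopback image path from step 11
KEY_ENC="${KEY_ENC:-/home/$USER_NAME/container.key}"     # encrypted LUKS key (assumed name)
SIZE_MB="${SIZE_MB:-10240}"                              # 10 GB image, as in step 5
FILL="${FILL:-/dev/urandom}"                             # /dev/zero is faster but leaks usage
MAPPER="${MAPPER:-container_setup}"                      # temporary dm-crypt mapping name

# Step 3: 32 random bytes, hex-encoded (64 chars), returned on stdout so the caller
# can keep it in a variable; it never touches the disk in clear.
gen_key() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Step 4: wrap the key in the user's login password. openssl asks for the password
# twice; pam_mount (fskeycipher="aes-256-cbc" fskeyhash="sha256") reverses this.
encrypt_key() {
    key="$1"; out="$2"
    ( umask 077; printf '%s' "$key" | openssl enc -aes-256-cbc -md sha256 -salt -out "$out" )
    chown "$USER_NAME" "$out"
}

# Steps 5-10: create the image, format it with LUKS, put a filesystem in it, close it.
create_container() {
    key="$1"
    [ ! -e "$IMG" ] || { echo "refusing to overwrite $IMG" >&2; return 1; }
    ( umask 077; dd if="$FILL" of="$IMG" bs=1M count="$SIZE_MB" )              # step 5
    loop=$(losetup -f); losetup "$loop" "$IMG"                                   # step 6
    printf '%s' "$key" | cryptsetup --batch-mode luksFormat --key-file - "$loop" # step 7
    printf '%s' "$key" | cryptsetup luksOpen --key-file - "$loop" "$MAPPER"      # step 8
    mkfs.ext4 -q "/dev/mapper/$MAPPER"                                           # step 9
    cryptsetup luksClose "$MAPPER"; losetup -d "$loop"                           # step 10
    chown "$USER_NAME" "$IMG"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    KEY=$(gen_key)
    encrypt_key "$KEY" "$KEY_ENC"
    create_container "$KEY"
    unset KEY     # only the wrapped copy in $KEY_ENC survives
    echo "created $IMG; LUKS key wrapped in $KEY_ENC"
}

# Only act when called with "create"; otherwise the file just defines the functions.
if [ "${1:-}" = "create" ]; then main; fi
```

Run it as root with sh create-container.sh create. If it aborts midway, check losetup -a and cryptsetup status container_setup and clean up by hand. The fresh ext4 root directory belongs to root, so open and mount the container once by hand and chown the top-level directory to the user, otherwise pam_mount will mount the volume but the user cannot write to it. The -md digest passed to openssl must match fskeyhash in pam_mount.conf.xml: OpenSSL 1.1 defaults to sha256, older releases to md5, which is why the script names it explicitly.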

11. Configure pam_mount
Open /etc/security/pam_mount.conf.xml in your favorite text editor and change it to the following:

Using this configuration the image /home/foobar/container.img will get mounted into /home/foobar/containercontents when the user foobar logs in.
Enabling debugging is pretty useful if something isn't working as it should. In this case you can take a look at /var/log/auth.log.

12. Include /etc/pam.d/common-pammount in the PAM configuration files of the services that should use it (for example: sshd)
Open /etc/pam.d/sshd in your favorite text editor. Look for the line “@include common-session” and add a new line after it:

@include common-pammount

13. If needed, change the configuration of the relevant services (for example: sshd)
Open /etc/ssh/sshd_config in your favorite text editor and make sure you have the following lines in there (without UsePAM, sshd never runs the session stack and pam_mount is never called):

UsePAM yes

If you disable PasswordAuthentication and use keys instead, you still have to enter the user's password after connecting via SSH: pam_mount only receives the password when PAM performs the authentication, so with key-based logins it prompts for it itself during the session phase.
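Steps 11 to 13 as one added script (example code, not the original posting's files). It renders the pam_mount.conf.xml volume entry for user foobar, adds the @include line to /etc/pam.d/sshd without duplicating it on a second run, and checks sshd_config for UsePAM. The container.key file name and the fskeypath/fskeycipher/fskeyhash attributes are this example's assumptions and must match however the LUKS key was wrapped in step 4.

```shell
#!/bin/sh
# Added example for steps 11-13. Not the original posting's files. The user name,
# paths, the container.key file name and the fskey* attributes are assumptions
# matching the container-creation example (key wrapped with openssl enc
# -aes-256-cbc -md sha256). Run as root with "apply" to write the live config.
set -eu

# Step 11: render /etc/security/pam_mount.conf.xml with one volume. fstype="crypt"
# hands the image to mount.crypt; fskeypath/fskeycipher/fskeyhash make it decrypt
# the stored LUKS key with the login password instead of using the password directly.
render_pam_mount_conf() {
    user="$1"; img="$2"; mnt="$3"; keyfile="$4"; debug="${5:-1}"
    cat <<EOF
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
  <debug enable="$debug" />
  <volume user="$user" fstype="crypt" path="$img" mountpoint="$mnt"
          fskeypath="$keyfile" fskeycipher="aes-256-cbc" fskeyhash="sha256" />
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
EOF
}

# Step 12: put "@include common-pammount" right after "@include common-session"
# in a PAM service file, once; a second run must not add a duplicate line.
pam_include_present() {
    grep -qx '@include common-pammount' "$1"
}

add_pam_include() {
    f="$1"
    if pam_include_present "$f"; then return 0; fi
    grep -qx '@include common-session' "$f" || { echo "$f has no @include common-session" >&2; return 1; }
    tmp=$(mktemp)
    sed '/^@include common-session$/a\
@include common-pammount' "$f" > "$tmp"
    cat "$tmp" > "$f"      # keep the original file's owner and mode
    rm -f "$tmp"
}

# Step 13: sshd takes the first occurrence of a keyword, so report that one.
sshd_option() {
    awk -v opt="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == opt { print $2; exit }' "$1"
}

check_sshd_config() {
    f="$1"
    [ "$(sshd_option "$f" UsePAM)" = "yes" ] || { echo "set 'UsePAM yes' in $f" >&2; return 1; }
    if [ "$(sshd_option "$f" PasswordAuthentication)" = "no" ]; then
        echo "note: with key-based logins pam_mount will prompt for the password itself" >&2
    fi
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    render_pam_mount_conf foobar /home/foobar/container.img \
        /home/foobar/containercontents /home/foobar/container.key 1 \
        > /etc/security/pam_mount.conf.xml
    add_pam_include /etc/pam.d/sshd
    check_sshd_config /etc/ssh/sshd_config
    echo "pam_mount configured; restart sshd and test per step 14"
}

if [ "${1:-}" = "apply" ]; then main; fi
```

The rendered file deliberately contains only the debug, volume and mkmountpoint elements; Debian's shipped pam_mount.conf.xml carries further defaults (for example the mntoptions require="nosuid,nodev" line), so on a real system it is better to paste the volume line into the existing file than to overwrite it. Set the debug attribute to 1 while testing and back to 0 afterwards, as step 14 says.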

14. Test whether everything works as expected
Open a root session or use sudo and watch the auth log with tail -f /var/log/auth.log. Then log in as the user for which you configured a volume earlier.
If the encrypted loopback image gets mounted, also test whether it gets unmounted again when the user logs out. pam_mount counts the user's open sessions and only unmounts when the last one ends, so close every other login of that user first.
Once everything works, remove the debug line from /etc/security/pam_mount.conf.xml; with debugging enabled, pam_mount logs every step, including the mount commands it runs, to the auth log.

Many thanks go to the users tuxophil and pillgrim from the gentoo forums. Large parts of this howto were taken from their postings at http://forums.gentoo.org/viewtopic-t-274651.html.