Debian Lenny and per-user encrypted home directories

Here is a quick howto describing how I set up a Debian system with each user having its own home directory on a separate encrypted file system.

Installation and partitioning

The idea is to have a system where you can add several users and each of them has its own encrypted home directory. To do so I decided to install a standard Debian system with a standard partitioning scheme with a separate partition that I was going to use to hold each encrypted fs.

Using the Debian installer I chose to use this partition as an LVM physical volume. Then I added it to a volume group called "home". This VG contains each home directory as a logical volume. Each LV is encrypted using dm-crypt with the same passphrase as the user's login password, so that the password typed at login can also unlock the volume.

$ ls /dev/mapper
control   home-user1   home-user2

Before moving to the next step, make sure the users' home directories are empty (no dot files...). Also manually mount your encrypted partitions and set their correct owner. When you are done with this, umount everything and close the mappings with cryptsetup remove.
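As an added example (not part of the original post), here is a POSIX shell script for the manual steps described above: it creates the LV in the "home" VG, encrypts it with dm-crypt, creates the filesystem, mounts it once to set the owner, then unmounts and closes it again so pam_mount can take over at login. LUKS, ext3, the /home/<user> layout and Debian's user-private groups are assumptions; the passphrase typed at luksFormat must be the user's login password, otherwise pam_mount cannot open the volume.

```shell
#!/bin/sh
# Provision one per-user encrypted home volume, as the text describes by
# hand. Assumptions (not from the post): VG "home", LUKS on the LV,
# ext3, home at /home/<user>, Debian's user-private group (chown "user:").
set -e

VG="${VG:-home}"
FSTYPE="${FSTYPE:-ext3}"

# run CMD...: echo the command; execute it unless DRY_RUN=1 (root needed).
run() {
    printf '+ %s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# mapper_name USER -> name LVM gives the LV under /dev/mapper, e.g. home-user1
mapper_name() {
    printf '%s-%s\n' "$VG" "$1"
}

# add_encrypted_home USER SIZE
# The passphrase given to luksFormat must be the user's login password:
# pam_mount reuses the password typed at login to open the volume.
add_encrypted_home() {
    user="$1"; size="$2"
    lv="/dev/mapper/$(mapper_name "$user")"   # what pam_mount's path= names
    plain="$(mapper_name "$user")_crypt"      # temporary dm-crypt mapping
    home="/home/$user"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
        # pam_mount mounts over $home; anything left there would be hidden
        [ -z "$(ls -A "$home" 2>/dev/null)" ] || { echo "$home not empty" >&2; return 1; }
    fi
    run lvcreate -L "$size" -n "$user" "$VG"
    run cryptsetup luksFormat "$lv"
    run cryptsetup luksOpen "$lv" "$plain"
    run mkfs -t "$FSTYPE" "/dev/mapper/$plain"
    run mkdir -p "$home"
    run mount -t "$FSTYPE" "/dev/mapper/$plain" "$home"
    run chown "$user:" "$home"     # owner = user, group = user's login group
    run chmod 700 "$home"
    run umount "$home"
    run cryptsetup luksClose "$plain"   # same effect as "cryptsetup remove"
}

# Example: add_encrypted_home user3 2G   (DRY_RUN=1 to only print the steps)
```

With DRY_RUN=1 the script only prints the commands it would run, which is a convenient way to review the device and mount names before touching the real volume group.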

pam-mount installation and configuration

First of all, you have to install the pam-mount package:

$ sudo aptitude install libpam-mount

Then you have to edit /etc/security/pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<!-- Volume definitions -->
    <volume
        user="user1"
        fstype="crypt"
        path="/dev/mapper/home-user1"
        mountpoint="/home/user1"
    />
    <volume
        user="user2"
        fstype="crypt"
        path="/dev/mapper/home-user2"
        mountpoint="/home/user2"
    />
<!-- Global configuration -->
    <debug enable="0" />
</pam_mount>

The user parameter indicates that a volume should be mounted only when a particular user logs in.

Finally you have to activate this in the PAM configuration. Edit all the files in /etc/pam.d that are related to login capabilities (login, sshd, ...) and add the following line at their end:

@include common-pammount

And that should be it...