Debian Lenny and per-user encrypted home directories
Here is a quick howto describing how I set up a Debian system where each user has their own home directory on a separate encrypted file system.
Installation and partitioning
The idea is to have a system where you can add several users and each of them gets their own encrypted home directory. To do so I installed a standard Debian system with the standard partitioning scheme, plus a separate partition that I was going to use to hold the encrypted file systems.
Using the Debian installer I chose to use this partition as an LVM physical volume. Then I added it to a volume group called "home". This VG contains each home directory as a logical volume. Each LV is encrypted using dm-crypt, with the user's login password as the passphrase: pam_mount will hand that same password to cryptsetup at login, so the two have to match.
$ ls /dev/mapper
control home-user1 home-user2
Before moving to the next step, make sure the users' home directories are empty (no dot files, ...), because the encrypted volume will be mounted over them and anything already there would be hidden. Also mount each encrypted partition manually once and set its correct owner. When you are done with this, umount them and cryptsetup remove every mapping.
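The provisioning steps above (create the LV, encrypt it, make a file system, fix ownership, then close everything again) as a script, added here as an example and not taken from the original post. It assumes LUKS on top of dm-crypt, an ext3 file system, a VG named "home" with one LV per user (so the LV appears as /dev/mapper/home-USER, matching the paths used in the pam_mount configuration below), and a user that already exists with a group of the same name. With DRY_RUN=1 it prints the commands instead of running them; without it, it must run as root.

```shell
#!/bin/sh
# Provision one encrypted home volume for pam_mount (added example).
# Assumptions: LUKS over dm-crypt, ext3, VG "home", LV named after the user,
# Debian-style user-private group. DRY_RUN=1 prints commands instead of running them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision_home USER SIZE    e.g. provision_home alice 2G
provision_home() {
    user="$1"; size="$2"
    lv="/dev/mapper/home-$user"   # the LV device, the path pam_mount will open
    crypt="crypt-$user"           # temporary mapping name used only while provisioning
    mnt="/home/$user"

    if [ "${DRY_RUN:-0}" != "1" ] && ! getent passwd "$user" >/dev/null; then
        echo "no such user: $user" >&2
        return 1
    fi

    run lvcreate -L "$size" -n "$user" home
    # cryptsetup prompts for the passphrase on the terminal: enter the user's
    # login password, because pam_mount feeds exactly that password to cryptsetup.
    run cryptsetup luksFormat "$lv"
    run cryptsetup luksOpen "$lv" "$crypt"
    run mkfs.ext3 -q "/dev/mapper/$crypt"
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$crypt" "$mnt"
    # The root of the new file system must belong to the user, or the login
    # session cannot write its dot files there.
    run chown "$user:$user" "$mnt"
    run chmod 700 "$mnt"
    # Leave the volume closed: pam_mount opens and mounts it at login.
    run umount "$mnt"
    run cryptsetup luksClose "$crypt"
}
```

The passphrase is never passed on the command line, so it does not show up in the process list; cryptsetup reads it from the terminal. Keep in mind that pam_mount only unlocks the volume, it does not rekey it: if a user later changes their login password with passwd, the LUKS passphrase has to be updated too (cryptsetup luksChangeKey), otherwise the next login fails to mount the home directory.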
pam-mount installation and configuration
First of all, you have to install the pam-mount package:
$ sudo aptitude install libpam-mount
Then you have to edit /etc/security/pam_mount.conf.xml:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
    <!-- Volume definitions -->
    <volume
        user="user1"
        fstype="crypt"
        path="/dev/mapper/home-user1"
        mountpoint="/home/user1"
    />
    <volume
        user="user2"
        fstype="crypt"
        path="/dev/mapper/home-user2"
        mountpoint="/home/user2"
    />
    <!-- Global configuration -->
    <debug enable="0" />
</pam_mount>
The user parameter restricts a volume to one account: it is only mounted when that particular user logs in.
Finally you have to activate this in the PAM configuration. Edit all the files in /etc/pam.d that are related to login capabilities (login, sshd, ...) and add the following line at their end:
@include common-pammount
And that should be it...
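A small pre-flight check for the setup described above, added here as an example (not from the original post). It reads the volume definitions from pam_mount.conf.xml and verifies the three things that silently break a login when they are wrong: the device in path exists, the mountpoint exists and is still empty, and each PAM service file you rely on actually carries the @include line. The paths to the config file and the pam.d directory are parameters so it can be run against a test copy; it assumes one mountpoint/path attribute per line, as in the configuration above.

```shell
#!/bin/sh
# check_setup CONF PAMD_DIR SERVICE...   (added example)
# e.g. check_setup /etc/security/pam_mount.conf.xml /etc/pam.d login sshd
# Returns 0 when every check passes, 1 otherwise; problems go to stderr.
check_setup() {
    conf="$1"; pamd="$2"; shift 2
    rc=0

    # 1. every path= device must exist, or cryptsetup has nothing to open at login
    for dev in $(sed -n 's/.*path="\([^"]*\)".*/\1/p' "$conf"); do
        if [ ! -e "$dev" ]; then
            echo "missing device: $dev" >&2; rc=1
        fi
    done

    # 2. every mountpoint must exist and be empty: pam_mount mounts over it,
    #    so existing dot files would be hidden, not migrated
    for mnt in $(sed -n 's/.*mountpoint="\([^"]*\)".*/\1/p' "$conf"); do
        if [ ! -d "$mnt" ]; then
            echo "missing mountpoint: $mnt" >&2; rc=1
        elif [ -n "$(ls -A "$mnt")" ]; then
            echo "mountpoint not empty: $mnt" >&2; rc=1
        fi
    done

    # 3. each PAM service that grants logins must include common-pammount,
    #    otherwise that service logs the user into an unmounted home
    for svc in "$@"; do
        if ! grep -q '^@include common-pammount$' "$pamd/$svc"; then
            echo "$pamd/$svc does not include common-pammount" >&2; rc=1
        fi
    done

    return "$rc"
}
```

Run it as root once before the first login of each new user; the third check is the one most often missed, since sshd and login are configured in separate files and forgetting one of them leaves that login path mounting nothing.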