implement fscrypt for PAM

NeoTheFox · Oct 24, 2020 · b7e58d7 · b7e58d7
1 parent 05334ad
commit b7e58d7
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
@@ -206,6 +206,14 @@ let
           <command>su</command>)
         '';
       };
+
+      enableFscrypt = mkOption {
+        default = config.security.pam.enableFscrypt;
+	type = types.bool;
+	description = ''
+	  Unlocks fscrypt-encrypted filesystems on user login
+	'';
+      };
 
       pamMount = mkOption {
         default = config.security.pam.mount.enable;
@@ -392,6 +400,8 @@ let
                 "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
               ${optionalString cfg.pamMount
                 "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
+	      ${optionalString cfg.enableFscrypt
+	        "auth optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"}
               ${optionalString cfg.enableKwallet
                 ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
                  " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")}
@@ -421,6 +431,8 @@ let
           password sufficient pam_unix.so nullok sha512
           ${optionalString config.security.pam.enableEcryptfs
               "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
+	  ${optionalString cfg.enableFscrypt
+	      "auth optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"}
           ${optionalString cfg.pamMount
               "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
           ${optionalString use_ldap
@@ -579,6 +591,8 @@ in
 
     security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
 
+    security.pam.enableFscrypt = mkEnableOption "fscrypt filesystem encryption PAM module";
+
     security.pam.p11 = {
       enable = mkOption {
         default = false;
@@ -792,6 +806,7 @@ in
       ++ optional config.services.sssd.enable pkgs.sssd
       ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
       ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
+      ++ optionals config.security.pam.enableFscrypt [pkgs.fscrypt-experimental]
       ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
       ++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ]
       ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ];