I tried to use the undocumented setting users.extraUsers.NAME.cryptHomeLuks to have a LUKS-encrypted volume mounted to ~NAME on login via pam_mount (using the login passphrase). It works when I log in on the console or use the login command from the root account. However, when I log in to the machine via ssh the login succeeds but the user's home volume is not mounted. (This general technique works for me on ArchLinux, including during ssh login.)
Also, if cryptHomeLuks generally works for people, I'd like to see it added to the official manual, as an alternative to ecryptFs.
Steps to reproduce
Not sure I need to be this detailed, but here's roughly what I did to set up the LUKS volume:
lvcreate -L 1.6g -n NAME vg0
cryptsetup luksFormat /dev/vg0/NAME
cryptsetup open /dev/vg0/NAME zz
mkfs.ext4 /dev/mapper/zz
mount /dev/mapper/zz /home/NAME
touch /home/NAME/THIS_IS_CRYPTO
chown -R NAME:users /home/NAME
umount /home/NAME
cryptsetup close /dev/mapper/zz
Edit /etc/nixos/configuration.nix, adding:
Then: nixos-rebuild switch && reboot. Then log in from a remote machine via ssh.
elsewhere% ssh NAME@NIXHOST
NIXHOST% ls -l THIS_IS_CRYPTO
ls: cannot access 'THIS_IS_CRYPTO': No such file or directory
To compare, from root on NIXHOST:
root@NIXHOST# login NAME
NAME@NIXHOST% ls -l THIS_IS_CRYPTO
-rw-r--r-- 1 NAME users 0 Dec 20 14:49 THIS_IS_CRYPTO
I did the non-working ssh login first because my experience with this technique on Arch is that the user's volume is not always cleanly unmounted on logout. So an ssh after a console login might still see the mounted volume.
Technical details
System: 16.09.1272.81428dd (Flounder)
Nix version: nix-env (Nix) 1.11.4
Nixpkgs version: 16.09.1272.81428dd
Closing this just in the interest of tidiness. I'm sure the options mentioned have evolved since this was reported, but I'm not using them at the moment.
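The report above detects the missing mount with a marker file. The following is an added example, not part of the original issue or of NixOS, that instead classifies what backs a home directory from the mount table, since a session whose home is not mounted writes its files to the parent filesystem rather than the LUKS volume. The function name, the mapping name NAME_crypt and all sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: classify what backs a home directory.
# home_state MOUNTS HOME CRYPT_LIST prints one of:
#   unmounted       nothing is mounted on HOME (files land on the parent filesystem)
#   crypt <device>  HOME is mounted from a dm-crypt mapping
#   plain <device>  HOME is mounted from something that is not dm-crypt
# MOUNTS is a file in /proc/mounts format; CRYPT_LIST holds the output of
# `dmsetup ls --target crypt` (mapping name in the first column).
home_state() {
    mounts=$1 home=$2 crypt_list=$3
    # The last matching line wins: a later mount stacks over an earlier one.
    dev=$(awk -v h="$home" '$2 == h { d = $1 } END { print d }' "$mounts")
    if [ -z "$dev" ]; then
        echo unmounted
        return 0
    fi
    name=${dev#/dev/mapper/}
    # A /dev/mapper path alone proves nothing: LVM volumes live there too.
    if [ "$name" != "$dev" ] &&
       awk -v n="$name" '$1 == n { ok = 1 } END { exit !ok }' "$crypt_list"; then
        echo "crypt $dev"
    else
        echo "plain $dev"
    fi
}

# Constructed sample data (not captured from a real host). The mapping name
# NAME_crypt is an assumption; the real name is whatever pam_mount opened.
write_samples() {
    cat > "$1/mounts.ssh" <<'EOF'
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
EOF
    cat > "$1/mounts.console" <<'EOF'
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/NAME_crypt /home/NAME ext4 rw,relatime 0 0
EOF
    printf 'NAME_crypt\t(253:3)\n' > "$1/crypt"
}

d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
write_samples "$d"
echo "ssh login:     $(home_state "$d/mounts.ssh" /home/NAME "$d/crypt")"
echo "console login: $(home_state "$d/mounts.console" /home/NAME "$d/crypt")"
```

On a live host, pass /proc/mounts and a file holding the output of `dmsetup ls --target crypt`, which needs root to run.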