Encrypt user's home directory automatically

Open Fnoily opened this issue 5 years ago • 3 comments

I wonder whether fscrypt supports formatting (in an fscrypt format) a user's home directory automatically when the user is created, and decrypting/encrypting the home directory when the user logs in / logs out.

Just like ecryptfs: I can do these things with 'adduser --encrypt-home $username' and its PAM module.

Fnoily, Nov 24 '20 11:11

Especially, using a custom protector instead of the login pass.

Fnoily, Nov 25 '20 08:11

Re-opening this issue because there should be a way to do this. (There might already be a way, but it needs to be documented.)

ebiggers, Jun 27 '21 21:06

I think this would be a great addition to the project if it's not already possible. This can probably be done with an additional PAM module to create the home directory, similar to pam_mkhomedir.

I've tried to emulate this with my own PAM module using the pam_exec library:

Name: Create encrypted home directories for users on login
Default: yes
Priority: 0
Conflicts: pam_mkhomedir
Auth-Type: Additional
Auth:
	optional	pam_exec.so stdout expose_authtok seteuid /usr/local/bin/fscrypt_home.sh

The module simply runs a script and exposes the user password to it. The script itself creates the home directory and fscrypt accepts the password from stdin to create a user login protector.

jamesps-ebi, Jun 06 '23 07:06
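
A sketch of what a script in the role of /usr/local/bin/fscrypt_home.sh could look like, added here as an example; the commenter's own script is not shown in the thread and this is not it. It assumes pam_exec sets PAM_USER and PAM_TYPE, that fscrypt reads the passphrase from stdin as described in the comment above, and that regular accounts start at UID 1000; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the commenter's script): provision an fscrypt home from pam_exec.
# Assumes: PAM_USER/PAM_TYPE set by pam_exec, password on stdin (expose_authtok),
# regular accounts start at UID 1000. Function names are hypothetical.
LC_ALL=C; export LC_ALL

# PAM_USER is whatever was typed at the login prompt: accept only plain login names.
safe_login_name() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print missing, empty or in-use for a path; fscrypt can only encrypt an empty directory.
home_state() {
    if [ ! -e "$1" ] && [ ! -L "$1" ]; then echo missing
    elif [ -d "$1" ] && [ ! -L "$1" ] && [ -z "$(ls -A "$1")" ]; then echo empty
    else echo in-use
    fi
}

provision_home() {
    safe_login_name "$1" || return 1
    entry=$(getent passwd "$1") || return 1
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)   # from passwd, never "/home/$PAM_USER"
    [ "$uid" -ge 1000 ] || return 0                # leave system accounts alone
    case "$(home_state "$home")" in
        missing) mkdir -m 0700 "$home" || return 1
                 chown "$uid:$gid" "$home" || return 1 ;;
        empty)   ;;
        *)       return 0 ;;                       # populated: already set up, do nothing
    esac
    # stdin is still the pipe from pam_exec, so the password goes straight to fscrypt
    # and never appears in argv, the environment or a shell variable. Output is
    # discarded because the "stdout" option would relay it to the login prompt.
    fscrypt encrypt --quiet --source=pam_passphrase --user="$1" "$home" >/dev/null 2>&1
}

if [ -n "${PAM_USER:-}" ] && [ "${PAM_TYPE:-}" = auth ]; then
    provision_home "$PAM_USER"
fi
```

Because the directory has to be empty when it is encrypted, any skeleton files would be copied in only after the fscrypt step succeeds.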