Talk:TIP Run cryptsetup from xdm
From Gentoo Linux Wiki
How about using pam_mount? I wrote a howto on my website: http://manuelseeger.de/code/encrypted-home-partition
- Because of some differences between the two:
  - pam_mount..
    - assumes that each user has his/her own home partition
    - uses the user's login as a passphrase
    - unmounts file systems after logout
  - while this approach
    - assumes that all users share one home partition
    - mounts the volume once and does not unmount it again
- Somewhat like comparing apples and oranges. It's meant for a different situation. :)
- -- Pberndt 21:35, 27 May 2007 (UTC)
pam_mount
I removed the box "i strongly advice.." from the top of the page but re-added the information as a tip in the first paragraph. See discussion above for explanation. --Pberndt 13:13, 25 March 2008 (UTC)
Quote from the article:
Quote: One thing which really annoys me is that I have to go to my PC twice during bootup
Hmmm.. I really doubt that you would share your password to mount the crypto partition for /home with anybody. So to have an encrypted shared home partition as you advertise, you have to be the one to boot the machine AND to log in graphically for the first time to enable /home for other users. That's just no option for 99.9% of the users out there. Besides, what added protection apart from physical theft of the device does the encryption provide here in your opinion? IMHO this solution just plain makes no sense at all. pam_mount does it all in the right place using the right mechanisms. It's even possible to have multiple passwords to unlock the container using different passwords from different users.
- The most common application of block device encryption is protection from physical theft on single-user notebook machines. Within that use case it's even more flexible than pam_mount as it allows users to choose different passphrases for their account / the partition.
- -> The solution suggested here is meant for your workstation or notebook, not for a multiuser PC at the university. (I wouldn't store sensitive data on those anyway :)
- --Pberndt 19:03, 29 March 2008 (UTC)
