Mount multiple subvolumes of a LUKS encrypted BTRFS through pam_mount
Some days ago, @firstname.lastname@example.org convinced me on Mastodon to give BTRFS a try. That’s actually been a feature on my list for some time already, and now that I need to switch PCs at work I’m going for it. However, this post wouldn’t exist if everything went straight forward.. ;-)
I have a 1TB SSD that I want to encrypt. It should automatically get decrypted and mounted to certain places when I log in. pam_mount can do that for you, and I’ve already been using that a lot in different scenarios. However, with BTRFS it’s a bit different. With any other file systems you would create a partition on the hard drive, which is then LUKS encrypted. This has the drawback, that you need to decide on the partition’s size beforehand!
With BTRFS you can just encrypt the whole drive and use so-called subvolumes on top of it. Thus, you’re a bit more flexible by creating and adjusting quotas as required at any point in time (if at all…), but (or and!) the subvolumes are not visible unless the device is decrypted.
Let’s have a look into that and create the scenario.
I assume that the SSD is available as
Then we can create an encrypted container using LUKS:
You’re not sure which cipher or key-size to choose?
cryptsetup benchmark to see which settings perform best for you.
My CPU, for example, comes with hardware support for AES, thus the AES ciphers show a significantly higher throughput.
If you’re still feeling uncompfortable with that step, I recommend reading the sophisticated article at the
ArchLinux’ wiki on dm-crypt/Device encryption.
We can now open the encrypted device using
This will create a node in
/dev/mapper/mydrive, which represents the decrypted device.
Next, we’ll create a BTRFS on that device:
That’s indeed super fast, isn’t it!? I also couldn’t believe it.. ;-)
We can now mount the device, for example to
So far, the file system is completely empty.
But as it’s a BTRFS, we can create some subvolumes.
Let’s say, we want to create a volume for our
$HOME, and as we’re developing this website, we also want to create a volume called
So we have two subvolumes in that file system:
We could now mount them with
But we want the system to do it automatically for us, as we login.
So unmount everything and close the LUKS container:
PamMount can Decrypt and Mount Automatically
pam_mount already for ages! It is super convenient.
To get your home automatically decrypted and mounted, you would just need to add the following lines to your
Given this, PAM tries to mount the respective subvolumes of the disk (identified by the UUID
/var/www as soon as
YOU logs in.
Here, I am using UUIDs to identify the disks.
You can still use
/dev/sdb (or similar), but there is a chance, that the disks are recognised in a different sequence with the next boot (and
/dev/sdb may become
/dev/sdc or something…).
Plus, the UUID is invariant to the system – you can put the disk in any other machine and it will have the same UUID.
To find the UUID of your disk you can use blkid:
As said above, with BTRFS you’ll have your partitions (called subvolumes) right in the filesystem – invisible unless decrypted.
So, what is PAM doing?
It discovers the first entry in the
pam_mount.conf.xml configuration, which basically says
a1b20e2f-049c-...with some extra options to
PAM is also smart enough to understand that
a1b20e2f-049c-... is a LUKS encrypted device and it decrypts it using your login password.
This will then create a node in
/dev/mapper/_dev_sdb, representing the decrypted device.
And eventually, PAM mounts
So far so perfect.
But as soon as PAM discovers the second entry, it tries to do the same!
Again it detects a LUKS device and tries to decrypt that.
But unfortunately, there is already
Thus, opening the LUKS drive fails and you’ll find something like that in your
First it seems annoying that it doesn’t work out of the box, but at least it sounds reasonable that PAM cannot do what you what it to do..
… is quite easy, even though it took me a while to figure things out…
As soon as the first subvolume is mounted (and the device is decrypted and available through
/dev/mapper/_dev_sdb), we have direct access to the file system!
Thus, we do not neet to tell PAM to mount
/dev/disk/by-uuid/a1b20e2f-049c-..., but we can use
Or even better, we can use the file system’s UUID now, to become invariant to the
If you run
blkid with the device being decrypted you’ll find an entry like this:
You see, the new node
/dev/mapper/_dev_sdb also carries a UUID, actually representing the BTRFS :)
This UUID was by the way also reported by the
mkfs.btrfs call above.
What does that mean for our setup? When we first need a subvolume of an encrypted drive we need to use the UUID of the parent LUKS container. For every subsequent subvolume we can use the UUID of the internal FS.
Transferred to the above scenario, we’d create a
/etc/security/pam_mount.conf.xml like that:
Note the different UUIDs? Even though both mounts origin from the same FS :)
Actually, I wanted to have my home in a raid of two devices, but I don’t know how to tell
pam_mount to decrypt two devices to make BTRFS handle the raid..?
The only option seems to use mdadm to create the raid, but then BTRFS just sees a single device and, therefore, cannot do its extra raid magic…
If anyone has an idea on that issue you’ll have my ears :)
- administration (41) ,
- hardware (15) ,
- software (155) ,
- linuxunix (24) ,
- operatingsystem (14) ,
- howto (25) ,
- debian (26) ,
- university (46) ,
- security (29)
- btrfs (1) ,
- ssd (1) ,
- mastodon (2) ,
- pam (2) ,
- crypt (4) ,
- auth (2) ,
- config (21) ,
- debian (38) ,
- explained (41) ,
- security (31) ,
- university (42)
Leave a comment
There are multiple options to leave a comment:
- send me an email
- submit a comment through the feedback page (anonymously via TOR)
- Fork this repo at GitHub, add your comment to the _data/comments directory and send me a pull request
- Fill the following form and Staticman will automagically create a pull request for you:
Thank you for this! All the guides I could find were for LUKS drives, or BTRFS, but not for the both.
The solution is not difficult, but it is specific and needs to be done in the proper order. Thank you for saving my skin (and family’s data) with this guide!
Hi, I actually have a solution for home on btrfs raid 1 on luks devices: just use pam_exec:
auth include system-auth auth optional pam_exec.so expose_authtok /etc/pam_home.sh #< Add this line in /etc/pam.d/system-login
in /etc/pam_home.sh you have to write a script which unlocks your dmcrypt devices and mounts the btrfs e.g. the script from Marc: https://marc.merlins.org/perso/btrfs/post_2014-04-27_Btrfs-Multi-Device-Dmcrypt.html