PAM module to unlock self-encrypting drives on user login
git submodule update --init
mkdir build
cd build
cmake ..
make

This creates build/pam_sed.so.
- Build pam_sed.so
- Place pam_sed.so in the correct location
- Add /etc/sedtab
- Add pam_sed.so to PAM config files
The location of PAM modules is usually /lib/security or /lib64/security.
Alternatively you can use full paths in config files.
The module supports auth and session types.
auth unlocks drives and session mounts partitions.
auth optional pam_sed.so
session optional pam_sed.so
It is recommended to set the control value to optional
and not required because if something breaks you might get locked out of your system.
The config file contains two types of lines: Drive Lines and Mount Lines.
drive USERNAME /dev/DRIVE
If USERNAME logs in, unlock /dev/DRIVE using their password (unless the drive is already unlocked).
mount USERNAME /dev/PART PATH TYPE
When a session for USERNAME is opened, /dev/PART is mounted at PATH with filesystem type TYPE.
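A lint for the two line types above, useful for catching a malformed /etc/sedtab before relying on it at login. This is an added example, not pam_sed's own parser; the names `Kind`, `Entry`, `Parsed`, `parse_sedtab` and `entries_for` are hypothetical. It assumes whitespace-separated fields and is deliberately strict about `/dev/` devices and absolute mount paths, which the module itself may not require.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

enum class Kind { Drive, Mount };
struct Entry { Kind kind; std::string user, device, path, fstype; };  // path, fstype: Mount only
struct Parsed { std::vector<Entry> entries; std::vector<int> bad_lines; };  // bad_lines: 1-based

// Assumptions of this example: fields are whitespace-separated, blank lines are
// skipped, devices must start with /dev/ and mount paths must be absolute.
Parsed parse_sedtab(const std::string& text) {
    Parsed out;
    std::istringstream in(text);
    std::string line;
    for (int n = 1; std::getline(in, line); ++n) {
        std::istringstream fields(line);
        std::vector<std::string> f;
        for (std::string tok; fields >> tok;) f.push_back(tok);
        if (f.empty()) continue;
        bool dev_ok = f.size() >= 3 && f[2].rfind("/dev/", 0) == 0;
        if (f[0] == "drive" && f.size() == 3 && dev_ok)
            out.entries.push_back({Kind::Drive, f[1], f[2], "", ""});
        else if (f[0] == "mount" && f.size() == 5 && dev_ok && f[3][0] == '/')
            out.entries.push_back({Kind::Mount, f[1], f[2], f[3], f[4]});
        else out.bad_lines.push_back(n);  // unknown keyword or wrong field count
    }
    return out;
}

// Entries of one kind that apply to `user`, in file order.
std::vector<Entry> entries_for(const Parsed& r, const std::string& user, Kind kind) {
    std::vector<Entry> v;
    for (const auto& e : r.entries)
        if (e.kind == kind && e.user == user) v.push_back(e);
    return v;
}

// Constructed sample input; the user names and devices are made up.
const char* kSampleSedtab =
    "drive alice /dev/sdb\n"
    "mount alice /dev/sdb1 /home/alice/data ext4\n"
    "mount bob sdc1 /mnt/bob ext4\n"  // rejected: device is not under /dev/
    "drive carol\n";                  // rejected: missing device field

int main() {
    Parsed p = parse_sedtab(kSampleSedtab);
    for (int n : p.bad_lines) std::cout << "sedtab line " << n << " rejected\n";
    return 0;
}
```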
- After a disk is unlocked it takes a second or two for the OS to recognize its partitions. If you can unlock your drives using sedutil-cli but not this module, try increasing SLEEP_AFTER_UNLOCK in library.hpp.
- When a session is closed no partitions are unmounted.
This module is released under GPLv3+ and uses code from sedutil.