With that in mind, there are several options, depending in your operating system and security requirements. In this howto I’ll be concentrating on pam_mount, using a LUKS encrypted partition. Probably limited to Linux, then. PAM works in many Unix systems, but LUKS may be restricted.

But before beginning, you have to choose between security and speed. By that, I mean choose an encryption and chaining algorithms. For the most security, I recommend aes-xts-plain, with essiv:sha256 for IV calculation. For speed, though, on my netbook, I use blowfish-ecb-plain. Blowfish is slightly faster than AES, and not much less secure, but the ECB chaining mode is the fastest and very much insecure method. So choose wisely. Personally, my data isn’t that important, and if cryptanalysts are interested in it, there are better methods on getting the data: http://xkcd.com/538/

Now that you have chosen the algorithm, it’s time to encrypt your swap partition. That’s right, never forget the swap partition, where sensitive data may be swapped out to:

echo 'swap /dev/sdaX /dev/urandom swap,cipher=blowfish-ecb-plain'
  >> /etc/crypttab
echo '/dev/mapper/swap    swap    swap    defaults    0 0' >> /etc/fstab

Then reboot. Make sure you correct the swap device and replace the current entry in /etc/fstab.

Make a backup of your current home folder, or start from a clean state. Choose the partition you want your home to reside on, and format it as a LUKS device. First, however, you should zero the first megabyte or two, so that the detection code doesn’t mistake it as other filesystem:

dd if=/dev/zero of=/dev/sdaY bs=16M count=1

Take care to erase the correct device! And if it contained sensitive data, then remove the count=1 and let it zero the full partition. Next, format it as LUKS. I’ll be using the less secure algorithm. When asked for a passphrase, enter your user’s.

cryptsetup luksFormat /dev/sdaY --cipher blowfish-ecb-plain --key-size 128

OK, you now have a device formated for encryption. Next step, activate it, and format a real filesystem on top:

cryptsetup luksOpen /dev/sdaY enc

This will create the device: /dev/mapper/enc

For filesystem, choose what you will. I use ext4:

mkfs.ext4 /dev/mapper/enc

Then mount it, and restore your original data. Or start from scratch:

mount /dev/mapper/enc /mnt
cp -a /etc/skell/.[[:alnum:]]* /mnt/
chown user: /mnt -R
umount /mnt

Your home is ready! Unmount it, the job of mounting and unmounting will be done by pam_mount:

umount /mnt
cryptsetup luksClose enc

The preliminaries are done. You have your home in an encrypted device. Now, to configure pajm_mount for automatically mount and unmount it.

Make sure you have pam_mount installed in your system. The package is called like the name in Fedora, and libpam-mount in Debian/Ubuntu. The configuration file is /etc/security/pam_mount.conf.xml, read it, and disable any limitation you’re interested in. Add a line for your user:

<volume user="luciano" path="/dev/sdaY" mountpoint="~" options="" />

Note the empty options key, otherwise some default options may get in your way. Try either way. If you didn’t zero the device, and it gets detected as something else than a LUKS device, then add fstype="crypt_LUKS" to the line. You can see what it is detected as with:

# blkid /dev/sdaY
/dev/sdaY: UUID=".." SEC_TYPE="ext2" TYPE="ext3"

If it doesn’t say LUKS, then you must add the fstype definition.

pam_mount is now set up. Next, configure PAM to use it. There are some particularities for pam_mount, especially because GDM may try to start daemons as your user before you get your home mounted. Created a configuration file that will be include by other PAM-aware services, defining pam_mount

echo '
auth	optional	pam_mount.so
session	optional	pam_mount.so
' >> /etc/pam.d/system-mount

Now, depending on your current PAM configuration, you may get away with doing the following steps only to the /etc/pam.d/system-auth or other generic file, included by services’ definitions. But that is not the case for Fedora 11, and do make sure all services include the generic file first.
In my case, I changed the files:

• /etc/pam.d/sshd
• /etc/pam.d/login
• /etc/pam.d/gdm-password

Now, add the following line as the first auth definition, or as the definition immediately after an selinux permit or close action:

auth        include       system-mount

Also, for session, respecting the selinux thingy:

session     include       system-mount

Now try logging in as the user in a console, or via ssh. You should see the prompt for password as: pam_mount password:
If it works, then try a graphical login. Console is easier, a graphical login may get dbus or keyring programs running before the pam_mount is run, but you’ll prevent that by having the system-mount lines as the first ones.