Commit 7317f532 authored by ivanbrennan's avatar ivanbrennan

pam_fde_boot_pw: init at 0-unstable-2025-02-14

Add pam_fde_boot_pw, a PAM module that transfers a password from the
kernel keyring (for example, the passphrase used to unlock an encrypted
disk) into the PAM session. This enables user-space keyrings, such as
gnome-keyring, to be automatically unlocked.

Unlike pam_systemd_loadkey, which operates in the authentication phase
via an auth rule, pam_fde_boot_pw integrates into the session phase via
a session rule. This makes it effective for greetd auto-login setups,
where the authentication stack is skipped entirely.

An example configuration could contain:

    # Enable a systemd-based initrd so the LUKS passphrase entered at boot
    # is stored in the kernel keyring.
    boot.initrd.systemd.enable = true;

    # Configure the login PAM stack to unlock the user’s default GNOME
    # keyring when a password is available.
    security.pam.services.login.enableGnomeKeyring = true;

    # Configure greetd’s PAM stack to:
    #  - delegate most operations to login's PAM stack
    #  - transfer the LUKS passphrase into the PAM session during auto-login
    #  - inject the passphrase for use by gnome-keyring
    security.pam.services.greetd.text = ''
      auth      substack      login
      account   include       login
      password  substack      login
      session   optional      ${pkgs.pam_fde_boot_pw}/lib/security/pam_fde_boot_pw.so inject_for=gkr
      session   include       login
    '';

    services.greetd = {
      enable = true;
      settings = {
        # Automatically start a user session on boot.
        initial_session = {
          command = "sway";
          user = "john";
        };

        # Start a greeter after the initial session exits.
        default_session = {
          command = "${pkgs.cage}/bin/cage -s -d -- gtkgreet";
        };
      };
    };
parent 18cc0e8e
+51 −0
{
  lib,
  stdenv,
  fetchFromSourcehut,
  meson,
  ninja,
  pkg-config,
  pam,
  keyutils,
}:

stdenv.mkDerivation {
  pname = "pam_fde_boot_pw";
  version = "0-unstable-2025-02-14";

  src = fetchFromSourcehut {
    owner = "~kennylevinsen";
    repo = "pam_fde_boot_pw";
    rev = "49bf498fd8d13f73e4a24221818a8a5d2af20088";
    hash = "sha256-dS9ufryg3xfxgUzJKDgrvMZP2qaYH+WJQFw1ogl1isc=";
  };

  nativeBuildInputs = [
    meson
    ninja
    pkg-config
  ];

  buildInputs = [
    pam
    keyutils
  ];

  mesonFlags = [
    (lib.mesonOption "pam-mod-dir" "${placeholder "out"}/lib/security")
  ];

  meta = {
    description = "PAM module for leveraging disk encryption password in the PAM session";
    longDescription = ''
      pam_fde_boot_pw transfers a password from the kernel keyring (for example,
      the passphrase used to unlock an encrypted disk) into the PAM session.
      This enables user-space keyrings, such as gnome-keyring, to be
      automatically unlocked.
    '';
    homepage = "https://git.sr.ht/~kennylevinsen/pam_fde_boot_pw";
    license = lib.licenses.mit;
    platforms = lib.platforms.linux;
    maintainers = with lib.maintainers; [ ivanbrennan ];
  };
}
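Review bot: The derivation does not set `strictDeps = true;`, which nixpkgs expects for new packages so that the build-time tools listed in `nativeBuildInputs` (meson, ninja, pkg-config) are kept out of the host dependency set and cross builds are actually checked; add `strictDeps = true;` next to `nativeBuildInputs`. The `longDescription` would also benefit from stating the trust consequence a deployer should understand before enabling this module, along the lines of `Note that the disk-encryption passphrase becomes available to the user's PAM session, so the keyring it unlocks is only as well protected as that session.` — this follows from the module's stated purpose rather than from anything visible in the derivation, so confirm the wording against upstream's documentation. Since the version is pinned to an unstable revision, consider a `passthru.updateScript` (for example `unstableGitUpdater { }`, which would need adding to the function arguments) so the pin is refreshed with later upstream fixes.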