@zilti
Created February 7, 2019 12:08
OpenSUSE eCryptFS PAM
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive
#
session optional pam_systemd.so
session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_sss.so
session required pam_winbind.so
session optional pam_umask.so
session optional pam_exec.so expose_authtok /etc/security/ecryptfs.bash
session optional pam_ecryptfs.so unwrap
session optional pam_kwallet5.so
session optional pam_env.so
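
#!/bin/bash
# Run by pam_exec.so with expose_authtok: the login password arrives on stdin.

# Look up the home directory in the passwd database instead of eval-expanding ~$PAM_USER
home=$(getent passwd "$PAM_USER" | cut -d: -f6)
ecryptfs="/home/.ecryptfs/$PAM_USER/.ecryptfs"
# -r and an empty IFS keep backslashes and surrounding whitespace in the password
IFS= read -r password
if [ -d "$ecryptfs" ]; then
    # ecryptfs is set
    echo "Ecryptfs is already configured"
    exit 0
elif [ "$(id -u)" -eq 0 ]; then
    # Setup ecryptfs and make home
    umask 077
    mkdir -p "$home"
    group=$(id -gn "$PAM_USER")
    chown "$PAM_USER:$group" "$home"
    # Note: -l puts the login password on the command line, where it is
    # visible in the process list while ecryptfs-setup-private runs
    ecryptfs-setup-private -u "$PAM_USER" -l "$password" -b --nopwcheck
    exit 0
else
    # NOT ROOT
    echo "Cannot login with 'su' for the first time"
    exit 1
fi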