
pam_mount-0.48-1mdv2009.0.src.rpm

--- pam_mount-0.48/scripts/mount.crypt	2007-10-20 07:57:03.000000000 -0700
+++ pam_mount-0.48/scripts/mount.crypt.new	2008-02-12 22:27:48.000000000 -0800
@@ -108,6 +108,8 @@
 		(hash)    HASH="$VAL";;
 		(fstype)  FSTYPE="$VAL";;
 		(fsck)    DOFSCK="true";;
+		(sc_key_id) SC_KEY_ID="$VAL";;
+		(sc_key_file) SC_KEY_FILE="$VAL";;
 		(keyfile)
 			keyfile="$VAL";;
 		(loop)
@@ -149,7 +151,10 @@
 # Check for LUKS
 if cryptsetup isLuks "$DEVICE" 2>/dev/null; then
 	LUKS=true;
-	if [ -z "$keyfile" ]; then
+	if [ -n "$SC_KEY_ID" ]; then
+    	pkcs15-crypt --pkcs1 --decipher -k $SC_KEY_ID --raw -i $SC_KEY_FILE -p - | \
+	    cryptsetup luksOpen "$DEVICE" "$DMDEVICE" --key-file /dev/stdin;	
+	elif [ -z "$keyfile" ]; then
 		cryptsetup luksOpen $luks_ro "$DEVICE" "$DMDEVICE";
 	else
 		cryptsetup luksOpen $luks_ro -d "$keyfile" "$DEVICE" "$DMDEVICE";
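Review bot: The new smart-card branch drops `$luks_ro`, which both sibling branches still pass to `cryptsetup luksOpen`, so a volume configured read-only is opened read-write whenever sc_key_id is set. The same pipeline expands `$SC_KEY_ID` and `$SC_KEY_FILE` unquoted although they come straight from the volume option string parsed in the first hunk, and if sc_key_file is omitted the empty `$SC_KEY_FILE` makes `-i` consume `-p` as its argument instead of failing cleanly; a guard such as `[ -n "$SC_KEY_FILE" ] && [ -r "$SC_KEY_FILE" ] || exit 1` before the pipe would catch that. I would rewrite the pipeline as `pkcs15-crypt --pkcs1 --decipher -k "$SC_KEY_ID" --raw -i "$SC_KEY_FILE" -p - | cryptsetup luksOpen $luks_ro "$DEVICE" "$DMDEVICE" --key-file /dev/stdin;` (and drop the trailing whitespace and mixed tab/space indentation on those two lines). Note that the pipeline's status is cryptsetup's alone, so a PIN or decipher failure in pkcs15-crypt surfaces only as cryptsetup rejecting an empty key; the enclosing if/else block continues past the end of the hunk.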
--- pam_mount-0.48/doc/pam_mount.conf.5~	2008-09-11 04:07:28.000000000 +0200
+++ pam_mount-0.48/doc/pam_mount.conf.5	2008-09-14 04:03:45.000000000 +0200
@@ -402,6 +402,21 @@
 .PP
 <volume path="/home/%(USER).img" mountpoint="~" options="cipher-fskeycipher="aes\-256\-cbc"
 fskeypath="/etc/ehd/%(USER)" />
+.PP
+dm_crypt with smart card support example (need to have opensc installed and configured
+and with pkcs15-crypt supporting reading PIN from <stdin>):
+.PP
+volume user crypt - /dev/sda2 /home/user sc_key_id=45,sc_key_file=/etc/cryptsetup.key - -
+.PP
+.PP
+where:
+.PP
+sc_key_id:   ID of the private key stored in the smart card which will decrypt the key file
+sc_key_file: file which contains the filesystem key. This file is encrypted with the public key associated with the private sc_key_id
+.PP
+sample command to encrypt cryptsetup.clear into cryptsetup.key with the smart card using key id 45:
+openssl rsautl -in cryptsetup.clear -out cryptsetup.key -engine pkcs11 -keyform engine \
+        -encrypt -inkey 45 -pubin
 .SS cryptoloop volumes
 .PP
 cryptoloop mounts require a kernel with CONFIG_BLK_DEV_CRYPTOLOOP enabled.