This article describes basic usage of eCryptfs. It guides us through the process of creating a private and secure encrypted directory within the $HOME directory, where we can store all our sensitive files and
In its implementation, eCryptfs differs from dm-crypt: dm-crypt provides a block-device encryption layer, while eCryptfs is an actual file system, a stacked cryptographic file system to be exact.
In this wiki, I will encrypt the directory /home/mitesh/Private, which is located in the $HOME directory. /home/mitesh/Private is an ordinary directory and does not use a partition of its own.
eCryptfs can be installed as follows:
$ sudo apt-get install ecryptfs-utils
$ sudo yum install ecryptfs-utils
As a user, run the following command:
and follow the instructions.
First, we create the private directories:
$ mkdir /home/mitesh/Private
$ mkdir /home/mitesh/.Private
$ chmod 700 /home/mitesh/.Private
$ chmod 500 /home/mitesh/Private
Actual encrypted data will be stored in the ~/.Private directory (lower directory).
While mounted, decrypted data will be available in the ~/Private directory (upper directory):
- While not mounted, nothing can be written to this directory.
- While mounted, it has the same permissions as the lower directory.
eCryptfs can now be mounted on top of the upper directory:
$ sudo mount -t ecryptfs /home/mitesh/.Private /home/mitesh/Private
Passphrase: <-- some_passphrase
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: <-- ENTER
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection : <-- ENTER
Enable plaintext passthrough (y/n) [n]: <-- ENTER
Enable filename encryption (y/n) [n]: <-- ENTER
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=bd28c38da9fc938b
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key before.
This could mean that you have typed your passphrase wrong.

Would you like to proceed with the mount (yes/no)? : <-- yes
Would you like to append sig [bd28c38da9fc938b] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : <-- yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs
Remember to take a backup of /root/.ecryptfs in case the /root partition gets reformatted:
$ sudo cp -r /root/.ecryptfs /home/mitesh/
Verifying mounting of eCryptfs
$ mount | grep -i private
/home/mitesh/.Private on /home/mitesh/Private type ecryptfs (rw,relatime,ecryptfs_sig=e8d08163d274c68f,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
To confirm that the data is really encrypted, read a file through the upper directory, unmount, and then look at the same file in the lower directory:
$ cat ~/Private/test.txt
Some secret text is present in this file.
$ sudo umount /home/mitesh/Private
$ cat ~/Private/test.txt
cat: /home/mitesh/Private/test.txt: No such file or directory
$ cat ~/.Private/test.txt
-#@%!*^(junk characters)^*!%@#-
Mounting without interaction (the passphrase must then be stored in a file, preferably on a removable device such as a USB pen drive):
$ sudo mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/mnt/usb/.ecryptfs-pass,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n /home/mitesh/.Private /home/mitesh/Private
$ cat /mnt/usb/.ecryptfs-pass
passphrase_passwd=ThisIsAWeakPassword
Encrypting Other Directories
We can encrypt multiple directories by moving them into /home/mitesh/Private and creating soft links to them from their original locations:
$ mv ~/Documents ~/Private
$ ln -s ~/Private/Documents ~/Documents
By following the above two steps, we have encrypted the ~/Documents directory.
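As an added example (not from the original article), the move-and-symlink step above as a small script with the guards worth having around it: it refuses to run unless the upper directory is actually mounted, since moving data into an unmounted upper directory as root would leave it in plaintext; it refuses to relocate something that is already a symlink; and it never overwrites an existing entry inside the private directory. The function names are assumptions, /proc/mounts is assumed to exist for the mount check, and the paths are the article's.

```shell
#!/bin/sh
# Added example, not from the original article: move a directory into the
# mounted eCryptfs upper directory and leave a symlink behind, with checks.
set -eu

# Succeed if $1 is currently an ecryptfs mount point according to /proc/mounts.
ecryptfs_is_mounted() {
    grep -qs " $1 ecryptfs " /proc/mounts
}

# Move directory $1 into private directory $2 and replace it with a symlink.
# Refuses symlinks as source and never overwrites an existing destination.
relocate_into_private() {
    src=$1; private=$2
    name=$(basename "$src")
    dest="$private/$name"
    [ -d "$src" ] && [ ! -L "$src" ] || { echo "$src is not a plain directory" >&2; return 1; }
    [ -d "$private" ] || { echo "$private does not exist" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "$dest already exists, not overwriting" >&2; return 2; }
    mv "$src" "$dest"
    ln -s "$dest" "$src"
}

# Real run only when invoked as: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    upper=/home/mitesh/Private
    ecryptfs_is_mounted "$upper" || { echo "$upper is not mounted; mount it first" >&2; exit 1; }
    relocate_into_private "$HOME/Documents" "$upper"
fi
```

Note that once the private directory is unmounted, ~/Documents becomes a dangling symlink, which is the expected state: applications cannot read the data, and a well-behaved one will fail rather than recreate a plaintext directory in its place.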
When finished, unmount the private directory so the decrypted view disappears:
$ sudo umount /home/mitesh/Private