This guide explains what eCryptfs is, how to encrypt directories with eCryptfs in Linux, and how to mount and unmount encrypted directories.
What is eCryptfs?
eCryptfs is a POSIX-compliant, enterprise-grade cryptographic "stacked" filesystem for Linux. Please note that eCryptfs is not a kernel-level full disk encryption subsystem like dm-crypt.
With full disk encryption, the entire partition or disk on which the filesystem resides is encrypted. eCryptfs is instead a stacked filesystem: it is mounted on top of a directory of an existing (lower) filesystem and encrypts each file individually, so the lower directory holds only ciphertext.
Using eCryptfs, we can easily create an encrypted directory to store the confidential data and mount it on any directory.
No separate partition or pre-allocated space is required. eCryptfs works well on local filesystems such as EXT3, EXT4, XFS, JFS and ReiserFS. It also supports networked filesystems such as NFS, CIFS, Samba and WebDAV, but with reduced functionality compared to local filesystems.
It stores the cryptographic metadata in the header of each encrypted file (every file has its own randomly generated file encryption key, wrapped with the key derived from the mount passphrase), so encrypted files can be copied between users and even between systems and still be opened with the right passphrase. eCryptfs has been included in the Linux kernel since version 2.6.19.
eCryptfs is derived from Erez Zadok's Cryptfs, and the FiST framework for stacked filesystems.
eCryptfs was originally authored by Michael Halcrow and the IBM Linux Technology Center. It is now maintained by Dustin Kirkland and Tyler Hicks of Canonical, the company behind Ubuntu.
Install eCryptfs on Linux
eCryptfs has been packaged for many Linux operating systems and is available in the default repositories.
To install eCryptfs on Arch Linux and its variants like EndeavourOS and Manjaro Linux, run:
$ sudo pacman -S ecryptfs-utils
On Debian, Ubuntu, Linux Mint:
$ sudo apt-get install ecryptfs-utils
On Fedora:
$ sudo dnf install ecryptfs-utils
On openSUSE:
$ sudo zypper install ecryptfs-utils
Encrypt Directories With eCryptfs In Linux
For the purpose of this guide, I am going to encrypt a directory named "ostechnix".
Please note that you should not encrypt a non-empty directory. Files that are already there are not encrypted retroactively: they stay in cleartext in the lower directory, and with plaintext passthrough disabled (the default) they cannot even be read through the eCryptfs mount.
So if the directory contains any data, move it to a different location first, encrypt the empty directory, and then move the data back into the mounted, encrypted directory.
To encrypt the directory ostechnix with the eCryptfs filesystem, run the following command as sudo or root user:
$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/
When you mount a directory with eCryptfs for the first time, you will be prompted to answer a few questions: which cipher to use, the key size in bytes, whether to enable plaintext passthrough and whether to enable filename encryption. Read them carefully and answer accordingly. I go with the default values.
Two things to keep in mind before you accept the defaults. First, the answers are fixed for the lifetime of the directory: every later mount must use the same cipher, key bytes and filename-encryption setting. Second, the defaults are AES with 16 key bytes (AES-128) and no filename encryption, which means file names stay visible in the lower directory. For a new directory, 32 key bytes (AES-256) and filename encryption enabled are the better choice; leave plaintext passthrough disabled, and avoid the legacy ciphers (blowfish, des3_ede, cast5) unless you need them for compatibility.
[sudo] password for sk:
Passphrase: <----- Enter your passphrase here
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: <----- Press ENTER
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: <----- Press ENTER
Enable plaintext passthrough (y/n) [n]: <----- Press ENTER
Enable filename encryption (y/n) [n]: <----- Press ENTER
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=8567ee2ae5880f2d
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key before.
This could mean that you have typed your passphrase wrong.
Would you like to proceed with the mount (yes/no)? : yes <----- Type "yes" and press ENTER
Would you like to append sig [8567ee2ae5880f2d] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes <----- Type "yes" and press ENTER
Successfully appended new sig to user sig cache file
Mounted eCryptfs
That's it! The "ostechnix" directory has been encrypted with eCryptfs and automatically mounted.
Please take note of the mount passphrase you gave in the first step. You will need it to unlock the encrypted directory next time, and there is no recovery path: the file keys are wrapped with a key derived from this passphrase, so losing the passphrase means losing the data.
A signature cache file named "sig-cache.txt" is created under "/root/.ecryptfs/" (root's home, because the mount runs under sudo). It holds only the 8-byte signature of each passphrase you have mounted with, i.e. a hash-derived identifier that also names the key in the kernel keyring. It does not contain the passphrase and cannot be used to recover it; its purpose is the warning above, which tells you when the passphrase you typed has a signature that has never been seen before (usually a typo).
Now open your file manager and you will see that the encrypted directory is mounted.
You can also verify if it is really mounted from command line using "mount" command:
$ mount
You will see an output like below at the end:
/home/sk/ostechnix on /home/sk/ostechnix type ecryptfs (rw,relatime,ecryptfs_sig=8567ee2ae5880f2d,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
Congratulations! We have successfully encrypted a directory using eCryptfs. Now, move all your important files and folders inside the encrypted directory.
You can read and write the data in this directory as long as it is mounted with eCryptfs. Once the directory is unmounted, you still see the file names (filename encryption was not enabled above) and file sizes, but the contents are ciphertext and cannot be read.
Mount and Unmount encrypted directories
To unmount the eCryptfs directory, simply run:
$ sudo umount ~/ostechnix
To mount it again, run:
$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/
Enter the mount passphrase and then choose the cipher and key bytes. You must give the same values (cipher, key bytes, filename encryption) that you used when you created the encrypted directory. Note that the mount itself does not verify the passphrase: if the passphrase or the options differ, the mount still succeeds, the existing files are unreadable, and any files you write are encrypted under a different key.
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=8567ee2ae5880f2d
Mounted eCryptfs
Now the encrypted directory will be remounted.
Test encrypted directory
Create a new text file named "encrypt.txt" in the encrypted directory:
$ nano ~/ostechnix/encrypt.txt
Add some content to it. I am going to add the following line:
This is an encrypted file saved in ostechnix.com.
Save and close the file.
And then unmount the encrypted directory:
$ sudo umount ~/ostechnix
Now try to view the file with any text editor or with the "cat" command:
$ cat ~/ostechnix/encrypt.txt
You will see only binary garbage: the eCryptfs header followed by the encrypted contents.
To view the actual contents of the file, you must mount the directory again.
$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/
Now you can view the actual contents of the file stored in the encrypted directory.
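The "junk characters" above are not random: the lower copy of every eCryptfs file starts with a fixed header, whose first 8 octets hold the plaintext size (big-endian) and whose next 8 octets hold a marker made of 4 random bytes followed by those bytes XORed with the constant 0x3c81b7f5. The following script, an added example for this guide and not code from ecryptfs-utils, uses that marker to audit an unmounted directory and tell real ciphertext apart from cleartext that was left behind (the non-empty-directory mistake from earlier) or written while the directory was not mounted. The sample directory it builds is constructed for the demonstration; its "encrypted" file is a hand-made header, not eCryptfs output.

```shell
#!/bin/sh
# Added example for this guide, not code from ecryptfs-utils or the page.
# Checks files in the *lower* (unmounted) directory: is this eCryptfs
# ciphertext, or cleartext that was left behind or written while the
# directory was not mounted? Relies on the eCryptfs on-disk header:
# octets 0-7 hold the plaintext size (big-endian) and octets 8-15 hold a
# marker of 4 random bytes followed by those bytes XORed with 0x3c81b7f5.
set -eu

ECRYPTFS_MAGIC=0x3c81b7f5

# hex_at FILE OFFSET LEN: the requested bytes as lowercase hex, no separators.
hex_at() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# True if FILE starts with a valid eCryptfs marker.
ecryptfs_has_marker() {
    m1=$(hex_at "$1" 8 4)
    m2=$(hex_at "$1" 12 4)
    [ ${#m1} -eq 8 ] && [ ${#m2} -eq 8 ] || return 1
    [ $(( 0x$m1 ^ $ECRYPTFS_MAGIC )) -eq $(( 0x$m2 )) ]
}

# Plaintext size recorded in the header. It is stored unencrypted, so the
# lower directory leaks file sizes (and, with filename encryption off,
# file names) even though the contents are protected.
ecryptfs_plain_size() {
    size_hex=$(hex_at "$1" 0 8)
    [ ${#size_hex} -eq 16 ] || return 1
    echo $(( 0x$size_hex ))
}

# Classify every regular file under DIR.
audit_lower_dir() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        if ecryptfs_has_marker "$f"; then
            printf 'encrypted  %10s  %s\n' "$(ecryptfs_plain_size "$f")" "$f"
        else
            printf 'CLEARTEXT  %10s  %s\n' "$(wc -c < "$f")" "$f"
        fi
    done
}

# Constructed sample lower directory (not real eCryptfs output): one file
# with a well-formed header (plaintext size 49, marker 0x01234567 followed
# by 0x01234567 ^ 0x3c81b7f5 = 0x3da2f292) and two cleartext files.
make_sample_lower_dir() {
    head -c 7 /dev/zero > "$1/report.txt"
    printf '\061\001\043\105\147\075\242\362\222<ciphertext>' >> "$1/report.txt"
    printf 'This note was written while the directory was unmounted.\n' > "$1/notes.txt"
    printf 'short' > "$1/tiny"
}

# Usage: audit.sh /home/sk/ostechnix (while the directory is unmounted).
# With no argument the constructed sample directory is audited instead.
if [ $# -gt 0 ]; then
    audit_lower_dir "$1"
else
    sample=$(mktemp -d)
    make_sample_lower_dir "$sample"
    audit_lower_dir "$sample"
    rm -rf "$sample"
fi
```

Run it against the lower directory while it is unmounted; any line marked CLEARTEXT is a file eCryptfs never encrypted, which is exactly what you get when you mount over a directory that already had contents. The size column for encrypted files comes straight from the unencrypted header, which is a reminder that eCryptfs hides contents, not metadata.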
Change mount passphrase
Deleting the "/root/.ecryptfs/sig-cache.txt" file does not change the mount passphrase. That file is only the signature cache created at the first mount; removing it means the next mount will again warn that the key has never been seen before. The passphrase itself is what the file keys are wrapped with, so files encrypted under the old passphrase can only be read with the old passphrase. If you simply mount the same directory with a new passphrase, the kernel gets a key with a different signature: the existing files become unreadable and new files are encrypted under the new key.
To really change the passphrase of a directory: mount it with the old passphrase, copy the plaintext to a safe temporary location, unmount it, remove the old ciphertext from the lower directory, mount the now-empty directory again and enter the new passphrase at the Passphrase: prompt, then copy the data back and delete the temporary plaintext copy.
If you only want to get rid of the cached signature of the old passphrase, delete the cache file:
$ sudo rm /root/.ecryptfs/sig-cache.txt
Then run the same command we used to encrypt the directory; when the warning appears, confirm the mount and let it append the new signature:
$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/
Mount encrypted directory automatically on reboot
You may not want to mount the encrypted directory manually on every reboot. If so, there is an easy way to mount it automatically: a USB drive holds the passphrase file, and a configuration file in root's home holds the key signature, the path of that passphrase file and the other mount options. Be aware of what this trades away: the passphrase is stored in cleartext on the stick, so whoever has the stick can decrypt the directory.
Plug your USB drive. Create a mount point and mount the USB drive in the mount point as shown below:
$ sudo mkdir /mnt/usb
$ sudo mount /dev/sdb1 /mnt/usb/
Here, /dev/sdb1 is my USB drive. Use lsblk or blkid to find the device name of yours.
Next we need the signature. Remember the text file "/root/.ecryptfs/sig-cache.txt" that was created when we encrypted the directory for the first time? Open it and note down the signature:
$ sudo cat /root/.ecryptfs/sig-cache.txt
Sample output:
8567ee2ae5880f2d
Create a new text file called "password.txt" in the USB mount point directory to store the mount passphrase.
$ sudo nano /mnt/usb/password.txt
Enter your passphrase in this file. I use the following passphrase:
P@ssw0rd123#@!
Save and close the file, and make sure only root can read it (owner root, mode 0600). The passphrase sits in this file in cleartext, so anyone who can read it, or who takes the USB stick, can decrypt the directory.
Create a file named "/root/.ecryptfsrc" to store all the options required to mount the encrypted directory:
$ sudo nano /root/.ecryptfsrc
Add the following lines:
key=passphrase:passphrase_passwd_file=/mnt/usb/password.txt
ecryptfs_sig=8567ee2ae5880f2d
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
The signature, cipher, key bytes and filename-encryption setting must be the same values you used when creating the encrypted directory. Save and close the file.
Next open the /etc/fstab file and add the following two lines:
/dev/sdb1 /mnt/usb ext3 ro 0 0
/home/sk/ostechnix /home/sk/ostechnix ecryptfs defaults 0 0
The USB drive must be mounted before the encrypted directory, because it contains the passphrase needed to mount it. So the USB line must come before the encrypted directory line in your /etc/fstab file.
Two practical caveats: device names like /dev/sdb1 can change between boots, so it is safer to refer to the USB drive by its UUID (from blkid) instead of the device name; and with the options above the boot will stall or fail when the stick is not plugged in, so consider adding nofail to both lines. Remember that this setup reduces the protection of the directory to possession of the USB stick: remove the stick once the system is up and keep it separate from the machine.
Finally, reboot your system. From now on, /home/sk/ostechnix should be mounted automatically.
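What /etc/fstab and /root/.ecryptfsrc do at boot is a non-interactive mount with a passphrase file, and the same mechanism is handy for the manual mount and unmount steps earlier in this guide. The script below is an added example for this guide, not code from ecryptfs-utils or the page: it builds the mount options explicitly (AES-256 and filename encryption, which is what a new directory should start with, rather than the AES-128 defaults used above), refuses a passphrase file that is readable by others, checks whether the directory is already mounted, and provides the empty-directory check that should run before a directory is encrypted for the first time. It assumes it runs as root, that SIG is the signature printed at the first interactive mount (the value in /root/.ecryptfs/sig-cache.txt), and that the directory was created with the same cipher, key size and filename-encryption setting; the path /root/ostechnix.pass in the example invocation is an assumption.

```shell
#!/bin/sh
# Added example for this guide, not code from ecryptfs-utils or the page.
# Mounts an eCryptfs directory non-interactively from a passphrase file,
# the same mechanism the /root/.ecryptfsrc and /etc/fstab set-up relies on,
# with the checks a practitioner wants before handing a passphrase to mount.
# Assumptions: runs as root, ecryptfs-utils is installed, SIG is the key
# signature printed at the first interactive mount (also stored in
# /root/.ecryptfs/sig-cache.txt), and PASSFILE is root-only (mode 0600).
set -eu

# Build the option string. Cipher, key length and filename-crypto setting
# must match what the directory was first encrypted with; for a new
# directory use AES-256 (ecryptfs_key_bytes=32) and filename encryption,
# with the FNEK signature set to the mount key signature (the default the
# interactive prompt offers). ecryptfs_unlink_sigs drops the key from the
# kernel keyring at unmount; no_sig_cache skips the sig-cache.txt prompt.
build_ecryptfs_opts() {
    passfile=$1
    sig=$2
    printf 'key=passphrase:passphrase_passwd_file=%s' "$passfile"
    printf ',ecryptfs_sig=%s,ecryptfs_fnek_sig=%s' "$sig" "$sig"
    printf ',ecryptfs_cipher=aes,ecryptfs_key_bytes=32'
    printf ',ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y'
    printf ',ecryptfs_unlink_sigs,no_sig_cache\n'
}

# True if DIR (absolute path, no trailing slash) is an eCryptfs mount point.
ecryptfs_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 }
                   END { exit !found }' /proc/mounts 2>/dev/null
}

# The passphrase file must belong to the invoking user and be unreadable
# by anyone else; refuse to use it otherwise.
passfile_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || return 1
    case "$(stat -c '%a' "$f")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run this before the *first* interactive mount of a directory: anything
# already in it stays in cleartext in the lower directory and is not
# readable through the mount while passthrough is off.
dir_is_empty() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ]
}

# mount_ecryptfs_dir DIR PASSFILE SIG: remount an existing encrypted directory.
mount_ecryptfs_dir() {
    dir=${1%/}
    passfile=$2
    sig=$3
    if ecryptfs_mounted "$dir"; then
        echo "already mounted: $dir" >&2
        return 0
    fi
    if ! passfile_is_private "$passfile"; then
        echo "refusing: $passfile must be owned by uid $(id -u), mode 0600" >&2
        return 1
    fi
    mount -t ecryptfs "$dir" "$dir" -o "$(build_ecryptfs_opts "$passfile" "$sig")"
}

# Example invocation with the names used in this guide; /root/ostechnix.pass
# is an assumed path. Runs only when ECRYPTFS_DEMO=1 is set, as root.
if [ "${ECRYPTFS_DEMO:-0}" = 1 ]; then
    mount_ecryptfs_dir /home/sk/ostechnix /root/ostechnix.pass 8567ee2ae5880f2d
fi
```

To unmount, the plain "umount /home/sk/ostechnix" from earlier still applies; because the options include ecryptfs_unlink_sigs, the key is removed from root's keyring at that point instead of lingering until reboot.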
Conclusion
As you can see, creating encrypted directories with eCryptfs is incredibly easy! If you ever wanted to implement filesystem-level encryption or file-based encryption or file/folder encryption, without much effort, eCryptfs might be a good choice!
4 comments
eCryptfs is no longer actively developed, if I am not mistaken. People have moved to either LUKS or FsCrypt. You can check various links that come up with googling “eCryptfs versus FsCrypt” for details.
Thanks for the heads up. Never heard about fscrypt. I will look into it.
Yes, also luks is the more popular option.
Hi,
It is very interesting and straightforward when I read your post, thank you.
I’ve encountered a problem when recovering my user folder on linux mint 20 x64 and am not able to view anything I had in there which was very valuable personally, photos, kids schoolwork, mine too,etc, etc…
It strikes me how linux mint, and other linux distros too, so happily nail a checkbox right at the end of the installation process to opt to encrypt the personal filesystem, just like that, when it turns out to be a holy nightmare to succeed in recovering your files after, as in my case and in many others you’ll find on the web. I would really appreciate it if someone would enlighten me with this process.
The best help I have seen is a post here (where I also posted an answer):
https://askubuntu.com/questions/823218/how-to-recover-ecryptfs-encrypted-data-using-password-after-a-broken-upgrade/1285299#1285299
And this person solved it being an advanced Linux user, by the look of it; otherwise, I haven't seen any other single success story concerning this issue, yet.
Regards