
How To Encrypt Directories With eCryptfs In Linux

By sk

This guide explains what eCryptfs is, how to encrypt directories with eCryptfs in Linux, and how to mount and unmount encrypted directories.

What is eCryptfs?

eCryptfs is a POSIX-compliant, enterprise-class cryptographic "stacked" filesystem for Linux. Note that eCryptfs is not a kernel-level full-disk encryption subsystem like dm-crypt.

With full-disk encryption, the entire partition or disk in which the filesystem resides is encrypted. eCryptfs is instead a stacked filesystem: it is mounted on top of a directory of the main filesystem and encrypts each file individually.

Using eCryptfs, we can easily create an encrypted directory to store confidential data and mount it on any directory.

No separate partition or pre-allocated space is required. eCryptfs works well on local filesystems such as EXT3, EXT4, XFS, JFS and ReiserFS.

eCryptfs also works on networked filesystems such as NFS, CIFS/Samba and WebDAV, but it is not as fully functional there as it is on local filesystems.

It stores the cryptographic metadata in the header of each encrypted file, so encrypted files can be copied, backed up or moved between users and even between systems as they are, and decrypted elsewhere with the same passphrase. eCryptfs has been included in the Linux kernel since version 2.6.19.

eCryptfs is derived from Erez Zadok's Cryptfs, and the FiST framework for stacked filesystems.

eCryptfs was originally authored by Michael Halcrow at the IBM Linux Technology Center. It has since been maintained by Dustin Kirkland and Tyler Hicks of Canonical, the company behind Ubuntu.

Install eCryptfs on Linux

eCryptfs has been packaged for many Linux operating systems and is available in the default repositories.

To install eCryptfs on Arch Linux and its variants like EndeavourOS and Manjaro Linux, run:

$ sudo pacman -S ecryptfs-utils

On Debian, Ubuntu, Linux Mint:

$ sudo apt-get install ecryptfs-utils

On Fedora:

$ sudo dnf install ecryptfs-utils

On openSUSE:

$ sudo zypper install ecryptfs-utils

Encrypt Directories With eCryptfs In Linux

For the purpose of this guide, I am going to encrypt a directory named "ostechnix" in my home directory.

Please note that you should not encrypt a non-empty directory. eCryptfs does not encrypt what is already there: the existing files stay in plaintext in the underlying directory, and because they carry no eCryptfs header they cannot be read through the mount (unless plaintext passthrough is enabled).

So if the directory contains any data, move it to a different location, encrypt the directory, and then move the data back into the mounted, encrypted directory. Only files written through the mount are encrypted.

To encrypt the directory ostechnix with the ecryptfs filesystem, run the following command as the sudo or root user. The same path is given twice because the encrypted "lower" directory and the decrypted "upper" mount point are the same directory:

$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/

When you mount a directory with eCryptfs for the first time, you are prompted to answer a few questions: the mount passphrase, the cipher, the key size in bytes, whether to enable plaintext passthrough, and whether to enable filename encryption. Read them carefully. I go with the defaults here, which means AES with a 16-byte (128-bit) key, no passthrough and no filename encryption. Be aware that with filename encryption left off only file contents are protected; the names of your files remain readable by anyone who can list the directory. Choosing 32 key bytes gives AES-256, and answering "y" to filename encryption hides the names as well.

[sudo] password for sk: 
Passphrase: <----- Enter your passphrase here
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: <----- Press ENTER
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: <----- Press ENTER
Enable plaintext passthrough (y/n) [n]: <----- Press ENTER
Enable filename encryption (y/n) [n]: <----- Press ENTER
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=8567ee2ae5880f2d
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes <----- Type "yes" and press ENTER
Would you like to append sig [8567ee2ae5880f2d] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : yes <----- Type "yes" and press ENTER
Successfully appended new sig to user sig cache file
Mounted eCryptfs

That's it! The "ostechnix" directory is now mounted as an eCryptfs filesystem, and everything written into it from now on is stored encrypted.

Take note of the mount passphrase you entered in the first step. You will need it every time you mount the directory, and there is no recovery path: if you lose it, the data is unreadable.

A signature cache file named "sig-cache.txt" is created under "/root/.ecryptfs/" (root's home, because the mount ran via sudo). It records the signature of each passphrase you have mounted with: a short identifier derived from the key rather than the passphrase itself, which is also the name under which the key is held in the kernel keyring. The mount helper compares the signature of whatever you type against this file so that it can warn you, as it did above, when a passphrase it has never seen before is entered, the usual symptom of a typo.
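The following script is an added example and not part of the original article. It is a guard to run before the first "mount -t ecryptfs" on a directory: it refuses a directory that is missing, already a mount point, or not empty (dotfiles included), and only then runs the same mount command used above. The mount table is a parameter so the check can be exercised against a saved copy; on a live system it defaults to /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the original article: a guard to run before the
# first "mount -t ecryptfs DIR DIR".  It refuses a directory that is missing,
# already mounted, or not empty (dotfiles included), because eCryptfs does
# not encrypt what is already there: existing plaintext stays in the lower
# directory and is unreadable through the mount.  The mount command itself is
# the article's and is only run when the script is invoked with --mount.

# Succeed only if DIR contains nothing at all (the three patterns cover
# normal names, dotfiles and names starting with "..").
dir_is_empty() {
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        if [ -e "$entry" ] || [ -L "$entry" ]; then
            return 1
        fi
    done
    return 0
}

# Succeed if DIR appears as a mount point in the mount table MOUNTS
# (/proc/mounts on a live system, a saved copy for testing).
is_mount_point() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "$2"
}

# Preflight: 0 = safe to encrypt, 1 = missing, 2 = already mounted, 3 = not empty.
check_target() {
    dir=$1 mounts=${2:-/proc/mounts}
    [ -d "$dir" ] || { echo "refusing: $dir is not a directory" >&2; return 1; }
    if is_mount_point "$dir" "$mounts"; then
        echo "refusing: $dir is already a mount point" >&2
        return 2
    fi
    if ! dir_is_empty "$dir"; then
        echo "refusing: $dir is not empty; move its contents away, encrypt, then move them back" >&2
        return 3
    fi
    return 0
}

# Usage: sh ecryptfs-guard.sh --mount ~/ostechnix
if [ "${1:-}" = "--mount" ] && [ -n "${2:-}" ]; then
    check_target "$2" && sudo mount -t ecryptfs "$2" "$2"
fi
```

The exit codes are distinct on purpose: a wrapper that automates the setup can tell "already encrypted and mounted" (harmless, skip) apart from "has plaintext in it" (stop and ask the user).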

Now open your file manager and you will see that the encrypted directory is mounted.


You can also verify if it is really mounted from command line using "mount" command:

$ mount

You will see an output like below at the end:

/home/sk/ostechnix on /home/sk/ostechnix type ecryptfs (rw,relatime,ecryptfs_sig=8567ee2ae5880f2d,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

Congratulations! We have successfully encrypted a directory using eCryptfs. Now, move all your important files and folders inside the encrypted directory.

You can read and write data in this directory as long as it is mounted with eCryptfs. Once it is unmounted, you can still list the files (filename encryption was left off, so the names are in the clear), but their contents are ciphertext and cannot be read.
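Reading the mount line by eye is fine once; the script below, an added example that is not part of the original article, does the same check programmatically and reports the security-relevant options of an eCryptfs mount. The table is a parameter so it can run against a saved copy; on a live system pass /proc/mounts. The sample table is constructed: its first ecryptfs line is the mount output shown above, the second is a hypothetical mount with filename encryption and a 32-byte key.

```shell
#!/bin/sh
# Added example, not part of the original article: inspect a mount table the
# way "mount" reads it and summarise the security-relevant eCryptfs options
# for one directory.  The sample table is constructed for this example.

SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/sk/ostechnix /home/sk/ostechnix ecryptfs rw,relatime,ecryptfs_sig=8567ee2ae5880f2d,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
/home/sk/vault /home/sk/vault ecryptfs rw,relatime,ecryptfs_sig=8567ee2ae5880f2d,ecryptfs_fnek_sig=8567ee2ae5880f2d,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0
EOF

# Print the option field of DIR's ecryptfs mount from table MOUNTS; fail if
# DIR is not mounted as ecryptfs (the directory may exist and be plain).
ecryptfs_opts_for() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { print $4; found = 1 }
                   END { exit !found }' "$2"
}

# Extract one "name=value" option from a comma-separated option string.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p"
}

# One-line summary: cipher, key length in bits, and whether file names are
# encrypted (the kernel shows ecryptfs_fnek_sig only when they are).
ecryptfs_audit() {
    dir=$1 mounts=${2:-/proc/mounts}
    opts=$(ecryptfs_opts_for "$dir" "$mounts") || {
        echo "$dir: not an ecryptfs mount" >&2; return 1; }
    cipher=$(opt_value "$opts" ecryptfs_cipher)
    key_bytes=$(opt_value "$opts" ecryptfs_key_bytes)
    case ",$opts," in
        *,ecryptfs_fnek_sig=*) fnek=on ;;
        *) fnek=off
           echo "$dir: warning, file names are stored in the clear" >&2 ;;
    esac
    printf '%s: cipher=%s key_bits=%s filename_encryption=%s\n' \
        "$dir" "$cipher" "$((key_bytes * 8))" "$fnek"
}

ecryptfs_audit /home/sk/ostechnix "$SAMPLE_MOUNTS"
ecryptfs_audit /home/sk/vault "$SAMPLE_MOUNTS"
```

Run against /proc/mounts after mounting, the first call reports the defaults chosen above (AES-128, names in the clear) and prints a warning on stderr; a script that expects a directory to be protected can treat a non-zero exit as "not mounted, do not write secrets here".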

Mount and Unmount encrypted directories

To unmount the eCryptfs directory, simply run:

$ sudo umount ~/ostechnix

To mount it again, run:

$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/

Enter the mount passphrase and answer the cipher, key bytes, passthrough and filename encryption prompts exactly as you did when you created the encrypted directory. A different passphrase or key size yields a different key, and the files written under the original one will not open.

Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=8567ee2ae5880f2d
Mounted eCryptfs

Now the encrypted directory will be remounted.

Test encrypted directory

Create a new text file named "encrypt.txt" in the encrypted directory:

$ nano ~/ostechnix/encrypt.txt

Add some content to it. I am going to add the following line:

This is an encrypted file saved in ostechnix.com.

Save and close the file.

And then unmount the encrypted directory:

$ sudo umount ~/ostechnix

Now try to view the file with any text editor or with the "cat" command:

$ cat ~/ostechnix/encrypt.txt

You will see only garbage: the eCryptfs file header followed by ciphertext.


To view the contents of the file, you must remount the directory again.

$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/

Now you can view the actual contents of the file stored in the encrypted directory.
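The "junk" that cat prints while the directory is unmounted has structure, and it is worth knowing what it gives away. The script below is an added example, not part of the original article: it reads only the fixed header that eCryptfs writes at the start of every file in the lower directory, bytes 0 to 7 holding the plaintext size (big-endian) and bytes 8 to 15 holding the marker, two 32-bit words whose XOR equals 0x3c81b7f5 (MAGIC_ECRYPTFS_MARKER in the kernel's fs/ecryptfs/crypto.c). It decrypts nothing. Because the check cannot mount eCryptfs, the sample lower file is constructed inline: its header follows the real layout, but the bytes after it are filler rather than ciphertext.

```shell
#!/bin/sh
# Added example, not from the original article: recognise an eCryptfs lower
# file by its header and read the plaintext size it records.  The sample
# files are constructed here; only the header layout is genuine.

ECRYPTFS_MARKER=$((0x3c81b7f5))

# Dump the first N bytes of FILE as space-separated hex octets.
hex_bytes() {
    od -An -v -t x1 -N "$2" "$1" | tr -s ' \n' ' '
}

# Succeed if FILE has a valid eCryptfs marker at offset 8.
is_ecryptfs_file() {
    set -- $(hex_bytes "$1" 16)
    [ $# -eq 16 ] || return 1
    m1=$((0x$9${10}${11}${12}))
    m2=$((0x${13}${14}${15}${16}))
    [ $((m1 ^ m2)) -eq "$ECRYPTFS_MARKER" ]
}

# Print the plaintext length stored in the header.  This is visible to anyone
# holding the ciphertext, as is the file name when filename encryption is off.
ecryptfs_plain_size() {
    set -- $(hex_bytes "$1" 8)
    echo $((0x$1$2$3$4$5$6$7$8))
}

# Constructed samples: the article's 50-byte line as a plain file, and a lower
# file whose header says "50 bytes" with marker words 0x12345678 and
# 0x12345678 ^ 0x3c81b7f5 = 0x2eb5e18d, followed by filler.
PLAIN=$(mktemp); LOWER=$(mktemp)
printf 'This is an encrypted file saved in ostechnix.com.\n' > "$PLAIN"
{
    printf '\000\000\000\000\000\000\000\062'   # size = 0x32 = 50
    printf '\022\064\126\170\056\265\341\215'   # marker pair
    printf 'FILLER-NOT-CIPHERTEXT'               # stand-in for the rest
} > "$LOWER"

for f in "$PLAIN" "$LOWER"; do
    if is_ecryptfs_file "$f"; then
        echo "$f: eCryptfs header, plaintext size $(ecryptfs_plain_size "$f") bytes"
    else
        echo "$f: no eCryptfs marker (plain file)"
    fi
done
```

Two practical uses: run is_ecryptfs_file over a backup of the lower directory to confirm that every file really is encrypted (a file copied into the lower directory while unmounted would fail the check), and keep in mind that exact file sizes, and with the defaults above file names too, are metadata eCryptfs does not hide.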


Change mount passphrase

Deleting the "/root/.ecryptfs/sig-cache.txt" file does not change the mount passphrase, and it does not re-encrypt anything. That file only records the signatures of passphrases that have been used so far, so that the mount helper can warn about a typo; removing it merely brings back the "never mounted with this key before" warning on the next mount. The content key of every file is stored in that file's header, wrapped with a key derived from the mount passphrase, and eCryptfs offers no operation to rewrap it. If you mount the directory with a new passphrase, new files are written under the new key, but the files written under the old passphrase cannot be opened through that mount (you get an I/O error).

To really change the passphrase, re-encrypt the data: mount the directory with the old passphrase and copy the decrypted contents to a temporary location outside it; unmount, and move the old ciphertext files out of the directory so that it is empty; mount it again, entering the new passphrase and the same cipher and key size; copy the data back in; finally, delete the temporary plaintext copy and the old ciphertext.

If the directory is empty and you simply want to start over with a new passphrase, you can drop the cached signature so that the helper no longer compares against the old one:

$ sudo rm /root/.ecryptfs/sig-cache.txt

Then run the same mount command as before and enter the new passphrase when prompted:

$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/

Mount encrypted directory automatically on reboot

You may not want to mount the encrypted directory manually on every reboot. There is an easy way to mount it automatically at boot: a USB drive stores the passphrase, and /root/.ecryptfsrc points the mount helper at that file. Be aware of what this means: the passphrase sits in plaintext on the stick, so whoever holds the stick can decrypt the directory, and while the system is running the directory is decrypted for every user who has permission to read the files.

Plug your USB drive. Create a mount point and mount the USB drive in the mount point as shown below:

$ sudo mkdir /mnt/usb
$ sudo mount /dev/sdb1 /mnt/usb/

Here, /dev/sdb1 is my USB drive. Run lsblk to find the device name of yours.

Next we need the signature file details. Remember a text file named "/root/.ecryptfs/sig-cache.txt" is created when we encrypt the directory for the first time? Open it and note down the signature:

$ sudo cat /root/.ecryptfs/sig-cache.txt

Sample output:

8567ee2ae5880f2d

Create a new text file called "password.txt" on the USB drive to store the mount passphrase.

$ sudo nano /mnt/usb/password.txt

The mount helper expects the file to contain the passphrase as a single line of the form passphrase_passwd=<passphrase> (this is the format ecryptfs(7) documents for the passphrase_passwd_file option), not the bare passphrase. With the passphrase I use, the file contains:

passphrase_passwd=P@ssw0rd123#@!

Save and close the file, and restrict it to root with chmod 600: anyone who can read it can decrypt the directory.

Create a file named "/root/.ecryptfsrc" to store all required options to mount the encrypted directory:

$ sudo nano /root/.ecryptfsrc

Add the following lines:

key=passphrase:passphrase_passwd_file=/mnt/usb/password.txt
ecryptfs_sig=8567ee2ae5880f2d
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

You must use the same values that you gave when creating the encrypted directory (cipher, key bytes and filename encryption setting), and the signature from sig-cache.txt. Save and close the file.

Next open the /etc/fstab file and add the following lines:

/dev/sdb1       /mnt/usb        ext3    ro      0 0
/home/sk/ostechnix /home/sk/ostechnix ecryptfs defaults 0 0

Replace ext3 with the filesystem actually on your USB drive, and prefer identifying the drive by UUID=... (shown by blkid) rather than by /dev/sdb1, since device names can change between boots. The USB drive must be mounted before the encrypted directory, because it holds the passphrase, so keep the USB line above the encrypted directory line in /etc/fstab.

Finally, reboot your system. From now on, /home/sk/ostechnix is mounted automatically at boot, as long as the USB drive is plugged in. If it is not, the mount fails, and on systemd-based systems a failed /etc/fstab mount without the nofail option can drop the boot into emergency mode.
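To avoid hand-editing three files as root, the script below, an added example that is not part of the original article, generates the passphrase file, the .ecryptfsrc and the two fstab lines into a staging directory for review before they are copied into place. It differs from the steps above in two deliberate ways: the passphrase file is written in the passphrase_passwd=<passphrase> form documented for passphrase_passwd_file and is created mode 0600, and the USB drive is referenced by filesystem UUID with the nofail option rather than by /dev/sdb1. The UUID is a placeholder; the signature and passphrase are the ones used in this guide. The optional fifth argument of write_ecryptfsrc, an ecryptfs_fnek_sig value, is only needed if filename encryption was enabled when the directory was created.

```shell
#!/bin/sh
# Added example, not from the original article: stage the auto-mount
# configuration (passphrase file, .ecryptfsrc, fstab lines) for review.
# The UUID is a placeholder; replace it with the value blkid prints.

# Passphrase file in the mount helper's documented format, owner-only.
write_passphrase_file() {
    ( umask 077; printf 'passphrase_passwd=%s\n' "$2" > "$1" )
}

# .ecryptfsrc with the options the first mount printed.  SIG comes from
# /root/.ecryptfs/sig-cache.txt; FNEK_SIG (5th argument) only when filename
# encryption was enabled at creation time.
write_ecryptfsrc() {
    rcfile=$1 passfile=$2 sig=$3 key_bytes=${4:-16} fnek_sig=${5:-}
    ( umask 077; {
        printf 'key=passphrase:passphrase_passwd_file=%s\n' "$passfile"
        printf 'ecryptfs_sig=%s\n' "$sig"
        printf 'ecryptfs_cipher=aes\n'
        printf 'ecryptfs_key_bytes=%s\n' "$key_bytes"
        printf 'ecryptfs_passthrough=n\n'
        if [ -n "$fnek_sig" ]; then
            printf 'ecryptfs_enable_filename_crypto=y\n'
            printf 'ecryptfs_fnek_sig=%s\n' "$fnek_sig"
        else
            printf 'ecryptfs_enable_filename_crypto=n\n'
        fi
    } > "$rcfile" )
}

# The two fstab lines, USB drive first because it holds the passphrase.  The
# drive is mounted read-only and with nofail so a missing stick does not stop
# the boot; the ecryptfs line is the one from the guide.
fstab_lines() {
    uuid=$1 usb=$2 dir=$3 fstype=${4:-ext3}
    printf 'UUID=%s %s %s ro,nofail 0 0\n' "$uuid" "$usb" "$fstype"
    printf '%s %s ecryptfs defaults 0 0\n' "$dir" "$dir"
}

STAGE=$(mktemp -d)
write_passphrase_file "$STAGE/password.txt" 'P@ssw0rd123#@!'
write_ecryptfsrc "$STAGE/ecryptfsrc" /mnt/usb/password.txt 8567ee2ae5880f2d
fstab_lines 0000-0000 /mnt/usb /home/sk/ostechnix > "$STAGE/fstab.add"
echo "staged in $STAGE: copy password.txt to the stick, ecryptfsrc to /root/.ecryptfsrc, append fstab.add to /etc/fstab"
```

Because the ecryptfs line in fstab is left exactly as in the guide, a boot without the stick still fails that mount; if you would rather boot into a system where the directory is simply absent, handle that line the way your init system recommends instead of adding unknown options to an ecryptfs mount.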

Conclusion

As you can see, creating encrypted directories with eCryptfs is easy. If you want per-file, filesystem-level encryption of a single directory without setting up a separate partition, eCryptfs might be a good choice.

4 comments

sitaram June 8, 2020 - 10:23 am

eCryptfs is no longer actively developed, if I am not mistaken. People have moved to either LUKS or FsCrypt. You can check various links that come up with googling “eCryptfs versus FsCrypt” for details.

sk June 8, 2020 - 12:28 pm

Thanks for the heads up. Never heard about fscrypt. I will look into it.

elleven July 12, 2020 - 7:23 pm

Yes, also luks is the more popular option.

Norbert October 20, 2020 - 5:03 pm

Hi,
It is very interesting and straightforward when I read your post, thank you.
I’ve encountered a problem when recovering my user folder on Linux Mint 20 x64 and am not able to view anything I had in there which was very valuable personally, photos, kids' schoolwork, mine too, etc., etc…
It strikes me how Linux Mint, and other Linux distros too, so happily nail a checkbox right at the end of the installation process to opt to encrypt the personal filesystem, just like that, when it turns out to be a holy nightmare to succeed in recovering your files after, as in my case and in many others you’ll find on the web. I would really appreciate it if someone would enlighten me with this process.
The best help I have seen is a post here (where I also posted an answer):

https://askubuntu.com/questions/823218/how-to-recover-ecryptfs-encrypted-data-using-password-after-a-broken-upgrade/1285299#1285299

And this person solved it being an advanced Linux user, by the look of it; otherwise, I haven’t seen any other single success story concerning this issue, yet.

Regards

