How to set up eCryptFS in Linux will be introduced in this post. We can store encrypted files in one eCryptFS directory, the manual way. The content can be seen only after it is mounted as eCryptFS file system. Otherwise, the users can only see garbled characters in the files.
Note that this tutorial will cover the “manual way” which you may find a little bit different from other tutorials which uses the
ecrypt-umount-private tools. The benefit of this method is that you will only need to keep the passphrase only. No
~/.ecryptfs directory is required. And after a directory is mounted, it will not be automatically unmounted after the user session is closed.
Here, we use Fedora 22 as the example platform.
Install eCryptFS tools
First, install utils for ecryptfs:
# dnf install ecryptfs-utils
Add ecryptfs module to Linux Kernel
Load the ecryptfs kernel module:
# modprobe ecryptfs
If we store encrypted file in
/home/zma/.private directory and mount it to
# mount -t ecryptfs /home/zma/.private /home/zma/private
For the first time you mount the ecryptfs directory, it will ask you to set up the encryption as follows.
Select key type to use for newly created files: 1) tspi 2) passphrase 3) pkcs11-helper Selection: 2 Passphrase: Select cipher: 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 Selection [aes]: 1 Select key bytes: 1) 16 2) 32 3) 24 Selection : 2 Enable plaintext passthrough (y/n) [n]: n Enable filename encryption (y/n) [n]: y Filename Encryption Key (FNEK) Signature [a-signature-here]: Attempting to mount with the following options: ecryptfs_unlink_sigs ecryptfs_fnek_sig=a-signature-here ecryptfs_key_bytes=32 ecryptfs_cipher=aes ecryptfs_sig=a-signature-here WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt], it looks like you have never mounted with this key before. This could mean that you have typed your passphrase wrong. Would you like to proceed with the mount (yes/no)? : yes Would you like to append sig [a-signature-here] to [/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : yes Successfully appended new sig to user sig cache file Mounted eCryptfs
For the later mounting, it will ask you the info again. You must provide the same choices here to mount the directory correctly. Otherwise, you will see “garbage” content.
To make this easier by not choosing so many options, you may store a command as an alias or a script as follows:
mount -t ecryptfs /home/zma/.private /home/zma/private \ -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y
The mount process will be like:
# mount -t ecryptfs /home/zma/.private /home/zma/private -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y Passphrase: ENTER YOUR PASSPHRASE HERE Filename Encryption Key (FNEK) Signature [a-signature-here]: Attempting to mount with the following options: ecryptfs_unlink_sigs ecryptfs_fnek_sig=a-signature-here ecryptfs_key_bytes=32 ecryptfs_cipher=aes ecryptfs_sig=a-signature-here Mounted eCryptfs
If you do not want to see the FNEK message anymore, you can add the option
ecryptfs_fnek_sig=THE_SIGNATURE_ABOVE with the signature printed to the
After it is mounted, you can check it:
# df -hT Filesystem Type Size Used Avail Use% Mounted on ... /home/zma/.private ecryptfs 473G 4.7G 449G 2% /home/zma/private
Then you can read/write from/to files under
/home/zma/.private as a normal directory.
# umount /home/zma/private
less a file under
/home/zma/.private. You will only see encrypted binary files.
When you want to read your files, mount this directory again and your files will be back :)