Setting Up eCryptFS on Linux: A Manual Guide
On Fedora/RHEL-based systems:
dnf install ecryptfs-utils
On Debian/Ubuntu:
apt-get install ecryptfs-utils
Load the kernel module
modprobe ecryptfs
To ensure the module loads automatically on boot, add it to /etc/modules-load.d/:
echo "ecryptfs" | sudo tee /etc/modules-load.d/ecryptfs.conf
Create directories
You’ll need two directories: a lower directory for the encrypted storage (.private) and an upper directory used as the mount point (private). The .private directory holds the ciphertext; the private mount point is where you read and write the decrypted files while the mount is active, so both should belong to your user and be restricted to it (mode 700).
mkdir -p /home/zma/.private /home/zma/private
First-time mount
Mount the encrypted directory with interactive prompts (mount requires root, so prefix the command with sudo if you are not already root):
mount -t ecryptfs /home/zma/.private /home/zma/private
You’ll be prompted for several options. The numbers shown depend on which key modules are installed on your system, so choose by label rather than by number:
Key type: Choose passphrase (listed as 2 here; the most straightforward option).
Passphrase: Enter a strong passphrase. This is the only secret you need to remember, and it cannot be recovered if lost.
Cipher: Select 1 for AES (recommended for security and performance).
Key bytes: Select 2 for 32-byte (256-bit) keys.
Plaintext passthrough: Answer n. Passthrough would expose any unencrypted files already sitting in .private through the mount point; with n, only encrypted files are served.
Filename encryption: Answer y (encrypts filenames too). You will then be asked for a filename encryption key (FNEK) signature; accept the default, which is the signature of the passphrase you just entered.
Because this signature has never been used before, the helper warns that it is not in ~/.ecryptfs/sig-cache.txt and asks whether to proceed, then whether to append the signature to that file. Answer yes to both. The check is a typo guard: if the same warning appears on a later mount, the passphrase you typed does not match the one used when the directory was created.
After a successful mount, verify with:
df -hT | grep ecryptfs
Streamline future mounts
Rather than answering prompts each time, use a single command with all options pre-specified. First, note the signature printed during initial setup, then run:
mount -t ecryptfs /home/zma/.private /home/zma/private \
-o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,\
ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,\
ecryptfs_fnek_sig=SIGNATURE_HERE
Replace SIGNATURE_HERE with the actual signature from your first mount (a 16-character hex string). You can find it in ~/.ecryptfs/sig-cache.txt.
When prompted, enter your passphrase. The mount will complete without additional prompts.
To simplify further, create a shell alias or script (run it with sudo, since mount requires root):
cat > ~/bin/mount-private.sh << 'EOF'
#!/bin/bash
mount -t ecryptfs /home/zma/.private /home/zma/private \
-o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,\
ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,\
ecryptfs_fnek_sig=YOUR_SIGNATURE_HERE
EOF
chmod +x ~/bin/mount-private.sh
Using mounted storage
Once mounted, /home/zma/private behaves like a normal directory:
echo "sensitive data" > /home/zma/private/file.txt
ls -la /home/zma/private/
The files are transparently encrypted and decrypted by the kernel. Check the underlying encrypted storage to confirm it’s unreadable. Because filename encryption is on, the lower directory does not contain an entry named file.txt; the file appears under an encrypted name prefixed with ECRYPTFS_FNEK_ENCRYPTED., so list the directory first:
ls /home/zma/.private/
cat /home/zma/.private/ECRYPTFS_FNEK_ENCRYPTED.*
You’ll see binary garbage, confirming encryption is working. If a plain name such as file.txt ever shows up in .private, something wrote to the lower directory directly and that file is not encrypted.
Unmount when done
umount /home/zma/private
After unmounting, .private still holds ordinary files, but their names and contents are ciphertext until the directory is remounted with the passphrase. Note that umount by itself leaves the key in the kernel keyring: unless the mount was made with the ecryptfs_unlink_sigs option (or you clear the user keyring with keyctl clear @u), the directory can be remounted by that user or root without retyping the passphrase until the keyring is cleared or the system reboots.
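The mount, verification and unmount steps above, folded into one script. This is an added example, not code from the original post; the paths, the sig-cache location, the ecryptfs_unlink_sigs option added to the post's mount options, and the sample inputs mentioned in the comments are assumptions for illustration. The helpers that parse the signature cache, build the option string, inspect a /proc/mounts listing and inspect a lower-directory listing run without root; only do_mount and do_umount touch the kernel.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for a manual eCryptFS
# mount. LOWER, UPPER and SIG_CACHE are assumptions; override via environment.
set -u

LOWER="${LOWER:-/home/zma/.private}"
UPPER="${UPPER:-/home/zma/private}"
SIG_CACHE="${SIG_CACHE:-${HOME:-/root}/.ecryptfs/sig-cache.txt}"

# Read the first signature from a sig-cache file and validate its shape:
# an eCryptFS key signature is 8 bytes, written as 16 lowercase hex digits.
read_sig() {
    cache="$1"
    [ -r "$cache" ] || { echo "no sig cache at $cache" >&2; return 1; }
    sig=$(head -n 1 "$cache" | tr -d '[:space:]')
    case "$sig" in
        ''|*[!0123456789abcdef]*) echo "malformed signature: '$sig'" >&2; return 1 ;;
    esac
    [ "${#sig}" -eq 16 ] || { echo "signature must be 16 hex digits, got ${#sig}" >&2; return 1; }
    printf '%s\n' "$sig"
}

# Assemble the options used by the non-interactive mount in the post, plus
# ecryptfs_unlink_sigs so the key is dropped from the kernel keyring on umount
# and the directory cannot be remounted without the passphrase.
mount_opts() {
    printf 'key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,'
    printf 'ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,'
    printf 'ecryptfs_fnek_sig=%s,ecryptfs_unlink_sigs\n' "$1"
}

# Succeed if the given mount point is listed as an ecryptfs mount in a
# /proc/mounts-style file (second argument; defaults to the real one).
is_mounted() {
    awk -v m="$1" '$2 == m && $3 == "ecryptfs" { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Inspect a listing of the lower directory (one name per line on stdin). With
# filename encryption on, every entry carries the ECRYPTFS_FNEK_ENCRYPTED.
# prefix; a plain name means something bypassed the mount and that file is
# stored unencrypted.
check_lower_names() {
    awk '$0 !~ /^ECRYPTFS_FNEK_ENCRYPTED\./ { bad++ } END { exit (bad > 0) }'
}

# Mount (root required). Refuses to stack a second ecryptfs layer on an
# already-mounted UPPER; mount.ecryptfs still prompts for the passphrase.
do_mount() {
    sig=$(read_sig "$SIG_CACHE") || return 1
    if is_mounted "$UPPER"; then echo "$UPPER is already mounted" >&2; return 1; fi
    [ "$(id -u)" -eq 0 ] || { echo "mount requires root; rerun with sudo" >&2; return 1; }
    mount -t ecryptfs "$LOWER" "$UPPER" -o "$(mount_opts "$sig")" || return 1
    ls -1 "$LOWER" | check_lower_names || echo "warning: unencrypted names found in $LOWER" >&2
}

# Unmount; because of ecryptfs_unlink_sigs the key leaves the keyring as well.
do_umount() {
    is_mounted "$UPPER" || { echo "$UPPER is not mounted" >&2; return 1; }
    umount "$UPPER"
}

case "${1:-}" in
    mount)  do_mount ;;
    umount) do_umount ;;
esac
```

Invoke as `sudo ./mount-private.sh mount` and `sudo ./mount-private.sh umount`. The check_lower_names pass after mounting is the cheap way to catch the common mistake of writing into .private instead of private.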
Important notes
- Passphrase recovery: Your passphrase is the only key to your data. Losing it means losing access forever. There is no recovery mechanism.
- Signature caching: eCryptFS records your key signature in ~/.ecryptfs/sig-cache.txt. The file is only a cache used to warn you when a mount uses a signature it has not seen before; if you lose it, the helper shows that warning once more and offers to re-add the signature. Your passphrase, and the signature derived from it, stay the same.
- Filename encryption overhead: Encrypting filenames has a small performance cost but provides better privacy. Keep it enabled unless you have specific performance constraints.
- Session persistence: Unlike some automated tools, manual mounting doesn’t auto-unmount when your session ends. This is useful for long-running services but means you must explicitly unmount to lock data.
- Performance: AES-256 is fast on modern CPUs, especially with AES-NI hardware acceleration. Check for the aes flag with:
grep aes /proc/cpuinfo
but…. You make it seem as if this is equivalent to an encrypted home. Unfortunately ALL of that extremely private information sitting in hidden files in your home dir is going to be totally open.
You can put the hidden files in your encrypted directory too. For example,
mv ~/.mozilla ~/private
ln -s ~/private/.mozilla ~/.mozilla