
Folder encryption with eCryptfs

eCryptfs is a file encryption tool that works on top of a filesystem without a large container or a special partition.
Some commands may differ if you use a Linux distribution that does not belong to the Debian family.


eCryptfs (Enterprise Cryptographic Filesystem) is a package of disk encryption software for Linux. It is implemented as a POSIX-compliant filesystem-level encryption layer, aiming to offer functionality similar to that of GnuPG at the operating system level, and has been part of the Linux kernel since version 2.6.19. The eCryptfs package has been included in Ubuntu since version 9.04 and is used to implement Ubuntu's encrypted home directory feature.

eCryptfs is derived from Erez Zadok's Cryptfs. It uses a variant of the OpenPGP file format for encrypted data, extended to allow random access, storing cryptographic metadata (including a per-file randomly generated session key) with each individual file.

It also encrypts file and directory names, which makes them internally longer (by about one third on average), because the encrypted names have to be uuencoded to eliminate characters that are not allowed in a file name. This lowers the maximum usable byte length of a name in the underlying file system, depending on that file system (for Asian UTF-8 file names, for example, this can mean up to four times fewer characters).

Debian 10 "Buster"

Debian 10 does not support eCryptfs because of a security bug: it does not auto-unmount on user logout, so the decrypted view stays accessible until you unmount it by hand. If this is no problem for you, here is how to get it working anyway.

Install the tools

sudo apt install ecryptfs-utils

Create a hidden folder where your encrypted data should be stored

mkdir .downloads

Create the encrypted filesystem and mount it (e.g. as your Downloads folder). You can keep all default values, but change filename encryption to yes. Copy and save the signature; you will need it later.

sudo mount.ecryptfs /home/user/.downloads/ /home/user/Downloads/

Unable to find a list of options to parse, defaulting to interactive mount
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [d395309aaad4de06]:
Unable to find a list of options to parse, defaulting to interactive mount
Attempting to mount with the following options:
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [d395309aaad4de06] to
in order to avoid this warning in the future (yes/no)? : yes
Mounted eCryptfs

Unmount and mount

It is now mounted at the selected folder and can be used. To unmount it later, use

sudo umount /home/user/Downloads

To remount it, you can use this long command, which includes all settings (replace the signature with yours)

sudo mount -t ecryptfs -o ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y -o ecryptfs_sig=d395309aaad4de06,ecryptfs_fnek_sig=d395309aaad4de06 -o ecryptfs_unlink_sigs,ecryptfs_key_bytes=16,ecryptfs_cipher=aes /home/user/.downloads /home/user/Downloads

Mount script

To make this easier, use this mount script. You can then mount with:

sudo ./ecryptfs-mount d395309aaad4de06 /home/user/.downloads /home/user/Downloads
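The author's own script is not reproduced on this page. As an added example (not the author's script), here is a minimal POSIX sh wrapper with the same three-argument interface that expands to the long remount command above. It assumes the same settings as the interactive session (aes, 16 key bytes, no passthrough, filename encryption on) and, as in that session, uses one signature for both ecryptfs_sig and ecryptfs_fnek_sig. The three separate -o groups of the original command are merged into one comma-separated option string, which mount treats identically. Before calling mount it checks that the signature is 16 hex digits and that the lower (ciphertext) and upper (plaintext view) directories exist and differ.

```sh
#!/bin/sh
# Added example, not the page's own script: a small ecryptfs-mount wrapper.
# Usage: sudo ./ecryptfs-mount <signature> <lower-dir> <upper-dir>

# An eCryptfs key signature is 16 hex digits (e.g. d395309aaad4de06 above).
valid_sig() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;   # contains a non-hex character
        ????????????????) return 0 ;; # exactly 16 characters, all hex
        *) return 1 ;;                # wrong length
    esac
}

# Build the option string for "mount -t ecryptfs", mirroring the remount
# command above; the same signature is used for content and filename keys.
ecryptfs_options() {
    sig="$1"
    printf 'ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_unlink_sigs,ecryptfs_key_bytes=16,ecryptfs_cipher=aes' "$sig" "$sig"
}

main() {
    sig="$1"; lower="$2"; upper="$3"
    if ! valid_sig "$sig"; then
        echo "error: '$sig' is not a 16-digit hex eCryptfs signature" >&2
        exit 2
    fi
    for d in "$lower" "$upper"; do
        [ -d "$d" ] || { echo "error: directory '$d' does not exist" >&2; exit 2; }
    done
    # The lower directory holds the ciphertext; never mount it onto itself.
    if [ "$(cd "$lower" && pwd -P)" = "$(cd "$upper" && pwd -P)" ]; then
        echo "error: lower and upper directory must differ" >&2
        exit 2
    fi
    # If the signature is not yet in the sig cache, mount.ecryptfs still asks
    # interactively whether to proceed, exactly as in the first mount above.
    exec mount -t ecryptfs -o "$(ecryptfs_options "$sig")" "$lower" "$upper"
}

if [ "$#" -eq 3 ]; then
    main "$@"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 <signature> <lower-dir> <upper-dir>" >&2
    exit 1
fi
```

Save it as ecryptfs-mount, make it executable with chmod +x, and run it with sudo as shown above; the unmount step is unchanged (sudo umount on the upper directory).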


(Edited 18-11-19)