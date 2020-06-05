This guide explains what eCryptfs is and how to encrypt directories with eCryptfs on Linux. eCryptfs is a POSIX-compliant enterprise cryptographic "stacked" filesystem for Linux. Note that eCryptfs is not a kernel-level full-disk encryption subsystem like dm-crypt. With full-disk encryption, the entire partition or disk in which the filesystem resides is encrypted. eCryptfs is instead a stacked filesystem: it is mounted on top of an existing directory of the main filesystem and encrypts each file individually.

Using eCryptfs, we can easily create an encrypted directory to store confidential data and mount it on any directory. No separate partition or pre-allocated space is required. eCryptfs works well on local filesystems such as EXT3, EXT4, XFS, JFS and ReiserFS. It also works on networked filesystems such as NFS, CIFS/Samba and WebDAV, but not as reliably as on local filesystems.

eCryptfs stores the cryptographic metadata in the header of each encrypted file, so encrypted files can be copied between users and even between systems and still be decrypted wherever the right key is available. eCryptfs has been included in the Linux kernel since version 2.6.19.

eCryptfs is derived from Erez Zadok's Cryptfs and the FiST framework for stacked filesystems. It was originally authored by Michael Halcrow at the IBM Linux Technology Center and is now maintained by Dustin Kirkland and Tyler Hicks of Canonical, the company behind Ubuntu.

Install eCryptfs on Linux

eCryptfs has been packaged for many Linux operating systems and is available in the default repositories.

To install eCryptfs on Arch Linux and its variants like Manjaro Linux, run:

$ sudo pacman -S ecryptfs-utils

On Debian, Ubuntu, Linux Mint:

$ sudo apt-get install ecryptfs-utils

On Fedora:

$ sudo dnf install ecryptfs-utils

On openSUSE:

$ sudo zypper install ecryptfs-utils

Encrypt Directories With eCryptfs In Linux

For the purpose of this guide, I am going to encrypt a directory named "ostechnix". Do not mount eCryptfs over a non-empty directory. The existing files stay unencrypted on disk in the lower directory, and through the eCryptfs mount they are either unreadable (the default, since they carry no eCryptfs header) or, if plaintext passthrough is enabled, served as-is with no protection at all. If the directory already contains data, move it elsewhere first, mount the encrypted directory, and then move the data back in.

To encrypt the ostechnix directory with eCryptfs, run the following command with sudo or as root. Here the same directory serves as both the lower (ciphertext) and upper (plaintext) directory, which is the simplest setup; while it is mounted, the encrypted files are hidden behind the mount. If you need to back up or inspect the ciphertext while the directory is in use, mount a separate lower directory (for example ~/.ostechnix-crypt) onto ~/ostechnix instead.

$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/

When you encrypt a directory for the first time, you will be prompted to answer a few questions: the mount passphrase, the cipher, the key size in bytes, whether to enable plaintext passthrough, and whether to enable filename encryption. Read them carefully and answer accordingly. I go with the default values.

[sudo] password for sk:
Passphrase: <----- Enter your passphrase
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: <----- Press ENTER
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: <----- Press ENTER
Enable plaintext passthrough (y/n) [n]: <----- Press ENTER
Enable filename encryption (y/n) [n]: <----- Press ENTER
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=8567ee2ae5880f2d
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key before.
This could mean that you have typed your passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes <----- Type "yes" and press ENTER
Would you like to append sig [8567ee2ae5880f2d] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes <----- Type "yes" and press ENTER
Successfully appended new sig to user sig cache file
Mounted eCryptfs

Make a note of the mount passphrase you entered in the first step. You will need it to unlock the encrypted directory next time, and there is no way to recover the data without it. Because the mount ran under sudo, the helper creates a signature cache file named "sig-cache.txt" under /root/.ecryptfs/. It records the signature of every passphrase you have mounted with (the signature is the identifier under which the derived key is held in the kernel keyring), so the mount helper can warn you when you type a passphrase it has not seen before, which usually means a typo. Also note that with the default answer to the filename-encryption question, file names are stored in cleartext in the lower directory and only file contents are encrypted; answer "y" if the names themselves are sensitive.

Congratulations! The "ostechnix" directory has been encrypted with eCryptfs and is now mounted.

Now open your file manager and you will see that the encrypted directory is mounted.

You can also verify from the command line that it is really mounted using the "mount" command:

$ mount

You will see an output like below at the end:

/home/sk/ostechnix on /home/sk/ostechnix type ecryptfs (rw,relatime,ecryptfs_sig=8567ee2ae5880f2d,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

We have successfully encrypted a directory using eCryptfs. Now move your important files and folders into it. Keep in mind that only files written while the directory is mounted are encrypted; anything written to ~/ostechnix after it has been unmounted lands in the lower directory as plaintext, next to the encrypted files.

Mount / Unmount encrypted directories

To unmount the eCryptfs directory, simply run:

$ sudo umount ~/ostechnix

To mount it again, run:

$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/

Enter the mount passphrase and then choose the cipher and key size. You should enter the same values that you used when you created the encrypted directory.

Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=8567ee2ae5880f2d
Mounted eCryptfs

Now the encrypted directory will be remounted.
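The mount and unmount steps above can be scripted so that nothing prompts, which is what you want for a backup job or a boot-time unit. The following script is an added example; it is not code from the original article or from the ecryptfs-utils project. It assumes a separate lower directory ~/.ostechnix-crypt, a root-only passphrase file /root/.ecryptfs/ostechnix.pass, root privileges, and that the ecryptfs kernel module and ecryptfs-utils are installed. Every mount option it uses is one documented in ecryptfs(7) and interpreted by the mount.ecryptfs helper.

```shell
# Added example, not code from the original article or from ecryptfs-utils.
# Mount/unmount an eCryptfs directory non-interactively, with separate lower
# (ciphertext) and upper (plaintext) directories so the encrypted files remain
# reachable for backups while the directory is mounted.
# Assumptions: root privileges, the ecryptfs kernel module and ecryptfs-utils
# installed, and the directory and passphrase-file paths below.
set -eu

LOWER="${LOWER:-${HOME:-/root}/.ostechnix-crypt}"   # ciphertext on disk (assumed path)
UPPER="${UPPER:-${HOME:-/root}/ostechnix}"          # plaintext view (assumed path)
# mount.ecryptfs reads the passphrase from a file holding one line of the form
#   passphrase_passwd=<your mount passphrase>
# Keep it root-only (mode 600). Passing the passphrase on the command line with
# passphrase_passwd= instead would expose it in `ps` output and shell history.
PASSFILE="${PASSFILE:-/root/.ecryptfs/ostechnix.pass}"  # assumed path

# Build the -o option string from options documented in ecryptfs(7):
# AES with a 32-byte key, filename encryption on (the helper derives the FNEK
# from the same passphrase), no plaintext passthrough, ecryptfs_unlink_sigs so
# the keys leave the kernel keyring on unmount, and no_sig_cache + verbosity=0
# so the helper never stops to ask a question. The price of no_sig_cache is
# that a mistyped passphrase is not caught: the mount succeeds and the existing
# files simply fail to decrypt.
ecryptfs_opts() {   # ecryptfs_opts PASSFILE [CIPHER] [KEYBYTES]
    local passfile=$1 cipher=${2:-aes} keybytes=${3:-32}
    printf 'key=passphrase:passphrase_passwd_file=%s,' "$passfile"
    printf 'ecryptfs_cipher=%s,ecryptfs_key_bytes=%s,' "$cipher" "$keybytes"
    printf 'ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,'
    printf 'ecryptfs_unlink_sigs,no_sig_cache,verbosity=0\n'
}

encdir_mount() {
    # Refuse to proceed if the passphrase file is readable by anyone but root.
    [ "$(stat -c %a "$PASSFILE")" = 600 ] ||
        { echo "refusing to mount: $PASSFILE must be mode 600" >&2; return 1; }
    mkdir -p -m 700 "$LOWER" "$UPPER"
    # Never mount over a directory that already holds plaintext files.
    [ -z "$(ls -A "$UPPER")" ] ||
        { echo "refusing to mount: $UPPER is not empty" >&2; return 1; }
    mount -t ecryptfs "$LOWER" "$UPPER" -o "$(ecryptfs_opts "$PASSFILE")"
}

encdir_umount() {
    umount "$UPPER"
}

case "${1:-}" in
    mount)  encdir_mount ;;
    umount) encdir_umount ;;
esac
```

Run it as `sudo ./encdir.sh mount` and `sudo ./encdir.sh umount`. Because the lower directory is separate, `ls ~/.ostechnix-crypt` while the directory is mounted shows the encrypted files (their names carry the ECRYPTFS_FNEK_ENCRYPTED. prefix, since filename encryption is on), and that lower directory is what a backup job should copy.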

Test encrypted directory

Create a new text file named “encrypt.txt” in the encrypted directory:

$ nano ~/ostechnix/encrypt.txt

Append some contents in it. I am going to add the following line:

This is an encrypted file saved in ostechnix.com.

Save and close the file.

And then unmount the encrypted directory:

$ sudo umount ~/ostechnix

Now try to view the file with a text editor or the "cat" command:

$ cat ~/ostechnix/encrypt.txt

You will see only garbled binary output: the lower file now holds an eCryptfs header followed by the encrypted contents. Note that the file name encrypt.txt is still readable, because filename encryption was left disabled.

To view the contents of the file, you must remount the directory again.

$ sudo mount -t ecryptfs ~/ostechnix/ ~/ostechnix/

Now you can view the actual contents of the file stored in the encrypted directory.
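Eyeballing "distorted" output from cat is a weak check. The following added example (not code from the original article or from the eCryptfs project) inspects the lower file's header directly: eCryptfs writes the plaintext size in octets 0-7, an 8-byte marker in octets 8-15 whose first 32-bit word XOR 0x3c81b7f5 must equal its second word, the format version in octet 16, flag bits in octets 17-19, the header extent size in octets 20-23 and the number of header extents in octets 24-25. This layout and the flag values (0x2 contents encrypted, 0x8 filename encryption) are my reading of the kernel's fs/ecryptfs/crypto.c; the sample header written by make_sample_header is constructed for the demo and carries no real key packets.

```shell
# Added example, not from the original article or the eCryptfs project:
# verify that a file in the lower (unmounted) directory really carries an
# eCryptfs header, instead of judging by garbled cat output.
set -eu

ECRYPTFS_MAGIC=$(( 0x3c81b7f5 ))   # MAGIC_ECRYPTFS_MARKER in the kernel

# Print N bytes at byte offset OFF of FILE as one lowercase hex string.
hexbytes() {   # hexbytes FILE OFF N
    od -A n -v -t x1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# Succeed (exit 0) only when octets 8-15 form a valid marker:
# first word XOR magic == second word. Plaintext practically never matches.
ecryptfs_marker_ok() {   # ecryptfs_marker_ok FILE
    local hex m1 m2
    hex=$(hexbytes "$1" 8 8)
    [ ${#hex} -eq 16 ] || return 1          # too short to hold a header
    m1=$(( 0x$(printf '%s' "$hex" | cut -c1-8) ))
    m2=$(( 0x$(printf '%s' "$hex" | cut -c9-16) ))
    [ $(( m1 ^ ECRYPTFS_MAGIC )) -eq "$m2" ]
}

# Print the plaintext size recorded in octets 0-7 (big-endian).
ecryptfs_plain_size() {   # ecryptfs_plain_size FILE
    echo $(( 0x$(hexbytes "$1" 0 8) ))
}

# Human-readable summary; exits 1 for files without a marker.
ecryptfs_describe() {   # ecryptfs_describe FILE
    local f=$1 ver flags ext n
    ecryptfs_marker_ok "$f" ||
        { echo "$f: no eCryptfs marker (plaintext, or not an eCryptfs lower file)"; return 1; }
    ver=$(( 0x$(hexbytes "$f" 16 1) ))
    flags=$(( 0x$(hexbytes "$f" 17 3) ))
    ext=$(( 0x$(hexbytes "$f" 20 4) ))
    n=$(( 0x$(hexbytes "$f" 24 2) ))
    echo "$f: eCryptfs v$ver, plaintext $(ecryptfs_plain_size "$f") bytes, header $(( ext * n )) bytes"
    [ $(( flags & 0x2 )) -ne 0 ] && echo "  contents encrypted"
    [ $(( flags & 0x8 )) -ne 0 ] && echo "  filename encryption enabled"
    return 0
}

# Constructed sample (assumption, not a real lower file): the first 26 header
# bytes for a 49-byte plaintext, marker words 0xdeadbeef / 0xdeadbeef^magic,
# version 3, flags = contents encrypted, 2 header extents of 4096 bytes.
make_sample_header() {   # make_sample_header FILE
    printf '\000\000\000\000\000\000\000\061' > "$1"      # plaintext size 49
    printf '\336\255\276\357\342\054\011\032' >> "$1"     # marker 0xdeadbeef, 0xe22c091a
    printf '\003\000\000\002' >> "$1"                    # version 3, flags 0x2
    printf '\000\000\020\000\000\002' >> "$1"            # extent 4096, 2 extents
}

# With arguments, describe each file given; with none, do nothing so the
# functions can be sourced and reused.
if [ $# -gt 0 ]; then
    for f in "$@"; do ecryptfs_describe "$f" || true; done
fi
```

Run it against the lower file after unmounting, for example `sh ecryptfs-check.sh ~/ostechnix/encrypt.txt`. A real lower file is at least 8192 bytes even for a one-line text file, because the default header occupies two 4096-byte extents and data is padded to whole extents; the recorded plaintext size is what the eCryptfs mount reports as the file length.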

As you can see, creating encrypted directories with eCryptfs is easy. If you want filesystem-level, per-file encryption of a directory without much effort, eCryptfs is a good choice.

Resource: