ecryptfs
TLDR
Mount encrypted directory
SYNOPSIS
mount -t ecryptfs source dest [-o options]
DESCRIPTION
eCryptfs is a stacked cryptographic filesystem for Linux. It encrypts files at the filesystem level, storing encrypted data in a lower directory while presenting decrypted files through a mount point.
Unlike block-level encryption, eCryptfs encrypts individual files, allowing encrypted and unencrypted files to coexist. Metadata is stored in file headers, making backup and recovery straightforward.
PARAMETERS
ecryptfs_cipher cipher
Encryption cipher (aes, blowfish, des3_ede).
ecryptfs_key_bytes bytes
Key size in bytes (16, 24, 32).
ecryptfs_passthrough yes|no
Allow unencrypted files.
ecryptfs_enable_filename_crypto yes|no
Encrypt filenames.
ecryptfs_sig sig
Mount signature for key.
ecryptfs_fnek_sig sig
Filename encryption key signature.
no_sig_cache
Don't cache signature.
SETUP EXAMPLE
mkdir /encrypted /decrypted
# Mount with interactive setup
sudo mount -t ecryptfs /encrypted /decrypted
# Answer prompts for cipher, key size, plaintext passthrough
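Added example (not part of the original page): a shell function that reads /proc/mounts-style lines and reports eCryptfs mounts where passthrough is on, no filename encryption key signature is set, or the cipher is not aes. The sample lines and signatures are constructed, the finding labels and the policy are assumptions of this example, and a bare ecryptfs_passthrough flag is treated as enabled.

```shell
#!/bin/sh
# Added example: audit eCryptfs entries in a /proc/mounts-style table.
# Policy (an assumption of this example): report passthrough, missing
# filename encryption, and ciphers other than aes.

audit_ecryptfs_mounts() {
    # stdin:  "source mountpoint fstype options dump pass" per line
    # stdout: "<mountpoint><TAB><finding>" per finding
    awk '
    $3 == "ecryptfs" {
        cipher = ""; fnek = 0; passthrough = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            split(opt[i], kv, "=")      # kv[2] is empty for bare flags
            if (kv[1] == "ecryptfs_cipher") cipher = kv[2]
            else if (kv[1] == "ecryptfs_fnek_sig") fnek = 1
            else if (kv[1] == "ecryptfs_passthrough" && kv[2] !~ /^(n|no)$/)
                passthrough = 1
        }
        if (passthrough) print $2 "\tPASSTHROUGH"
        if (!fnek) print $2 "\tPLAINTEXT_FILENAMES"
        if (cipher != "aes")
            print $2 "\tNON_AES_CIPHER=" (cipher == "" ? "unset" : cipher)
    }'
}

sample_mounts() {
    # Constructed sample lines; the signatures are placeholders.
    cat <<'EOF'
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=1111111111111111,ecryptfs_sig=2222222222222222,ecryptfs_cipher=aes,ecryptfs_key_bytes=32 0 0
/encrypted /decrypted ecryptfs rw,relatime,ecryptfs_sig=3333333333333333,ecryptfs_cipher=des3_ede,ecryptfs_key_bytes=24,ecryptfs_passthrough 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# On a live system: audit_ecryptfs_mounts < /proc/mounts
sample_mounts | audit_ecryptfs_mounts
```

The first sample mount produces no findings; the second produces all three.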
CAVEATS
Filename encryption requires additional setup. eCryptfs adds performance overhead compared to block-level encryption. Key management requires an understanding of kernel keyrings. eCryptfs is deprecated in favor of fscrypt for ext4 and is not recommended for new deployments.
HISTORY
eCryptfs was developed by IBM and first included in the Linux kernel in 2006. It was used by Ubuntu for encrypted home directories. The project has been largely superseded by fscrypt (native ext4/F2FS encryption) but remains available for legacy use.
SEE ALSO
cryptsetup(8), fscrypt(8), mount(8), keyctl(1)


