LinuxCommandLibrary

ecryptfs-add-passphrase

Add a passphrase to encrypt user data

SYNOPSIS

ecryptfs-add-passphrase [--fnek] [--help]

PARAMETERS

--fnek
    Derives and adds a filename encryption key (FNEK) from the new passphrase, enabling decryption of encrypted filenames in eCryptfs mounts.

--help, -h
    Displays a help message with usage information and exits.

DESCRIPTION

The ecryptfs-add-passphrase command is a utility from the eCryptfs userspace tools; eCryptfs is a stacked cryptographic filesystem for Linux. It lets a user add an additional passphrase to the current session keyring, so that eCryptfs-encrypted mounts such as a private home directory can be accessed with that passphrase.

When run, it prompts for the new passphrase twice for verification. It generates a random 16-byte hex salt and derives a filesystem encryption key (FEK) from the passphrase using PBKDF2 with 65536 iterations and RIPEMD-160. The resulting key is inserted into the user's keyring with a description of the form 'ecryptfs:<salt>', where ecryptfs-mount-private or mount.ecryptfs can find it and unwrap it for decryption.

This is useful for recovery passphrases, shared access, or multi-factor setups, and it does not require unmounting. The original passphrase remains valid alongside the new one. With --fnek it also derives a filename encryption key (FNEK), so obscured filenames can be decrypted as well.

It requires the eCryptfs kernel module and userspace tools, and was common on Ubuntu releases before 18.04 for home directory encryption. It is interactive by default: the passphrase is read from /dev/stdin with echo disabled.

CAVEATS

The key is added only to the current session keyring and is lost on logout or reboot. The command must be run as the target user. Nothing is stored persistently, so use it for temporary or recovery access. Prompts are interactive; a passphrase can be piped in via stdin for scripts, but that is risky because the passphrase then lives in the script or pipeline feeding it. The command fails if the keyring is full or eCryptfs is unavailable.

USAGE EXAMPLE

$ ecryptfs-add-passphrase
INFO: Source the key from stdin? [no]
Passphrase: ********
Confirm passphrase: ********
Success! Added new key to keyring with description:
'ecryptfs:7f2d69f5e1e2a5c3...'
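A scripted check that the key reported above actually landed in the kernel keyring, added here as an example (it is not part of ecryptfs-utils). It parses the text format of /proc/keys (serial, flags, usage, timeout, perm, uid, gid, type, description); the sample lines and the full signature 7f2d69f5e1e2a5c3 are constructed for the demonstration.

```python
"""Confirm an eCryptfs passphrase key is present and usable in the kernel keyring."""
import re
from typing import Dict, List, Optional

# Constructed sample of /proc/keys: one live eCryptfs key, the session keyring
# itself, and one eCryptfs key already revoked (flag 'R').
SAMPLE_PROC_KEYS = """\
0d3f26a0 I--Q---     1 perm 3f010000  1000  1000 user      ecryptfs:7f2d69f5e1e2a5c3: 48
1a2b3c4d I--Q---     3 perm 3f030000  1000  1000 keyring   _ses: 2
2b3c4d5e IR-Q---     1 perm 3f010000  1000  1000 user      ecryptfs:0011223344556677: 48
"""

# /proc/keys columns: serial flags usage timeout perm uid gid type description[: payload]
_KEY_RE = re.compile(
    r"^(?P<serial>[0-9a-f]{8})\s+(?P<flags>\S+)\s+(?P<usage>\d+)\s+"
    r"(?P<timeout>\S+)\s+(?P<perm>[0-9a-f]{8})\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<desc>ecryptfs:[0-9a-f]+)(?::.*)?$"
)


def list_ecryptfs_keys(proc_keys_text: str) -> List[Dict[str, str]]:
    """Return every key whose description starts with 'ecryptfs:'."""
    return [m.groupdict() for m in
            (_KEY_RE.match(l.strip()) for l in proc_keys_text.splitlines()) if m]


def find_key(proc_keys_text: str, signature: str) -> Optional[Dict[str, str]]:
    """Look up one key by the hex signature ecryptfs-add-passphrase printed."""
    want = "ecryptfs:" + signature.lower()
    return next((k for k in list_ecryptfs_keys(proc_keys_text) if k["desc"] == want), None)


def key_is_usable(key: Dict[str, str]) -> bool:
    """Instantiated ('I') and not revoked, dead, negative or invalidated."""
    flags = key["flags"]
    return "I" in flags and not any(f in flags for f in "RDNi")


if __name__ == "__main__":
    # Replace SAMPLE_PROC_KEYS with open("/proc/keys").read() on a live system.
    for k in list_ecryptfs_keys(SAMPLE_PROC_KEYS):
        state = "usable" if key_is_usable(k) else "NOT usable"
        print(f"{k['serial']} {k['type']:<7} {k['desc']} timeout={k['timeout']} {state}")
```

A timeout column of "perm" only means the key itself never expires; it still disappears with the session keyring on logout, as the caveats above state.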

SECURITY NOTE

Passphrases should be strong (more than 20 characters, mixed character classes). The salt ensures a unique key per passphrase. Keys are logged in the kernel ring buffer (dmesg), so secure systems restrict access to it.

HISTORY

Developed by Michael Halcrow at IBM (2006) and upstreamed into Linux kernel 2.6.28 (2008). Maintained by Canonical for Ubuntu's encrypted home directories (2009-2018). Use declined with the shift to LUKS/dm-crypt; the last major update was around 2014.
