LinuxCommandLibrary

ecryptfs-generate-tpm-key

Generate eCryptfs key within the TPM

SYNOPSIS

ecryptfs-generate-tpm-key [-g keysize]

PARAMETERS

-g keysize
    Key size in bits (default: 256, yielding 32-byte passphrase)

DESCRIPTION

ecryptfs-generate-tpm-key is a utility in the eCryptfs stacked filesystem encryption framework for Linux. It creates a cryptographically random symmetric passphrase (default 256 bits), wraps it with the TPM's Storage Root Key (SRK) using tpm_wrap, encodes the resulting blob in base64, and writes it to stdout as the first line of output. A second line provides a keyctl command that loads the unwrapped key into the kernel keyring once the TPM has authorized the unwrap against its PCR values.

This facilitates automatic, passwordless mounting of eCryptfs-encrypted directories (e.g., /home/user/.Private) on TPM-equipped systems, binding decryption to the platform state the TPM records, such as BIOS settings and the boot loader. Suited to enterprise or otherwise hardened laptops.

Requires root, a provisioned TPM 1.2, a running trousers daemon, and tpm-tools. Automatically creates an SRK backup if none is present. The key blob is typically stored in ~/.ecryptfs/wrapped-passphrase, where ecryptfs-mount-private reads it.

CAVEATS

Requires root privileges, an enabled TPM 1.2 with an SRK, the trousers service, and tpm-tools. Fails if the TPM is locked or the PCR values do not match those the key was bound to. eCryptfs TPM support targets the legacy TPM 1.2 interface; TPM 2.0 support is limited. Always verify that the key was loaded into the keyring after generation.

TYPICAL OUTPUT

Line 1: base64-encoded 205-byte TPM blob (e.g., AAABAAYAYA...==)
Line 2: keyctl add user tpm_2a27c3e7... `xxd -p randomfile` @u
Store the blob in ~/.ecryptfs/wrapped-passphrase; run the keyring command manually or from a script.
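As an added example (not ecryptfs-utils' own code), the following POSIX shell script post-processes the two lines described above: it checks that line 1 is base64 decoding to the 205-byte blob, that line 2 is a keyctl command for a tpm_ user key on @u, and stores the blob with owner-only permissions. The function names and the constructed sample output are assumptions, so the script runs without a TPM.

```shell
#!/bin/sh
# Added example, not code from ecryptfs-utils: post-process the two lines that
# ecryptfs-generate-tpm-key prints (line 1: base64 TPM blob, line 2: keyctl
# command), check that each has the documented shape, and store the blob with
# owner-only permissions. A constructed sample stands in for real tool output
# so this runs without a TPM; the 205-byte blob length is the one the page gives.
set -eu

# Constructed sample, used instead of `ecryptfs-generate-tpm-key > "$1"`.
make_sample_output() {
    {
        awk 'BEGIN { for (i = 0; i < 205; i++) printf "A" }' | base64 | tr -d '\n'
        echo
        echo 'keyctl add user tpm_0123456789abcdef `xxd -p randomfile` @u'
    } > "$1"
}

# Print line 1 (the wrapped blob) only if it is valid base64 that decodes to
# the expected TPM blob length; fail otherwise so a truncated or corrupted
# blob is never stored.
extract_blob() {
    blob=$(sed -n '1p' "$1")
    len=$(printf '%s' "$blob" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$len" -eq 205 ] || { echo "unexpected blob length: $len" >&2; return 1; }
    printf '%s\n' "$blob"
}

# Print line 2 only if it is a keyctl command that adds a tpm_* user key to
# the user keyring (@u), the form the tool documents.
extract_keyctl_cmd() {
    cmd=$(sed -n '2p' "$1")
    case "$cmd" in
        "keyctl add user tpm_"*" @u") printf '%s\n' "$cmd" ;;
        *) echo "unexpected keyctl line: $cmd" >&2; return 1 ;;
    esac
}

# Write the blob to the path ecryptfs-mount-private reads, readable only by
# its owner; the umask change is confined to a subshell.
store_blob() {
    ( umask 077; extract_blob "$1" > "$2" ) || return 1
    [ "$(ls -l "$2" | cut -c1-10)" = "-rw-------" ]
}

# Usage (real run, as root, on a TPM-equipped host):
#   ecryptfs-generate-tpm-key > out.txt
#   store_blob out.txt ~/.ecryptfs/wrapped-passphrase
#   extract_keyctl_cmd out.txt   # review the line, then run it to load the key
```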

HISTORY

Developed in 2006-2007 by Michael Halcrow (IBM) for eCryptfs, which was merged in Linux 2.6.23. Central to Ubuntu's Encrypted Home (since 8.04). Maintained in ecryptfs-utils; usage has declined as fscrypt and LUKS2 were adopted.

SEE ALSO

ecryptfs-mount-private(1), ecryptfs-setup-tpm(1), tpm_wrap(8), keyctl(1), ecryptfs-add-passphrase(1)
