ecryptfs-insert-wrapped-passphrase-into-keyring
Add wrapped passphrase to user keyring
SYNOPSIS
ecryptfs-insert-wrapped-passphrase-into-keyring [-t TOKEN] WRAPPED-PASSPHRASE-FILE [KEYRING]
PARAMETERS
-t, --token TOKEN-FILE
Path to authentication token file containing signature and salt (avoids passphrase prompt)
WRAPPED-PASSPHRASE-FILE
Required: File with wrapped (encrypted) passphrase
KEYRING
Optional: Keyring name (default: 'login')
DESCRIPTION
The ecryptfs-insert-wrapped-passphrase-into-keyring command unwraps an eCryptfs passphrase stored in a file (previously wrapped with a user's login passphrase or authentication token) and inserts it into the Linux kernel keyring. This enables automatic mounting of eCryptfs filesystems without re-entering the passphrase each session.
eCryptfs is a stacked filesystem that encrypts individual files. Passphrases are managed via the kernel's key retention service. Wrapping protects the raw passphrase on disk; this tool prompts for the wrapping passphrase (or uses a token) to unwrap and load it into a named keyring, typically the 'login' or session keyring.
Common use: after setup with ecryptfs-setup-private, it loads keys for private directories. Run as the user who owns the keyring; sudo is not recommended, because the tool targets user session keyrings.
CAVEATS
Requires a matching user keyring; fails if the keyring is locked or the passphrase does not match. Not for root keyrings. eCryptfs is deprecated in modern distros; use fscrypt instead.
EXAMPLE
ecryptfs-insert-wrapped-passphrase-into-keyring ~/.ecryptfs/wrapped-passphrase /home/user/.Private.mnt/login
Prompts for login passphrase, loads key.
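To confirm that the unwrapped key actually reached the keyring, the following added example (not part of eCryptfs-utils or the original page) compares keyctl output against a list of expected key signatures. It assumes eCryptfs keys appear as "user: <16 hex digits>" entries, that expected signatures come one per line (as in ~/.ecryptfs/Private.sig), and that @u is the keyring to inspect; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: check which expected eCryptfs key signatures are loaded.
# Assumption: eCryptfs keys show up in `keyctl show` as "user: <16 hex digits>".

# loaded_sigs KEYCTL_OUTPUT -> one loaded signature per line, de-duplicated
loaded_sigs() {
    printf '%s\n' "$1" |
        sed -n 's/.*user: \([0-9a-f]\{16\}\)[[:space:]]*$/\1/p' | sort -u
}

# missing_sigs KEYCTL_OUTPUT SIG_LIST -> expected signatures that are NOT loaded
missing_sigs() {
    have=$(loaded_sigs "$1")
    printf '%s\n' "$2" | while IFS= read -r sig; do
        [ -n "$sig" ] || continue            # skip blank lines in the list
        printf '%s\n' "$have" | grep -qxF -- "$sig" || printf '%s\n' "$sig"
    done
}

# Constructed sample data (not real keys): one key loaded, one expected key absent.
SAMPLE_KEYCTL='Keyring
 111111111 --alswrv   1000 65534  keyring: _uid.1000
 222222222 --alswrv   1000  1000   \_ user: 0123456789abcdef'
SAMPLE_SIGS='0123456789abcdef
fedcba9876543210'

# Stand-alone demo on the sample: prints the signature that is not loaded.
missing_sigs "$SAMPLE_KEYCTL" "$SAMPLE_SIGS"

# Live use (assumed paths and keyring; adjust to your setup):
#   missing_sigs "$(keyctl show @u)" "$(cat ~/.ecryptfs/Private.sig)"
```

Empty output from missing_sigs means every expected signature is present; any line printed is a key that still needs to be inserted before mounting.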
SECURITY
Wrapped files are safe on multi-user systems; the token enhances PAM integration. Purge the keyring with ecryptfs-manager or by logging out.
HISTORY
Part of eCryptfs-utils (2007+), integrated with kernel 2.6.19. Developed by Dustin Kirkland et al. for Ubuntu; peaked ~2010s, now legacy.


