ecryptfs-mount-private

Mount an encrypted private directory

SYNOPSIS

ecryptfs-mount-private [OPTIONS]

PARAMETERS

--undo
    Unmounts the previously mounted private directory, making its contents inaccessible.

--ecryptfs-dir=DIR
    Specifies the path to the encrypted source directory (e.g., ~/.Private) if it differs from the default location.

--private-dir=DIR
    Specifies the mount point for the decrypted view of the private directory (e.g., ~/Private) if it differs from the default location.

--no-autostart
    Prevents the command from attempting to automatically start any associated background services or daemons.

--verbose
    Prints more detailed information during execution, useful for debugging.

--version
    Displays the version information of the ecryptfs-mount-private utility.

--help
    Displays a help message with usage instructions and available options.

DESCRIPTION

ecryptfs-mount-private is a user-friendly helper script provided by the ecryptfs-utils package. Its primary purpose is to simplify the mounting of a user's private encrypted directory, typically ~/.Private (the encrypted eCryptfs filesystem) onto ~/Private (the decrypted view). This command automates the complex mount command syntax required for eCryptfs, handling details like cryptographic setup, key management, and directory locations. It often prompts the user for their login passphrase, which is then used to derive the necessary eCryptfs master passphrase. This utility is a cornerstone for users who have set up their home directory encryption using ecryptfs-setup-private or ecryptfs-setup-home, providing a convenient way to access their encrypted files after logging in. It ensures that the decrypted content is only accessible when explicitly mounted by the authorized user.

CAVEATS

ecryptfs-mount-private relies on a correctly configured eCryptfs setup, typically managed by ecryptfs-setup-private. Misconfiguration can lead to data inaccessibility. Users must carefully manage their login passphrase, as it's often used to derive the eCryptfs master passphrase. While convenient, the command only encrypts data within the specified private directory; files stored elsewhere are not protected. Performance might be slightly impacted due to the on-the-fly encryption/decryption. Always ensure the private directory is unmounted when not in use for maximum security.
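The last caveat can be checked mechanically. The script below is an added example, not part of the original page or of ecryptfs-utils: it reads a mount table and runs the unmount helper listed under SEE ALSO only when an eCryptfs view is mounted. The function names, the sample users and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check whether the decrypted eCryptfs view is exposed.

# private_mount_state MOUNTS_FILE MOUNT_POINT
# MOUNTS_FILE uses the /proc/mounts layout: source, mount point, fs type, ...
# Prints "mounted" only when an ecryptfs filesystem sits on MOUNT_POINT.
# (/proc/mounts writes a space in a path as \040; pass the path in that form.)
private_mount_state() {
    MP="$2" awk '
        $2 == ENVIRON["MP"] && $3 == "ecryptfs" { found = 1 }
        END { print (found ? "mounted" : "unmounted") }
    ' "$1"
}

# lock_private MOUNTS_FILE MOUNT_POINT [UNMOUNT_CMD]
# Runs UNMOUNT_CMD (default: ecryptfs-umount-private) only if the view is
# mounted, and returns that command's exit status; returns 0 if already locked.
lock_private() {
    if [ "$(private_mount_state "$1" "$2")" = "mounted" ]; then
        "${3:-ecryptfs-umount-private}"
    fi
}

# Constructed sample in /proc/mounts format (users and paths are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/home/alice/.Private /home/alice/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
tmpfs /home/carol/Private tmpfs rw,nosuid,nodev 0 0
EOF

private_mount_state "$sample" /home/alice/Private   # mounted
private_mount_state "$sample" /home/bob/Private     # unmounted (no entry)
private_mount_state "$sample" /home/carol/Private   # unmounted (not ecryptfs)
```

On a live system, call `lock_private /proc/mounts "$HOME/Private"`; matching on the filesystem type as well as the path keeps an unrelated mount on the same directory from being reported as the decrypted view.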

AUTOMATIC MOUNTING WITH PAM

Many systems, especially Ubuntu, configure ecryptfs-mount-private to run automatically through PAM (Pluggable Authentication Modules) when a user logs in. This seamless integration ensures that the encrypted private directory is mounted and accessible without requiring manual intervention every time the user logs in.

PASSPHRASE DERIVATION

When executed, this command often prompts for the user's login passphrase. This passphrase is then securely used to derive the eCryptfs master passphrase, which is essential for decrypting the file encryption keys and ultimately the user's data. This mechanism ensures that the encryption keys are never stored directly on disk in an unencrypted format.

HISTORY

The ecryptfs-utils suite, which includes ecryptfs-mount-private, emerged to provide user-friendly management of eCryptfs, a cryptographic filesystem integrated directly into the Linux kernel. Its development gained significant traction, particularly with its adoption by distributions like Ubuntu for simplified user home directory encryption, offering an alternative to full disk encryption. Over time, the tools have evolved to better integrate with PAM, allowing for automatic mounting of the private directory upon user login, thereby enhancing user experience and security.

SEE ALSO

ecryptfs(7), ecryptfs-setup-private(1), ecryptfs-setup-home(1), ecryptfs-umount-private(1), mount(8), ecryptfs-add-passphrase(1)
