ecryptfs-rewrite-file
Rewrite an eCryptfs encrypted file in-place
SYNOPSIS
ecryptfs-rewrite-file [-f] file
PARAMETERS
-f, --force
Force rewrite even if file already uses current keys
-h, --help
Display help message and exit
-V, --version
Display version information and exit
DESCRIPTION
The ecryptfs-rewrite-file command is a utility in the eCryptfs toolkit, a stacked filesystem encryption layer for Linux. It re-encrypts an individual file in place using all keys currently loaded in the kernel keyring. This is essential when new passphrases or authentication tokens are added after file creation, as eCryptfs files are encrypted only with keys present at encryption time. Rewriting incorporates new keys into the file header, allowing decryption with any loaded key.
The process decrypts the file contents (which requires that at least one loaded key matches the file) and re-encrypts the plaintext with the full key set. Only the named file is rewritten; other files are untouched. This supports key rotation and corruption repair. The command must be run from within an eCryptfs mountpoint. The operation is destructive: a failure part-way through can leave the file unreadable, so take a backup first.
eCryptfs, active since kernel 2.6.19, provides POSIX-compliant transparent encryption. This tool enhances flexibility in multi-key environments, common in enterprise or personal setups with multiple authenticators.
CAVEATS
Must be executed from within an eCryptfs mountpoint. The file must be decryptable with the currently loaded keys. The operation is destructive; back the file up first to avoid irrecoverable loss. Fails if no loaded key matches the file or if an I/O error occurs.
USAGE EXAMPLE
ecryptfs-rewrite-file -f secret.txt
Forces a rewrite of secret.txt (the -f flag rewrites even if the file already uses the current keys), for example after a new key has been added.
KEY REQUIREMENT
Keys are loaded into the kernel keyring with ecryptfs-add-passphrase; the rewrite fails if none of the loaded keys can decrypt the file.
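As an added example (not part of ecryptfs-utils), a POSIX shell wrapper that performs the checks the CAVEATS and KEY REQUIREMENT sections call for before invoking the destructive rewrite: the file must lie under an eCryptfs mountpoint (determined from the fstype column of /proc/mounts; an optional second argument substitutes another mounts table, used here for testing), it must already be readable with the loaded keys, and a backup copy must exist. The function names and the FILE.bak backup naming are this example's own choices.

```sh
#!/bin/sh
# Added example, not part of ecryptfs-utils: guard ecryptfs-rewrite-file with
# the checks its CAVEATS and KEY REQUIREMENT sections demand.

# Print the eCryptfs mountpoint containing $1 (an absolute path), or nothing.
# $2 optionally names a mounts table in /proc/mounts format (for testing).
ecryptfs_mountpoint_for() {
  awk -v p="$1" '
    $3 == "ecryptfs" {
      m = $2
      if (m == "/" || p == m || index(p, m "/") == 1) {
        if (length(m) > length(best)) best = m   # keep the longest match
      }
    }
    END { print best }' "${2:-/proc/mounts}"
}

# safe_rewrite FILE [MOUNTS]: refuse unless FILE is inside an eCryptfs mount
# and readable with the loaded keys; back it up, then rewrite with -f.
# The helper name and FILE.bak backup naming are assumptions of this example.
safe_rewrite() {
  f=$1
  case $f in /*) ;; *) f=$PWD/$f ;; esac   # mountpoint lookup needs an absolute path
  mp=$(ecryptfs_mountpoint_for "$f" "$2")
  if [ -z "$mp" ]; then
    echo "refusing: $f is not under an eCryptfs mountpoint" >&2
    return 2
  fi
  # A file whose header matches none of the loaded keys cannot be read;
  # detect that before touching it rather than failing mid-rewrite.
  if ! dd if="$f" of=/dev/null bs=1 count=1 2>/dev/null; then
    echo "refusing: $f cannot be decrypted with the loaded keys" >&2
    return 3
  fi
  cp -p -- "$f" "$f.bak" || return 4   # backup first: the rewrite is destructive
  ecryptfs-rewrite-file -f "$f"
}

if [ $# -gt 0 ]; then
  safe_rewrite "$1"
fi
```

Run as `sh safe-rewrite.sh /home/alice/docs/secret.txt` after loading the passphrase with ecryptfs-add-passphrase; a refusal exits non-zero without modifying anything.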
HISTORY
Developed by Dustin Kirkland and Michael Halcrow; part of ecryptfs-utils package since ~2007. eCryptfs kernel support added in Linux 2.6.19 (2006). Tools maintained until ~2016; superseded by fscrypt in modern kernels.