ecryptfs-setup-private
Encrypt a user's private directory
SYNOPSIS
ecryptfs-setup-private [--help] [--nopwcheck] [--force]
PARAMETERS
--help
Display this help message and exit
--nopwcheck
Skip pw_check(3) passphrase strength validation
--force
Force setup even if already configured
DESCRIPTION
The ecryptfs-setup-private command initializes a private encrypted directory for the current user using eCryptfs, a stacked filesystem encryption module in the Linux kernel.
It automates key setup by:
• Creating ~/.ecryptfs for configuration, keys, and wrapped passphrases.
• Generating a random filename encryption key (FEK).
• Prompting for a strong mount passphrase, wrapped with the user's login passphrase (via PBES2).
• Preparing ~/.Private (encrypted storage) and ~/Private (decrypted mount point).
• Installing PAM hooks if pam_ecryptfs is available for auto-mount on login.
Files in ~/Private are transparently encrypted and decrypted on access. This suits securing sensitive data without encrypting the whole home directory. It requires the eCryptfs kernel module and ecryptfs-utils. After setup, use ecryptfs-mount-private to mount manually and ecryptfs-umount-private to unmount.
Passphrase strength is checked by default using pw_check(3). Back up ~/.ecryptfs/wrapped-passphrase securely.
CAVEATS
Requires a loaded ecryptfs kernel module, ecryptfs-utils, and optionally pam_ecryptfs. Back up the wrapped passphrase immediately; losing it prevents access. Not suitable for full-disk encryption; use LUKS instead. Interactive prompts require a tty.
VERIFICATION
Run ecryptfs-mount-private after setup; ls ~/Private should then show the mounted, decrypted view.
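A scripted form of this check, as an added example that is not part of ecryptfs-utils: it confirms that the wrapped passphrase and ~/.Private exist, that ~/Private is listed as an ecryptfs mount, and that a backup copy still matches the wrapped passphrase. The function names, the cps_ variable prefix and the backup location in the sample call are assumptions.

```sh
#!/bin/sh
# Added example: post-setup checks for an eCryptfs private directory.
# Paths are parameters so the functions can be pointed at a test tree.

# private_is_mounted HOME [MOUNTS]
# True if HOME/Private appears as an ecryptfs mount in the mounts table.
private_is_mounted() {
    # /proc/mounts fields: source, mount point, fs type, options, ...
    awk -v mp="$1/Private" \
        '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# backup_is_current HOME BACKUP
# True if BACKUP is a byte-identical copy of HOME/.ecryptfs/wrapped-passphrase.
backup_is_current() {
    [ -s "$2" ] && cmp -s "$1/.ecryptfs/wrapped-passphrase" "$2"
}

# check_private_setup HOME MOUNTS BACKUP
# Prints one line per problem; the exit status is the number of problems.
check_private_setup() {
    cps_home=$1 cps_mounts=$2 cps_backup=$3 cps_problems=0
    cps_fail() { echo "PROBLEM: $*"; cps_problems=$((cps_problems + 1)); }

    [ -s "$cps_home/.ecryptfs/wrapped-passphrase" ] ||
        cps_fail "wrapped passphrase missing or empty"
    [ -d "$cps_home/.Private" ] ||
        cps_fail "encrypted store $cps_home/.Private missing"
    private_is_mounted "$cps_home" "$cps_mounts" ||
        cps_fail "$cps_home/Private is not an ecryptfs mount"
    backup_is_current "$cps_home" "$cps_backup" ||
        cps_fail "backup missing or differs from wrapped-passphrase"

    return "$cps_problems"
}

# Typical call (the backup path is the operator's choice, shown as an assumption):
#   check_private_setup "$HOME" /proc/mounts /media/usb/wrapped-passphrase
```

A non-zero exit status after a passphrase change usually means the backup predates the re-wrap and should be refreshed.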
REMOVAL
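Use ecryptfs-setup-private --force to reset, or manually rm -rf ~/.ecryptfs ~/.Private before deletion. Because ~/.Private holds the encrypted data itself, copy anything still needed out of ~/Private first.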
HISTORY
Developed in 2006 by LSST/Precision Insight engineers for enterprise Linux; merged into kernel 2.6.29 (2009). ecryptfs-setup-private ships in the ecryptfs-utils package and was widely used in Ubuntu before 18.04.


