ecryptfs-setup-private

Setup encrypted private directory

$ ecryptfs-setup-private

$ ecryptfs-setup-private --wrapping

$ ecryptfs-setup-private --noautomount

$ ecryptfs-setup-private --force

ecryptfs-setup-private [options]

ecryptfs-setup-private creates an encrypted private directory for a user. It sets up ~/Private as an encrypted folder that is automatically mounted when the user logs in and unmounted on logout.
The setup creates the necessary encryption keys and wrapper, storing them in ~/.ecryptfs. The mount passphrase is wrapped with the login password, enabling automatic decryption on login.

--wrapping

Use login passphrase for wrapping.

Don't configure automount on login.

Don't verify login password.

Overwrite existing configuration.

Specify username (for root use).

Login passphrase (insecure, for scripting).

Mount passphrase (insecure, for scripting).

~/.ecryptfs/

Directory containing encryption keys, wrapped passphrases, and mount configuration.

Mount passphrase wrapped with login password for automatic decryption.

1. Prompts for login password
2. Generates random mount passphrase
3. Wraps mount passphrase with login password
4. Creates ~/.Private (encrypted) and ~/Private (mount point)
5. Configures PAM for auto-mount

Requires eCryptfs kernel module. Swap should be encrypted for security. Login password changes require rewrapping. Recovery requires unwrapped passphrase. Deprecated in favor of fscrypt on modern systems.

This utility was developed for Ubuntu's encrypted home directory feature. It was widely used for per-user encryption from Ubuntu 8.10 through 18.04, after which fscrypt became the recommended solution.

ecryptfs-mount-private(1), ecryptfs-umount-private(1), ecryptfs-recover-private(1)