ecryptfs-wrap-passphrase
Encrypt/wrap eCryptfs passphrase using another passphrase
SYNOPSIS
ecryptfs-wrap-passphrase [-f | --force] WRAPPED-PASSPHRASE-FILE KEY PASSPHRASE-FILE
PARAMETERS
-f, --force
Force overwrite of WRAPPED-PASSPHRASE-FILE if it exists, without prompting.
WRAPPED-PASSPHRASE-FILE
Output file path to store base64-encoded salt and wrapped passphrase.
KEY
GnuPG public key to encrypt to, given as a short or long key ID or as a fingerprint.
PASSPHRASE-FILE
Input file containing the raw plaintext passphrase (no trailing newline).
DESCRIPTION
The ecryptfs-wrap-passphrase command is a utility from the eCryptfs stacked filesystem toolsuite for Linux. It reads a plaintext passphrase from an input file, generates a random 16-byte salt, and encrypts (wraps) the passphrase concatenated with the salt using a specified GnuPG public key. The output is written to a file in a simple text format: a Salt: line with the base64-encoded salt, followed by a Wrapped-Passphrase: line with the base64-encoded encrypted data.
This enables secure storage of passphrases for later decryption with the matching private key via ecryptfs-unwrap-passphrase. Common use cases include preparing passphrase files for automated mounting of encrypted directories (e.g., /home/username/.ecryptfs/wrapped-passphrase), recovery in enterprise environments, or migration scripts. It relies on gpg for asymmetric encryption, ensuring the passphrase remains protected even if the wrapped file is compromised, as long as the private key is secure.
Security relies on strong GnuPG keys and proper key management. The salt prevents precomputation attacks and ensures unique derivations. Always protect the input passphrase file and remove it after use.
CAVEATS
Requires gpg to be installed and the public KEY to be present in the GnuPG keyring. The input file must contain the exact passphrase with no extra whitespace or trailing newline. Not suitable for interactive use, since the passphrase is read from a file only.
OUTPUT FORMAT
File contains:
Salt: <base64-encoded 16-byte salt>
Wrapped-Passphrase: <base64-encoded encrypted (passphrase + salt)>
EXAMPLE USAGE
ecryptfs-wrap-passphrase -f ~/.ecryptfs/wrapped-passphrase ABCDEF0123456789ABCDEF0123456789ABCDEF01 /tmp/mypassphrase
Once the wrapped file has been written, the plaintext input file (/tmp/mypassphrase above) is no longer needed and should be removed.
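The following script is an added example and is not part of the eCryptfs tool suite. It checks that a WRAPPED-PASSPHRASE-FILE, such as the one produced by the command above, matches the OUTPUT FORMAT section (a Salt: line whose base64 value decodes to exactly 16 bytes, and a non-empty Wrapped-Passphrase: line) and warns when the file is readable by group or others. It assumes a POSIX sh with the base64, sed, wc, find and mktemp utilities; the file contents it builds are constructed placeholders, not real gpg output.

```shell
#!/bin/sh
# Added example, not part of the eCryptfs tool suite: validate a
# WRAPPED-PASSPHRASE-FILE against the documented "Salt:" /
# "Wrapped-Passphrase:" layout before a mount script relies on it.
# Assumes POSIX sh plus base64, sed, wc, find and mktemp.

# Write a file in the documented layout.
# $1 = output path, $2 = base64 salt, $3 = base64 wrapped blob.
write_wrapped_file() {
    printf 'Salt: %s\nWrapped-Passphrase: %s\n' "$2" "$3" > "$1"
}

# Return 0 if the file has both lines, the salt decodes to exactly 16 bytes
# and the wrapped blob decodes to at least one byte; print the reason and
# return 1 otherwise. Warn (without failing) if group or others can read it.
check_wrapped_passphrase_file() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    salt=$(sed -n 's/^Salt: //p' "$f" | head -n 1)
    wrapped=$(sed -n 's/^Wrapped-Passphrase: //p' "$f" | head -n 1)
    [ -n "$salt" ] || { echo "$f: missing Salt: line" >&2; return 1; }
    [ -n "$wrapped" ] || { echo "$f: missing Wrapped-Passphrase: line" >&2; return 1; }
    # Arithmetic expansion strips any padding wc may print around the count.
    salt_len=$(( $(printf '%s' "$salt" | base64 -d 2>/dev/null | wc -c) ))
    [ "$salt_len" -eq 16 ] || { echo "$f: salt decodes to $salt_len bytes, expected 16" >&2; return 1; }
    blob_len=$(( $(printf '%s' "$wrapped" | base64 -d 2>/dev/null | wc -c) ))
    [ "$blob_len" -gt 0 ] || { echo "$f: wrapped passphrase is not valid base64" >&2; return 1; }
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "warning: $f is readable by group or others" >&2
    fi
    return 0
}

# Demo on constructed data: a random 16-byte salt and a placeholder blob
# standing in for gpg output (no real key material is involved).
demo_dir=$(mktemp -d)
good="$demo_dir/wrapped-passphrase"
write_wrapped_file "$good" "$(head -c 16 /dev/urandom | base64)" \
    "$(printf 'constructed-ciphertext' | base64)"
check_wrapped_passphrase_file "$good" && echo "$good: format OK"
bad="$demo_dir/bad"
write_wrapped_file "$bad" "$(printf 'short' | base64)" "$(printf 'x' | base64)"
check_wrapped_passphrase_file "$bad" || echo "$bad: rejected as expected"
rm -rf "$demo_dir"
```

The check is deliberately limited to what the file format itself guarantees; it cannot tell whether the blob decrypts with the intended private key, which only a run of ecryptfs-unwrap-passphrase on a host holding that key can confirm.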
HISTORY
Developed as part of eCryptfs, merged into Linux kernel 2.6.29 (2009); userspace tools originated from Canonical's Ubuntu efforts around 2007-2009 for encrypted home support.