fscrypt

Prepare the root filesystem for use with fscrypt

$ sudo fscrypt setup

$ fscrypt setup [path/to/directory]

$ fscrypt encrypt [path/to/directory]

$ fscrypt unlock [path/to/encrypted_directory]

$ fscrypt lock [path/to/encrypted_directory]

fscrypt command [arguments]

fscrypt is a high-level tool for managing Linux native filesystem encryption (fscrypt). It provides a user-friendly interface to the kernel's filesystem encryption capabilities, supporting ext4, F2FS, and UBIFS filesystems.
fscrypt uses "protectors" (passwords, PAM integration, or raw keys) to secure encryption keys. A directory can have multiple protectors, enabling shared access or recovery options. The encryption is transparent once unlocked.
Setup requires kernel support (CONFIGFSENCRYPTION) and filesystem configuration. The tool stores metadata in /.fscrypt on each enabled mountpoint.

setup

Initialize fscrypt on a filesystem or mountpoint

Enable encryption on a directory

Unlock an encrypted directory using the protector

Lock an encrypted directory, making contents inaccessible

Remove keys from kernel keyring for a mountpoint

Display encryption status of a file or directory

Manage encryption metadata and policies

/.fscrypt

Stores encryption metadata on each enabled mountpoint.

Global fscrypt configuration settings and protector definitions.

Only encrypts file contents and names, not metadata like file sizes or timestamps. Swap and temporary directories may leak data. The filesystem must be mounted with encryption support. Files created before encryption are not automatically encrypted.

fscrypt was developed by Google and first released in 2017 as a userspace tool for managing the Linux kernel's native filesystem encryption (fscrypt), which was introduced in kernel 4.1 for ext4 and later extended to other filesystems.

cryptsetup(8), ecryptfs(7), gpg(1)