LinuxCommandLibrary

fscrypt

Encrypt files and directories

TLDR

Prepare the root filesystem for use with fscrypt
$ sudo fscrypt setup

Prepare a specific mountpoint for use with fscrypt
$ fscrypt setup [path/to/directory]

Enable filesystem encryption for a directory
$ fscrypt encrypt [path/to/directory]

Unlock an encrypted directory
$ fscrypt unlock [path/to/encrypted_directory]

Lock an encrypted directory
$ fscrypt lock [path/to/encrypted_directory]

SYNOPSIS

fscrypt [options] <command> [<args>]

Commands include: setup, status, encrypt, unlock, lock, key-add, key-remove, key-status

PARAMETERS

-h, --help
    Print help message and exit

-V, --version
    Print version information and exit

--log-level LEVEL
    Set log verbosity: error, warning, notice, info, debug

DESCRIPTION

fscrypt is a userspace utility for setting up and controlling filesystem-level encryption via the Linux kernel's fscrypt API, available since kernel 4.1. It supports transparent encryption of directories on ext4, f2fs, and ubifs filesystems, encrypting both file contents and filenames without the block-level overhead of dm-crypt or LUKS.

Key features include per-directory policies with multiple key slots, various protectors (passwords, login PAM keys, PKCS#11 tokens), and encryption modes (AES-256-XTS for contents, AES-256-CTS-CBC for filenames). Files appear decrypted to processes with unlocked keys, enabling selective protection.

Workflow: run fscrypt setup to prepare a directory tree, add keys, apply an encryption policy with fscrypt encrypt, then unlock the directory to grant access or lock it to deny access. Status checks and key management commands are also provided. Access to an unlocked directory carries no extra runtime cost, and fscrypt integrates with systemd-logind for automatic unlocking at login.

Ideal for securing user home directories or specific folders without full-disk encryption.

CAVEATS

Requires kernel ≥4.1 with CONFIG_FS_ENCRYPTION=y.
Supported only on ext4, f2fs, ubifs; no casefold or verity.
Some operations need root or CAP_FOWNER unless unprivileged user namespaces are enabled.
Keys must be unlocked before access; lost keys mean data loss.
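The following script is an added example, not code from LinuxCommandLibrary or the fscrypt project. It turns the caveats above into a preflight check (kernel at least 4.1, a supported filesystem type, CONFIG_FS_ENCRYPTION=y where a kernel config file is readable) and then runs the setup/encrypt/unlock/lock workflow from the description on one directory. The use of findmnt from util-linux, the /boot/config-$(uname -r) path, and sudo for the system-wide setup are assumptions about the host; the mountpoint and directory are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from LinuxCommandLibrary or the fscrypt project):
# preflight checks for the fscrypt caveats, then the basic workflow.
# Assumptions: findmnt (util-linux) is installed, the kernel config lives at
# /boot/config-$(uname -r) if present, and sudo is available for system setup.
set -eu

# Return 0 if filesystem type $1 is one fscrypt supports (ext4, f2fs, ubifs).
fscrypt_fs_supported() {
    case "$1" in
        ext4|f2fs|ubifs) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if kernel release string $1 (e.g. "5.15.0-generic") is >= $2.$3.
kernel_at_least() {
    kver=$1; need_major=$2; need_minor=$3
    major=${kver%%.*}
    rest=${kver#*.}
    [ "$rest" = "$kver" ] && rest=0          # no dot at all: treat minor as 0
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}                   # drop suffixes such as "-rc1"
    [ "$major" -gt "$need_major" ] ||
        { [ "$major" -eq "$need_major" ] && [ "$minor" -ge "$need_minor" ]; }
}

# Return 0 if mountpoint $1 looks usable with fscrypt on this kernel.
fscrypt_preflight() {
    mnt=$1
    if ! kernel_at_least "$(uname -r)" 4 1; then
        echo "kernel $(uname -r) is older than 4.1; fscrypt unsupported" >&2
        return 1
    fi
    fstype=$(findmnt -n -o FSTYPE --target "$mnt")
    if ! fscrypt_fs_supported "$fstype"; then
        echo "$mnt is $fstype, not ext4/f2fs/ubifs" >&2
        return 1
    fi
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ] && ! grep -q '^CONFIG_FS_ENCRYPTION=y' "$cfg"; then
        echo "CONFIG_FS_ENCRYPTION is not enabled in $cfg" >&2
        return 1
    fi
    return 0
}

# The workflow from the description: setup, encrypt, lock, unlock, status.
# $1 is the mountpoint, $2 the directory to encrypt (must be empty or new).
fscrypt_workflow() {
    mnt=$1; dir=$2
    fscrypt_preflight "$mnt"
    sudo fscrypt setup            # writes /etc/fscrypt.conf (once per system)
    fscrypt setup "$mnt"          # creates the .fscrypt metadata on the mountpoint
    mkdir -p "$dir"
    fscrypt encrypt "$dir"        # interactively chooses a protector and key
    fscrypt status "$dir"         # shows the policy and whether it is unlocked
    fscrypt lock "$dir"           # contents and names become inaccessible
    fscrypt unlock "$dir"         # prompts for the protector again
    fscrypt status "$dir"
}

# Run the workflow only when invoked directly with both arguments.
if [ "$#" -eq 2 ]; then
    fscrypt_workflow "$1" "$2"
fi
```

Run it as `sh fscrypt-demo.sh /home /home/alice/private` (paths are illustrative). The preflight functions are kept separate from the workflow so they can be reused in provisioning scripts; losing the protector after encryption means losing the data, which is why the script checks the environment before `fscrypt encrypt` rather than after.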

KEY PROTECTORS

Supported types: prompt (password), login (PAM-linked), pkcs11 (tokens), raw (hex key).

ENCRYPTION MODES

Contents: AES-256-XTS, AES-128-XTS.
Filenames: AES-256-CTS-CBC, AES-128-CTS-CBC, or AES-256-CTS-HMAC-SHA256 (v2).

HISTORY

Kernel fscrypt API introduced in Linux 4.1 (2015) by Mike Gilbert and others.
Userspace fscrypt tool developed by Eric Biggers at Google (2019), superseding e4crypt. It is actively maintained; the latest versions support more filesystems and protectors.

SEE ALSO

cryptsetup(1), mount(8), e4crypt(1)
