mount.ecryptfs
Mount an eCryptfs encrypted filesystem
SYNOPSIS
mount.ecryptfs source_directory mount_point
mount.ecryptfs source_directory mount_point [options]
mount.ecryptfs mount_point
PARAMETERS
source_directory
The directory containing the encrypted eCryptfs files. This is the lower directory where encrypted data resides.
mount_point
The directory where the decrypted filesystem will be accessible. This is the upper directory which users interact with.
-o option
Specifies various mount options. These can be standard mount(8) options or eCryptfs-specific options.
ecryptfs_sig=signature
Specifies the signature (a 16-character hexadecimal string) of the encryption key to use for decryption.
ecryptfs_cipher=cipher_name
Sets the encryption cipher to be used, e.g., 'aes', 'blowfish', 'des3_ede'. Default is often 'aes'.
ecryptfs_key_bytes=size
Sets the key size in bytes, e.g., '16' (128-bit), '24' (192-bit), '32' (256-bit). Must match the original encryption setup.
ecryptfs_passthrough
Allows unencrypted files within the source directory to be visible and accessible in the mount point. Use with caution.
ecryptfs_xattr
Enables support for extended attributes (xattrs) on the eCryptfs filesystem.
ecryptfs_nofilename_cipher
Disables filename encryption. If the original files were stored with filename encryption, they will not be readable unless this setting matches the original setup. This often implies ecryptfs_passthrough for filenames.
ecryptfs_enable_filename_cipher
Explicitly enables filename encryption. This is typically the default behavior if not specified otherwise or if the original files were encrypted this way.
ecryptfs_fnek_sig=signature
Specifies the signature for the filename encryption key, if different from the file encryption key.
ecryptfs_unlink_sigs
Unlinks unused key signatures from the kernel keyring after successful mount, helping to clean up the keyring.
ecryptfs_verbosity=level
Sets the verbosity level for eCryptfs logging messages, from 0 (silent) to 10 (debug).
no_sig_cache
Disables caching of key signatures in the kernel keyring. Can prevent issues with key conflicts but may impact performance.
rw
Mounts the filesystem in read-write mode (default).
ro
Mounts the filesystem in read-only mode.
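The following script is an added example and is not part of ecryptfs-utils or this manual: it validates the eCryptfs-specific option values described above and assembles the -o string before anything is handed to mount(8). The accepted cipher names (aes, blowfish, des3_ede) and key sizes (16, 24, 32) are taken from the option descriptions above and treated as an allow-list, which is an assumption; the 16-character hexadecimal signature used in the demonstration is a placeholder, not a real key. Nothing in it performs a mount.

```shell
#!/bin/sh
# Added example, not part of ecryptfs-utils: validate eCryptfs mount option
# values and build the -o argument for mount.ecryptfs. The cipher and key-size
# allow-lists are assumptions taken from the option descriptions above.

# is_hex16 STR: true if STR is exactly 16 hexadecimal characters, the form
# ecryptfs_sig= and ecryptfs_fnek_sig= expect.
is_hex16() {
    case "$1" in
        ????????????????) ;;          # exactly 16 characters
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;   # any non-hex character
    esac
    return 0
}

# build_opts SIG CIPHER KEY_BYTES MODE [FNEK_SIG]: print the -o argument, or
# report the first problem on stderr and return 1.
build_opts() {
    sig=$1 cipher=$2 bytes=$3 mode=$4 fnek=${5:-}
    is_hex16 "$sig" || { echo "ecryptfs_sig must be 16 hex chars: $sig" >&2; return 1; }
    case "$cipher" in
        aes|blowfish|des3_ede) ;;
        *) echo "unknown ecryptfs_cipher: $cipher" >&2; return 1 ;;
    esac
    case "$bytes" in
        16|24|32) ;;
        *) echo "ecryptfs_key_bytes must be 16, 24 or 32: $bytes" >&2; return 1 ;;
    esac
    case "$mode" in
        ro|rw) ;;
        *) echo "mode must be ro or rw: $mode" >&2; return 1 ;;
    esac
    opts="$mode,ecryptfs_sig=$sig,ecryptfs_cipher=$cipher,ecryptfs_key_bytes=$bytes"
    if [ -n "$fnek" ]; then
        is_hex16 "$fnek" || { echo "ecryptfs_fnek_sig must be 16 hex chars: $fnek" >&2; return 1; }
        opts="$opts,ecryptfs_fnek_sig=$fnek"
    fi
    # drop signatures that are no longer needed from the keyring after mounting
    opts="$opts,ecryptfs_unlink_sigs"
    printf '%s\n' "$opts"
}

# mount_cmd SOURCE TARGET OPTS: print the mount.ecryptfs invocation that would
# be run; both paths must already exist as directories.
mount_cmd() {
    [ -d "$1" ] || { echo "source_directory $1 is not a directory" >&2; return 1; }
    [ -d "$2" ] || { echo "mount_point $2 is not a directory" >&2; return 1; }
    printf 'mount.ecryptfs %s %s -o %s\n' "$1" "$2" "$3"
}

# Demonstration with constructed values: placeholder signature, /tmp used as
# both lower and upper directory purely so the paths exist.
if opts=$(build_opts 0123456789abcdef aes 32 ro); then
    mount_cmd /tmp /tmp "$opts"
fi
```

On a real system replace the placeholder signature with the one reported when the passphrase was added to the keyring, and the two /tmp paths with the lower directory and mount point; the printed line is the command to run as root.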
DESCRIPTION
mount.ecryptfs is a helper utility for the standard mount(8) command, specifically designed to handle filesystems encrypted with eCryptfs. It simplifies the process of mounting an eCryptfs private directory or a raw eCryptfs filesystem, often prompting the user for necessary credentials like passphrases or mount keys.
It automatically handles the complex aspects of eCryptfs mounting, such as determining the correct source and target paths, setting up the key management, and configuring various eCryptfs-specific options (e.g., encryption ciphers, key sizes, filename encryption). Its primary goal is to provide a user-friendly interface for accessing encrypted data stored in eCryptfs format.
CAVEATS
Key Management: Losing the passphrase or key will result in permanent data loss. eCryptfs relies heavily on kernel keyrings.
Performance: Encryption and decryption add overhead, which can impact filesystem performance, especially for large files or many small files.
Security: While it encrypts data at rest, the decrypted data is accessible in memory. Physical access to a running system could expose data. Proper system security (e.g., disk encryption at boot like LUKS) should complement eCryptfs.
Interoperability: Files encrypted with eCryptfs are generally only readable by eCryptfs.
Filesystem Layout: eCryptfs stores encrypted files in a way that resembles the original directory structure, but file names are often encrypted, and file content is transformed. This can be confusing if directly browsing the source directory.
Kernel Module: Requires the ecryptfs kernel module to be loaded.
AUTOMATIC PROMPTING
mount.ecryptfs will usually prompt for a passphrase or other key information when it is not supplied via command-line options.
KERNEL KEYRING INTEGRATION
eCryptfs heavily relies on the Linux kernel's keyring for managing encryption keys. When a filesystem is mounted, keys are added to the active keyring. This can be viewed or managed using the keyctl(1) command.
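The script below is an added example, not part of ecryptfs-utils or this manual. It shows the pre-flight checks a non-interactive wrapper (a boot script or automount hook) can run before calling mount.ecryptfs, covering the kernel-module caveat above and the keyring integration just described: whether ecryptfs appears in /proc/filesystems, whether the key signature is present in the user keyring as listed by keyctl(1), and whether both directories exist. Each check takes its input as text so it can be exercised on the constructed samples embedded in the script; the key id and signature in the sample keyring line are placeholders. The layout of the keyctl list output it parses ("<id>: <perms> <uid> <gid> user: <description>") is an assumption about that tool's format.

```shell
#!/bin/sh
# Added example, not part of ecryptfs-utils: pre-flight checks before calling
# mount.ecryptfs from a non-interactive wrapper. Inputs are passed as text so
# the functions run on constructed samples; on a live system pass the contents
# of /proc/filesystems and the output of `keyctl list @u` instead.

# Constructed sample of /proc/filesystems with the ecryptfs module loaded.
SAMPLE_FS=$(printf 'nodev\tsysfs\n\text4\nnodev\tecryptfs\n')
# Constructed sample of `keyctl list @u`; key id and signature are placeholders.
SAMPLE_KEYRING='123456789: --alswrv  1000  1000 user: 0123456789abcdef'

# fs_supported TEXT: true if the /proc/filesystems listing names ecryptfs,
# i.e. the module is loaded or built into the kernel.
fs_supported() {
    printf '%s\n' "$1" | grep -q '[[:space:]]ecryptfs$'
}

# sig_in_keyring SIG TEXT: true if the keyring listing holds a "user" key whose
# description is SIG, the value ecryptfs_sig= refers to.
sig_in_keyring() {
    printf '%s\n' "$2" | grep -q "user: $1\$"
}

# preflight FS_TEXT KEYRING_TEXT SIG SOURCE TARGET: run every check; report the
# first failure on stderr and return a distinct non-zero code for it.
preflight() {
    fs_supported "$1" \
        || { echo "ecryptfs is not in /proc/filesystems; load the module first" >&2; return 2; }
    sig_in_keyring "$3" "$2" \
        || { echo "key $3 is not in the user keyring; mount.ecryptfs would prompt" >&2; return 3; }
    [ -d "$4" ] || { echo "source_directory $4 is not a directory" >&2; return 4; }
    [ -d "$5" ] || { echo "mount_point $5 is not a directory" >&2; return 5; }
    return 0
}

# Demonstration on the constructed samples (/tmp used for both paths only so
# that they exist).
if preflight "$SAMPLE_FS" "$SAMPLE_KEYRING" 0123456789abcdef /tmp /tmp; then
    echo "preflight ok: ready to call mount.ecryptfs"
fi
```

On a live system the call becomes preflight "$(cat /proc/filesystems)" "$(keyctl list @u)" SIG SOURCE TARGET; a return code of 3 means the key has not been added to the keyring yet, so an unattended mount would block waiting for a passphrase rather than fail cleanly.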
USER-SPACE HELPER
This command acts as a user-space helper, meaning it's invoked by mount(8) when the filesystem type is detected or specified as ecryptfs. The actual encryption/decryption operations happen within the kernel.
HISTORY
eCryptfs itself was developed primarily by Michael Halcrow at IBM and later at Canonical Ltd., with contributions from other developers. It was designed as a stacked cryptographic filesystem, meaning it sits atop an existing filesystem (like ext4) and encrypts files transparently.
mount.ecryptfs emerged as a user-friendly wrapper for interacting with this filesystem, making it easier for users to manage their encrypted directories without delving into complex mount options and key management manually. It gained significant adoption, particularly in Ubuntu, where it was used for encrypted home directories. Development has been ongoing, adapting to kernel changes and improving stability and features.
SEE ALSO
mount(8), umount(8), ecryptfs-setup-private(1), ecryptfs-migrate-home(8), keyctl(1), cryptsetup(8)