LinuxCommandLibrary

mount.ecryptfs_private

Mount an encrypted private directory

SYNOPSIS

mount.ecryptfs_private [ALIAS]
umount.ecryptfs_private [-f] [ALIAS]

mount.ecryptfs_private is a setuid-root mount helper that lets an unprivileged user mount their own eCryptfs private directory. Invoked as umount.ecryptfs_private (the same program under a second name), it unmounts it. It is normally run for the user by pam_ecryptfs at login and logout, or through the ecryptfs-mount-private(1) and ecryptfs-umount-private(1) wrappers, rather than being called directly; there is no option to act on another user's directory, because the helper only ever operates on the calling user's own files.

PARAMETERS

ALIAS
    Name of the private directory to operate on. With no ALIAS it defaults to Private: the key signature(s) are read from ~/.ecryptfs/Private.sig, the mount point from ~/.ecryptfs/Private.mnt (normally ~/Private), and the ciphertext directory ~/.Private is mounted there. With an ALIAS, ~/.ecryptfs/ALIAS.sig, ~/.ecryptfs/ALIAS.mnt and ~/.ALIAS are used instead.

-f
    Only meaningful when invoked as umount.ecryptfs_private: unmount even though the per-user session counter (kept in /dev/shm) shows other login sessions still using the mount. Without -f the helper decrements the counter and only unmounts when it reaches zero.

DESCRIPTION


mount.ecryptfs_private is the helper from ecryptfs-utils that underlies Ubuntu-style encrypted Private directories and encrypted home directories. The ciphertext lives in a lower directory, ~/.Private by default, and the helper mounts an eCryptfs view of it at the mount point recorded in ~/.ecryptfs/Private.mnt, normally ~/Private. Reads and writes through the mount point are decrypted and encrypted on the fly by the eCryptfs kernel module; the lower directory only ever holds ciphertext (file names included, when a filename encryption key is configured).

The helper never handles a passphrase. It expects the mount key(s) to be in the calling user's kernel keyring already, identified by the signature(s) listed in ~/.ecryptfs/Private.sig (one line for the file encryption key, an optional second line for the filename encryption key). At login that is arranged by pam_ecryptfs, which unwraps ~/.ecryptfs/wrapped-passphrase with the login password, inserts the result into the keyring, and then runs mount.ecryptfs_private if ~/.ecryptfs/auto-mount exists; outside of PAM the key can be inserted with ecryptfs-add-passphrase or ecryptfs-insert-wrapped-passphrase-into-keyring before the helper is called. Because the program runs setuid root, it performs its own checks before mounting: the caller must own both the lower directory and the mount point.

The result is that the user's data is encrypted at rest and becomes readable only after the user has authenticated. This protects against loss or theft of the disk and against other local users; it does not protect against anything running with the user's privileges (or as root) while the directory is mounted, since at that point the plaintext view is an ordinary directory.

CAVEATS


Requires eCryptfs Kernel Module: The ecryptfs kernel module must be available; the kernel normally loads it on demand when the first eCryptfs mount is requested, and on a kernel built without it the mount fails.

Key and Directory Structure: The helper does nothing without the layout created by ecryptfs-setup-private(1): ~/.Private, ~/.ecryptfs/Private.sig, ~/.ecryptfs/Private.mnt and, for PAM integration, ~/.ecryptfs/wrapped-passphrase plus the auto-mount and auto-umount flag files. Deleting or hand-editing these can make the data unmountable.

Lingering Mounts: umount.ecryptfs_private only unmounts when the per-user session counter drops to zero. A session that ends without pam_ecryptfs running its session-close hook (a killed session, or a login path that does not pass through pam_ecryptfs) leaves the plaintext view mounted, and therefore readable by anything running as that user, after the user believes they have logged out. umount.ecryptfs_private -f unmounts regardless of the counter.

Security Dependence: The random mount passphrase is wrapped with the login password, so the protection is only as strong as that password. The unwrapped passphrase (see ecryptfs-unwrap-passphrase(1)) is the only recovery path if the login password is lost or the wrapped-passphrase file is damaged; without it the data is unrecoverable.

Automated Use: This command is typically part of an automated login process and not intended for manual, everyday use by end-users; ecryptfs-mount-private(1) and ecryptfs-umount-private(1) are the wrappers meant for interactive use.

HOW IT WORKS WITH LOGIN

When pam_ecryptfs is configured, the auth phase of login unwraps ~/.ecryptfs/wrapped-passphrase with the password the user just typed and inserts the resulting mount passphrase into the user's kernel keyring; the login password itself is never the eCryptfs key. In the session phase, if ~/.ecryptfs/auto-mount exists, pam_ecryptfs runs mount.ecryptfs_private, which reads the key signature(s) from ~/.ecryptfs/Private.sig, confirms that keys with those signatures are in the keyring, and mounts ~/.Private (the ciphertext store) on ~/Private. On session close, if ~/.ecryptfs/auto-umount exists, umount.ecryptfs_private is run and the mount goes away once the last of the user's sessions ends. To the user this is invisible: ~/Private contains their files while they are logged in and is an unmounted mount point, holding only the placeholders left by ecryptfs-setup-private, when they are not.

UNDERLYING DIRECTORY STRUCTURE

eCryptfs private directories rely on two hidden entries in the user's home:

  • ~/.Private: the lower directory, holding the ciphertext. For an encrypted Private directory it is a real directory; for a fully encrypted home it is a symlink to /home/.ecryptfs/<username>/.Private, so that the ciphertext sits outside the (itself encrypted) home and is reachable before the home is mounted.
  • ~/.ecryptfs: metadata and the password-wrapped passphrase, never an unwrapped key (those exist only in the kernel keyring). It holds Private.sig (hex signatures identifying the file encryption key and, optionally, the filename encryption key), Private.mnt (the mount point path), wrapped-passphrase (the random mount passphrase encrypted under the login password) and the empty auto-mount and auto-umount flag files consulted by pam_ecryptfs. For an encrypted home this too is a symlink, to /home/.ecryptfs/<username>/.ecryptfs.
mount.ecryptfs_private reads the .sig and .mnt files for the requested ALIAS and mounts the corresponding lower directory; it never reads wrapped-passphrase.
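The login flow and the directory layout above reduce to three facts the helper depends on: the .sig file parses, every signature in it is present in the user's keyring, and the mount point is either free or already carries an eCryptfs mount keyed by that signature. The script below is an added example, not code from ecryptfs-utils or from this page. It performs those checks over constructed stand-ins for ~/.ecryptfs/Private.sig, the output of keyctl list @u and /proc/mounts (the user alice, the signatures and the key IDs are made up), so it runs without root or the eCryptfs module. The foreign-mount case is the one worth keeping in a real login hook: a tmpfs or bind mount already sitting on ~/Private means files written there land outside the encrypted store, and a plain "is something mounted here" check reports success.

```sh
#!/bin/sh
# Added example (not part of ecryptfs-utils): pre-flight checks mirroring what
# mount.ecryptfs_private relies on before it mounts ~/.Private on the mount
# point named in ~/.ecryptfs/Private.mnt. Every input file here is a
# constructed stand-in; on a real host you would read ~/.ecryptfs/Private.sig,
# /proc/mounts and the output of `keyctl list @u` instead.

# Print "FEK_SIG FNEK_SIG" from a .sig file (line 1 = file encryption key
# signature, optional line 2 = filename encryption key signature).
# Returns 1 unless the file is one or two lines of 16 lowercase hex digits.
read_sig_file() {
    awk '
        length($0) != 16 || $0 !~ /^[0-9a-f]+$/ { bad = 1 }
        { sig[NR] = $0 }
        END {
            if (bad || NR < 1 || NR > 2) exit 1
            printf "%s %s\n", sig[1], sig[2]
        }' "$1"
}

# Return 0 if a key described by signature $1 appears in a keyctl listing
# ($2, one key per line: "<id>: <perms> <uid> <gid> <type>: <description>").
# eCryptfs passphrases live in the keyring as "user" keys named by their sig.
key_in_keyring() {
    grep -q "[[:space:]]user: $1\$" "$2"
}

# Inspect a /proc/mounts-format file ($3) for mount point $1.
#   0 = an eCryptfs mount with ecryptfs_sig=$2 is there (already mounted)
#   1 = nothing is mounted there
#   2 = something else is mounted there (wrong fs type or wrong key)
# The kernel octal-escapes spaces in /proc/mounts paths (\040); the sample
# paths contain none, so no unescaping is done here.
mount_state() {
    local mountpoint fek mounts src mnt fstype opts rest
    mountpoint=$1; fek=$2; mounts=$3
    while read -r src mnt fstype opts rest; do
        [ "$mnt" = "$mountpoint" ] || continue
        case ",$opts," in
            *",ecryptfs_sig=$fek,"*)
                if [ "$fstype" = ecryptfs ]; then return 0; fi ;;
        esac
        return 2
    done < "$mounts"
    return 1
}

# Combine the checks the way a login hook would before calling
# mount.ecryptfs_private. Prints exactly one of:
#   mounted | ready | missing-key | foreign-mount | bad-sig-file
preflight() {
    local sigfile mountpoint keydump mounts sigs fek fnek rc sig
    sigfile=$1; mountpoint=$2; keydump=$3; mounts=$4
    sigs=$(read_sig_file "$sigfile") || { echo bad-sig-file; return 1; }
    fek=${sigs%% *}
    fnek=${sigs#* }
    rc=0
    mount_state "$mountpoint" "$fek" "$mounts" || rc=$?
    case $rc in
        0) echo mounted; return 0 ;;
        2) echo foreign-mount; return 1 ;;
    esac
    # Every signature listed in the .sig file must already be in the keyring;
    # the helper never sees a passphrase, only these key references.
    for sig in $fek $fnek; do
        key_in_keyring "$sig" "$keydump" || { echo missing-key; return 1; }
    done
    echo ready
}

# Constructed fixtures: hypothetical user "alice", made-up signatures and IDs.
make_fixtures() {
    printf '%s\n' 3f1a9c02b7e4d586 8e0d4c2a6b9f1735 > "$1/Private.sig"
    printf '%s\n' not-a-signature > "$1/bad.sig"
    printf ' %s\n' '123456789: --alswrv  1000  1000 user: 3f1a9c02b7e4d586' \
                   '987654321: --alswrv  1000  1000 user: 8e0d4c2a6b9f1735' > "$1/keyring.txt"
    printf ' %s\n' '123456789: --alswrv  1000  1000 user: 3f1a9c02b7e4d586' > "$1/keyring-nofnek.txt"
    printf '%s\n' 'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' > "$1/mounts-none.txt"
    { cat "$1/mounts-none.txt"
      echo '/home/alice/.Private /home/alice/Private ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=8e0d4c2a6b9f1735,ecryptfs_sig=3f1a9c02b7e4d586,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0'
    } > "$1/mounts-mounted.txt"
    { cat "$1/mounts-none.txt"
      echo 'tmpfs /home/alice/Private tmpfs rw,nosuid,nodev 0 0'
    } > "$1/mounts-foreign.txt"
}

tmp=$(mktemp -d)
make_fixtures "$tmp"
for m in mounted none foreign; do
    printf '%-9s %s\n' "$m:" "$(preflight "$tmp/Private.sig" /home/alice/Private "$tmp/keyring.txt" "$tmp/mounts-$m.txt")"
done
printf '%-9s %s\n' no-fnek: "$(preflight "$tmp/Private.sig" /home/alice/Private "$tmp/keyring-nofnek.txt" "$tmp/mounts-none.txt")"
rm -rf "$tmp"
```

On a real system the three fixture arguments become ~/.ecryptfs/Private.sig, a file captured from keyctl list @u, and /proc/mounts, and the mount point is whatever ~/.ecryptfs/Private.mnt names. A "ready" result is the state in which mount.ecryptfs_private will succeed; "missing-key" is the usual failure after a login path that skipped pam_ecryptfs, and is fixed by ecryptfs-add-passphrase or ecryptfs-insert-wrapped-passphrase-into-keyring rather than by retrying the mount.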

HISTORY


mount.ecryptfs_private is part of ecryptfs-utils, the userspace companion to the eCryptfs filesystem written by Michael Halcrow at IBM and merged into Linux 2.6.19 in 2006. Its prominence came from Ubuntu, where ecryptfs-setup-private and the encrypted Private directory shipped in 8.10 and the installer's option to encrypt the whole home directory, built on the same helper, arrived in 9.04. Encrypted home was an installer option rather than a default, and Ubuntu removed the option in 18.04 in favour of full-disk encryption with LUKS, but the tooling remains available and the PAM integration is still the reference design for unlocking a user-owned encrypted directory transparently with the login password.

SEE ALSO

mount(8), umount(8), ecryptfs(7), ecryptfs-mount-private(1), ecryptfs-umount-private(1), ecryptfs-setup-private(1), ecryptfs-add-passphrase(1), ecryptfs-unwrap-passphrase(1), ecryptfs-utils(7), pam_ecryptfs(8), keyctl(1)
