Encrypt Folders with Ecryptfs on the fly

Encrypt Folders with Ecryptfs on the fly

Here I will show you how to encrypt folders with encryptfs on the fly then how to de-encrypt them.  This can used to encrypt a folder you don’t want anybody to be able to read the files within. In this 1st part will show just how to encrypt a folder you created just to this purpose.

  1. You have to make sure that ecryptfs-utils is installed. Either open your Software Manager program or Synaptic Package Manager. Search for the ecryptfs-utils program and install it if not installed already.
  2. Open your File Manager and Create a new Folder where you want. Don’t forget, no spaces. Can’t use Private Folder as a name, would have to rename it Private_Folder. Remember NO SPACES
  3. Now to setup encryption for the folder you just created. Open a Terminal window and cut and past the following line into the Terminal window, changing the directory name to your namesudo mount -t ecryptfs /home/Private_Folder /home/Private_Folder
  4. The first time it run’s you will be asked some question.
Passphrase: passphrase (here you enter and passphrase you will remember – think of this as a password)
Select cipher: Select 1 (for AES encryption) Then 2 for 32 bit
Enable plaintext passthrough (y/n) [n]: <– ENTER
Enable filename encryption (y/n) [y]: <– ENTER (This scrambles the names in the folder when not mounted)
Attempting to mount with the following options:
Next you may or maynot get this:
The first time it will give you a warning like this: WARNING: Based on the contents of [/home/Private_Folder/],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.Would you like to proceed with the mount (yes/no)? : <– yes
Would you like to append sig [bd28c38da9fc938b] to [/home/Private_Folder/]
in order to avoid this warning in the future (yes/no)? : <– yes

Now anything you put into that folder will be encrypted while is mounted. So you see this a great way to store files and picture in a Private folder and lets you store them in the cloud with a lot more security.

The next time you mount your encrypted folder it will ask for your login password (for the sudo command) and then the passphrase that you used when first creating the encrypted folder. Don’t forget that….

Copy and paste the following in a terminal windows and run:
sudo mount -t ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y /home/Private_Folder /home/Private_Folder

You can make a new folder in your Home directory or on other drives and then run the setup on that folder and put all your secret files in there, unmount the folder and copy your folder to your cloud storage folder and all those files are now encrypted.

Un-Mount the Encrypted folder

sudo umount -l /home/Private_Folder  (don’t forget the -l that is a small L, this will force the folder to be un mounted)

Have fun and play around with some of the options, you can also create a hidden folder that you only see when you mount the folder.



       eCryptfs - an enterprise-class cryptographic filesystem for linux


       mount -t ecryptfs [SRC DIR] [DST DIR] -o [OPTIONS]


       eCryptfs  is  a  POSIX-compliant enterprise-class stacked cryptographic
       filesystem  for  Linux.  It  is  derived  from  Erez  Zadok's  Cryptfs,
       implemented   through   the   FiST  framework  for  generating  stacked
       filesystems.  eCryptfs  extends  Cryptfs  to   provide   advanced   key
       management and policy features.  eCryptfs stores cryptographic metadata
       in the header of each file written, so  that  encrypted  files  can  be
       copied between hosts; the file will be decryptable with the proper key,
       and there is no need to keep track of any additional information  aside
       from what is already in the encrypted file itself. Think of eCryptfs as
       a sort of "gnupgfs."



            Parameters that apply to the eCryptfs kernel module.

              Specify the signature of the mount  wide  authentication  token.
              The  authentication  token  must be in the kernel keyring before
              the mount is performed. ecryptfs-manager or the  eCryptfs  mount
              helper can be used to construct the authentication token and add
              it to the keyring prior to mounting.

              Specify the signature of the  mount  wide  authentication  token
              used  for  filename  crypto.  The  authentication must be in the
              kernel keyring before mounting.

              Specify the symmetric cipher to be used on a per file basis

              Specify the keysize to be used with the selected cipher. If  the
              cipher  only  has  one  keysize  the keysize does not need to be

              Allows for non-eCryptfs files to be read and written from within
              an eCryptfs mount. This option is turned off by default.

              Do  not  check the mount key signature against the values in the
              user's ~/.ecryptfs/sig-cache.txt file. This is useful  for  such
              things  as  non-interactive  setup  scripts,  so  that the mount
              helper does not stop and prompt the user in the event  that  the
              key sig is not in the cache.

              This  option  provides  a  unified  encrypted file format of the
              eCryptfs files in the lower mount point.  Currently, it is  only
              useful if the lower mount point contains files with the metadata
              stored in the extended attribute.  Upon a file read in the upper
              mount point, the encrypted version of the file will be presented
              with the metadata in the  file  header  instead  of  the  xattr.
              Files cannot be opened for writing when this option is enabled.

              Store  the metadata in the extended attribute of the lower files
              rather than the header region of the lower files.

              Log ecryptfs  information  to  /var/log/messages.   Do  not  run
              eCryptfs  in  verbose-mode  unless you are doing so for the sole
              purpose of development, since secret values will be written  out
              to the system log in that case.


              Parameters that apply to the eCryptfs mount helper.

       key=(keytype):[KEY MODULE OPTIONS]
              Specify the type of key to be used when mounting eCryptfs.

              Specify  whether  filename encryption should be enabled. If not,
              the mount helper will not  prompt  the  user  for  the  filename
              encryption key signature (default).

              If verbosity=1, the mount helper will ask you for missing values
              (default).  Otherwise, if  verbosity=0,  it  will  not  ask  for
              missing values and will fail if required values are omitted.


              Parameters  that  apply to individual key modules have the alias
              for the key module in the prefix  of  the  parameter  name.  Key
              modules  are  pluggable,  and which key modules are available on
              any given system  is  dependent  upon  whatever  happens  to  be
              installed in /usr/lib*/ecryptfs/.

              The actual password is passphrase. Since the password is visible
              to utilities (like ps under Unix) this form should only be  used
              where security is not important.

              The    password   should   be   specified   in   a   file   with
              passwd=(passphrase). It is highly recommended that the  file  be
              stored on a secure medium such as a personal usb key.

       passphrase_passwd_fd=(file descriptor)
              The password is specified through the specified file descriptor.

       passphrase_salt=(hex value)
              The salt should be specified as a 16 digit hex value.

              The  filename should be the filename of a file containing an RSA
              SSL key.

              The   password   should   be   specified   in   a   file    with
              openssl_passwd=(openssl-password). It is highly recommended that
              the file be stored on a secure medium such  as  a  personal  usb

       openssl_passwd_fd=(file descriptor)
              The password is specified through the specified file descriptor.

              The  password  can  be  specified on the command line. Since the
              password  is  visible  in  the  process  list,  it   is   highly
              recommended to use this option only for testing purposes.


       The  following  command  will  layover mount eCryptfs on /secret with a
       passphrase contained in a  file  stored  on  secure  media  mounted  at

       mount                  -t                  ecryptfs                  -o
       key=passphrase:passphrase_passwd_file=/mnt/usb/file.txt /secret /secret

       Where file.txt contains the contents "passphrase_passwd=[passphrase]".


Reference Site for Ecryptfs

Leave a Comment

You must be logged in to post a comment.