eCryptFS On Debian Howto

By | 2011-02-02

This article explains how to get a stacked encrypted directory using the ecryptfs Linux kernel driver, and to transparently automount that directory using the ecryptfs PAM module.

Being “stacked” means that the real storage is provided by your existing file system in a nominated directory. That directory is decrypted on the fly once the ecryptfs filesystem is mounted and provides a virtual decrypted view of that storage at the mount point.

Use of the PAM module means that the encrypted directory is secured on your login password.


Ecryptfs doesn’t use your login password as the decryption key (if it did, then root could gain access to it by changing your password to something root knows). Instead the login password is used to decrypt your mount passphrase.

Three directories are used

  • .ecryptfs/ configuration directory
  • .Private/ raw encrypted real files
  • Private/ mount point for virtual file system which is the decrypted version of .Private/

PAM Recap

  • account modules are called to check that the requesting account actually exists and is valid. This might include checks for account expiration of time of day access limits.
  • auth modules verify the users identity — they might do this by requesting and checking a password
  • password modules are called when updating the password.
  • session modules are called to perform actions at the beginning and end of a session. A session being defined as starting after the user successfully authenticates.


apt-get install ecryptfs-utils

This will automatically pull in libecryptfs0. It will also automatically add the PAM module to

  • /etc/pam.d/common-account (although this is commented out)
  • /etc/pam.d/common-auth
  • /etc/pam.d/common-password
  • /etc/pam.d/common-session
  • /etc/pam.d/common-session-noninteractive

The auth ecryptfs PAM module takes a copy of the password used to log in. The session ecryptfs PAM module uses that password to unwrap the mount passphrase for the encrypted directory, and mount the plaintext virtual directory; similarly it unmounts that directory on logout. The password module rewraps the mount passphrase when the user changes their own password (note it doesn’t do this when root changes the user’s password).


You begin by running the following when logged in with your user account:

$ ecryptfs-setup-private
Enter your login passphrase: 
Enter your mount passphrase [leave blank to generate one]: 
Enter your mount passphrase (again): 

  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase

Done configuring.

Testing mount/write/umount/read...
Testing succeeded.

Logout, and log back in to begin using your encrypted directory.

First you enter your login password. ecryptfs will use this to wrap the mount passphrase, which you can also specify should you wish, or leave blank to generate something suitable.

This process will generate the following:

|-- Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
`-- README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt
|-- auto-mount
|-- auto-umount
|-- Private.mnt
|-- Private.sig
`-- wrapped-passphrase

Your mount passphrase is stored in .ecryptfs/wrapped-passphrase in an encrypted form. You can use your login password to decrypt it, which you enter when prompted:

$ ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase 

Here I’ve used a generated mount passphrase as I don’t expect to ever have to type it, other than under very rare circumstances.

Next time you log in the PAM module will automatically mount .Private/ over Private/ but you can do the same thing manually from the command line like this

$ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [551b13b8dcd852e6] into the user session keyring

This will hide the real Private/ directory with an ecryptfs mount

$ mount
/home/user/.Private on /home/user/Private type ecryptfs (ecryptfs_sig=551b13b8dcd852e6,ecryptfs_fnek_sig=6a55078f86383f67,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)

The directory will be automatically unmounted when you log out, but you can umount manually with:

$ ecryptfs-umount-private

Note: that the passphrase is not unwrapped when the administrator tries to log in as you:

$ sudo su - user
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'

In this case, because root doesn’t know the literal password, he is merely using his superuser status to login as “user”, the wrapping password isn’t available so the encrypted directory is not available.


When you change your login password, the wrapping password should be updated by the password module of the PAM ecryptfs driver. However, if it is not automatically changed at the same time, say because the administrator changed your password rather than you personally, you will have to be able to rewrap your mount passphrase manually.

This is easily done like this:

$ ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase
Old wrapping passphrase: 
New wrapping passphrase: 

Be careful typing your new password, you will not be asked for it twice. Note that this is not the mount passphrase it is your login password.


Given that root can do anything on the system, the above is no guarantee of security. It would be trivial for root to install a “login” program that simply emailed him a copy of your password, so you still have to have a certain level of trust in your administrator.

Also be aware that while you are logged in your encrypted directory is visible to your user account. The administrator could choose to assume your identity at that moment and could still see your encrypted data.

Further, an attacker who gains access to your account while you are logged in can do the same.

In short: encryption won’t do much to protect a live attack. It will protect you if your computer is stolen, as the data will be inaccessible without the key phrase.

Manual Directories

Should you wish to make an encrypted directory other than .Private/ you can do it manually. It’s simple but not as automated as using ecryptfs-setup-private:

$ mkdir encrypted-source
$ chmod 700 encrypted-source
$ mkdir encrypted-dest
$ sudo mount -t ecryptfs encrypted-source encrypted-dest
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:  
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: y
Attempting to mount with the following options:
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [d7284afb87fef554] to
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs

Note that defaults were accepts apart from “Enable filename encryption”, which you should enable.

You can, should you wish, use an overlay mount and mount the encrypted directory on itself. This will hide the underlying encrypted directory from the filesystem.

Leave a Reply