Linux Commands

How to use eCryptfs on Linux

Privacy and security have become an important concern these days. Encryption plays an important role in securing and protecting your confidential data. In Linux, there are many tools that can be used to encrypt the data. In this article, we will talk about one of such tools eCryptfs that allows encrypting partitions and directories in a Linux system. This article explains the following;

  • Installation of eCryptfs
  • Encryption of directories using eCryptfs
  • Auto-mount the encrypted directory

Note that we have explained the procedure on Ubuntu 18.04 LTS system.

Syntax

The general syntax for using eCryptfs is:

$ mount -t ecryptfs [source directory] [Destintaion directory] -o [options]

Install eCryptfs

eCryptfs is already included in the official Ubuntu repositories, so we can install it using the apt command. Open the Terminal in your Ubuntu system by pressing Ctrl+Alt+T. Now in the Terminal, execute this command to install eCryptfs:

$ sudo apt install ecryptfs-utils –y

Wait for a while until the installation of eCryptfs is completed.

Encrypt Directories using eCryptfs

To encrypt a directory using eCryptfs, use the syntax described above and replacing the and [Destintaion directory] with your own source or directory name.

For instance, I want to encrypt the “Myfiles” directory under my Home directory. In this case, the command would be:

$ sudo mount -t ecryptfs ~/Documents/Myfiles/ ~/Documents/Myfiles/

When you run the above command, you will be asked to provide some details along with passphrase. The passphrase is actually the encryption key that will be used to later to decrypt the encrypted directory.

Also, note that the details you provide will be later used when remounting the directory.

Now our directory is encrypted and mounted. You can verify it by running the following command:

$ mount | grep ecryptfs

You will see output similar to this.

Verifying Encryption

Let’s create a document in the mounted directory using the Nano editor.

$ sudo nano ~/Documents/Myfiles/sample.txt

Now add some text in the file and press Ctrl+O and Ctrl+X to save and exit the file respectively. Now try to view this document using the cat command:

$ cat ~/Documents/Myfiles/sample.txt

You will see that the document is unencrypted and you can view the content. It is due to the reason that the directory is mounted at this time. Remember that as long as the directory is mounted, you will be able to see the content unless you unmount it.

Now let’s try unmounting the directory. Use the following syntax to do so:

$ umount [mounted_directory]

In our case, it would be:

$ umount ~/Documents/Myfiles/

Note: to unmount a directory, the command is “umount” instead of “unmount”.

As the directory is unmounted, so now let’s view the document using the cat command. This time, you will not be able to view the original content. Instead, you will see the encrypted text.

To access your files again, you will need to re-mount them and enter the same passphrase and details you have set earlier while mounting for the first time.

Automatically mount the encrypted directory

You will need to mount the encrypted directory every time you reboot the system. To avoid this situation, you can configure eCryptfs to automount the encrypted directory at every boot. Let’s see how to do this:
Insert a USB drive into your system. After that, run the following command and note down the name of the USB device:

$ fdisk -l

From the above output, you can see my device name is “/dev/sdd1”.
Create a mount point using the following command:

$ sudo mkdir /mnt/usb

Now mount the USB drive at this mount point:

$ mount /dev/sdd1 /mnt/usb

Run this command and copy the signature from the output:

$ sudo cat /root/.ecryptfs/sig-cache.txt


Next, create a signature file using this command:

$ nano /root/.ecryptfsrc

Then insert the signature you copied above in previous step.

Once done,  save and exit the file.
Next, we will create a passphrase file in the USB drive. To do so, run the following command in Terminal:

$ nano /mnt/usb/key_file.txt

Add the following line by replacing the “your_passphrase” with the actual passphrase:

passphrase_passwd=your_passphrase


Now edit the /etc/fstab file using the Nano editor:

$ nano /etc/fstab

Then add following lines:

/dev/sdd1       /mnt/usb        ext3    ro      0 0Documents/Myfiles/
 ~/Documents/Myfiles/ ecryptfs defaults 0 0Change the device name,
mount point, and the encrypted directories according as per your system.

Once done, save and exit the file. Then reboot the system and the ~/Documents/Myfiles should be mounted.

In this article, we have learned to use eCryptfs for encrypting directories in Ubuntu. To access the encrypted directory, simply mount the directory and once you are done, unmount it. We have also discussed how to automatically mount the encrypted directory to avoid mounting every time the system boots.

About the author

Karim Buzdar

Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. He blogs at LinuxWays.