Encrypting Files Using eCryptfs

Whether you're a business with sensitive client information to protect, or whether you just want to stop people looking at your holiday pictures without permission, you probably have something that you should be encrypting!

Full-disk encryption is usually considered the most secure option, as it hides everything about your files from anyone who gets hold of the disk: their number, their sizes, their names, everything!  However, it only protects the data while it sits on that disk.  If you back your files up elsewhere - either to the cloud, or even just to another computer you own - the copies are written out in plaintext!  Of course if the files are transferred over an encrypted connection such as SSH and stored on a drive that is itself encrypted, then it's OK... but especially with cloud backups this is unlikely, and even when the provider encrypts your data at rest, the provider holds the key and can read it.

Therefore we can use per-file encryption, where each file is encrypted individually and the ciphertext can be copied anywhere without losing its protection.  The trade-off is that per-file encryption leaks what full-disk encryption hides: the number of files, their approximate sizes and the directory structure.  The two options I know of for Linux are EncFS and eCryptfs.  EncFS has the benefit of a Windows port (which may be important to you, see here for instructions), however it's not as regularly maintained as eCryptfs, so I use eCryptfs as I don't need Windows compatibility. *DISCLAIMER: I make no assertions as to the security of either EncFS or eCryptfs, nor of the options I am about to provide; I am simply giving instructions as to how I use eCryptfs*


To create a new "encrypted directory", I use the following, after first creating the two directories: "encrypted" (the lower directory, which holds the ciphertext on disk) and "decrypted" (the mount point, where the plaintext view appears):

sudo mount -t ecryptfs "/path/to/encrypted" "/path/to/decrypted"

Then answer the prompts as follows:

Passphrase: [a randomly generated 64-character password, stored in KeePass - eCryptfs caps passphrases at 64 characters, so a longer one results in an error]
Select cipher: aes
Select key bytes: 32 [i.e. 256-bit AES]
Enable plaintext passthrough: n [with passthrough on, a file in "encrypted" that lacks an eCryptfs header is shown in "decrypted" as-is, so you could no longer tell by looking which files are actually protected]
Enable filename encryption: y
Filename Encryption Key (FNEK) Signature: [press enter to accept the default, which encrypts filenames with the same key as the contents, derived from the passphrase above]
Would you like to proceed with the mount: yes
Would you like to append sig to sig-cache.txt: yes [this records only the key signature, not the passphrase; on later mounts it lets mount.ecryptfs warn you when a passphrase produces a signature it has never seen before, which usually means a typo]

And you're done!  It prints the mount options it used, including the key signature; make a record of the signature, as you need it to mount the directory again later.

Any file you create or modify inside "decrypted" shows up inside "encrypted", but with a nonsensical name and unintelligible contents!  (With filename encryption on, every name in "encrypted" starts with ECRYPTFS_FNEK_ENCRYPTED. - a plain name there means a file was put straight into the lower directory and is not encrypted at all.)  The plaintext only exists through "decrypted" while it is mounted, so it is "encrypted" that you back up, never "decrypted".


In order to mount an existing encrypted directory, I use (inside a script so I don't have to type it!):

sudo mount -t ecryptfs "/path/to/encrypted" "/path/to/decrypted" -o ecryptfs_sig=[replace with sig from earlier],ecryptfs_fnek_sig=[replace with sig from earlier],ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs,ecryptfs_passthrough=no,key=passphrase

It will then ask for the passphrase - provide it correctly, and the directory will be mounted.  It still prompts rather than reading the passphrase from the script on purpose: the script only holds the signatures, which identify the key but are not enough to derive it, so the passphrase never touches disk.  The ecryptfs_unlink_sigs option makes the kernel drop the key from the keyring when the directory is unmounted; without it the derived key would stay in root's keyring until it is cleared or the machine reboots.  An actual example:

sudo mount -t ecryptfs "/home/pi/.pictures-encrypted" "/home/pi/Pictures" -o ecryptfs_sig=019ab83c82e19fa0,ecryptfs_fnek_sig=019ab83c82e19fa0,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs,ecryptfs_passthrough=no,key=passphrase


In order to unmount a directory, use:

sudo umount "/path/to/encrypted"

umount accepts either the lower directory or the mount point ("/path/to/decrypted"); the mount point is the unambiguous choice if the same lower directory is ever mounted in more than one place.  If the mount was made with ecryptfs_unlink_sigs, as above, unmounting also removes the key from the kernel keyring.
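As an added example (not the author's script), here is a small POSIX shell wrapper around the mount and unmount commands above. The lower directory, mount point and signature default to the values from the worked example and are assumptions you override through the environment. Beyond issuing the mount, it checks that the signature has the right shape (8 bytes as 16 hex digits), refuses to mount twice, confirms from /proc/self/mounts that an ecryptfs mount really exists at the mount point, and verifies that every name in the lower directory carries the ECRYPTFS_FNEK_ENCRYPTED prefix, which catches files that were dropped straight into the lower directory and are therefore not encrypted.

```shell
#!/bin/sh
# Wrapper for the mount/unmount commands in the article.  Added example, not the
# author's script.  LOWER, UPPER and SIG default to the author's worked example
# and are assumptions; override them via the environment.  MOUNTS is the mounts
# table to consult, kept as a variable so the checks can be run against a saved
# copy of /proc/self/mounts.

LOWER="${LOWER:-/home/pi/.pictures-encrypted}"
UPPER="${UPPER:-/home/pi/Pictures}"
SIG="${SIG:-019ab83c82e19fa0}"
MOUNTS="${MOUNTS:-/proc/self/mounts}"

# An eCryptfs key signature is 8 bytes printed as hex: exactly 16 hex digits.
valid_sig() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Build the option string from the article's remount command, so the mount and
# anything you log about it use the same settings.  $1 is the content key
# signature, $2 the filename encryption key (FNEK) signature.
mount_opts() {
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs,ecryptfs_passthrough=no,key=passphrase' "$1" "$2"
}

# True if $1 is currently the mount point (field 2) of a mount of type ecryptfs
# (field 3) in the mounts table.  The path is compared verbatim.
ecryptfs_mounted() {
    awk -v t="$1" '$2 == t && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$MOUNTS"
}

# True if every entry in directory $1 carries the prefix eCryptfs puts on
# encrypted filenames.  A plain name means the file bypassed the encryption,
# e.g. it was copied straight into the lower directory.
names_encrypted() {
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue   # unmatched glob, directory is empty
        case "${entry##*/}" in
            ECRYPTFS_FNEK_ENCRYPTED.*) ;;
            *) echo "unencrypted name in $1: ${entry##*/}" >&2; return 1 ;;
        esac
    done
    return 0
}

do_mount() {
    valid_sig "$SIG" || { echo "bad signature: $SIG" >&2; return 2; }
    if ecryptfs_mounted "$UPPER"; then
        echo "$UPPER is already mounted" >&2
        return 0
    fi
    # mount.ecryptfs still prompts for the passphrase; it is never stored here.
    sudo mount -t ecryptfs "$LOWER" "$UPPER" -o "$(mount_opts "$SIG" "$SIG")" || return 1
    ecryptfs_mounted "$UPPER" || { echo "mount returned but $UPPER is not an ecryptfs mount" >&2; return 1; }
    names_encrypted "$LOWER"
}

do_umount() {
    ecryptfs_mounted "$UPPER" || { echo "$UPPER is not mounted" >&2; return 0; }
    sudo umount "$UPPER"   # the mount point; umount also accepts "$LOWER"
}

case "${1:-}" in
    mount)  do_mount ;;
    umount) do_umount ;;
esac
```

Run it as `./ecryptfs-mount.sh mount` or `./ecryptfs-mount.sh umount` (the filename is hypothetical). The final check of the lower directory is the one worth keeping even if you drop the rest: a file that was copied into "encrypted" rather than "decrypted" has a readable name and readable contents, and with passthrough disabled it is simply invisible from the mount point, so nothing else would tell you it is there.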