eCryptfs: A stacked cryptographic filesystem for Linux

eCryptfs is free software. Please see the file COPYING for details. For documentation, please see the files in the doc/ subdirectory. For building and installation instructions please see the INSTALL file.

This software is currently undergoing development. Make sure to maintain a backup copy of any data you write into eCryptfs.

eCryptfs requires the userspace tools downloadable from the SourceForge site:

http://sourceforge.net/projects/ecryptfs/

Userspace requirements include:

• David Howells' userspace keyring headers and libraries (version 1.0 or higher), obtainable from http://people.redhat.com/~dhowells/keyutils/
• Libgcrypt

Mount-wide Passphrase

Create a new directory into which eCryptfs will write its encrypted files (i.e., /root/crypt). Then, create the mount point directory (i.e., /mnt/crypt). Now it's time to mount eCryptfs:

mount -t ecryptfs /root/crypt /mnt/crypt

You should be prompted for a passphrase and a salt (the salt may be blank).

Try writing a new file:

echo "Hello, World" > /mnt/crypt/hello.txt

The operation will complete. Notice that there is a new file in /root/crypt that is at least 12288 bytes in size (depending on your host page size). This is the encrypted underlying file for what you just wrote. To test reading, from start to finish, you need to clear the user session keyring:

keyctl clear @u

Then umount /mnt/crypt and mount again per the instructions given above.

cat /mnt/crypt/hello.txt

Notes

eCryptfs version 0.1 should only be mounted on (1) empty directories or (2) directories containing files only created by eCryptfs. If you mount a directory that has pre-existing files not created by eCryptfs, then behavior is undefined. Do not run eCryptfs in higher verbosity levels unless you are doing so for the sole purpose of debugging or development, since secret values will be written out to the system log in that case.

Mike Halcrow mhalcrow@us.ibm.com