eCryptFS (Enterprise Cryptographic Filesystem) is a POSIX-compliant stacked filesystem encryption layer for Linux. It works by encrypting and decrypting files transparently as they are written to and read from disk – each file gets its own encryption metadata stored in the file header, so you can copy, back up, and restore individual encrypted files without dealing with block-level encryption. This guide covers how to encrypt files and directories on Linux using eCryptFS, including manual directory encryption, auto-mounting, home directory encryption, backup strategies, and data recovery.
Unlike full-disk encryption tools such as LUKS that encrypt entire partitions, eCryptFS operates at the file level. This makes it a practical choice when you need to encrypt specific directories without reformatting or repartitioning your drive. The steps here apply to Ubuntu, Debian, RHEL, Rocky Linux, AlmaLinux, and Fedora systems.
Prerequisites
- A Linux server or workstation running Ubuntu 24.04/22.04, Debian 13/12, RHEL 10/9, Rocky Linux 10/9, AlmaLinux 10/9, or Fedora 42
- Root or sudo access
- Basic familiarity with the Linux file system hierarchy
Step 1: Install eCryptFS Utilities on Linux
The ecryptfs-utils package provides the userspace tools needed to mount, manage, and configure eCryptFS encrypted directories. Install it with your distribution’s package manager.
On Ubuntu and Debian:
sudo apt update
sudo apt install ecryptfs-utils -yOn RHEL, Rocky Linux, and AlmaLinux (EPEL repository required):
sudo dnf install epel-release -y
sudo dnf install ecryptfs-utils -yOn Fedora:
sudo dnf install ecryptfs-utils -yVerify the installation by checking that the eCryptFS kernel module is available:
modinfo ecryptfs | head -5The output should confirm the eCryptFS module is present in your kernel:
filename: /lib/modules/6.x.x/kernel/fs/ecryptfs/ecryptfs.ko
license: GPL
description: eCryptfs
author: Michael A. Halcrow <[email protected]>
alias: fs-ecryptfsStep 2: Encrypt a Directory with eCryptFS
eCryptFS works by mounting an encrypted layer on top of an existing directory. When you write files to the mount point, eCryptFS encrypts them and stores the ciphertext in the underlying directory. Start by creating a directory to hold the encrypted data:
mkdir -p ~/privateMount the directory with eCryptFS. This command mounts ~/private on top of itself – meaning the same directory serves as both the encrypted storage and the decrypted mount point:
sudo mount -t ecryptfs ~/private ~/privateThe mount command starts an interactive prompt asking for encryption options. Here is a typical session with recommended settings:
Select key type to use for newly created files:
1) passphrase
Choice: 1
Passphrase: [enter your passphrase]
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Choice: 1
Select key bytes:
1) 16
2) 32
3) 24
Choice: 2
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [xxxxxxxxxxxx]:
(press Enter to accept the default)After confirming the options, create a test file to verify encryption is working:
echo "This is a secret file" > ~/private/secret.txt
cat ~/private/secret.txtThe file is readable while the eCryptFS mount is active:
This is a secret fileNow unmount the directory and try reading the file again:
sudo umount ~/private
ls ~/private/With filename encryption enabled, you will see garbled filenames like ECRYPTFS_FNEK_ENCRYPTED.FWY... instead of secret.txt. The file contents are also encrypted – trying to read them directly shows ciphertext.
Step 3: Understand eCryptFS Encryption Options
When mounting an eCryptFS directory, you choose several encryption parameters. Understanding these helps you make informed decisions for your security requirements.
Cipher Algorithm
AES (Advanced Encryption Standard) is the default and recommended cipher. It has hardware acceleration on most modern CPUs through AES-NI instructions, making it both the most secure and fastest option. Other ciphers like Twofish and Blowfish are available but rarely needed.
Key Bytes
This controls the encryption key length. For AES, you have three choices:
- 16 bytes (128-bit) – adequate for most use cases
- 24 bytes (192-bit) – middle ground
- 32 bytes (256-bit) – maximum security, recommended for sensitive data
The performance difference between 128-bit and 256-bit AES is negligible on hardware with AES-NI support. Use 256-bit unless you have a specific reason not to.
Plaintext Passthrough
When enabled, files that were written to the directory before eCryptFS was mounted remain readable in plaintext. When disabled (the default and recommended setting), only eCryptFS-encrypted files are accessible through the mount point. Keep this disabled unless you have a mixed directory with both encrypted and unencrypted files.
Filename Encryption (FNEK)
Filename Encryption Key (FNEK) encrypts directory entries so that file names are not visible when the directory is unmounted. Without filename encryption, an attacker can see file names even though file contents are encrypted. Enable this for any directory containing sensitive data.
Step 4: Auto-Mount an Encrypted Directory
Typing mount options manually every time is tedious. You can automate the mount process by storing your mount passphrase in the kernel keyring and using a mount options file. First, add your passphrase to the eCryptFS keyring:
ecryptfs-add-passphraseThis prompts for your passphrase and returns a signature (a hex string). Note this signature – you need it for the mount command. The output looks like:
Inserted auth tok with sig [abcdef1234567890] into the user session keyringNow you can mount without the interactive prompt by passing all options on the command line. Replace the signature values with your own:
sudo mount -t ecryptfs ~/private ~/private \
-o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_sig=abcdef1234567890,ecryptfs_fnek_sig=abcdef1234567890,passphrase_passwd_fd=0For a persistent setup that mounts at boot, add an entry to /etc/fstab. Open the file:
sudo vi /etc/fstabAdd the following line at the end (replace the signature with your actual value):
/home/user/private /home/user/private ecryptfs key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,ecryptfs_sig=abcdef1234567890,ecryptfs_fnek_sig=abcdef1234567890,passphrase_passwd_fd=0 0 0Note that storing the passphrase in fstab has security implications – anyone with root access can read it. For production servers, consider using a PAM module or a key script that prompts at login instead.
Step 5: Encrypt a User Home Directory with eCryptFS
eCryptFS can encrypt an entire user home directory, automatically decrypting it when the user logs in and locking it when they log out. This is the most common eCryptFS use case and is handled by the ecryptfs-migrate-home utility.
This operation must be run as root while the target user is logged out. Log in as root or another user with sudo access, and make sure the target user has no running processes:
sudo -iVerify the target user is not logged in:
who | grep targetuserThis should return no output. If the user is logged in, have them log out first. Then run the migration:
ecryptfs-migrate-home -u targetuserThe tool creates a new encrypted home directory, copies all existing files into it, and sets up PAM hooks for automatic mount/unmount on login/logout. The original home directory is preserved as a backup at /home/targetuser.random_suffix.
After migration, log in as the target user and verify the home directory is decrypted and accessible:
mount | grep ecryptfsYou should see an ecryptfs mount for the user’s home directory:
/home/targetuser/.Private on /home/targetuser type ecryptfs (ecryptfs_check_dev_ruid,...)Record the recovery passphrase immediately – you will need it if the system breaks or you need to access the data from another machine:
ecryptfs-unwrap-passphraseStore this passphrase in a secure location outside the encrypted home directory (a password manager, a printed copy in a safe, etc.). Without it, you cannot recover your data if the login passphrase changes or the system is reinstalled.
Once you confirm everything works, delete the backup of the unencrypted home directory:
sudo rm -rf /home/targetuser.random_suffixStep 6: Backup eCryptFS Encrypted Data
One major advantage of eCryptFS over block-level encryption is that you can back up encrypted files directly without decrypting them first. The encrypted files in the underlying directory are regular files that any backup tool can handle.
To back up encrypted data, copy the contents of the underlying .Private directory (or your custom encrypted directory) while eCryptFS is unmounted. This ensures you are copying the encrypted versions:
sudo umount ~/private
rsync -av ~/private/ /backup/private-encrypted/You can also use dedicated backup tools like Restic or Timeshift to back up the encrypted directory. The backup itself is encrypted at rest since you are copying ciphertext.
For home directory encryption, back up the .ecryptfs and .Private directories inside the user’s home:
rsync -av /home/.ecryptfs/targetuser/ /backup/targetuser-encrypted/Always back up the wrapped-passphrase file from /home/.ecryptfs/targetuser/.ecryptfs/ as well – you cannot recover without it.
Step 7: Recover Data with ecryptfs-recover-private
If your system fails to boot or you need to access encrypted data from a live USB or another installation, the ecryptfs-recover-private utility handles the recovery process. Boot from a live USB or mount the drive on another system, then install ecryptfs-utils and run the recovery tool:
sudo ecryptfs-recover-privateThe tool scans the filesystem for eCryptFS .Private directories. If it finds one, it prompts for your passphrase and mounts the decrypted data to a temporary directory under /tmp:
INFO: Found [/home/.ecryptfs/targetuser/.Private].
Try to recover this directory? [Y/n]: Y
INFO: Enter your LOGIN passphrase...
Passphrase:
INFO: Success! Private data mounted at [/tmp/ecryptfs.xxxxxxxx].You can also point the tool directly at a specific .Private directory if the automatic scan does not find it:
sudo ecryptfs-recover-private /mnt/disk/home/.ecryptfs/targetuser/.PrivateCopy the files you need from the temporary mount point, then unmount:
cp -r /tmp/ecryptfs.xxxxxxxx/important-files ~/recovered/
sudo umount /tmp/ecryptfs.xxxxxxxxStep 8: Compare eCryptFS vs LUKS vs fscrypt
Linux offers several encryption options, each suited to different use cases. Here is a comparison to help you choose the right tool.
| Feature | eCryptFS | LUKS (dm-crypt) | fscrypt |
|---|---|---|---|
| Encryption level | Per-file (stacked filesystem) | Full disk/partition (block level) | Per-file (filesystem native) |
| Filesystem support | Any filesystem (ext4, XFS, etc.) | Any filesystem on encrypted block device | ext4, F2FS, UBIFS only |
| Granularity | Individual directories | Entire partition | Individual directories |
| Per-file backup | Yes – files are individually encrypted | No – must backup entire volume | No – metadata in filesystem |
| Performance | Moderate (stacking overhead) | Best (direct block I/O with AES-NI) | Good (native filesystem integration) |
| Setup complexity | Simple (no repartitioning) | Requires dedicated partition | Simple (filesystem flag) |
| Key management | Passphrase or key file | LUKS header with multiple key slots | PAM integration, per-user keys |
| Maintenance status | Mature but limited active development | Actively maintained in kernel | Actively maintained by Google |
| Best for | Encrypting specific directories, shared hosting | Full system encryption, servers | Per-directory encryption on ext4 |
When to use eCryptFS: You need to encrypt specific directories without touching the partition layout. You want per-file encrypted backups. You work with filesystems other than ext4. You need a solution that works across any Linux distribution.
When to use LUKS: You want full disk encryption with the best performance. You are setting up a new system and can dedicate a partition. You need multiple key slots or hardware token support.
When to use fscrypt: You are on ext4 or F2FS and want native filesystem encryption with minimal overhead. You need per-directory encryption with PAM-integrated automatic unlock. You want a solution actively maintained by Google as part of the kernel.
Conclusion
eCryptFS provides a straightforward way to encrypt files and directories on Linux without repartitioning or reformatting your drives. You have installed the tools, encrypted a directory, configured auto-mounting, migrated a home directory, and learned how to back up and recover encrypted data. For production systems, always store your recovery passphrase securely and test your backup/recovery process before relying on it. Combine eCryptFS with regular encrypted backups and access controls to build a solid data protection strategy.
