How To Encrypt Directories/Partitions With eCryptfs

This example provides the steps for encrypting an existing home directory in place.

Install eCryptfs

apt-get install ecryptfs-utils

Back up the existing home directory

cp -pfr /home/[username]/ /tmp/

Mount /home/[username] over itself with the file system type ecryptfs (the same directory is both the lower, on-disk location and the mount point)

mount -t ecryptfs /home/[username] /home/[username]

	Select cipher: aes
	Select key bytes: 16
	Enable plaintext passthrough (y/n) [n]: <-- ENTER
	Enable filename encryption (y/n) [n]: <-- ENTER

	Would you like to proceed with the mount (yes/no)? : <-- yes
	Would you like to append sig...to avoid this warning in the future (yes/no)? : <-- yes

Take a look at the output of

mount

and you should see that /home/[username]/ is now encrypted

/home/[username] on /home/[username] type ecryptfs(rw,ecryptfs_sig=bd28c38da9fc938b,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)

Restore the home backup into the now-encrypted directory /home/[username]/, then delete the backup

cp -pfr /tmp/[username]/ /home/
rm -fr /tmp/[username]/

Testing

Copy a file to /home/[username] and read it

cp /etc/hosts /home/[username]
cat /home/[username]/hosts

Now, unmount /home/[username] and try to read the same file

umount /home/[username]
cat /home/[username]/hosts
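The test above is the definitive one (the file is only readable while the ecryptfs layer is mounted). The script below is an added example, not part of the original howto: it automates the "look at the output of mount" step by parsing /proc/mounts, which lists the same mount in a one-line-per-mount format, and confirms that the directory is an ecryptfs mount using the cipher and key size chosen above (aes, 16 bytes, i.e. AES-128). The sample /proc/mounts content, the user names alice/bob/carol and the function names are constructed for the example; only the /home/alice line reproduces the options shown in the mount output above.

```shell
#!/bin/sh
# Added example (not from the original howto): check that a directory is
# mounted as ecryptfs with the expected cipher and key size by parsing the
# one-line-per-mount format of /proc/mounts.
#
# Usage: check_ecryptfs_mount MOUNTPOINT [MOUNTS_FILE]
#   Returns 0 if MOUNTPOINT is an ecryptfs mount with the expected options,
#   1 if it is not an ecryptfs mount at all, 2 if the options differ.

# Expected settings, matching the interactive answers given in the howto.
EXPECTED_CIPHER=aes
EXPECTED_KEY_BYTES=16

# Print the mount option string for an ecryptfs mount at $1, reading from $2
# (defaults to /proc/mounts). Prints nothing if no such mount exists.
ecryptfs_mount_opts() {
    mp=$1
    mounts=${2:-/proc/mounts}
    # /proc/mounts fields: source target fstype options dump pass
    awk -v mp="$mp" '$2 == mp && $3 == "ecryptfs" { print $4; exit }' "$mounts"
}

# Extract the value of one option key ($1, e.g. ecryptfs_cipher) from the
# comma-separated option string $2. Prints nothing if the key is absent.
mount_opt_value() {
    printf '%s\n' "$2" | tr ',' '\n' | awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

check_ecryptfs_mount() {
    opts=$(ecryptfs_mount_opts "$1" "${2:-/proc/mounts}")
    if [ -z "$opts" ]; then
        echo "NOT MOUNTED: $1 is not an ecryptfs mount" >&2
        return 1
    fi
    cipher=$(mount_opt_value ecryptfs_cipher "$opts")
    key_bytes=$(mount_opt_value ecryptfs_key_bytes "$opts")
    sig=$(mount_opt_value ecryptfs_sig "$opts")
    if [ "$cipher" != "$EXPECTED_CIPHER" ] || [ "$key_bytes" != "$EXPECTED_KEY_BYTES" ]; then
        echo "MISMATCH: $1 uses cipher=$cipher key_bytes=$key_bytes" >&2
        return 2
    fi
    echo "OK: $1 is ecryptfs (sig=$sig cipher=$cipher key_bytes=$key_bytes)"
    return 0
}

# Constructed sample of /proc/mounts so the check can be exercised without
# root or a real ecryptfs mount. The /home/alice line carries the options
# shown in the howto's mount output; the /home/bob line uses another cipher.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/home/alice /home/alice ecryptfs rw,ecryptfs_sig=bd28c38da9fc938b,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
/home/bob /home/bob ecryptfs rw,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=blowfish,ecryptfs_key_bytes=16 0 0
EOF

check_ecryptfs_mount /home/alice "$SAMPLE_MOUNTS" || :   # OK
check_ecryptfs_mount /home/bob   "$SAMPLE_MOUNTS" || :   # MISMATCH (blowfish)
check_ecryptfs_mount /home/carol "$SAMPLE_MOUNTS" || :   # NOT MOUNTED
rm -f "$SAMPLE_MOUNTS"
```

On a real system, call check_ecryptfs_mount with the home directory and no second argument so it reads /proc/mounts. A passing check only confirms the mount parameters; that data is unreadable when unmounted is what the umount/cat test above demonstrates.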

Automatically Mount An Encrypted Partition At Boot Time

Plug in a USB key and find its device name

fdisk -l

For this example, the device name is /dev/sda1 and it uses FAT32

Mount the USB key to /mnt/usb

mkdir /mnt/usb
mount /dev/sda1 /mnt/usb

Look at /root/.ecryptfs/sig-cache.txt and copy the output

cat /root/.ecryptfs/sig-cache.txt

Create the eCryptfs configuration file /root/.ecryptfsrc, using the signature from the output above

nano /root/.ecryptfsrc

	key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
	ecryptfs_sig=<insert the sig-cache.txt key here>
	ecryptfs_cipher=aes
	ecryptfs_key_bytes=16
	ecryptfs_passthrough=n
	ecryptfs_enable_filename_crypto=n

Create the passphrase file on the USB key

nano /mnt/usb/passwd_file.txt

	passphrase_passwd=your_passphrase
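The following script is an added example, not from the original howto, that produces the two files just described from the signature recorded in sig-cache.txt: it validates the signature (eCryptfs writes it as 16 hex digits, one per line; the first line is used), writes /root/.ecryptfsrc with exactly the options listed above, and writes the passphrase file with mode 0600. The scratch paths, function names and the placeholder passphrase are constructed; the defaults named in the comments are the howto's own locations. One caveat that matters for this design: the passphrase is stored in clear text, and because the USB key is FAT32 the 0600 mode is not enforced by the file system, so the secrecy of the passphrase rests entirely on physical custody of the key.

```shell
#!/bin/sh
# Added example (not from the original howto): build /root/.ecryptfsrc and
# the passphrase file needed for mounting at boot, starting from the
# signature in /root/.ecryptfs/sig-cache.txt. Paths are parameters so the
# steps can be rehearsed in a scratch directory before touching /root.

# A key signature as eCryptfs records it: exactly 16 lowercase hex digits.
valid_ecryptfs_sig() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{16}$'
}

# Print the signature on the first line of the sig cache file $1.
read_sig_cache() {
    sig=$(sed -n '1p' "$1")
    valid_ecryptfs_sig "$sig" || { echo "bad signature in $1: '$sig'" >&2; return 1; }
    printf '%s\n' "$sig"
}

# Write the .ecryptfsrc at $2 for signature $1, pointing at passphrase file $3.
# The options mirror the interactive answers given earlier in the howto.
write_ecryptfsrc() {
    sig=$1; rcfile=$2; passwd_file=$3
    valid_ecryptfs_sig "$sig" || return 1
    cat > "$rcfile" <<EOF
key=passphrase:passphrase_passwd_file=$passwd_file
ecryptfs_sig=$sig
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
EOF
}

# Write the passphrase file at $2 containing passphrase $1, created 0600.
# On a vfat USB key the mode is not enforced: anyone holding the key reads it.
write_passwd_file() {
    passphrase=$1; out=$2
    ( umask 077; printf 'passphrase_passwd=%s\n' "$passphrase" > "$out" )
}

# Read the passphrase back from a passwd file (used to verify what was written).
read_passwd_file() {
    sed -n 's/^passphrase_passwd=//p' "$1"
}

# Rehearsal in a scratch directory with a constructed sig-cache.txt (the
# signature is the one from the howto's mount output) and a placeholder
# passphrase. For real use the inputs are /root/.ecryptfs/sig-cache.txt,
# /root/.ecryptfsrc and /mnt/usb/passwd_file.txt.
SCRATCH=$(mktemp -d)
printf '%s\n' bd28c38da9fc938b > "$SCRATCH/sig-cache.txt"
SIG=$(read_sig_cache "$SCRATCH/sig-cache.txt")
write_ecryptfsrc "$SIG" "$SCRATCH/.ecryptfsrc" "$SCRATCH/passwd_file.txt"
write_passwd_file 'REPLACE_WITH_YOUR_PASSPHRASE' "$SCRATCH/passwd_file.txt"
cat "$SCRATCH/.ecryptfsrc"
ls -l "$SCRATCH/passwd_file.txt"
rm -rf "$SCRATCH"
```

Running it as root with the real paths instead of the scratch ones gives exactly the two files shown in the howto; the signature check catches the common mistake of pasting the wrong line (or a trailing space) from sig-cache.txt, which would otherwise only show up as a failed mount at the next boot.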

Add the following two lines to /etc/fstab

nano /etc/fstab

	/dev/sda1        /mnt/usb         vfat      ro        0 0
	/home/[username] /home/[username] ecryptfs  defaults  0 0

Reboot

If everything goes fine, your encrypted partition is mounted automatically after the reboot. However, it is possible that your system cannot mount the USB key during boot (for example because the device is not yet detected when /etc/fstab is processed), which means the encrypted partition cannot be mounted either. If this happens, edit /etc/rc.local (this script is executed at the end of the boot process).

nano /etc/rc.local

Add this line before the exit 0 at the end of the file

/bin/mount -a

This will (re-)mount all partitions (including your USB key and the encrypted partition) at the end of the boot process.
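If the USB key is still not present when rc.local runs, a bare mount -a fails silently as well. The snippet below, an added example that goes slightly beyond the howto's single mount -a line, waits for the device node to appear (up to a timeout) before running mount -a, and logs when it gives up so the failure is visible instead of silent. The function names, the MOUNT_CMD variable and the scratch-directory rehearsal are constructed for the example; /dev/sda1 and /bin/mount -a are the howto's own values.

```shell
#!/bin/sh
# Added example (not from the original howto): rc.local fallback that waits
# for the USB key's device node before running mount -a.

# Wait up to $2 seconds (default 30) for path $1 to exist. Returns 0 when it
# appears, 1 on timeout.
wait_for_path() {
    path=$1; timeout=${2:-30}; waited=0
    while [ ! -e "$path" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Once device $1 is present, (re-)mount everything in /etc/fstab, which
# covers both the USB key and the encrypted home in the howto's setup.
# MOUNT_CMD defaults to the howto's /bin/mount -a; it is overridable so the
# logic can be rehearsed without root.
mount_when_ready() {
    if wait_for_path "$1" "${2:-30}"; then
        ${MOUNT_CMD:-/bin/mount -a}
    else
        echo "rc.local: $1 did not appear within ${2:-30}s; encrypted home not mounted" >&2
        return 1
    fi
}

# Lines to put in /etc/rc.local before the final exit 0 (with the two
# functions above defined earlier in the same file):
#   mount_when_ready /dev/sda1 30

# Rehearsal without root: a scratch "device" that appears after one second,
# and one that never appears.
SCRATCH=$(mktemp -d)
MOUNT_CMD="echo would run: /bin/mount -a"
( sleep 1; : > "$SCRATCH/present" ) &
mount_when_ready "$SCRATCH/present" 5      # prints "would run: /bin/mount -a"
mount_when_ready "$SCRATCH/absent" 1 || :  # logs the timeout to stderr
wait
rm -rf "$SCRATCH"
```

Keep the timeout short enough that a missing key does not stall the boot for long; with the fstab line for /mnt/usb marked ro, a successful mount -a leaves the passphrase file read-only for the rest of the session, as in the howto.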