Note

In the beta/experimental releases of eCryptfs, when you upgradeeCryptfs, you should copy the files to an unencrypted location andthen copy the files back into the new eCryptfs mount to migrate thefiles.

Mount-wide Passphrase¶

Create a new directory into which eCryptfs will write its encryptedfiles (i.e., /root/crypt). Then, create the mount point directory(i.e., /mnt/crypt). Now it’s time to mount eCryptfs:

mount -t ecryptfs /root/crypt /mnt/crypt

You should be prompted for a passphrase and a salt (the salt may beblank).

Try writing a new file:

echo "Hello, World" > /mnt/crypt/hello.txt

The operation will complete. Notice that there is a new file in/root/crypt that is at least 12288 bytes in size (depending on yourhost page size). This is the encrypted underlying file for what youjust wrote. To test reading, from start to finish, you need to clearthe user session keyring:

keyctl clear @u

Then umount /mnt/crypt and mount again per the instructions givenabove.

cat /mnt/crypt/hello.txt

Notes¶

eCryptfs version 0.1 should only be mounted on (1) empty directoriesor (2) directories containing files only created by eCryptfs. If youmount a directory that has pre-existing files not created by eCryptfs,then behavior is undefined. Do not run eCryptfs in higher verbositylevels unless you are doing so for the sole purpose of debugging ordevelopment, since secret values will be written out to the system login that case.

Mike Halcrowmhalcrow@us.ibm.com