Home → Article → How To Encrypt Directories with eCryptfs on Linux

How To Encrypt Directories with eCryptfs on Linux

In today's discussion, we will delve into the intricacies of eCryptfs, an incredibly powerful tool that enables us to encrypt our directories in Linux.

What is eCryptfs?

But what exactly is eCryptfs? Well, it is a stacked file system that offers a cryptographic environment that is compatible with POSIX for Linux. This means that it encrypts the metadata of each file header, making it possible to copy files between devices without compromising their security.

eCryptfs is a top-of-the-line cryptographic file system that is specifically designed for enterprise-level use in Linux environments. It is worth noting that POSIX stands for Portable Operating System Interface, which ensures that eCryptfs is compatible with a wide range of Linux systems. With eCryptfs, we can encrypt directories or partitions regardless of their format.

One of the most notable features of eCryptfs is its ability to store cryptographic metadata in the file headers. This means that encrypted files can be moved between computers without any difficulties. However, to decrypt the file or directory, we will need the respective key. Without it, accessing the content of the file will be impossible.

To decrypt a file, we must enter the key that was created at the time of encrypting the file. This ensures that only authorized individuals can access the content of the file. In summary, eCryptfs is an incredibly powerful tool that provides an unparalleled level of security for our directories and files in Linux.

Install the eCryptfs Tool

The first step is to create a folder, in this case called access, which will be encrypted to see the correct functioning of eCryptfs. For this we execute the following:

mkdir /home/access

Once we have the folder that we have to encrypt, we proceed to the installation of eCryptfs in Ubuntu 16 using the following command:

sudo apt-get -f install ecryptfs-utils

Create encrypted directory in Debian

For this tutorial we are going to create a directory called solvetic_secure in the home of the system, for that we enter the following command:

mkdir /home/solvetic_secure

In case the directory already exists and contains non-encrypted information, we must make a backup copy in order to execute the encryption, for which we will enter the following:

cp -pfr /home/solvetic_secure/ /tmp/

Let’s move on to encryption now.

How to encrypt directory in Debian

Then we will start the encryption process of our solvetic_seguro directory, for this, we will enter the following syntax:

mount -t ecryptfs /home/solvetic_seguro /home/solvetic_secure

In the first option that we see we must define the type of key that we will enter, to remember it is better to select option 2: “Passphrase.”

Press Enter, and you must enter the password to assign and later we will see the following:

In this row we press Enter (without adding anything) and we will see the following:

There we select the number of bytes that our password will have to improve security, in this case we choose option 2 (32 bytes).

Press Enter and then we will see the following:

In the rows Enable plaintext passthrough (y/n) [n] and Enable filename encryption (y/n) [n] we simply press Enter without adding information.

We see that a summary of the process performed is shown.

Finally we enter the word yes to start the encryption process.

We see that the encryption was finally mounted in our directory.

Now we enter the term mount to validate the encrypted directory.

We see in the final part how our solvetic_secure directory has been encrypted with the text:

/home/solvetic_seguro on /home/solvetic_seguro type ecryptfs (rw,relatime,ecryptfs_sig=f47572356788c1c7,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs)

If you already have the directory created and have executed a copy as described above, you must restore that copy using the commands.

We are going to validate this directory that we have encrypted.

cp -pfr /tmp/solvetic_secure/ /home/

rm -fr /tmp/solvetic_secure/

Check the Encryption in Debian

To verify how the encryption works in the directory, we are going to copy the content of a route to our solvetic_seguro directory. We can enter the following:

cp /etc/hosts /home/solvetic_secure

While the directory is mounted we will be able to visualize the content that we copy in it, as we see below using the cat command:

cat /home/solvetic_secure/hosts

Now let’s unmount the directory using the umount command like this:

umount home/solvetic_secure

If now we try again to visualize the content using the cat command:

cat /home/solvetic_secure/hosts

We see how the content of the route is illegible and thus we have protected our directory of unauthorized access.

In this way we can use eCryptfs to increase the levels of security in our system and in the directories and folders stored in it.

How to Encrypt Directory in Ubuntu

Before starting the encryption process it is important to create a backup copy of the file, in case of having information already stored in it, for this we will use the following command:

cp -pfr /home/acceso/ /tmp/

Once this is done, if necessary, we proceed to encrypt our directory called access using the following command.

At this point it is important that we indicate that the File System is ecryptfs.

sudo mount -t ecryptfs /home/acceso /home/acceso

As soon as we execute the command we will see a series of questions which with:

Passphrase: There we indicate a secure password.

Selection aes: There we must press Enter.

Selection 16: There we enter the value 32 (Key size).

Enable plaintext passthrough (y / n) n: Press Enter.

Enable filename encryption (y / n) n: Press Enter.

Later we will see two associated questions about whether we wish to proceed with the respective assembly to which we respond yes.

Up to this point we have encrypted the contents of the directory but not the name of it. We can use the mount command to see the content that we just encrypted.

Check Encryption in Ubuntu

To perform the respective tests of how eCryptfs works we have created the hosts file (/etc/hosts) to our directory, for this we use the following command:

sudo cp /etc/hosts /home/acceso

Next, we will use the cat command to visualize the content in the path /home/acceso/hosts. As we can see we have full access to the content of this route since the directory is mounted.

Now we will dismount it using the following command:

umount /home/acceso

And then we will try to visualize the content in the route /home/access/hosts again, and the result will be the following:

As we can see, the content has been encrypted to protect our files, directories, and folders in a simple and totally secure way.

This tool is simple, easy to implement and with an encryption system that helps us to have an additional security system in Linux either in Debian or in Ubuntu.