Encryption is one of the most effective tools for protecting sensitive data. If your laptop is stolen, your drive is pulled, or someone gains physical access to your machine, encryption ensures your files remain unreadable without the correct passphrase. ecryptfs is a stacked filesystem built into the Linux kernel that encrypts data transparently at the filesystem layer — you work with your files normally, and encryption happens underneath.
This guide covers everything from installation to daily use on Arch Linux and other distributions.
How ecryptfs Works
ecryptfs operates as a stacked filesystem: it sits on top of your existing filesystem (ext4, btrfs, etc.) and intercepts reads and writes. When you write a file, ecryptfs encrypts it and stores the ciphertext in a lower directory. When you read it, the kernel decrypts on the fly. The encrypted files on disk are real files — you can back them up or move them anywhere.
```text
Your applications
        │
ecryptfs layer      ← encryption / decryption happens here
        │
Lower directory     ← encrypted ciphertext files stored here
        │
Physical disk
```
Two directories are always in play:
| Directory | Role |
|---|---|
| Lower directory | Where encrypted ciphertext is stored on disk (e.g. ~/.Private) |
| Mount point | Where you access decrypted plaintext (e.g. ~/Private) |
When you mount, ecryptfs overlays the lower directory at the mount point. When you unmount, the plaintext disappears — only ciphertext remains on disk.
Step 1 — Install ecryptfs-utils
The package is named ecryptfs-utils on Arch Linux / Manjaro, Debian / Ubuntu, and Fedora / RHEL; install it with your distribution's package manager (the Arch command is listed in the cheat sheet below).
Load the Kernel Module
ecryptfs is a kernel module. Load it before using it (the modprobe command is in the cheat sheet below), configure it to load automatically on every boot through your modules-load config, and then verify that it is loaded. The troubleshooting section covers the case where the module is not loaded after a reboot.
Step 2 — Create an Encrypted Directory
This is the core workflow: a lower directory (ciphertext on disk) and a mount point (plaintext in use).
Create the Directories
Create both the lower directory and the mount point.
Mount the Encrypted Filesystem
Mount the lower directory onto the mount point with the ecryptfs filesystem type (the manual mount form is in the cheat sheet below).
ecryptfs will ask a series of questions:
```text
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
...
Selection [aes]:
Select key bytes:
1) 16
2) 24
3) 32
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
```
Recommended answers:
| Prompt | Recommended choice | Why |
|---|---|---|
| Cipher | aes (default) | AES-128/256 is the industry standard, hardware-accelerated on most CPUs |
| Key bytes | 32 | AES-256, maximum key strength |
| Plaintext passthrough | n | Do not allow unencrypted files in the mount point |
| Filename encryption | y | Hides filenames and prevents metadata leakage about what you store |
After answering, ecryptfs shows:
```text
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=abc123...
Mounted eCryptfs
```
Your ~/Private directory is now mounted and ready. Files written here are encrypted automatically.
Step 3 — Write and Verify Encryption
Add a Test File
Write a short line of text to a file under ~/Private and read it back through the mount point.
Output:
This is secret data
Check What Is Stored on Disk (Ciphertext)
Now read the same file from the lower directory instead of the mount point. With filename encryption enabled, its name in the lower directory is encrypted too, so list that directory to find it.
The file on disk is binary ciphertext — completely unreadable without the passphrase and key.
Step 4 — Unmounting the Encrypted Directory
When you are done working with your private files, unmount to remove plaintext access (the umount command is in the cheat sheet below).
After unmounting:
- ~/Private appears empty
- ~/.ecryptfs/Private still contains the encrypted files
- No plaintext data remains accessible on the filesystem
Verify the unmount by checking the mount status (see Checking Mount Status below); ~/Private should no longer be listed.
Step 5 — Remounting (Accessing Files Again)
To access your encrypted files again, remount with the same passphrase and options you used when the data was first written (the manual mount form is in the cheat sheet below).
ecryptfs will prompt for your passphrase.
Save Mount Options to Avoid Retyping
Store the options in a file so you do not need to remember them. Create a .conf file for this mount in your editor.
Add:
```text
/home/yourusername/.ecryptfs/Private /home/yourusername/Private ecryptfs ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=y 0 0
```
Mount using the options saved in that file rather than retyping them on the command line.
Step 6 — Automating Mount/Unmount with ecryptfs Helper Scripts
ecryptfs-utils includes helper scripts that wrap the mount/unmount workflow cleanly.
Set Up a Private Directory with the Helper
Run the ecryptfs-setup-private helper (listed in the cheat sheet below). This interactive tool:
- Creates ~/.Private (lower directory) and ~/Private (mount point)
- Generates a mount passphrase and wraps it with your login password
- Sets up PAM integration so the directory mounts automatically when you log in
Follow the prompts — you will be asked for your login password and optionally a separate mount passphrase.
Manual Mount with the Helper
Run ecryptfs-mount-private.
Manual Unmount with the Helper
Run ecryptfs-umount-private.
These scripts handle the full options string for you.
Step 7 — Auto-Mount on Login with PAM
The most convenient setup is having your encrypted directory mount automatically when you log in and unmount when you log out. This requires PAM integration.
Enable PAM Auto-Mount
The ecryptfs-setup-private helper from Step 6 configures the PAM integration for you. On Arch Linux, the PAM configuration is typically in /etc/pam.d/system-login rather than /etc/pam.d/login. Edit the correct file for your setup.
After enabling PAM integration, the encrypted directory mounts transparently when you log in — no passphrase prompt, no manual mount step.
Verify Auto-Mount Is Working
Log out and log back in, then list the contents of ~/Private.
If files appear, auto-mount is working correctly.
Encrypting Your Home Directory
ecryptfs can encrypt your entire home directory. The ecryptfs-migrate-home tool handles the migration (the invocation is in the cheat sheet below).
Warning: Back up your home directory before proceeding. Encrypting your home directory modifies fundamental aspects of your user account. A failed migration without a backup results in data loss.
After migration:
- Log in as the user — the home directory will be decrypted on login
- Verify all files are accessible
- Reboot and verify again
- Only delete the unencrypted backup once you are fully satisfied
The unencrypted backup is left at /home/yourusername.random_suffix; delete it when you are sure the migration was successful.
Managing Your ecryptfs Passphrase
View Your Wrapped Passphrase
Run the ecryptfs-unwrap-passphrase helper.
You will be asked for your login password. The output is your actual mount passphrase — store this somewhere safe (password manager, printed copy in a secure location). If you forget your login password and cannot unwrap the passphrase, your data is permanently inaccessible.
Change the Wrapping Password
If you change your Linux login password, re-wrap the ecryptfs passphrase to match:
Run ecryptfs-rewrap-passphrase on ~/.ecryptfs/wrapped-passphrase (the command is in the cheat sheet below). Enter the old password, then the new password.
Important: Always run ecryptfs-rewrap-passphrase after changing your login password when using PAM auto-mount. If the wrapping password does not match your login password, auto-mount will fail and you will be unable to access your files on login.
Add the Passphrase to the Kernel Keyring Manually
Run ecryptfs-add-passphrase and enter your passphrase; it is added to the kernel keyring for the current session. This is what ecryptfs-mount-private does internally.
Backing Up Encrypted Data
One of ecryptfs’s advantages over full-disk encryption is that backups are simple — copy the ciphertext (lower directory) and the passphrase, and your backup is encrypted at rest.
Copy the ~/.ecryptfs/ directory, which holds the lower directory and the wrapped passphrase, to your backup location, and keep the unwrapped mount passphrase somewhere safe as well.
To restore on another machine:
- Install ecryptfs-utils
- Restore ~/.ecryptfs/ from backup
- Mount using ecryptfs-mount-private and enter your passphrase
Checking Mount Status
List the mounted filesystems and filter for ecryptfs (the command is in the cheat sheet below). An active mount shows the lower directory, the mount point, and the options in use; nothing is listed when the directory is unmounted.
Quick Reference Cheat Sheet
| Task | Command |
|---|---|
| Install ecryptfs-utils (Arch) | sudo pacman -S ecryptfs-utils |
| Load kernel module | sudo modprobe ecryptfs |
| Set up private directory | ecryptfs-setup-private |
| Mount encrypted directory | ecryptfs-mount-private |
| Unmount encrypted directory | ecryptfs-umount-private |
| Manual mount | sudo mount -t ecryptfs <lower> <mount> -o <options> |
| Unmount | sudo umount ~/Private |
| View unwrapped passphrase | ecryptfs-unwrap-passphrase |
| Re-wrap after password change | ecryptfs-rewrap-passphrase ~/.ecryptfs/wrapped-passphrase |
| Add passphrase to keyring | ecryptfs-add-passphrase |
| Check mount status | mount \| grep ecryptfs |
| Migrate home directory | sudo ecryptfs-migrate-home -u username |
Troubleshooting
Mount Fails: “Key not found”
The passphrase is not in the kernel keyring for the current session. Add it with ecryptfs-add-passphrase, then retry the mount.
Mount Fails After Changing Login Password
The wrapped passphrase no longer matches your login password. Re-wrap it with ecryptfs-rewrap-passphrase: enter the old password (the one the passphrase was wrapped with) and then your new password.
Filename Encryption Mismatch
If you mounted without filename encryption initially but now try to mount with it (or vice versa), ecryptfs will not read your files correctly. Always use identical options to what you used when the data was first written. Check your .conf file or the options saved during setup.
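An added check for exactly this mismatch, written for this guide and not part of it: it compares the options saved in a Step 5 style .conf line with what /proc/mounts reports for the live mount and flags a differing cipher, key size or filename-encryption setting. The function names and sample lines are constructed, and it assumes the live /proc/mounts entry shows filename encryption as an ecryptfs_fnek_sig option rather than ecryptfs_enable_filename_crypto.

```shell
#!/bin/sh
# Added example (not from the guide): compare the options saved in a Step 5
# style conf line with those of the live mount as listed in /proc/mounts, so a
# cipher, key-size or filename-encryption mismatch is reported before files are
# read with the wrong settings. Assumption: the live entry shows filename
# encryption as an ecryptfs_fnek_sig=<sig> option, not ecryptfs_enable_filename_crypto.

# opt_value <comma-separated options> <key>: the value of key=value, or empty
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# opt_present <comma-separated options> <key>: 0 if key appears, with or without =value
opt_present() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Eq "^$2(=|\$)"
}

# live_mount_line <mount point> <mounts file, normally /proc/mounts>:
# prints the ecryptfs entry mounted at that mount point, or nothing
live_mount_line() {
    awk -v mp="$1" '$2 == mp && $3 == "ecryptfs"' "$2"
}

# check_mount_opts <conf line> <mounts file>: prints one MISMATCH line per
# difference; returns 1 if the directory is not mounted or any setting differs
check_mount_opts() {
    mp=$(printf '%s\n' "$1" | awk '{print $2}')
    conf_opts=$(printf '%s\n' "$1" | awk '{print $4}')
    live=$(live_mount_line "$mp" "$2")
    if [ -z "$live" ]; then echo "NOT MOUNTED: $mp"; return 1; fi
    live_opts=$(printf '%s\n' "$live" | awk '{print $4}')
    rc=0
    for key in ecryptfs_cipher ecryptfs_key_bytes; do
        want=$(opt_value "$conf_opts" "$key"); have=$(opt_value "$live_opts" "$key")
        [ "$want" = "$have" ] || { echo "MISMATCH $key: conf=$want live=$have"; rc=1; }
    done
    case "$(opt_value "$conf_opts" ecryptfs_enable_filename_crypto)" in y*) want=y ;; *) want=n ;; esac
    if opt_present "$live_opts" ecryptfs_fnek_sig; then have=y; else have=n; fi
    [ "$want" = "$have" ] || { echo "MISMATCH filename encryption: conf=$want live=$have"; rc=1; }
    return $rc
}

# Constructed sample: the Step 5 conf line vs. a /proc/mounts snapshot where the directory was remounted with a 16-byte key and no filename encryption
CONF='/home/u/.ecryptfs/Private /home/u/Private ecryptfs ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=y 0 0'
MOUNTS=$(mktemp)
printf '%s\n' '/dev/sda2 / ext4 rw,relatime 0 0' \
  '/home/u/.ecryptfs/Private /home/u/Private ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0' > "$MOUNTS"
check_mount_opts "$CONF" "$MOUNTS" || echo "unmount and remount with the saved options"
rm -f "$MOUNTS"
```

On a real system pass /proc/mounts as the second argument and the line from your .conf file as the first.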
Cannot Unmount: “Device is Busy”
A process is still reading from or writing to the mounted directory. Find and close that process, then retry the unmount.
ecryptfs Module Not Loading at Boot
Verify that your modules-load config names the ecryptfs module, then reboot or load it manually.
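An added check, not from the original guide, that covers both the Step 1 module-loading steps and this troubleshooting entry: it reports whether the module is loaded now (from /proc/modules) and whether the modules-load config names it, and can add the missing line. The function names are the example's own, and the path /etc/modules-load.d/ecryptfs.conf is the conventional one, an assumption to confirm for your distribution.

```shell
#!/bin/sh
# Added example (not from the guide): check that the ecryptfs module is loaded
# now and configured to load at boot. Each function takes the file to inspect,
# so it runs against /proc/modules and /etc/modules-load.d/ecryptfs.conf on a
# real system, or against constructed files for a dry run (as at the bottom).

# module_loaded <modules file>: 0 if ecryptfs is listed (/proc/modules format)
module_loaded() {
    grep -q '^ecryptfs ' "$1"
}

# autoload_configured <modules-load conf>: 0 if an uncommented line names
# ecryptfs (blank lines and # comments ignored, as systemd-modules-load does)
autoload_configured() {
    [ -r "$1" ] && sed 's/#.*//' "$1" | grep -qx '[[:space:]]*ecryptfs[[:space:]]*'
}

# ensure_autoload <modules-load conf>: add an "ecryptfs" line exactly once
ensure_autoload() {
    if autoload_configured "$1"; then
        echo "autoload already configured in $1"
    else
        printf 'ecryptfs\n' >> "$1" && echo "added ecryptfs to $1"
    fi
}

# check_ecryptfs_boot_setup <modules file> <modules-load conf>:
# returns 0 only when the module is loaded now AND set to load at boot
check_ecryptfs_boot_setup() {
    status=0
    if module_loaded "$1"; then echo "module: loaded"
    else echo "module: NOT loaded (run: sudo modprobe ecryptfs)"; status=1; fi
    if autoload_configured "$2"; then echo "autoload: configured in $2"
    else echo "autoload: NOT configured in $2"; status=1; fi
    return $status
}

# Dry run on constructed files standing in for /proc/modules and the conf file
tmp=$(mktemp -d)
printf 'ecryptfs 135168 0 - Live 0xffffffffc0a00000\n' > "$tmp/modules"
: > "$tmp/ecryptfs.conf"
check_ecryptfs_boot_setup "$tmp/modules" "$tmp/ecryptfs.conf" || true
ensure_autoload "$tmp/ecryptfs.conf"
check_ecryptfs_boot_setup "$tmp/modules" "$tmp/ecryptfs.conf"
rm -rf "$tmp"
```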
A Note on ecryptfs vs Full-Disk Encryption
ecryptfs encrypts at the directory or file level — individual directories can be encrypted while the rest of the system runs normally. LUKS (Linux Unified Key Setup) encrypts the entire disk at the block level before the OS loads.
| | ecryptfs | LUKS (full-disk) |
|---|---|---|
| What is encrypted | Specific directories | Entire partition or disk |
| Setup complexity | Low | Requires setup at install time |
| Performance | Slight overhead per file | Minimal (block-level, hardware-accelerated) |
| Protects swap / temp files | No | Yes |
| Backup of encrypted data | Easy (copy ciphertext files) | Requires block-level copy |
| Best use case | Encrypting a specific ~/Private folder | Laptop full-disk protection |
For maximum security on a laptop, LUKS full-disk encryption is the stronger choice. ecryptfs is ideal when you want to encrypt a subset of your data — a documents folder, a secrets directory, or a home directory on a shared system — without the complexity of full-disk setup.
