eCryptfs encrypts and decrypts individual data extents in each file using a unique randomly generated File Encryption Key (FEK). The FEK is encrypted with the File Encryption Key Encryption Key (FEKEK), and the resulting Encrypted File Encryption Key (EFEK) is stored in the header of each lower file.
First, install the necessary packages. From a terminal prompt enter:
sudo apt-get install ecryptfs-utils
Now, let's encrypt all files that we read and write under /home/nikesh/private. To do this, mount that directory on an encrypted mount point (/encrypted) using the command:
sudo mount -t ecryptfs /home/nikesh/private/ /encrypted
The directory /encrypted is now an encrypted mount; you can confirm this with the "mount" command. Whatever you write into /encrypted is stored encrypted in the lower directory, /home/nikesh/private.
Once the encrypted filesystem is unmounted, the files in the lower directory cannot be read, as they are stored encrypted.
Automatically Mounting Encrypted Partitions
There is a way to automatically mount an ecryptfs encrypted filesystem at boot. This example will use a /root/.ecryptfsrc file containing mount options, along with a passphrase file residing on a USB key.
First, create /root/.ecryptfsrc containing:
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
Note: adjust the ecryptfs_sig value above to match the signature recorded in your /root/.ecryptfs/sig-cache.txt file.
Next, create the /mnt/usb/passwd_file.txt passphrase file:
passphrase_passwd=[secrets]
Now add the necessary lines to /etc/fstab:
/home/nikesh/private/ /encrypted ecryptfs defaults 0 0
Make sure the USB drive is mounted before the encrypted partition.
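Before relying on this setup at boot, it is worth checking three things: that the ecryptfs_sig in /root/.ecryptfsrc really is in sig-cache.txt (otherwise the mount prompts or fails instead of coming up unattended), that the passphrase file on the USB key is readable only by its owner, and that a marker written through /encrypted does not show up in clear text in the lower directory. The following POSIX shell script is an added example, not part of the original post; the function names are its own, and the stat calls assume GNU or BSD stat.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# /root/.ecryptfsrc + passphrase-file auto-mount setup. Every path is a
# parameter, so the checks run against the real files (as root) or test copies.

# 0 if the ecryptfs_sig in RC appears as a line in the sig-cache file, else 1.
sig_matches_cache() {
    rc="$1" cache="$2"
    sig=$(sed -n 's/^ecryptfs_sig=\([0-9a-fA-F]*\).*/\1/p' "$rc" | head -n 1)
    [ -n "$sig" ] || return 1
    grep -qx "$sig" "$cache"
}

# 0 if FILE grants no group/other permission bits (e.g. mode 600 or 400).
# The passphrase file unlocks every lower file, so it must be owner-only.
perms_owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# 0 if MARKER is found in clear text anywhere under LOWERDIR, 1 if not.
# After mounting, write a known marker through the mount point and run this
# against the lower directory: a hit means the data is not being encrypted.
lower_leaks_plaintext() {
    grep -rqF -- "$2" "$1"
}

# Run the two static checks and report; returns the number of failures.
precheck_automount() {
    rc="$1" cache="$2" passfile="$3" fails=0
    sig_matches_cache "$rc" "$cache" && echo "ok: ecryptfs_sig found in $cache" \
        || { echo "FAIL: ecryptfs_sig in $rc not found in $cache"; fails=$((fails + 1)); }
    perms_owner_only "$passfile" && echo "ok: $passfile is owner-only" \
        || { echo "FAIL: $passfile is readable by group/other"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh precheck.sh /root/.ecryptfsrc /root/.ecryptfs/sig-cache.txt /mnt/usb/passwd_file.txt
if [ $# -eq 3 ]; then
    precheck_automount "$1" "$2" "$3"
fi
```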
2 comments:
Very nice post, thank you!
I also found another one here http://bit.ly/ajRO3z
Thanks for a helpful tutorial!
Natror.