Chapter 12. Encrypted File System
eCryptfs works like a bind mount, as it intercepts file operations that write to the underlying (i.e. encrypted) file system. The eCryptfs layer adds a header to the metadata of files in the underlying file system. This metadata describes the encryption for that file, and eCryptfs encrypts file data before it is passed to the encrypted file system. Optionally, eCryptfs can also encrypt filenames.
eCryptfs is not an on-disk file system; as such, there is no need to create it via tools such as
mkfs. Instead, eCryptfs is initiated by issuing a special mount command. To manage file systems protected by eCryptfs, the
ecryptfs-utils package must be installed first.
12.1. Mounting a File System as Encrypted
The easiest way to encrypt a file system with eCryptfs and mount it is interactively. To start this process, execute the following command:
mount -t ecryptfs
Encrypting a directory heirarchy (i.e.
) with eCryptfs means mounting it to a mount point encrypted by eCryptfs (i.e.
). All file operations to
will be passed encrypted to the underlying
file system. In some cases, however, it may be possible for a file operation to modify
directly without passing through the eCryptfs layer; this could lead to inconsistencies.
This is why for most environments, Red Hat recommends that both
be identical. For example:
mount -t ecryptfs /home /home
This effectively means encrypting a file system and mounting it on itself. Doing so helps ensure that all file operations to
/home pass through the eCryptfs layer.
During the interactive encryption/mount process,
mount will allow the following settings to be configured:
Encryption key type;
passphrase. When choosing
mount will ask for one.
Whether or not
plaintext passthrough is enabled
Whether or not
filename encryption is enabled
After the last step of an interactive mount,
mount will display all the selections made and perform the mount. This output consists of the command-line option equivalents of each chosen setting. For example, mounting
/home with a key type of
aes cipher, key bytesize of
16 with both
plaintext passthrough and
filename encryption disabled, the output would be:
Attempting to mount with the following options:
The options in this display can then be passed directly to the command line to encrypt and mount a file system using the same configuration. To do so, use each option as an argument to the
-o option of
mount. For example:
mount -t ecryptfs /home /home -o ecryptfs_unlink_sigs \
ecryptfs_key_bytes=16 ecryptfs_cipher=aes ecryptfs_sig=c7fed37c0a341e19