A very simple utility for working with eCryptfs.
Arch Forum ID:
I have lost data with eCryptFS and can no longer recommend it. As far as I can tell, this is not due to
ecryptfs-simple. All of the encryption and decryption is handled by eCryptFS, and data loss due to resulting input/output errors eith eCryptFS alone abound online.
This may be due to some common user error1, but it is nevertheless too great a risk for important data. I have switched back to using EncFS for my data.
ecryptfs-simple is a utility for users that want to work with eCryptfs in the simplest way possible. It allows users to mount and unmount eCryptfs directories if they have full permissions on the source and target directories.
ecryptfs-simple requires neither superuser privileges nor entries in fstab. Unlike the utilities in the ecryptfs-utils package, there are no hard-coded paths (e.g. ~/.Private).
The idea is to make eCryptfs as easy to use as EncFS.
See the ecryptfs-simple help message below for more information.
ecryptfs-simple --help will list command-line options. See
man ecryptfs for mount options.
ecryptfs-simple provides an "automount" option. The first time it is invoked with this option, it will present the same mount option prompt as
mount.ecryptfs. Subsequent mounts with this option will reload options selected during the first mount.
The mount options are stored in the configuration directory, which is located at
$XDG_CONFIG_HOME is set else at
$HOME/.config/ecryptfs-simple. The canonicalized file path of the source directory is hashed with the SHA512 algorithm to generate a filename. If you need to get the name of the config path for a given encrypted directory, use the
Options passed in with the
-o flag while automounting take precedence. To override flag options such as
no_sig_cache, use the
-x (exclude) option. This will also prevent them from being written to the configuration file. Options can also be removed by manually editing the configuration file for the given path.
Make sure that you load the
ecryptfs kernel module before using
ecryptfs-simple. If you intend to use
ecryptfs-simple regulary, add
ecryptfs to the
MODULES array in /etc/rc.conf. Otherwise, the module can be loaded during a session with
ecryptfs-simple should be owned by root and have the setuid flag enabled. It will check that the real user has full permissions to both the directory and mountpoint for the requested operation. It will refuse to mount a directory on an existing mountpoint and it will only unmount ecryptfs directories.
The key ring and mounting is handled by code from
mount.ecryptfs.c in the ecryptfs-utils package. This may change in the future but at the time of writing it made more sense to me to re-use the existing code. My reasoning was that the code has been in use for a while and should therefore have been scrutinized and tested.
Mounting is handled by code in
mount.ecryptfs.c from the ecryptfs-utils package, which manages keys as needed. Unmounting, however, does not. Use
keyctl to manage keys if necessary after unmounting. For example, to list all keys in the user-defined keyring, run
$ keyctl list @u
If the keys are no longer needs, they can be removed with
keyctl unlink... or
keyctl purge..., for example.
This may happen if the
ecryptfs module is not loaded. Check the output of
lsmod | grep ecryptfs
ecryptfs is not listed, load it with
You should probably add it to a file in /etc/modules-load.d/ to ensure that it is loaded automatically at startup.
If the module is listed then the kernel may have been updated without a reboot. In this case, try reloading the module:
modprobe -r ecryptfs modprobe ecryptfs
It may be a good idea to unmount other ecryptfs mountpoints before reloading the module.
If that still does not solve the problem, try rebuilding the ecryptfs-simple package using the provided PKGBUILD (check the nav links or get it from the AUR).
$ ecryptfs-simple --help Usage: ecryptfs-simple [OPTION...] [<source dir> <target dir> | <source dir> | <target dir>] Mount and unmount arbitrary directories with eCryptfs. ecryptfs-simple will check that the real user has full permissions to both the source and the target directories before proceeding. -a, --automount Automatically mount the directory using saved parameters. The user will be prompted for parameters as usual the first time this is invoked, but subsequent calls will re-use the previously supplied parameters. Parameters are stored in a file in the configuration directory. The name of the file is a SHA512 hash of the source directory's full path. -o <name>=<value>[,<name>=<value>...] Mount options to pass to eCryptfs. See "man ecryptfs" for a full list of options. Example: "-o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16" --print-config-path Print the configuration file path for the given directory path. -r, --reset Resets previously saved parameters associated with the given source directory by removing the parameter file. -u, --unmount Unmount the given directory. If the source directory is given, an attempt will be made to unmount all associated mountpoints. -x, --exclude=<name>[,<name>...] Exclude the given options from the parameter file when automatically mounting. Use an alias or script to avoid giving this option each time ecryptfs-simple is invoked. -?, --help Give this help list --usage Give a short usage message -V, --version Print program version Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.
Major backend update: the upstream ecryptfs-utils were changed in such a way that hooks were no longer possible, so the functionality was recreated directly in ecryptfs-utils.
Major update: added code to handle parameters and hook directly into mount.ecryptfs.c.
The only thing that comes to mind right now is that it may be due to upgrading the kernel while eCryptFS files are exposed, but I have no idea if this is plausible and I have not tested it.↩