1ecryptfs(7) eCryptfs ecryptfs(7)
2
3
4
6 eCryptfs - an enterprise-class cryptographic filesystem for linux
7
8
10 mount -t ecryptfs [SRC DIR] [DST DIR] -o [OPTIONS]
11
12
14 eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic
15 filesystem for Linux. It is derived from Erez Zadok's Cryptfs, imple‐
16 mented through the FiST framework for generating stacked filesystems.
17 eCryptfs extends Cryptfs to provide advanced key management and policy
18 features. eCryptfs stores cryptographic metadata in the header of each
19 file written, so that encrypted files can be copied between hosts; the
20 file will be decryptable with the proper key, and there is no need to
21 keep track of any additional information aside from what is already in
22 the encrypted file itself. Think of eCryptfs as a sort of "gnupgfs."
23
24
26 KERNEL OPTIONS
27
28 Parameters that apply to the eCryptfs kernel module.
29
30
31 ecryptfs_sig=(fekek_sig)
32 Specify the signature of the mount wide authentication token.
33 The authentication token must be in the kernel keyring before
34 the mount is performed. ecryptfs-manager or the eCryptfs mount
35 helper can be used to construct the authentication token and add
36 it to the keyring prior to mounting.
37
38 ecryptfs_fnek_sig=(fnek_sig)
39 Specify the signature of the mount wide authentication token
40 used for filename crypto. The authentication must be in the ker‐
41 nel keyring before mounting.
42
43 ecryptfs_cipher=(cipher)
44 Specify the symmetric cipher to be used on a per file basis
45
46 ecryptfs_key_bytes=(key_bytes)
47 Specify the keysize to be used with the selected cipher. If the
48 cipher only has one keysize the keysize does not need to be
49 specified.
50
51 ecryptfs_passthrough
52 Allows for non-eCryptfs files to be read and written from within
53 an eCryptfs mount. This option is turned off by default.
54
55 no_sig_cache
56 Do not check the mount key signature against the values in the
57 user's ~/.ecryptfs/sig-cache.txt file. This is useful for such
58 things as non-interactive setup scripts, so that the mount
59 helper does not stop and prompt the user in the event that the
60 key sig is not in the cache.
61
62 ecryptfs_encrypted_view
63 This option provides a unified encrypted file format of the
64 eCryptfs files in the lower mount point. Currently, it is only
65 useful if the lower mount point contains files with the metadata
66 stored in the extended attribute. Upon a file read in the upper
67 mount point, the encrypted version of the file will be presented
68 with the metadata in the file header instead of the xattr.
69 Files cannot be opened for writing when this option is enabled.
70
71 ecryptfs_xattr
72 Store the metadata in the extended attribute of the lower files
73 rather than the header region of the lower files.
74
75 verbose
76 Log ecryptfs information to /var/log/messages. Do not run
77 eCryptfs in verbose-mode unless you are doing so for the sole
78 purpose of development, since secret values will be written out
79 to the system log in that case.
80
81
82 MOUNT HELPER OPTIONS
83
84 Parameters that apply to the eCryptfs mount helper.
85
86
87 key=(keytype):[KEY MODULE OPTIONS]
88 Specify the type of key to be used when mounting eCryptfs.
89
90 ecryptfs_enable_filename_crypto=(y/N)
91 Specify whether filename encryption should be enabled. If not,
92 the mount helper will not prompt the user for the filename
93 encryption key signature.
94
95 verbosity=0/1
96 If verbosity=1, the mount helper will ask you for missing values
97 (default). Otherwise, if verbosity=0, it will not ask for miss‐
98 ing values and will fail if required values are omitted.
99
100
101 KEY MODULE OPTIONS
102
103 Parameters that apply to individual key modules have the alias
104 for the key module in the prefix of the parameter name. Key mod‐
105 ules are pluggable, and which key modules are available on any
106 given system is dependent upon whatever happens to be installed
107 in /usr/lib*/ecryptfs/. By default, this includes, at a minimum,
108 "passphrase" and "openssl."
109
110
111 passphrase_passwd=(passphrase)
112 The actual password is password. Since the password is visible
113 to utilities (like ps under Unix) this form should only be used
114 where security is not important.
115
116 passphrase_passwd_file=(filename)
117 The password should be specified in a file with
118 passwd=(passphrase). It is highly reccomended that the file be
119 stored on a secure medium such as a personal usb key.
120
121 passphrase_passwd_fd=(file descriptor)
122 The password is specified through the specified file descriptor.
123
124 passphrase_salt=(hex value)
125 The salt should be specified as a 16 digit hex value.
126
127 openssl_keyfile=(filename)
128 The filename should be the filename of a file containing an RSA
129 SSL key.
130
131 openssl_passwd_file=(filename)
132 The password should be specified in a file with
133 openssl_passwd=(openssl-password). It is highly reccomended that
134 the file be stored on a secure medium such as a personal usb
135 key.
136
137 openssl_passwd_fd=(file descriptor)
138 The password is specified through the specified file descriptor.
139
140 openssl_passwd=(password)
141 The password can be specified on the command line. Since the
142 password is visible in the process list, it is highly recom‐
143 mended to use this option only for testing purposes.
144
145
147 The following command will layover mount eCryptfs on /secret with a
148 passphrase contained in a file stored on secure media mounted at
149 /mnt/usb/.
150
151 mount -t ecryptfs -o
152 key=passphrase:passphrase_passwd_file=/mnt/usb/file.txt /secret /secret
153
154
155 Where file.txt contains the contents "passphrase_passwd=[passphrase]".
156
157
159 mount(8)
160
161 /usr/share/doc/ecryptfs-utils/ecryptfs-faq.html
162
163 http://launchpad.net/ecryptfs/
164
165
167 Do not run eCryptfs in verbose-mode unless you are doing so for the
168 sole purpose of development, since secret values will be written out to
169 the system log in that case. Make certain that your eCryptfs mount cov‐
170 ers all locations where your applications may write sensitive data. In
171 addition, use dm-crypt to encrypt your swap space with a random key on
172 boot, or see ecryptfs-setup-swap(1).
173
174 Passphrases have a maximum length of 64 characters.
175
176
178 Please post bug reports to the eCryptfs bug tracker on Launchpad.net:
179 https://bugs.launchpad.net/ecryptfs/+filebug.
180
181 For kernel bugs, please follow the procedure detailed in Documenta‐
182 tion/oops-tracing.txt to help us figure out what is happening.
183
184
186 This manpage was (re-)written by Dustin Kirkland <kirkland@canoni‐
187 cal.com> for Ubuntu systems (but may be used by others). Permission is
188 granted to copy, distribute and/or modify this document under the terms
189 of the GNU General Public License, Version 2 or any later version pub‐
190 lished by the Free Software Foundation.
191
192 On Debian systems, the complete text of the GNU General Public License
193 can be found in /usr/share/common-licenses/GPL.
194
195
196
197ecryptfs-utils 2009-03-24 ecryptfs(7)