1ecryptfs(7)                        eCryptfs                        ecryptfs(7)
2
3
4

NAME

6       eCryptfs - an enterprise-class cryptographic filesystem for Linux
7
8

SYNOPSIS

10       mount -t ecryptfs [SRC DIR] [DST DIR] -o [OPTIONS]
11
12

DESCRIPTION

14       eCryptfs  is  a  POSIX-compliant enterprise-class stacked cryptographic
15       filesystem for Linux. It is derived from Erez Zadok's  Cryptfs,  imple‐
16       mented  through  the FiST framework for generating stacked filesystems.
17       eCryptfs extends Cryptfs to provide advanced key management and  policy
18       features.  eCryptfs stores cryptographic metadata in the header of each
19       file written, so that encrypted files can be copied between hosts;  the
20       file  will  be decryptable with the proper key, and there is no need to
21       keep track of any additional information aside from what is already  in
22       the encrypted file itself. Think of eCryptfs as a sort of "gnupgfs."
23
24

OPTIONS

26       KERNEL OPTIONS
27
28            Parameters that apply to the eCryptfs kernel module.
29
30
31       ecryptfs_sig=(fekek_sig)
32              Specify  the  signature  of the mount wide authentication token.
33              The authentication token must be in the  kernel  keyring  before
34              the  mount  is performed. ecryptfs-manager or the eCryptfs mount
35              helper can be used to construct the authentication token and add
36              it to the keyring prior to mounting.
37
38       ecryptfs_fnek_sig=(fnek_sig)
39              Specify  the  signature  of  the mount wide authentication token
40              used for filename crypto. The authentication must be in the ker‐
41              nel keyring before mounting.
42
43       ecryptfs_cipher=(cipher)
44              Specify the symmetric cipher to be used on a per file basis
45
46       ecryptfs_key_bytes=(key_bytes)
47              Specify  the keysize to be used with the selected cipher. If the
48              cipher only has one keysize the keysize  does  not  need  to  be
49              specified.
50
51       ecryptfs_passthrough
52              Allows for non-eCryptfs files to be read and written from within
53              an eCryptfs mount. This option is turned off by default.
54
55       no_sig_cache
56              Do not check the mount key signature against the values  in  the
57              user's  ~/.ecryptfs/sig-cache.txt  file. This is useful for such
58              things as non-interactive  setup  scripts,  so  that  the  mount
59              helper  does  not stop and prompt the user in the event that the
60              key sig is not in the cache.
61
62       ecryptfs_encrypted_view
63              This option provides a unified  encrypted  file  format  of  the
64              eCryptfs  files in the lower mount point.  Currently, it is only
65              useful if the lower mount point contains files with the metadata
66              stored in the extended attribute.  Upon a file read in the upper
67              mount point, the encrypted version of the file will be presented
68              with  the  metadata  in  the  file  header instead of the xattr.
69              Files cannot be opened for writing when this option is enabled.
70
71       ecryptfs_xattr
72              Store the metadata in the extended attribute of the lower  files
73              rather than the header region of the lower files.
74
75       verbose
76              Log  ecryptfs  information  to  /var/log/messages.   Do  not run
77              eCryptfs in verbose-mode unless you are doing so  for  the  sole
78              purpose  of development, since secret values will be written out
79              to the system log in that case.
80
81
82       MOUNT HELPER OPTIONS
83
84              Parameters that apply to the eCryptfs mount helper.
85
86
87       key=(keytype):[KEY MODULE OPTIONS]
88              Specify the type of key to be used when mounting eCryptfs.
89
90       ecryptfs_enable_filename_crypto=(y/N)
91              Specify whether filename encryption should be enabled.  If  not,
92              the  mount  helper  will  not  prompt  the user for the filename
93              encryption key signature.
94
95       verbosity=0/1
96              If verbosity=1, the mount helper will ask you for missing values
97              (default).  Otherwise, if verbosity=0, it will not ask for miss‐
98              ing values and will fail if required values are omitted.
99
100
101       KEY MODULE OPTIONS
102
103              Parameters that apply to individual key modules have  the  alias
104              for the key module in the prefix of the parameter name. Key mod‐
105              ules are pluggable, and which key modules are available  on  any
106              given  system is dependent upon whatever happens to be installed
107              in /usr/lib*/ecryptfs/. By default, this includes, at a minimum,
108              "passphrase" and "openssl."
109
110
111       passphrase_passwd=(passphrase)
112              The actual password is passphrase. Since the password is visible
113              to utilities (like ps under Unix) this form should only be  used
114              where security is not important.
115
116       passphrase_passwd_file=(filename)
117              The    password   should   be   specified   in   a   file   with
118              passwd=(passphrase). It is highly reccomended that the  file  be
119              stored on a secure medium such as a personal USB key.
120
121       passphrase_passwd_fd=(file descriptor)
122              The password is specified through the specified file descriptor.
123
124       passphrase_salt=(hex value)
125              The salt should be specified as a 16 digit hex value.
126
127       openssl_keyfile=(filename)
128              The  filename should be the filename of a file containing an RSA
129              SSL key.
130
131       openssl_passwd_file=(filename)
132              The   password   should   be   specified   in   a   file    with
133              openssl_passwd=(openssl-password). It is highly recommended that
134              the file be stored on a secure medium such  as  a  personal  USB
135              key.
136
137       openssl_passwd_fd=(file descriptor)
138              The password is specified through the specified file descriptor.
139
140       openssl_passwd=(password)
141              The  password  can  be  specified on the command line. Since the
142              password is visible in the process list,  it  is  highly  recom‐
143              mended to use this option only for testing purposes.
144
145

EXAMPLE

147       The  following  command  will  layover mount eCryptfs on /secret with a
148       passphrase contained in a  file  stored  on  secure  media  mounted  at
149       /mnt/usb/.
150
151       mount                  -t                  ecryptfs                  -o
152       key=passphrase:passphrase_passwd_file=/mnt/usb/file.txt /secret /secret
153
154
155       Where file.txt contains the contents "passphrase_passwd=[passphrase]".
156
157

SEE ALSO

159       mount(8)
160
161       /usr/share/doc/ecryptfs-utils/ecryptfs-faq.html
162
163       http://launchpad.net/ecryptfs/
164
165

NOTES

167       Do not run eCryptfs in verbose-mode unless you are  doing  so  for  the
168       sole purpose of development, since secret values will be written out to
169       the system log in that case. Make certain that your eCryptfs mount cov‐
170       ers  all locations where your applications may write sensitive data. In
171       addition, use dm-crypt to encrypt your swap space with a random key  on
172       boot, or see ecryptfs-setup-swap(1).
173
174       Passphrases have a maximum length of 64 characters.
175
176

BUGS

178       Please  post  bug reports to the eCryptfs bug tracker on Launchpad.net:
179       https://bugs.launchpad.net/ecryptfs/+filebug.
180
181       For kernel bugs, please follow the  procedure  detailed  in  Documenta‐
182       tion/oops-tracing.txt to help us figure out what is happening.
183
184

AUTHOR

186       This  manpage  was  (re-)written  by  Dustin Kirkland <kirkland@canoni‐
187       cal.com> for Ubuntu systems (but may be used by others).  Permission is
188       granted to copy, distribute and/or modify this document under the terms
189       of the GNU General Public License, Version 2 or any later version  pub‐
190       lished by the Free Software Foundation.
191
192       On  Debian systems, the complete text of the GNU General Public License
193       can be found in /usr/share/common-licenses/GPL.
194
195
196
197ecryptfs-utils                    2009-03-24                       ecryptfs(7)
Impressum