eCryptfs on Fedora

For some reason it’s hard to find up-to-date installation instructions for eCryptfs on Fedora, so I’m posting instructions here. These work with at least Fedora 22 and Fedora 23, and maybe other versions. Note that eCryptfs isn’t a substitute for full disk encryption; I personally use it in addition to full disk encryption (via LUKS) to get further security on important files.

First, install ecryptfs-utils:

sudo dnf install ecryptfs-utils

Subsequently the ecryptfs kernel module will get automatically loaded on boot, but immediately after installing the RPM it probably won’t be loaded. So you have to load the kernel module manually once (or reboot):

sudo modprobe ecryptfs

Next you need to make sure that your user has been added to the ecryptfs group:

sudo gpasswd -a $USER ecryptfs

You’ll want to log out of your current session and back in to make sure that this change affects your session. Finally, once you are in the ecryptfs group you need to run:

ecryptfs-setup-private

This will prompt you for your login password and optionally an ecryptfs password. The script will then do some stuff to make ~/Private your ecryptfs private directory. The way this actually works is that it creates ~/.ecryptfs, which has the encrypted data and keys, and there are scripts to mount this via FUSE to ~/Private. Thus if you mess something up and want to start over, you can rm -rf ~/.ecryptfs and you’ll reset things.

Subsequently, when you want to have ~/Private be decrypted and mounted you’ll run:

ecryptfs-mount-private

and likewise to unmount ~/Private you’ll run:

ecryptfs-umount-private
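The steps above fail in a few predictable ways: the module is not loaded yet, the group change has not reached your current session, or ~/Private is not mounted. The script below is an added example, not part of the original instructions, that checks each of these. The function names and the file name preflight.sh are made up for illustration, and it assumes an eCryptfs mount appears in /proc/mounts with filesystem type ecryptfs.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for the steps above.
# Each check takes its input as a parameter so it can be run on constructed data;
# with no file argument it reads the live system.

# Is ecryptfs registered with the kernel? $1: /proc/filesystems-style file.
ecryptfs_fs_registered() {
    awk '$NF == "ecryptfs" { found = 1 } END { exit !found }' "${1:-/proc/filesystems}"
}

# Is word $2 in the space- or comma-separated list $1?
in_list() {
    case " $(printf '%s' "$1" | tr ',' ' ') " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: user, $2: member list from the group database, $3: groups of this session.
# Prints ok, relogin (added to the group but session predates it) or missing.
group_state() {
    if in_list "$3" ecryptfs; then echo ok
    elif in_list "$2" "$1"; then echo relogin
    else echo missing
    fi
}

# Is an ecryptfs filesystem mounted at $1? $2: /proc/mounts-style file.
private_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

ecryptfs_preflight() {
    user=$(id -un)
    members=$(getent group ecryptfs | cut -d: -f4)
    ecryptfs_fs_registered || echo "ecryptfs not loaded: sudo modprobe ecryptfs"
    case $(group_state "$user" "$members" "$(id -nG)") in
        relogin) echo "group added but not active: log out and back in" ;;
        missing) echo "not in ecryptfs group: sudo gpasswd -a $user ecryptfs" ;;
    esac
    if private_mounted "$HOME/Private"; then echo "~/Private is mounted"
    else echo "~/Private is not mounted: ecryptfs-mount-private"
    fi
}

# Run against the live system only when asked: sh preflight.sh --run
if [ "${1:-}" = --run ]; then ecryptfs_preflight; fi
```

Checking that ~/Private is really mounted before writing to it matters, because files saved into an unmounted ~/Private are stored without eCryptfs encryption.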

If you want to do something fancy you might need to deviate from this setup and RTFM, but for the usual use case of “I want an encrypted directory for my personal files” this system is easy to configure and works well.