Chapter 3. Encrypted File System
Red Hat Enterprise Linux 6 provides a technology preview of eCryptfs, a "pseudo-file system" which provides data and filename encryption on a per-file basis. The term "pseudo-file system" refers to the fact that eCryptfs does not have an on-disk format; rather, it is a file system layer that resides on top of an actual file system. The eCryptfs layer provides encryption capabilities.
eCryptfs works like a bind mount by intercepting file operations that write to the underlying (that is, encrypted) file system. The eCryptfs layer adds a header to the metadata of files in the underlying file system. This metadata describes the encryption for that file, and eCryptfs encrypts file data before it is passed to the encrypted file system. Optionally, eCryptfs can also encrypt filenames.
eCryptfs is not an on-disk file system; as such, there is no need to create it via tools such as mkfs. Instead, eCryptfs is initiated by issuing a special mount command. To manage file systems protected by eCryptfs, the ecryptfs-utils package must be installed first.
3.1. Mounting a File System as Encrypted
To encrypt a file system with eCryptfs, execute the following command:
mount -t ecryptfs /source /destination
Encrypting a directory hierarchy (/source in the above example) with eCryptfs means mounting it to a mount point encrypted by eCryptfs (/destination in the example above). All file operations to /destination will be passed encrypted to the underlying /source file system. In some cases, however, it may be possible for a file operation to modify /source directly without passing through the eCryptfs layer; this could lead to inconsistencies. This is why, for most environments, Red Hat recommends that the names of both /source and /destination be identical. For example:
mount -t ecryptfs /home /home
This effectively means encrypting a file system and mounting it on itself. Doing so helps ensure that all file operations to /home pass through the eCryptfs layer.
During the mount and encryption process, mount will allow the following settings to be configured:
- Encryption key type; passphrase is one of the available choices. When choosing passphrase, mount will ask for one.
- Cipher (for example, aes)
- Key bytesize (for example, 16)
- Plaintext passthrough: enabled or disabled.
- Filename encryption: enabled or disabled.
After the last step of an interactive mount, mount will display all the selections made and perform the mount. This output consists of the command-line option equivalents of each chosen setting. For example, when mounting /home with a key type of passphrase, the aes cipher, a key bytesize of 16 and filename encryption disabled, the output would be:
Attempting to mount with the following options: ecryptfs_unlink_sigs ecryptfs_key_bytes=16 ecryptfs_cipher=aes ecryptfs_sig=c7fed37c0a341e19
Mounted eCryptfs
The options in this display can then be passed directly on the command line to encrypt and mount a file system using the same configuration. To do so, pass the options as a comma-separated list to the -o argument of mount. For example:
# mount -t ecryptfs /home /home -o ecryptfs_unlink_sigs,\
ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=c7fed37c0a341e19
 This is a single command split into multiple lines, to accommodate printed and PDF versions of this document. All concatenated lines — preceded by the backslash (\) — should be treated as one command, sans backslashes.
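The following shell script is an added example and is not part of the Red Hat guide or of ecryptfs-utils. It turns the summary line that an interactive mount prints into the non-interactive command described above (using the same directory as source and destination, as the "mount on itself" recommendation requires) and then checks a mounts table in /proc/mounts format to confirm that the directory is really served by eCryptfs and not by the underlying file system. The summary line and the mounts table are constructed samples; the signature value is taken from the guide's example output.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: turn the summary line that
# an interactive eCryptfs mount prints into a reusable non-interactive
# mount command, and verify afterwards that a directory is really served
# by eCryptfs rather than by the underlying file system.

# Constructed sample of the summary an interactive mount prints
# (the ecryptfs_sig value is copied from the guide's example output).
SAMPLE_SUMMARY='Attempting to mount with the following options: ecryptfs_unlink_sigs ecryptfs_key_bytes=16 ecryptfs_cipher=aes ecryptfs_sig=c7fed37c0a341e19 Mounted eCryptfs'

# Constructed sample of /proc/mounts after "mount -t ecryptfs /home /home":
# the ext4 entry is the underlying file system, the ecryptfs entry sits on top.
SAMPLE_MOUNTS='/dev/sda2 /home ext4 rw,relatime 0 0
/home /home ecryptfs rw,relatime,ecryptfs_sig=c7fed37c0a341e19,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0'

# options_from_summary SUMMARY
# Keep only the ecryptfs_* tokens and join them with commas, which is the
# form mount(8) expects after -o.
options_from_summary() {
  printf '%s\n' "$1" | awk '{
    out = ""
    for (i = 1; i <= NF; i++)
      if ($i ~ /^ecryptfs_/) out = out (out == "" ? "" : ",") $i
    print out
  }'
}

# mount_command DIR OPTIONS
# Build the non-interactive command. The directory is used as both source
# and destination on purpose, so that every operation on DIR passes
# through the eCryptfs layer (the "mount on itself" recommendation).
mount_command() {
  printf 'mount -t ecryptfs %s %s -o %s\n' "$1" "$1" "$2"
}

# is_ecryptfs_mounted DIR < mounts-table
# Succeed only if an ecryptfs entry is mounted exactly at DIR.
is_ecryptfs_mounted() {
  awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }'
}

# Demonstration on the constructed samples; no root and no real mount needed.
# On a live system use: is_ecryptfs_mounted /home < /proc/mounts
OPTS=$(options_from_summary "$SAMPLE_SUMMARY")
echo "Reusable command: $(mount_command /home "$OPTS")"
if printf '%s\n' "$SAMPLE_MOUNTS" | is_ecryptfs_mounted /home; then
  echo "/home is served by eCryptfs in the sample mount table"
fi
```

Running the mount check after every boot or automated mount is the cheap way to catch the inconsistency the guide warns about: if the ecryptfs entry is missing, processes writing to /home are writing plaintext straight to the underlying file system.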