eCryptfs is now hooked into Launchpad‘s Translations functionality for internationalization of text strings (at least the shell scripts, for now).

If you are fluent in another language and would like to help translate eCryptfs, please help out at:


Also, a belated congratulations, and thank you to the Launchpad team on their open sourcing of all of Launchpad’s functionality, under the AGPL!



In the spirit of the FHS, Encrypted Home Directories in Ubuntu 9.04 stored certain configuration information about your Encrypted Home setup in /var/lib/ecryptfs.

However “correct” this location might be, it has caused considerable pain to a number of users, mostly because people don’t backup /var/lib, generally. That said, it is totally possible to re-generate all of the information in your /var/lib/ecryptfs directory if you recorded your all-important mount passphrase.

In any case, this is not the most user-friendly place to store this information.

Thus, in Karmic, we are using /home/.ecryptfs instead of /var/lib/ecryptfs. Each user encrypting their home directory will have a a directory in /home/.ecryptfs/$USER which will contain the “real” .ecryptfs and .Private directories.

This provides a couple of advantages.

First, your /home directory is completely self-contained. You can backup that entire hierarchy and save all of the data necessary (excepting your secret passphrase, of course). Actually, many users make /home a separate partition.

Secondly, having access to /home/.ecryptfs/$USER/.Private means that you can much more easily perform backups of your encrypted data. This feature has been requested many, many times.

You can actually take advantage of this same configuration in Ubuntu 9.04, if you follow the guide below. I recommend doing so 😉

As always, you should log out of all desktop sessions, and perform these instructions from a tty terminal, or an ssh session.

#!/bin/sh -e

# Move out of your home directory
cd /

# If your encrypted home is not mounted, try to mount it
grep -qs " $HOME ecryptfs " /proc/mounts || ecryptfs-mount-private

# With root privilege, create a /home/.ecryptfs/$USER directory
sudo mkdir -p /home/.ecryptfs/$USER

# Make sure $USER owns that
sudo chown $USER:$USER /home/.ecryptfs/$USER

# Rename your /var/lib/ecryptfs/$USER dir to the new location
sudo mv -f /var/lib/ecryptfs/$USER /home/.ecryptfs/$USER/.ecryptfs

# Remove the two symlinks in your mounted home, to .ecryptfs and .Private
rm -f $HOME/.ecryptfs $HOME/.Private

# Establish links to these two dirs
ln -sf /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs
ln -sf /home/.ecryptfs/$USER/.Private $HOME/.Private

# Unmount home
while ecryptfs-umount-private | grep "Sessions still open"; do

# Make your unmounted home writable (briefly)
sudo chmod 700 $HOME

# Move the *real* .Private directory to the new location
mv -f $HOME/.Private /home/.ecryptfs/$USER/

# Remove the .ecryptfs and .Private links
rm -f $HOME/.ecryptfs $HOME/.Private

# Re-establish the .ecryptfs and .Private links
ln -sf /home/.ecryptfs/$USER/.ecryptfs $HOME/.ecryptfs
ln -sf /home/.ecryptfs/$USER/.Private $HOME/.Private

# Mount your home directory again


I’m listening to the UK Podcast S02E09 right now, and there was a question from a user about restricting who can encrypt their home or private directory under Ubuntu. (A bit later in the broadcast, these fine fellows interview yours truly.)

Dave Walker and Alan Pope were discussing this. Perhaps you have a shared system at home and you want to encrypt your home directory, but don’t want to give this privilege to your unruly 10 year old 😉

Here’s a simple recipe for solving this using Unix Discretionary Access Controls:

sudo addgroup ecryptfs
sudo usermod -a -G ecryptfs [allowed users]
sudo chown root:ecryptfs /sbin/mount.ecryptfs_private
sudo chmod 4750 /sbin/mount.ecryptfs_private

So you create an ecryptfs group, add your allowed users to the ecryptfs group, chown the setuid binary 4750, such that only users in the ecryptfs group can execute it. Done!

I’ll note that Fedora 11 ships with /sbin/mount.ecryptfs_private permissioned by default in such a way. I don’t plan to change Ubuntu’s default behavior unless required by the Ubuntu Security Team.

-rwsr-x--- 1 root ecryptfs 12216 2009-07-21 02:36 /sbin/ecryptfs_private*



Many eCryptfs and Ubuntu Jaunty users have requested instructions on migrating their existing, non-encrypted home directories to an Encrypted-Home setup. I have some instructions for you now!


  1. Make a complete backup copy of your non-encrypted data to another system or external media. Some of the following instructions are dangerous, could result in data lost, or lock you out of your system! Please read and follow all instructions very carefully.
  2. Make sure you have sufficient disk space available. To make a full copy, you will need at least 2x the disk usage of your current home directory. Assuming the copy succeeds and you have access to your encrypted data, you can recover some space by deleting the unencrypted data.

    du -sh $HOME
    df -h $HOME
  3. You must have administrator (sudo) privileges.
  4. You should install ecryptfs-utils

    sudo apt-get install ecryptfs-utils

  5. These instructions require an empty $HOME/Private directory. If you already have some data in your $HOME/Private directory, please move all of these files and directories out of the way, and follow the instructions in:

    ecryptfs-setup-private --undo


Exit all desktop sessions. You need to ensure that there are no other processes on your system reading and/or writing data in your home directory. Perform all of the following instructions by logging in via SSH or at a tty terminal (ctrl-alt-F1).

Login and setup an Encrypted Private directory:


Logout, and log back in and make sure $HOME/Private is mounted.

mount | grep "$USER.*ecryptfs"

Use rsync to copy all data from your home directory to your new Encrypted Private directory. If you have a large home directory, this step might take a very long time. Be very wary of any errors at this point. This is the most essential step in this migration scheme. I usually re-run this step 3 times.

rsync -aP --exclude=.Private --exclude=Private --exclude=.ecryptfs \
$HOME/ $HOME/Private/

Sync to disk, unmount, logout, and log back in.

sync && sync && sync

Setup your eCryptfs configuration directory.

cd /
sudo mkdir -p /home/.ecryptfs/$USER
sudo chown $USER:$USER /home/.ecryptfs/$USER
mv $HOME/.ecryptfs /home/.ecryptfs/$USER/
mv $HOME/.Private /home/.ecryptfs/$USER/
sudo chmod 700 /home/.ecryptfs/$USER/.Private /home/.ecryptfs/$USER/.ecryptfs

Setup your new, unmounted home directory.

sudo mkdir -p -m 700 /home/$
sudo chown $USER:$USER /home/$
ln -sf /home/.ecryptfs/$USER/.ecryptfs \
ln -sf /home/.ecryptfs/$USER/.Private \

Move your old, unencrypted home directory out of the way.

sudo mv $HOME $HOME.old

“Activate” your new, unmounted home directory by renaming it.

sudo mv /home/$ $HOME
echo $HOME > $HOME/.ecryptfs/Private.mnt
ln -sf \
/usr/share/ecryptfs-utils/ecryptfs-mount-private.txt \
sudo chmod 500 $HOME

Logout, and log back in. Ensure that $HOME is mounted, and that you have a symlink to your configuration directory.

mount | grep "$USER.*ecryptfs"
ln -sf /home/.ecryptfs/$USER/.ecryptfs \
ln -sf /home/.ecryptfs/$USER/.Private \

Check all of your home directory data. Ensure that everything is in order. Once you are completely confident that the migration worked, you can reclaim some disk space by removing your old, non-encrypted data.

sudo rm -rf $HOME.old


If you are a shred-minded-individual, you will need to backup your cleartext data, shred your disk, and reinstall from scratch.


Most of my eCryptfs posts have been dedicated to my work on Ubuntu’s Encrypted Home and Encrypted Private Directories. I’m incredibly proud that we are helping Ubuntu users enjoy confidence in the security of their personal data without requiring sophisticated expertise in cryptographic filesystems and system adminstration.

This post, however, is intended to highlight what I hope is a burgeoning development community around the upstream eCryptfs project.

Minutes ago, I released ecryptfs-utils-75. I believe that this is a landmark release based on the number of contributions from people other than the maintainers, Tyler Hicks (IBM) and myself (Canonical).

Have a look at the changelog, and you should see contributions from:

  • Michal Hlavinka (Red Hat)
  • Daniel Baumann (Debian)
  • Arfrever Frehtes Taifersar Arahesis
  • Frédéric Guihéry
  • Adrian C. (anrxc)

Thank you!

If you have an interest in eCryptfs and a proficiency in C programming, please have a look at our open bugs. We are quite interested in growing our community of developers. You can join us in IRC at #ecryptfs on, and you can grab the source code with:

  • bzr branch lp:ecryptfs


p.s. Several years ago, I was criticized on a mailing list for submitting a “drive-by patch” (some maintainers evidently do not like this model). It scared me away from making minor contributions to projects I was otherwise unaffiliated with for some time. So, for the record, if your code is good, I don’t mind “drive-by patches” 😉