mount -t ecryptfs [SRC DIR] [DST DIR] -o [OPTIONS]

       eCryptfs  is  a  POSIX-compliant enterprise-class stacked cryptographic
       filesystem for Linux. It is derived from Erez Zadok's Cryptfs,
       implemented through the FiST framework for generating stacked filesystems.
       eCryptfs extends Cryptfs to provide advanced key management and  policy
       features.  eCryptfs stores cryptographic metadata in the header of each
       file written, so that encrypted files can be copied between hosts;  the
       file  will  be decryptable with the proper key, and there is no need to
       keep track of any additional information aside from what is already  in
       the encrypted file itself. Think of eCryptfs as a sort of "gnupgfs."


            Parameters that apply to the eCryptfs kernel module.

              Specify  the  signature  of the mount wide authentication token.
              The authentication token must be in the  kernel  keyring  before
              the  mount  is performed. ecryptfs-manager or the eCryptfs mount
              helper can be used to construct the authentication token and add
              it to the keyring prior to mounting.

              Specify the signature of the mount wide authentication token
              used for filename crypto. The authentication token must be in
              the kernel keyring before mounting.

              Specify the symmetric cipher to be used on a per file basis.

              Specify  the keysize to be used with the selected cipher. If the
              cipher only has one keysize the keysize  does  not  need  to  be

              Allows for non-eCryptfs files to be read and written from within
              an eCryptfs mount. This option is turned off by default.

              Do not check the mount key signature against the values  in  the
              user's  ~/.ecryptfs/sig-cache.txt  file. This is useful for such
              things as non-interactive  setup  scripts,  so  that  the  mount
              helper  does  not stop and prompt the user in the event that the
              key sig is not in the cache.

              rather than the header region of the lower files.

              Log  ecryptfs  information  to  /var/log/messages.   Do  not run
              eCryptfs in verbose-mode unless you are doing so  for  the  sole
              purpose  of development, since secret values will be written out
              to the system log in that case.


              Parameters that apply to the eCryptfs mount helper.

       key=(keytype):[KEY MODULE OPTIONS]
              Specify the type of key to be used when mounting eCryptfs.

              Specify whether filename encryption should be enabled.  If  not,
              the  mount  helper  will  not  prompt  the user for the filename
              encryption key signature (default).

              If verbosity=1, the mount helper will ask you for missing values
              (default).  Otherwise, if verbosity=0, it will not ask for
              missing values and will fail if required values are omitted.


              Parameters that apply to individual key modules have the alias
              for the key module in the prefix of the parameter name. Key
              modules are pluggable, and which key modules are available on
              any given system is dependent upon whatever happens to be
              installed in /usr/lib*/ecryptfs/.

              The actual password is passphrase. Since the password is visible
              to  utilities (like ps under Unix) this form should only be used
              where security is not important.

              The password should be specified in a file with
              passwd=(passphrase). It is highly recommended that the file be
              stored on a secure medium such as a personal USB key.

       passphrase_passwd_fd=(file descriptor)
              The password is specified through the specified file descriptor.

       passphrase_salt=(hex value)
              The salt should be specified as a 16 digit hex value.

              The password can be specified on the command line. Since the
              password is visible in the process list, it is highly
              recommended to use this option only for testing purposes.

       The following command will layover mount eCryptfs  on  /secret  with  a
       passphrase  contained  in  a  file  stored  on  secure media mounted at

       mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/mnt/usb/file.txt /secret /secret

       Where file.txt contains the contents "passphrase_passwd=[passphrase]".



       Do  not  run  eCryptfs  in verbose-mode unless you are doing so for the
       sole purpose of development, since secret values will be written out to
       the system log in that case. Make certain that your eCryptfs mount
       covers all locations where your applications may write sensitive data.  In
       addition,  use dm-crypt to encrypt your swap space with a random key on
       boot, or see ecryptfs-setup-swap(1).

       Passphrases have a maximum length of 64 characters.
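
       The passphrase options and the notes above can be checked before a
       script runs the mount. The following is an added example, not part of
       the original manpage or of ecryptfs-utils: the function name and finding
       labels are made up for illustration, the option name "verbose" is
       assumed from the upstream ecryptfs(7) page, and the file-mode check is
       an extra hardening step this page does not itself require.

```sh
#!/bin/sh
# Added example: lint an eCryptfs "-o" option string before a script uses it.
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
# Limitation: file paths containing ',' or ':' are not handled.
audit_ecryptfs_opts() {
    rc=0
    while IFS= read -r opt; do
        val="${opt#*=}"
        case "$opt" in
            passphrase_passwd=*)
                echo "INLINE_PASSPHRASE: visible in the process list"; rc=1 ;;
            passphrase_passwd_file=*)
                if [ ! -r "$val" ]; then
                    echo "PASSWD_FILE_UNREADABLE: $val"; rc=1; continue
                fi
                # Extra hardening check, not from the page: owner-only mode.
                mode=$(stat -c '%a' "$val")   # assumes GNU/busybox stat
                case "$mode" in
                    *00) ;;
                    *) echo "PASSWD_FILE_MODE: $val is mode $mode"; rc=1 ;;
                esac
                pass=$(sed -n 's/^passphrase_passwd=//p' "$val" | head -n 1)
                if [ -z "$pass" ]; then
                    echo "PASSWD_FILE_FORMAT: no passphrase_passwd= line"; rc=1
                elif [ "${#pass}" -gt 64 ]; then
                    echo "PASSPHRASE_TOO_LONG: ${#pass} > 64 characters"; rc=1
                fi ;;
            passphrase_salt=*)
                case "$val" in *[!0-9A-Fa-f]*) val="" ;; esac
                [ "${#val}" -eq 16 ] ||
                    { echo "BAD_SALT: expected 16 hex digits"; rc=1; } ;;
            verbose)   # option name assumed from upstream ecryptfs(7)
                echo "VERBOSE: secret values go to the system log"; rc=1 ;;
        esac
    done <<EOF
$(printf '%s\n' "$1" | tr ',:' '\n\n')
EOF
    return "$rc"
}

# Constructed sample: the inline-passphrase form this page warns about.
audit_ecryptfs_opts "key=passphrase:passphrase_passwd=example-only,verbose" || true
```

       A non-interactive setup script can call the function on its option
       string and refuse to mount when it returns non-zero.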

       Please post bug reports to the eCryptfs bug tracker  on

       For kernel bugs, please follow the procedure detailed in
       Documentation/oops-tracing.txt to help us figure out what is happening.

       This manpage was (re-)written by Dustin Kirkland
       for  Ubuntu systems (but may be used by others).  Permission is granted
       to copy, distribute and/or modify this document under the terms of  the
       GNU General Public License, Version 2 or any later version published by
       the Free Software Foundation.

       On Debian systems, the complete text of the GNU General Public  License
       can be found in /usr/share/common-licenses/GPL.