Ecryptfs

Introduction
eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux.

Kernel Configuration
First, configure the kernel for eCryptfs. It needs crypto API support with at least one symmetric-key cipher, key retention support, and the eCryptfs layer.

Build and install the module and then load it.

Install userspace tools
Install the ecryptfs-utils package.

If you use stable packages, you may need to keyword the following packages:

Mount on login
eCryptfs can be configured to mount when you log in. For this, the passphrase of the encrypted volume is wrapped (encrypted) with the login password and saved to .ecryptfs/wrapped-passphrase.

Prepare PAM
First, make sure that ecryptfs-utils is built with USE="pam suid".

To allow transparent unwrapping of the passphrase on login, eCryptfs needs to be added to the PAM stack.

After these steps the encrypted passphrase stored in $HOME/.ecryptfs/wrapped-passphrase is decrypted on login.

If the file .ecryptfs/auto-mount exists, the .Private directory is mounted on login at the mount point configured in .ecryptfs/Private.mnt.

Setup a private directory
This creates the directories .ecryptfs, .Private and Private.

.ecryptfs contains your eCryptfs settings and the wrapped passphrase.

.Private contains the encrypted data.

Private serves as the default mount point for the decrypted data.
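The following script is an added example, not part of the wiki page or of ecryptfs-utils. It checks the per-user layout described in the "Mount on login" and "Setup a private directory" sections (wrapped-passphrase, Private.mnt, auto-mount, .Private, the mount point) and flags a wrapped-passphrase file that is readable by others; it assumes GNU stat and the standard paths under $HOME, and builds a constructed sample layout for testing.

```shell
#!/bin/sh
# Added example (not from the wiki): sanity-check the per-user eCryptfs
# layout described above. Assumes GNU stat and the standard paths
# ~/.ecryptfs/{wrapped-passphrase,auto-mount,Private.mnt} and ~/.Private.

# check_ecryptfs_layout HOME [MOUNTS_FILE]
# Reports findings on stdout; returns 0 when the layout is complete and
# wrapped-passphrase is readable by its owner only, 1 otherwise.
check_ecryptfs_layout() {
    home=$1; mounts=${2:-/proc/mounts}; cfg=$home/.ecryptfs; rc=0
    if [ ! -f "$cfg/wrapped-passphrase" ]; then
        echo "missing $cfg/wrapped-passphrase"; rc=1
    else
        # Anyone who can read this file can attempt to unwrap it offline,
        # so it must not be group- or world-readable.
        perm=$(stat -c '%a' "$cfg/wrapped-passphrase")
        case $perm in
            600|400) ;;
            *) echo "wrapped-passphrase has mode $perm, expected 600"; rc=1 ;;
        esac
    fi
    [ -d "$home/.Private" ] || { echo "missing $home/.Private"; rc=1; }
    if [ -f "$cfg/Private.mnt" ]; then
        mnt=$(cat "$cfg/Private.mnt")
        [ -d "$mnt" ] || { echo "mount point $mnt does not exist"; rc=1; }
        # A line "<src> <mnt> ecryptfs ..." in /proc/mounts means it is mounted.
        if grep -q "^[^ ]* $mnt ecryptfs " "$mounts" 2>/dev/null; then
            echo "$mnt is currently mounted (ecryptfs)"
        else
            echo "$mnt is not mounted"
        fi
    else
        echo "missing $cfg/Private.mnt"; rc=1
    fi
    [ -f "$cfg/auto-mount" ] || echo "note: no auto-mount flag, Private will not mount on login"
    return $rc
}

# make_sample_layout DIR MODE: build a constructed layout (plus a sample
# mounts file) for testing; MODE is the permission for wrapped-passphrase.
make_sample_layout() {
    mkdir -p "$1/.ecryptfs" "$1/.Private" "$1/Private"
    printf 'sample\n' > "$1/.ecryptfs/wrapped-passphrase"
    chmod "$2" "$1/.ecryptfs/wrapped-passphrase"
    printf '%s/Private\n' "$1" > "$1/.ecryptfs/Private.mnt"
    : > "$1/.ecryptfs/auto-mount"
    printf '%s/.Private %s/Private ecryptfs rw 0 0\n' "$1" "$1" > "$1/mounts.sample"
}
```

Run it against a real account with `check_ecryptfs_layout "$HOME"`; the second argument is only needed to point at a mounts file other than /proc/mounts.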

Links

 * Chapters 2-4 retrieved from http://www.gentoo-wiki.info/ECryptfs
 * ecryptfs-homepage
 * Encrypt home directory with ecryptfs