Creating a Secure File System in Linux Using ecrypts

This is a basic guide to creating an encrypted file system. In my case I encrypt all sensitive information and the backups of the whole system. My system is a file server running Ubuntu 10.10 and a desktop machine / storage server running Kubuntu 11.10. On the file server I have an encrypted  samba share that contains all my customer critical data. The encryption code is held on a USB device secured to the server room bricks and mortar. For the storage server the encryption code is held on the file-server in the encrypted area. Therefore if the server is stollen the encryption key will not be available and if the storage server is stolen the encryption key will not be available. If both systems are stolen the enrytion key(s) will not be available. Therefore a conciderably more secure solution than a vanilla installation.


The ecrypts file system need to be installed.

sudo apt-get install  ecryptfs-utils

A usb pen drive if you wish to store your key on a usb drive.

A backup of your passphrases or all will be lost !

Server Setup

For this example I'm going to encypt a directory called /ToBeEncrypted and mount it as /Encrypted

sudo mount -t ecryptfs /ToBeEncrypted /Encrypted

  • You will be prompted for a passphrase. This should be a secure password. I use this generator Password Generator. There appears to be an issue with using ( or ) in the password. You will get spurios errors if you do so.
  • I accept the defaults aes, 32, Plain Text Passthrough (N), Filename Encrytion I set to (Y), Accept the FNEK
  • As this is the first time you have mounted this mount you will be asked if you want to proceed (yes)
  • Would you like to append sig (yes)
  • Keep a record of all the options you have selected.
To mount this share in fstab you need to update a file /root/.ecrytfsrc with the information used to mount the share. An example is shown below


Then chmod 600 .ecrptfsrc

You now need to create the passwd_file.txt. Which looks like this:


If you are using a USB drive to store the passwd_file.txt then remember to mount it in fstab as needs to be availabe during boot.

Modify the fstab to have the following line:

/ToBeEncryted /Encrypted ecryptfs user,_netdev 0 0

Now the share should auto mount at reboot.

Mount as a Samba Share

In samba you can now share the /Encryted Directory

Setting up the Storage Server

Repeat the process above using a different passphrase and using the directory for your backups. The only changes are:

  • In the .ecryptsrc file the key=passphrase line needs to point to the mounted secure share on the server


My backup is done by rsyncing the server to the storage servers encryted area. Providing me with a reasonable level of encrytion.
Please feel free to leave comments/corrections

Find Us


Contact Details

Sussex PC Works
9 Barclays Court,
Skeyne Drive,
Pulborough RH20 2BG

Tel: 01903680683