[linux-2.6-block.git] / Documentation / filesystems / ecryptfs.rst

.. SPDX-License-Identifier: GPL-2.0

======================================================
eCryptfs: A stacked cryptographic filesystem for Linux
======================================================

eCryptfs is free software. Please see the file COPYING for details.
For documentation, please see the files in the doc/ subdirectory.  For
building and installation instructions please see the INSTALL file.

:Maintainer: Phillip Hellewell
:Lead developer: Michael A. Halcrow <mhalcrow@us.ibm.com>
:Developers: Michael C. Thompson
             Kent Yoder
:Web Site: http://ecryptfs.sf.net

This software is currently undergoing development. Make sure to
maintain a backup copy of any data you write into eCryptfs.

eCryptfs requires the userspace tools downloadable from the
SourceForge site:

http://sourceforge.net/projects/ecryptfs/

Userspace requirements include:

- David Howells' userspace keyring headers and libraries (version
  1.0 or higher), obtainable from
  http://people.redhat.com/~dhowells/keyutils/
- Libgcrypt


.. note::

   In the beta/experimental releases of eCryptfs, when you upgrade
   eCryptfs, you should copy the files to an unencrypted location and
   then copy the files back into the new eCryptfs mount to migrate the
   files.


Mount-wide Passphrase
=====================

Create a new directory into which eCryptfs will write its encrypted
files (i.e., /root/crypt).  Then, create the mount point directory
(i.e., /mnt/crypt).  Now it's time to mount eCryptfs::

    mount -t ecryptfs /root/crypt /mnt/crypt

You should be prompted for a passphrase and a salt (the salt may be
blank).

Try writing a new file::

    echo "Hello, World" > /mnt/crypt/hello.txt

The operation will complete.  Notice that there is a new file in
/root/crypt that is at least 12288 bytes in size (depending on your
host page size).  This is the encrypted underlying file for what you
just wrote.  To test reading, from start to finish, you need to clear
the user session keyring:

keyctl clear @u

Then umount /mnt/crypt and mount again per the instructions given
above.

::

    cat /mnt/crypt/hello.txt


Notes
=====

eCryptfs version 0.1 should only be mounted on (1) empty directories
or (2) directories containing files only created by eCryptfs. If you
mount a directory that has pre-existing files not created by eCryptfs,
then behavior is undefined. Do not run eCryptfs in higher verbosity
levels unless you are doing so for the sole purpose of debugging or
development, since secret values will be written out to the system log
in that case.


Mike Halcrow
mhalcrow@us.ibm.com
Commit	Line	Data
b02a17cb MCC	1	.. SPDX-License-Identifier: GPL-2.0
	2
	3	======================================================
237fead6	4	eCryptfs: A stacked cryptographic filesystem for Linux
b02a17cb	5	======================================================
237fead6 MH	6
	7	eCryptfs is free software. Please see the file COPYING for details.
	8	For documentation, please see the files in the doc/ subdirectory. For
	9	building and installation instructions please see the INSTALL file.
	10
b02a17cb MCC	11	:Maintainer: Phillip Hellewell
	12	:Lead developer: Michael A. Halcrow <mhalcrow@us.ibm.com>
	13	:Developers: Michael C. Thompson
	14	Kent Yoder
	15	:Web Site: http://ecryptfs.sf.net
237fead6 MH	16
	17	This software is currently undergoing development. Make sure to
	18	maintain a backup copy of any data you write into eCryptfs.
	19
	20	eCryptfs requires the userspace tools downloadable from the
	21	SourceForge site:
	22
	23	http://sourceforge.net/projects/ecryptfs/
	24
	25	Userspace requirements include:
b02a17cb MCC	26
	27	- David Howells' userspace keyring headers and libraries (version
	28	1.0 or higher), obtainable from
	29	http://people.redhat.com/~dhowells/keyutils/
	30	- Libgcrypt
237fead6 MH	31
237fead6 MH	32
c44166fe	33	.. note::
237fead6	34
c44166fe MCC	35	In the beta/experimental releases of eCryptfs, when you upgrade
	36	eCryptfs, you should copy the files to an unencrypted location and
	37	then copy the files back into the new eCryptfs mount to migrate the
	38	files.
237fead6 MH	39
237fead6 MH	40
b02a17cb MCC	41	Mount-wide Passphrase
b02a17cb MCC	42	=====================
237fead6 MH	43
	44	Create a new directory into which eCryptfs will write its encrypted
	45	files (i.e., /root/crypt). Then, create the mount point directory
b02a17cb	46	(i.e., /mnt/crypt). Now it's time to mount eCryptfs::
237fead6	47
b02a17cb	48	mount -t ecryptfs /root/crypt /mnt/crypt
237fead6 MH	49
	50	You should be prompted for a passphrase and a salt (the salt may be
	51	blank).
	52
b02a17cb	53	Try writing a new file::
237fead6	54
b02a17cb	55	echo "Hello, World" > /mnt/crypt/hello.txt
237fead6 MH	56
	57	The operation will complete. Notice that there is a new file in
	58	/root/crypt that is at least 12288 bytes in size (depending on your
	59	host page size). This is the encrypted underlying file for what you
	60	just wrote. To test reading, from start to finish, you need to clear
	61	the user session keyring:
	62
	63	keyctl clear @u
	64
	65	Then umount /mnt/crypt and mount again per the instructions given
	66	above.
	67
b02a17cb MCC	68	::
	69
	70	cat /mnt/crypt/hello.txt
237fead6 MH	71
237fead6 MH	72
b02a17cb MCC	73	Notes
b02a17cb MCC	74	=====
237fead6 MH	75
	76	eCryptfs version 0.1 should only be mounted on (1) empty directories
	77	or (2) directories containing files only created by eCryptfs. If you
	78	mount a directory that has pre-existing files not created by eCryptfs,
	79	then behavior is undefined. Do not run eCryptfs in higher verbosity
	80	levels unless you are doing so for the sole purpose of debugging or
	81	development, since secret values will be written out to the system log
	82	in that case.
	83
	84
	85	Mike Halcrow
	86	mhalcrow@us.ibm.com