Ubuntu – Encrypting an extra partition with ecryptfs

Lucky you! I just had the same problem and wrote a script that will facilitate mounting ecryptfs Folders with FNEK.

sudo su -

Then open nano/vim/your editor of choice and create a file ecryptfs-fnek-helper.sh with the following contents:

#!/bin/bash

# Thanks to https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/455709
# 

echo "Where is the /home with the .ecryptfs mounted? (default=/mnt/home)"
read home_ecryptfs
if [ -z "$home_ecryptfs" ]; then
    home_ecryptfs=/mnt/home
fi
home_ecryptfs=$home_ecryptfs/.ecryptfs

echo "Whose encrypted home would you like to mount?"
read user
if [ -z "$user" ]; then
    echo "You have to enter a user!"
    exit;
fi

echo "What is the user's password?"
read -s password
if [ -z "$password" ]; then
    echo "You have to enter a password!"
    exit;
fi

echo "Where would you like to mount it? (Default: /mnt/[username])"
read target
if [ -z "$target" ]; then
    target=/mnt/$user
fi
target=$target/
mkdir -p $target

wrapped=$home_ecryptfs/$user/.ecryptfs/wrapped-passphrase
sig=$home_ecryptfs/$user/.ecryptfs/Private.sig
private=$home_ecryptfs/$user/.Private/

echo I will be mounting $private into $target.

echo "Clearing the keyring."
keyctl clear @u
keyctl list @u

echo "Unwrapping passphrase and inserting it into key:"
printf "%s" $password | ecryptfs-insert-wrapped-passphrase-into-keyring $wrapped -

keyctl list @u

echo -e "\e[0;92mPassphrase:"
echo -e '\e[1;92m'`printf "%s" $password | ecryptfs-unwrap-passphrase $wrapped - `'\e[0m'
echo -e "\e[0;96mFilename Encryption Key (FNEK) Signature:"
echo -e '\e[1;96m'`tail -n1 $sig`'\e[0m'
echo -e "Mounting now! Be sure to enable FNEK!"
mount.ecryptfs $private $target -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,key=passphrase

This will unwrap your passphrase and add it to the keyring. It will also display the passhprase and the correct FNEK signature, so you can copy/paste them when prompted by mount.ecryptfs.

Make the file executable and run it while still in su:

chmod +x ecryptfs-fnek-helper.sh
./ecryptfs-fnek-helper.sh

I'll answer this question, as the author of ecryptfs-setup-private, and one of the maintainers of eCryptfs.

eCryptfs provides very strong cryptographic protection of your data "at rest" -- ie, when your system is powered off or hibernated. However, you should beware that when your system is running, and your home directory is mounted, your data is protected exclusively by DAC (Discretionary Access Controls) -- ie, UNIX filesystem permissions. By default in Ubuntu, if you're using an Encrypted Home Directory, then your $HOME directory has 700 permissions -- so no other users on the system besides you (and root) will be able to see your data while its mounted. Now when your data is mounted, then it is safely locked away in encryption.

As always, you should still have a very strong LOGIN passphrase, however. Your LOGIN passphrase is used to encrypt and decrypt a much longer and strong randomly generated mount passphrase, which is stored in $HOME/.ecryptfs/wrapped-passphrase. If an attacker has access to $HOME/.ecryptfs/wrapped-passphrase, then they can try and decrypt that file by guessing your LOGIN passphrase. If they do decrypt that, then they will have access to your long/random MOUNT passphrase and your data is no longer safe. As a stronger measure of security, some paranoid users (such as myself) store their wrapped-passphrase file on secure removable media such as a USB key or an SD-card, and use a symbolic link to link it into place at $HOME/.ecryptfs/wrapped-passphrase. This should only be attempted by expert users.

Cheers!