eCryptfs is a stacked file system in the Linux kernel. Users mount a directory in one file system on top of another. Content read from, and written to, the upper directory exists as decrypted content in memory and is seamlessly accessible to the user and applications. Files are written to disk in the lower directory as atomic, encrypted units. File names and directory names are encrypted with a single, mount-wide File Name Encryption Key (FNEK).

The stacked file system is generated by the File System Translator (FiST) framework. This system combines a set of stackable file system templates for each operating system with a high-level language that can describe stackable file systems in a cross-platform, portable fashion. Using FiST, stackable file systems need only be described once. FiST's code generation tool, fistgen, compiles a single file system description into loadable kernel modules for several operating systems (currently Solaris, Linux, and FreeBSD). The project demonstrates that with FiST, code size and development time are reduced significantly, while imposing a small performance overhead of only 1-2%. These benefits are achieved, as well as portability, without changing existing operating systems or file systems.

eCryptfs provides advanced key management and policy features. eCryptfs stores cryptographic metadata in the header of each file written, so that encrypted files can be copied between hosts. The file will be decryptable with the proper key, and there is no need to keep track of any additional information aside from what is already in the encrypted file itself.

The eCryptfs layered file system approach also eliminates the need for a dedicated partition, sparse file, or preallocated disk space for the encrypted data. eCryptfs files are written to the administrator's chosen underlying file system, with the total disk capacity available. Since each encrypted file is written to disk as an atomic unit, users can perform per-file incremental encrypted backups to remote storage, something that is impractical and dangerous with block device encryption solutions.

Each encrypted file embeds a unique, randomly generated FEK (file encryption key) in the header, wrapped with a separate, mount-wide FEKEK (file encryption key encryption key). Keys are managed by the Linux kernel keyring, and the encryption is provided by the common ciphers in the kernel.
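The FEK/FEKEK hierarchy described above, together with the self-contained file header from the earlier paragraph, modelled in Python as an added example (this is not eCryptfs code and not from the original page). The 72-byte header layout, `key_id`, the dict standing in for the kernel keyring, and the HMAC-SHA256 keystream used in place of a kernel cipher are all assumptions for illustration; the model has no integrity protection.

```python
import hashlib
import hmac
import os

HEADER_LEN = 72  # assumed layout: key id (8) + wrap nonce (16) + wrapped FEK (32) + data nonce (16)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), NOT what eCryptfs uses.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def key_id(fekek: bytes) -> bytes:
    # Hypothetical identifier stored in the header so the right FEKEK can be looked up.
    return hashlib.sha256(b"key-id" + fekek).digest()[:8]

def encrypt_file(plaintext: bytes, fekek: bytes) -> bytes:
    fek = os.urandom(32)  # unique, random FEK for this file only
    wrap_nonce, data_nonce = os.urandom(16), os.urandom(16)
    wrapped_fek = keystream_xor(fekek, wrap_nonce, fek)  # FEK wrapped under the mount-wide FEKEK
    header = key_id(fekek) + wrap_nonce + wrapped_fek + data_nonce
    return header + keystream_xor(fek, data_nonce, plaintext)

def decrypt_file(blob: bytes, keyring: dict) -> bytes:
    # Everything except the FEKEK itself travels inside the file.
    kid, wrap_nonce = blob[:8], blob[8:24]
    wrapped_fek, data_nonce = blob[24:56], blob[56:HEADER_LEN]
    fekek = keyring.get(kid)
    if fekek is None:
        raise KeyError("keyring holds no FEKEK matching this file's header")
    fek = keystream_xor(fekek, wrap_nonce, wrapped_fek)
    return keystream_xor(fek, data_nonce, blob[HEADER_LEN:])

def demo():
    fekek = os.urandom(32)  # constructed sample key
    doc = b"constructed sample document " * 4
    first, second = encrypt_file(doc, fekek), encrypt_file(doc, fekek)
    other_host_keyring = {key_id(fekek): fekek}  # only the FEKEK was carried over
    return first[HEADER_LEN:] != second[HEADER_LEN:], decrypt_file(first, other_host_keyring) == doc

if __name__ == "__main__":
    print(demo())
```

Because the FEK is random per file, two files with identical contents produce different ciphertext, and a copied file decrypts on any host whose keyring holds the matching FEKEK.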

In terms of per-file key management, eCryptfs takes the methods of PGP (RFC 2440, 1998) and applies them within a file system service in the kernel. eCryptfs employs encryption techniques that have been in common use in the community for over two decades, since Linux kernel version 2.6.19.

eCryptfs is an actual file system. Some other popular disk encryption technologies are not file systems; they are block device encryption layers that provide what appears to be a physical block device to some actual file system. There is no file system logic in these layers. eCryptfs has been well tested on EXT3, and it should work well on other popular local file systems such as JFS, ReiserFS, and so forth.


Ubuntu's initiative to utilize eCryptfs originated in the Ubuntu Server Team's desire to provide an encrypted, private space for administrators without breaking unattended reboots. Typically, full disk encryption blocks the unattended boot process while waiting at a password prompt during startup. This is highly impractical for servers in data centers. Using an eCryptfs PAM (Pluggable Authentication Module), however, the system can load the necessary keys and mount the home directory at login, rather than during boot time.

Command line