eCryptfs – The Enterprise Cryptographic Filesystem
Chosen by Canonical to keep home folders secure, does eCryptfs deliver on its promise?
At first glance, eCryptfs has plenty to recommend it: it’s already been chosen as the standard encryption solution for keeping home directories private by no lesser entities than Canonical for Ubuntu and Google for Chrome OS, among others. Derived from Erez Zadok’s Cryptfs, eCryptfs is a file-system – rather than block – level encryption solution which has been part of the mainline kernel since 2.6.19.
Setup is easy enough: to manage your encrypted storage you simply install ecryptfs-utils, which provides the capabilities required to create, mount, and manage a full file-system level encryption system.
Setting the software up is also straightforward: create a directory which you want to be encrypted, and mount it as the type ‘ecryptfs.’ As a file-system level encryption solution, that’s all that’s required: if it’s the first time that you’ve used that directory as an encryption target, you’ll be taken to a wizard that walks you through the software’s various configuration options. While the defaults are mostly acceptable, it’s advisable to enable file name encryption to help prevent information leakage – although this does carry a small performance penalty over leaving the file names visible.
Unlike encfs, eCryptfs allows you to specify the same directory as both the mount point and the device – meaning you can have a single directory which holds the encrypted files and then provides their contents when properly mounted.
Unlike LUKS, however, there’s no support for doing so quickly and easily in a GUI – although add-on packages for Nautilus are available for automatically mounting an eCryptfs directory.
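The setup described above, as an added example that is not from the review or the eCryptfs project: a helper that mounts a directory onto itself with file name encryption turned on (it needs root and the ecryptfs module, so it is defined but not run stand-alone), and an audit that reads /proc/mounts-style data and flags any eCryptfs mount still exposing plain file names. The audit assumes the kernel reports ecryptfs_fnek_sig= for such mounts and also accepts ecryptfs_enable_filename_crypto=y; the sample mounts data and key signatures are constructed.

```shell
#!/bin/sh
# Added example, not from the review or the eCryptfs project.

# Mount DIR onto itself (source and mount point are the same directory, as the review
# describes) with file name encryption enabled. Needs root and the ecryptfs kernel module,
# so it is defined here but not invoked in the stand-alone run. Options are those accepted
# by mount.ecryptfs(8); the helper will prompt for the passphrase.
ecryptfs_mount_private() {
    dir="$1"
    mount -t ecryptfs "$dir" "$dir" \
        -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_enable_filename_crypto=y,ecryptfs_passthrough=n
}

# Audit: print "<mount point> <status>" for every ecryptfs entry in a /proc/mounts-style file
# (default /proc/mounts). Status is FNEK when file name encryption is on, PLAIN-NAMES when
# the mount still exposes file names. Assumption: a mount with file name encryption shows
# ecryptfs_fnek_sig= in its options (ecryptfs_enable_filename_crypto=y is accepted too).
ecryptfs_fnek_audit() {
    mounts_file="${1:-/proc/mounts}"
    awk '$3 == "ecryptfs" {
            status = "PLAIN-NAMES"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^ecryptfs_fnek_sig=/ || opts[i] == "ecryptfs_enable_filename_crypto=y")
                    status = "FNEK"
            print $2, status
        }' "$mounts_file"
}

# Exit status 0 only if no ecryptfs mount in the file exposes plain file names.
ecryptfs_all_fnek() {
    ! ecryptfs_fnek_audit "$1" | grep -q 'PLAIN-NAMES$'
}

# Constructed sample of /proc/mounts content (not a real capture; signatures are made up).
# The first ecryptfs entry was mounted without file name encryption, the second with it.
SAMPLE_MOUNTS="$(mktemp)"
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/alice/Private /home/alice/Private ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
/srv/.vault /srv/vault ecryptfs rw,relatime,ecryptfs_sig=fedcba9876543210,ecryptfs_fnek_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0
EOF

ecryptfs_fnek_audit "$SAMPLE_MOUNTS"
ecryptfs_all_fnek "$SAMPLE_MOUNTS" || echo "WARNING: some eCryptfs mounts expose plain file names"
```

Run without an argument on a live system to audit the real /proc/mounts instead of the constructed sample.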
For more advanced users, there is one key point of eCryptfs that may cause issues: as a stacked file system it adds its own frames to the existing call stack, and when it is layered over certain file systems – including XFS – this can result in a stack overflow. It’s not an issue that most users will encounter, but it’s one that may spell the difference between implementing eCryptfs and opting for an alternative.
Sadly, the user space nature of eCryptfs rears its head in another way: performance. Compared to dm-crypt via LUKS or TrueCrypt, eCryptfs results in an impressive performance penalty. Small file performance on our test system dropped to around 10MB/s from around 28MB/s, and while the performance penalty was less pronounced with a single large file it was still noticeable. Users with more impressive hardware will find the performance better, but eCryptfs is a poor choice for slower systems.
Linux User Verdict
On most distributions, the installation of a single package is enough to start using eCryptfs.
There are plenty of options in eCryptfs for tuning performance and security, and files are transferable between hosts.
Ease of use: 8/10
Setup is easy, but the software could benefit from better integration with the GUI.
Sadly, eCryptfs does result in a not-inconsiderable performance hit, although this will be lessened on more powerful systems.
The ease of creating eCryptfs file systems makes it a handy package, but the performance penalty is severe.