From: Eric Biggers <ebiggers@kernel.org>
To: Theodore Ts'o <tytso@mit.edu>
Cc: John Stultz <jstultz@google.com>, Arnd Bergmann <arnd@arndb.de>,
Matthew Wilcox <willy@infradead.org>,
Arnd Bergmann <arnd@kernel.org>, Tyler Hicks <code@tyhicks.com>,
Damien Le Moal <damien.lemoal@opensource.wdc.com>,
ecryptfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: ecryptfs is unmaintained and untested
Date: Tue, 14 Oct 2025 13:35:35 -0700
Message-ID: <20251014203535.GA1916@quark>
In-Reply-To: <20251014143916.GA569133@mit.edu>

On Tue, Oct 14, 2025 at 10:39:16AM -0400, Theodore Ts'o wrote:
> On Mon, Oct 13, 2025 at 11:07:56PM -0700, John Stultz wrote:
> >
> > Yeah. Sadly I'm one, as I needed something to migrate off of when
> > encfs was deprecated.
> >
> > Is there another soon-to-be-deprecated filesystem to encrypt
> > directories I should move to? :)
>
> Well, the closest way of encrypting directories is fscrypt. The good
> news is that it works on top of btrfs, ext4, f2fs, and ubifs, and it's
> not likely to be deprecated given that it is used by chromeos and
> android. The bad news is that the integration with traditional Linux
> desktop setups (e.g., login, etc.) was never completed.

The current set of filesystems that support fscrypt is ext4, f2fs,
ubifs, cephfs, and (out-of-tree) Lustre. btrfs's support for fscrypt is
still under development, I'm afraid. I'm told it's starting to be
worked on again.

While the main user of the fscrypt kernel feature is Android, which has
its own userspace, there's also a userspace tool for general-purpose
Linux distros, also called fscrypt. See
https://github.com/google/fscrypt and
https://wiki.archlinux.org/title/Fscrypt

I've been maintaining the 'fscrypt' userspace tool, and in the past I've
done quite a bit of work to improve it. I also use it to encrypt the
home directory on my personal desktop.

It's true that it really could use some love, though. It's not
something that I've been prioritizing recently, and no one else has
stepped up either. (Compare to eCryptfs where Ubuntu adopted it, and
Canonical stepped up to develop and maintain ecryptfs-tools. That's
just not something that's happened for fscrypt.)

There are other userspace programs that use the fscrypt kernel feature
too, such as systemd-homed and a new one called dirlock:
https://lwn.net/Articles/1038859/

- Eric