The default ecryptfs-private settings aren’t quite what I want; they mount automatically on login and invoke some kind of system-magic I don’t understand to hide the encrypted files. Turns out that setting up encrypted directories is pretty darn easy, once you dig through enough of the man pages.
Pick a directory
mkdir ~/private
chmod 700 ~/private
Add the mount command to sudoers for passwordless mounts
# Cmnd alias specification
# Use the absolute path of the directory (what ~/private expands to): sudo
# matches the command line literally, so it must equal what the alias runs.
Cmnd_Alias MOUNTPRIVATE = /bin/mount /path/to/private /path/to/private -t \
ecryptfs -o key\=passphrase\,ecryptfs_cipher\=aes\,ecryptfs_key_bytes\=24\,\
ecryptfs_passthrough\=no\,ecryptfs_enable_filename_crypto\=yes\,\
no_sig_cache\=yes
Cmnd_Alias UMOUNTPRIVATE = /bin/umount /path/to/private
# Your username goes here, obviously
aphyr ALL=(ALL) NOPASSWD:MOUNTPRIVATE, UMOUNTPRIVATE
Set up that mount command in .bash_aliases
alias mount_private="sudo mount ~/private ~/private -t \
ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=24,\
ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,\
no_sig_cache=yes"
alias umount_private="sudo umount ~/private"
Then just run mount_private and enter a passphrase of your choice. You can unmount the directory with umount_private. Drop that in your autostart.sh with xenity, unmount it before activating the screensaver, whatever floats your boat.
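The two aliases above as shell functions, an added example that is not part of the original post: the option string lives in one place so the sudoers Cmnd_Alias and the alias cannot drift apart, the mount refuses to run twice or onto a directory that is not mode 700, and sudoers_line prints the escaped Cmnd_Alias for you. PRIVATE_DIR, the function names and the optional mount-table argument of is_mounted are assumptions.

```shell
# Added example, not from the original post. PRIVATE_DIR, the function names
# and is_mounted's optional mount-table argument are assumptions.
PRIVATE_DIR="${PRIVATE_DIR:-$HOME/private}"

# The ecryptfs options from the post, kept in exactly one place.
ecryptfs_opts() {
    printf '%s' 'key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=24,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,no_sig_cache=yes'
}

# sudoers requires ',', '=' and '\' in command arguments to be backslash-escaped.
sudoers_escape() {
    printf '%s' "$1" | sed 's/[,=\\]/\\&/g'
}

# Print the Cmnd_Alias line for the absolute directory path given as $1.
sudoers_line() {
    printf 'Cmnd_Alias MOUNTPRIVATE = /bin/mount %s %s -t ecryptfs -o %s\n' \
        "$1" "$1" "$(sudoers_escape "$(ecryptfs_opts)")"
}

# True if $1 is currently an ecryptfs mount point. The mount table defaults to
# /proc/mounts; $2 lets a caller pass a constructed table for testing.
is_mounted() {
    awk -v d="$1" '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

mount_private() {
    if is_mounted "$PRIVATE_DIR"; then
        echo "already mounted: $PRIVATE_DIR" >&2
        return 1
    fi
    # Refuse to mount onto a directory other users can read (the post sets 700).
    if [ "$(stat -c %a "$PRIVATE_DIR")" != 700 ]; then
        echo "$PRIVATE_DIR is not mode 700; fix with chmod 700" >&2
        return 1
    fi
    sudo mount "$PRIVATE_DIR" "$PRIVATE_DIR" -t ecryptfs -o "$(ecryptfs_opts)"
}

umount_private() {
    if ! is_mounted "$PRIVATE_DIR"; then
        echo "not mounted: $PRIVATE_DIR" >&2
        return 1
    fi
    sudo umount "$PRIVATE_DIR"
}
```

Source the file from .bash_aliases and call mount_private / umount_private; sudoers_line "$HOME/private" prints the Cmnd_Alias to paste into sudoers.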
I’m not sure how to tell ecryptfs to use a sig cache other than the one in root’s homedir, or how to allow mounting as the regular user without abusing suid. If anyone has suggestions…