The default ecryptfs-private settings aren’t quite what I want; they mount automatically on login and invoke some kind of system-magic I don’t understand to hide the encrypted files. Turns out that setting up encrypted directories is pretty darn easy, once you dig through enough of the man pages.
```
mkdir ~/private
chmod 700 ~/private
```
Then, in `/etc/sudoers` (edit it with `visudo`), allow the mount and umount commands without a password. Note that `=` and `,` inside the command arguments must be backslash-escaped in sudoers, and the path must be the expanded path of the directory, not `~`:

```
# Cmnd alias specification
Cmnd_Alias MOUNTPRIVATE = /bin/mount /path/to/private /path/to/private -t \
ecryptfs -o key\=passphrase\,ecryptfs_cipher\=aes\,ecryptfs_key_bytes\=24\,\
ecryptfs_passthrough\=no\,ecryptfs_enable_filename_crypto\=yes\,\
no_sig_cache\=yes
Cmnd_Alias UMOUNTPRIVATE = /bin/umount /path/to/private

# Your username goes here, obviously
aphyr ALL=(ALL) NOPASSWD:MOUNTPRIVATE, UMOUNTPRIVATE
```
Add a pair of aliases to your shell rc file. The continuation lines must not be indented, since any leading whitespace would end up inside the `-o` option string after alias expansion:

```
alias mount_private="sudo mount ~/private ~/private -t \
ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=24,\
ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,\
no_sig_cache=yes"
alias umount_private="sudo umount ~/private"
```
Then just run `mount_private` and enter a passphrase of your choice. You can unmount the directory with `umount_private`. Drop that in your autostart.sh with xenity, unmount it before activating the screensaver, whatever floats your boat.
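As an added example (not part of the original post), here are the two aliases rewritten as shell functions that check `/proc/mounts` and the directory mode before calling mount or umount, so a double mount or a plaintext directory with loose permissions gets refused. The function names `ecryptfs_mounted`, `private_mode_ok` and the mount-table parameter are choices made here; `stat -c '%a'` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post: guarded versions of the
# mount_private / umount_private aliases. The mount-table path is a
# parameter (default /proc/mounts) so the parsing can be exercised
# against a constructed file without root.

# Return 0 if DIR is currently an ecryptfs mount according to MOUNTS_FILE.
# /proc/mounts fields: device mountpoint fstype options dump pass
ecryptfs_mounted() {
  dir=$1
  mounts=${2:-/proc/mounts}
  awk -v d="$dir" \
    '$2 == d && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$mounts"
}

# Return 0 if DIR exists and its mode is exactly 0700, as set up above.
# Assumes GNU stat (-c '%a'); BSD stat uses a different flag.
private_mode_ok() {
  dir=$1
  [ -d "$dir" ] || return 1
  mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
  [ "$mode" = "700" ]
}

# Mount the directory over itself, but only if permissions are right and
# it is not already mounted. Options are the ones from the post's alias.
mount_private() {
  dir=${1:-$HOME/private}
  private_mode_ok "$dir" || { echo "refusing: $dir must be mode 0700" >&2; return 1; }
  if ecryptfs_mounted "$dir"; then
    echo "$dir is already mounted" >&2
    return 0
  fi
  sudo mount "$dir" "$dir" -t ecryptfs -o \
key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=24,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,no_sig_cache=yes
}

# Unmount only if it is actually mounted (safe to call from a screensaver hook).
umount_private() {
  dir=${1:-$HOME/private}
  if ! ecryptfs_mounted "$dir"; then
    echo "$dir is not mounted" >&2
    return 0
  fi
  sudo umount "$dir"
}
```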
I’m not sure how to tell ecryptfs to use a sig cache other than the one in root’s homedir, or how to allow mounting as the regular user without abusing suid. If anyone has suggestions…