Here's how to create this encrypted folder, step by step.
First we install the eCryptfs user-space tools. eCryptfs is a stacked cryptographic filesystem built into the Linux kernel: it encrypts file by file on top of an existing filesystem, is lightweight, reliable and completely open source. On Void Linux we write:
sudo xbps-install -Sy ecryptfs-utils
or if you use Debian or Ubuntu:
sudo apt install ecryptfs-utils
Important: the first time you mount the encrypted vault, eCryptfs will ask a series of questions. These choices define how your data is encrypted, and they must remain identical every time you mount the vault. If even one answer is different, or the passphrase is mistyped, the vault still mounts but the files will not be readable. The exact order of the prompts depends on the ecryptfs-utils version (the key type and passphrase are usually asked first), so read each prompt instead of typing answers blindly. If asked for the key type, choose passphrase.
1. Cipher (encryption algorithm)
Recommended answer: aes. This selects AES; the key size is chosen at the next prompt.
2. Key length (key bytes)
Recommended answer: 32, that is a 256-bit key (AES-256).
3. Plaintext passthrough
Recommended answer: n. Answering y would let unencrypted files placed in the lower directory be read through the vault as if they belonged to it.
4. Filename encryption
Recommended answer: y, so filenames are encrypted as well. If a "Filename Encryption Key (FNEK) Signature" prompt follows, accept the default shown in brackets by pressing Enter.
5. Passphrase
Choose a long, unique passphrase and keep a copy outside the machine (a password manager or paper). There is no recovery: without it the data is gone.
6. Save configuration
Recommended answer: yes. This appends the key signature (an identifier derived from the passphrase, not the passphrase itself) to the signature cache, so that on later mounts eCryptfs can warn you that a passphrase it has never seen before is probably a typo.
Do not store the passphrase itself anywhere on the machine, for example in a desktop keyring or in an unlock script.
Every time you mount the vault, eCryptfs expects these exact settings. With a different cipher or key size the vault mounts but the contents come back as garbage; with a different filename-encryption setting the names do.
Once installed we can create the vault structure with two folders, one that will contain the encrypted data and one that will show the files in clear after mounting. The command is:
mkdir -p ~/.safe_real ~/Private
The first folder is the encrypted one and stays hidden while the second is the visible one and behaves like a normal directory.
Before proceeding it's important to restrict access to both directories. eCryptfs stores one encrypted file per real file, so anyone who can list ~/.safe_real still sees how many files there are, roughly how large they are, and when they were modified, even though contents and names are encrypted. To avoid exposing that metadata we set strict permissions:
chmod 700 ~/.safe_real ~/Private
This ensures that only your user can list or enter the folders, in encrypted or decrypted form. Remember: encryption protects the content, permissions protect the visibility.
Now we create the script that will take care of mounting it. We write:
sudo nano /usr/local/bin/mount-safe
and paste inside this code:
#!/bin/bash
# Mount the eCryptfs vault (answering the interactive prompts as described
# above) and confirm the mount really exists before reporting success.
SOURCE="$HOME/.safe_real"
TARGET="$HOME/Private"
if mountpoint -q "$TARGET"; then
    echo "+ The vault is already mounted."
    exit 0
fi
echo "@ Mounting vault..."
if sudo mount -t ecryptfs "$SOURCE" "$TARGET" && mountpoint -q "$TARGET"; then
    # The files are already yours; this is only a safety net for anything root created.
    sudo chown -R "$USER:$USER" "$TARGET"
    echo "+ Vault opened and ready to use."
else
    echo "! Mount failed, the vault is NOT open." >&2
    exit 1
fi
We save with Ctrl + O and exit with Ctrl + X, then we make the file executable with:
sudo chmod +x /usr/local/bin/mount-safe
This script mounts the vault as root using eCryptfs (so the terminal first asks for your sudo password, then for the eCryptfs questions), checks that the mount really exists before announcing success, and then sets ownership of the mounted tree to your user so that programs like Dolphin or Nautilus can work with it normally. eCryptfs already shows the ownership of the underlying files, which are yours, so the chown is a safety net rather than a requirement.
A note on more complex setups: because eCryptfs keeps one encrypted file per real file, file counts, approximate sizes and timestamps remain visible to anything that can read the lower directory or a copy of it. That includes Btrfs snapshots, which keep historical encrypted versions of files even after you delete them, and any backup of ~/.safe_real. Under LUKS full-disk encryption on an SSD, enabling TRIM/discard additionally reveals which blocks are in use, which hints at how much data the vault holds and when it changes. The content stays encrypted in every case; what leaks is the pattern of use.
Now we create the script to unmount it. A lazy unmount (umount -l) detaches the folder immediately even if a program is still using it, but that program keeps its open files readable until it closes them; the script therefore tries a normal unmount first and uses the lazy one only as a fallback. We write:
sudo nano /usr/local/bin/unmount-safe
and paste:
#!/bin/bash
# Unmount the vault: normal unmount first, lazy only as a fallback.
TARGET="$HOME/Private"
if ! mountpoint -q "$TARGET"; then
    echo "+ No vault mounted."
    exit 0
fi
echo "# Unmounting vault..."
if sudo umount "$TARGET"; then
    echo "+ Vault closed."
elif sudo umount -l "$TARGET"; then
    echo "! Detached lazily: a program still has files open and can read them until it closes them." >&2
else
    echo "! Unmount failed, the vault is still open." >&2
    exit 1
fi
We also save this and make it executable with:
sudo chmod +x /usr/local/bin/unmount-safe
At this point we can already mount the vault with the command:
mount-safe
and unmount it with:
unmount-safe
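As an added example that is not part of this tutorial, the two scripts above can be folded into one command that removes the biggest footgun: instead of answering the eCryptfs questions by hand on every mount, it passes the tutorial's answers as mount options, so they cannot drift between mounts (mount.ecryptfs still asks for the passphrase; if it shows the FNEK signature prompt, accept the default with Enter). It also refuses to run unless both directories are mode 700, checks that an ecryptfs filesystem really is mounted before reporting success, and falls back to a lazy unmount only after listing the processes that block a clean one. The script name `safe`, the `SAFE_SOURCE`/`SAFE_TARGET` overrides and the use of `fuser` (psmisc) and `keyctl` (keyutils) are my assumptions, and the last two are optional. It further assumes that, because mount runs under sudo, the passphrase key ends up in root's user keyring, which is what `close` lists afterwards.

```bash
#!/bin/bash
# safe: open / close / status for the eCryptfs vault, with the mount
# options pinned instead of answered interactively on every mount.
# Added example for this tutorial, not the author's script. Assumes
# ecryptfs-utils; keyctl (keyutils) and fuser (psmisc) are optional.
SOURCE="${SAFE_SOURCE:-$HOME/.safe_real}"   # ciphertext (lower) directory
TARGET="${SAFE_TARGET:-$HOME/Private}"      # cleartext view (mount point)
set -u

# The tutorial's answers, fixed as mount options so they cannot differ from
# one mount to the next (a different cipher or key size leaves the files
# unreadable). mount.ecryptfs still prompts for the passphrase itself.
vault_opts() {
    printf '%s%s' 'key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,' \
                  'ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y'
}

# True when an ecryptfs filesystem is mounted exactly at TARGET
# (checks the fstype too, unlike a bare `mountpoint -q`).
vault_is_mounted() {
    awk -v t="$TARGET" '$2 == t && $3 == "ecryptfs" { f = 1 } END { exit !f }' \
        /proc/self/mounts 2>/dev/null
}

vault_status() { if vault_is_mounted; then echo open; else echo closed; fi; }

# Create both directories if needed and insist on mode 0700: the lower
# directory still reveals file count, sizes and mtimes to anyone who can
# list it, even though contents and names are encrypted.
vault_prepare() {
    local d
    mkdir -p "$SOURCE" "$TARGET" && chmod 700 "$SOURCE" "$TARGET" || return 1
    for d in "$SOURCE" "$TARGET"; do
        [ "$(stat -c %a "$d")" = "700" ] || { echo "! $d is not mode 700" >&2; return 1; }
    done
}

vault_open() {
    vault_prepare || return 1
    if vault_is_mounted; then echo "+ Vault already open at $TARGET"; return 0; fi
    echo "@ Mounting vault (mount.ecryptfs will ask for the passphrase)..."
    sudo mount -t ecryptfs -o "$(vault_opts)" "$SOURCE" "$TARGET"
    # Do not trust the exit status alone: confirm the mount really exists.
    if vault_is_mounted; then
        echo "+ Vault opened at $TARGET"
    else
        echo "! Mount failed; the vault is NOT open" >&2
        return 1
    fi
}

vault_close() {
    if ! vault_is_mounted; then echo "+ No vault mounted"; return 0; fi
    sync
    if sudo umount "$TARGET"; then
        echo "+ Vault closed"
    else
        echo "! Something still holds files open in $TARGET:" >&2
        command -v fuser >/dev/null && fuser -vm "$TARGET"
        # A lazy unmount only hides the mount point; those processes keep
        # reading decrypted data until they close their files.
        sudo umount -l "$TARGET" && echo "! Detached lazily; close those programs" >&2
    fi
    # Assumption: because mount ran under sudo, the passphrase key sits in
    # root's user keyring. Show what is left there so it can be cleared.
    command -v keyctl >/dev/null && sudo keyctl list @u
    ! vault_is_mounted   # success only if nothing is mounted any more
}

# Dispatch only when called with a subcommand, so the functions above can
# also be sourced from another script.
if [ $# -gt 0 ]; then
    case "$1" in
        open)   vault_open ;;
        close)  vault_close ;;
        status) vault_status ;;
        *)      echo "usage: $0 open|close|status" >&2; exit 2 ;;
    esac
fi
```

Save it as /usr/local/bin/safe, make it executable, and point the two desktop entries at `safe open` and `safe close`. If `close` shows `user:` entries in root's keyring after the unmount, `sudo keyctl clear @u` removes them, together with anything else in that keyring, so check the listing before clearing.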
But we want to make everything more convenient and integrated into the desktop, so we add two icons in the GNOME menu, one to open and one to close.
For the mounting one we write:
nano ~/.local/share/applications/MountSafe.desktop
and paste:
[Desktop Entry]
Name=Mount Safe
Exec=sh -c '/usr/local/bin/mount-safe'
Icon=folder-locked
Type=Application
Terminal=true
Categories=Utility;
StartupNotify=true
Then for the unmounting one:
nano ~/.local/share/applications/UnmountSafe.desktop
and paste:
[Desktop Entry]
Name=Unmount Safe
Exec=sh -c '/usr/local/bin/unmount-safe'
Icon=folder-locked
Type=Application
Terminal=true
Categories=Utility;
StartupNotify=true
Once both files are saved we update the cache with:
update-desktop-database ~/.local/share/applications/
Now opening the GNOME menu we'll find two new entries, Mount Safe and Unmount Safe. Clicking Mount Safe opens a terminal that asks for the sudo password and then the eCryptfs passphrase, and the Private folder immediately becomes accessible with our files in clear. When we've finished working we click Unmount Safe and the vault is closed. Keep in mind what a lazy unmount means: the folder disappears from view at once, but a program that still has a file open keeps reading it until it closes the file, so quit your editor or file manager before closing the vault.
Don't fool yourselves, even with this. Be careful. I created the mount and unmount icons precisely to make the process fast, but the folder must stay closed most of the time. Open it only to move or consult files, then close it immediately. If possible, do it with the internet connection disconnected, because if your system were compromised, some program could still access and steal your data while the vault is open. It's a rare eventuality, but a possible one. And you see... reaching one hundred percent security takes a lot, a whole lot. And it's not within the reach of the normal user. Neither yours, nor mine.
While the encrypted vault offers a strong level of protection, there are advanced considerations to be aware of. Filesystem metadata, such as timestamps, file counts and sizes, stays visible to the system and to forensic tools. It does not reveal file contents, but it provides patterns that can be analyzed: when you work, how much you store, how often files change.
On systems using Btrfs with subvolumes or automatic snapshots, encrypted copies of files persist inside older snapshots even after deletion. On SSDs, TRIM/discard tells the drive which blocks are free, which exposes how much space the encrypted data occupies and when it changes, and wear-leveling can leave stale encrypted copies in physical locations you cannot erase. None of these expose content directly, but they expand the footprint of encrypted traces on the disk.
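To make the metadata point concrete, here is an added audit script (mine, not the tutorial's) that reports what someone who can merely list ~/.safe_real learns without any key: the number of files, each file's modification time, a tight range for its plaintext size, and the length of each encrypted filename. The size inference assumes the eCryptfs defaults on 4 KiB-page systems, an 8192-byte metadata header per file followed by 4096-byte data extents; verify this on your own machine by writing a one-byte file into the open vault and checking that its lower file is 12288 bytes. The demo directory and its file names are constructed, not real eCryptfs output.

```bash
#!/bin/bash
# lower-audit: what an observer learns from the ciphertext directory alone.
# Added example, not the tutorial's code. Assumes eCryptfs defaults on
# 4 KiB pages: an 8192-byte header per file, then 4096-byte data extents.
HDR=8192
EXT=4096

# Given a lower (ciphertext) file size, print "min max": the plaintext
# sizes that would produce it. Each data extent holds up to 4096 bytes,
# so the real size is known to within one extent.
plaintext_bounds() {
    local lower=$1 data
    data=$(( lower - HDR ))
    if [ "$data" -le 0 ]; then
        echo "0 0"
    else
        echo "$(( data - EXT + 1 )) $data"
    fi
}

# Number of files: leaks directly, one lower file per vault file.
lower_count() { find "$1" -type f | wc -l | tr -d ' '; }

# Per-file report: mtime, lower size, inferred plaintext size, and the
# name (eCryptfs prefixes encrypted names with ECRYPTFS_FNEK_ENCRYPTED.;
# their length still hints at the length of the real name).
lower_report() {
    local dir=$1 f size mtime name
    find "$dir" -type f | sort | while IFS= read -r f; do
        size=$(stat -c %s "$f")
        mtime=$(stat -c %y "$f" | cut -d. -f1)
        name=${f##*/}
        case "$name" in
            ECRYPTFS_FNEK_ENCRYPTED.*) name="<encrypted name, ${#name} chars>" ;;
        esac
        printf '%s  lower=%-7s plaintext=%s  %s\n' \
            "$mtime" "$size" "$(plaintext_bounds "$size")" "$name"
    done
}

# Constructed demo directory: sizes chosen to look like eCryptfs output,
# names are NOT real encrypted names.
demo() {
    local dir
    dir=$(mktemp -d)
    head -c 8192  /dev/zero > "$dir/ECRYPTFS_FNEK_ENCRYPTED.FWa1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5--"
    head -c 12288 /dev/zero > "$dir/ECRYPTFS_FNEK_ENCRYPTED.FWz9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4j3i2h1g0f9e8d7c6--"
    head -c 73728 /dev/zero > "$dir/notes.txt"   # copied in with filename encryption off
    echo "files: $(lower_count "$dir")"
    lower_report "$dir"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `lower-audit demo` to see the report on the constructed directory, or call `lower_report ~/.safe_real` against your real vault while it is closed. The empty file, the one-extent file and the unencrypted name are each recognisable at a glance, which is exactly why the lower directory must stay mode 700 and out of unencrypted backups.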
If your main system drive is protected with LUKS full-disk encryption, that already shields the entire block device, metadata included, while the machine is off; eCryptfs then works as a second, independent layer that stays locked while you are logged in and the disk is unlocked. Always unmount the vault before suspending, hibernating or shutting down: decrypted pages can sit in the page cache, and with hibernation or unencrypted swap they can be written to disk.
The vault should only be opened when strictly necessary. Keep it closed during web browsing, updates, or any operation that requires an active network connection. Even encrypted data is vulnerable if malicious software compromises your system at the moment the folder is mounted. The safest practice is to disconnect from the internet while accessing sensitive documents.
No solution guarantees absolute protection. Security is a process made of layers, habits, and awareness. This vault is a strong brick, but it is only one piece of your digital fortress.