{"id":36980876,"url":"https://github.com/iqb/ecryptfs","last_synced_at":"2026-01-13T22:50:40.418Z","repository":{"id":56993276,"uuid":"107619396","full_name":"iqb/ecryptfs","owner":"iqb","description":"Userland EcryptFS library written in PHP","archived":false,"fork":false,"pushed_at":"2020-04-03T12:40:08.000Z","size":118,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-04-19T14:43:51.352Z","etag":null,"topics":["crypto","ecryptfs","php"],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iqb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-10-20T01:55:40.000Z","updated_at":"2020-08-02T03:11:39.000Z","dependencies_parsed_at":"2022-08-21T10:40:39.837Z","dependency_job_id":null,"html_url":"https://github.com/iqb/ecryptfs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/iqb/ecryptfs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iqb%2Fecryptfs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iqb%2Fecryptfs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iqb%2Fecryptfs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iqb%2Fecryptfs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iqb","download_url":"https://codeload.github.com/iqb/ecryptfs/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iqb%2Fecryptfs/sbom","scorecard"
:null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28402159,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-13T14:36:09.778Z","status":"ssl_error","status_checked_at":"2026-01-13T14:35:19.697Z","response_time":56,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crypto","ecryptfs","php"],"created_at":"2026-01-13T22:50:39.696Z","updated_at":"2026-01-13T22:50:40.411Z","avatar_url":"https://github.com/iqb.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"Userland EcryptFS library written in PHP\n========================================\n\n[![Build Status](https://travis-ci.org/iqb/ecryptfs.png?branch=master)](https://travis-ci.org/iqb/ecryptfs)\n[![Scrutinizer Score](https://scrutinizer-ci.com/g/iqb/ecryptfs/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/iqb/ecryptfs)\n[![Code Coverage](https://scrutinizer-ci.com/g/iqb/ecryptfs/badges/coverage.png?b=master)](https://scrutinizer-ci.com/g/iqb/ecryptfs)\n[![Software License](https://img.shields.io/badge/License-LGPL%20V3-brightgreen.svg?style=flat-square)](LICENSE)\n\n[EcryptFS](http://ecryptfs.org/) is a Linux file system that allows you to encrypt your files (and filenames).\nIt is part of the Linux Kernel and is used e.g. 
by Ubuntu to encrypt users' home directories.\n\nEcryptFS uses two (possibly different) keys for encryption:\n- the FNEK (File Name Encryption Key) for encrypting/decrypting file names\n- the FEKEK (File Encryption Key Encryption Key) for encrypting/decrypting the file-specific random key the file contents are encrypted with\n\nBy default, these two keys are derived from a passphrase.\n\nEncrypting/Decrypting file names\n--------------------------------\n\nEncrypted file names start with the prefix `ECRYPTFS_FNEK_ENCRYPTED.` followed by the encrypted original file name.\nE.g. `ECRYPTFS_FNEK_ENCRYPTED.FWayVrRYlN446EY.WUc7GBFqG9GB6qF3eRmJZ7NYS7ANeS4Gfi9c34ZDTU--` decrypts to `loremipsum.txt` if you use the passphrase `test`.\n\nThe code for encrypting and decrypting file names looks like this:\n\n```php\n\u003c?php\n    require_once(__DIR__ . '/vendor/autoload.php');\n    \n    $passphrase = 'test';\n    // We need to derive the File Name Encryption key from the passphrase        \n    $fnek = \\Iqb\\Ecryptfs\\Util::deriveFNEK($passphrase);\n    // We need a crypto engine to do the work (currently only OpenSSL)\n    $cryptoEngine = new \\Iqb\\Ecryptfs\\OpenSslCryptoEngine();\n    \n    $filename = 'loremipsum.txt';\n    $encryptedFilename = \\Iqb\\Ecryptfs\\Util::encryptFilename($cryptoEngine, $filename, $fnek);\n    // Should output 'ECRYPTFS_FNEK_ENCRYPTED.FWayVrRYlN446EY.WUc7GBFqG9GB6qF3eRmJZ7NYS7ANeS4Gfi9c34ZDTU--'\n    echo $encryptedFilename, PHP_EOL;\n                     \n    // And the reverse operation should return the original file name\n    if (\\Iqb\\Ecryptfs\\Util::decryptFilename($cryptoEngine, $encryptedFilename, $fnek) !== $filename) {\n        throw new \\RuntimeException(\"Decryption error\");\n    }\n    \n    // You can test whether a file name is encrypted or not by using the isEncryptedFilename method.\n    // But this method will just check the prefix of the filename (but works even if the file name contains a directory):\n    if 
(\\Iqb\\Ecryptfs\\Util::isEncryptedFilename(\\realpath($encryptedFilename))) {\n        echo $encryptedFilename, \" is an encrypted filename\", PHP_EOL;        \n    }\n    \n    if (!\\Iqb\\Ecryptfs\\Util::isEncryptedFilename($filename)) {\n        echo $filename, \" is not an encrypted filename\", PHP_EOL;        \n    }\n```\n\n        \nDecrypting file content\n-----------------------\n\nFile decryption has only basic support currently.\nDecryption is handled via the stream wrapper `ecryptfs://`.\nThe File Encryption Key Encryption Key (FEKEK) is derived from the supplied passphrase.\n\n```php\n\u003c?php\n    require_once(__DIR__ . '/vendor/autoload.php');\n    \n    // The passphrase to use\n    $passphrase = 'test';\n    \n    // We must pass it as a stream context\n    $context = \\stream_context_create([\n        'ecryptfs' =\u003e [\n            'passphrase' =\u003e $passphrase,\n        ]\n    ]);\n    \n    // alternatively we could use constants to avoid typos:\n    $context = \\stream_context_create([\n        \\Iqb\\Ecryptfs\\StreamWrapper::STREAM_NAME =\u003e [\n            \\Iqb\\Ecryptfs\\StreamWrapper::CONTEXT_PASSPHRASE =\u003e $passphrase,\n        ]\n    ]);\n    \n    // This will print some lorem ipsum text\n    echo \\file_get_contents('ecryptfs://' . __DIR__ . '/tests/data/encrypted/ECRYPTFS_FNEK_ENCRYPTED.FWayVrRYlN446EY.WUc7GBFqG9GB6qF3eRmJZ7NYS7ANeS4Gfi9c34ZDTU--', null, $context), PHP_EOL;\n```\n\nEverything after the `ecryptfs://` and the stream context is passed to `fopen()` so you can access encrypted files with all available stream wrappers in PHP.\n\nIf you don't have a file but an open resource (e.g. a file opened via HTTP by Guzzle), you can pass the resource via the stream context:\n\n```php\n\u003c?php\n    require_once(__DIR__ . 
'/vendor/autoload.php');\n    \n    // The passphrase to use\n    $passphrase = 'test';\n    \n    // Open the file directly or use a handle from somewhere else:\n    $stream_resource = \\fopen(__DIR__ . '/tests/data/encrypted/ECRYPTFS_FNEK_ENCRYPTED.FWayVrRYlN446EY.WUc7GBFqG9GB6qF3eRmJZ7NYS7ANeS4Gfi9c34ZDTU--', 'r');\n    \n    // And pass the stream resource via the stream context\n    $context = \\stream_context_create([\n        \\Iqb\\Ecryptfs\\StreamWrapper::STREAM_NAME =\u003e [\n            \\Iqb\\Ecryptfs\\StreamWrapper::CONTEXT_PASSPHRASE =\u003e $passphrase,\n            \\Iqb\\Ecryptfs\\StreamWrapper::CONTEXT_STREAM =\u003e $stream_resource,\n        ]\n    ]);\n    \n    // This will print some lorem ipsum text\n    // Everything after the 'ecryptfs://' is ignored\n    echo \\file_get_contents('ecryptfs://', null, $context), PHP_EOL;\n```\n\nLimitations\n-----------\n\n- Seeking in the decrypted file content is not supported yet\n- Encrypting files is not possible yet\n- Currently only AES (with 128 and 256 bits) is fully supported\n- AES with 192 bits only works for file names (due to limitations in the original EcryptFS kernel implementation)\n- If the randomly generated file encryption key (FEK) is available for decryption with multiple FEKEKs (as is theoretically possible in the EcryptFS file header but not used AFAIK), only the first packet is tried. If it was encrypted with another FEKEK, the decryption will fail.  \n\nCompatibility\n-------------\n\nTo test compatibility with your specific version of EcryptFS just run the test suite with PHPUnit.\nThe IntegrationTest class creates real EcryptFS mounts and writes files to the mounts to verify the functionality.\nThat requires that the EcryptFS utilities package (e.g. ecryptfs-utils in Debian/Ubuntu) is installed and the tests\nare run by root or sudo is executable without a password. 
\n\nThe library is developed on Debian Stretch with Kernel 4.9 but is at least compatible with the EcryptFS versions in Debian Jessie; the CI tests run on Ubuntu AFAIK.\nThe EcryptFS on-disk format seems pretty stable, so the chances of incompatibilities with future kernel versions are quite slim.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiqb%2Fecryptfs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fiqb%2Fecryptfs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiqb%2Fecryptfs/lists"}