PSA: Get away from ecryptfs!

I found a USB stick with some encrypted backups on it, and went to see what they were.

1st problem: I can't copy them to the NTFS HDD on this machine, because the ridiculously-long names ecryptfs uses for no good reason exceed the path limit of pretty much every sane filesystem.
Okay, that's no big deal: I'll copy them to the machine that I think they're from.

2nd problem: Try to actually mount the ~/Private directory on that machine, since I'll be comparing against that anyway... ecryptfs fails with "no such directory". Huh? Check ~, all the directories and files needed are there, and clearly fine. WTF?

Much googling around later, I finally find a bug report - from TWO YEARS AGO - about this problem. systemd broke it - no surprise there - but still hasn't fixed it, which is also no surprise. The bug comments thankfully had a workaround, so I did eventually get both that system and the USB decrypted, but holy crap: 2+ years and counting, for a bug with this much impact?! eesh...

The workaround, incidentally, also makes it impossible to UNMOUNT the encrypted data. And thanks to another systemd bug, logging out won't unmount it either. So you're looking at a reboot every time, unless you like the idea of your encrypted data not actually being encrypted, in which case you're kinda probably not using this in the first place. :stuck_out_tongue:
($ keyctl link @u @s, to save you having to waste time hunting it down like I did).

A few years after starting down the ecryptfs path, I switched to using fscrypt instead. This is superior in EVERY way, most notably because it allows you to mount (that is, decrypt) directories at will, including over a network. Encrypted filenames, though still quite substantial, are still well within reasonable ranges, and data can be backed up to USB sticks formatted with almost any filesystem, which is pretty important since data you're going to all the trouble of encrypting is probably data you REALLY don't want to lose.

The USB stick, and that particular machine, are still using ecryptfs simply because of their age. But it's an absolutely terrible idea, in an utterly broken state, and you absolutely should not use it when setting up new machines, and should migrate any use of it that you DO have away from it ASAP.

(If you're interested in the background, ecryptfs was pimped HARD by Dustin Kirkland, who was in charge of Ubuntu Desktop at the time - the job that Wimpy now has, I think - and is also technically the maintainer of the ecrypt packages Ubuntu uses. This bug surfaced while he was still at Canonical (he's since left) but he didn't address it back then and he still hasn't now, over two years later. So that's a good indication of how well supported the package is. If you're still willing to entrust your data to it, well, I wish you luck, but you're just plain crazy. :P)

Seriously, get the hell away from ecryptfs as fast as possible. Because NOBODY is doing even the most basic testing of it, let alone actually maintaining it, and next time around there might not even be a hack that lets you recover your data.