Using ecryptfs on Windows

The Why

Why might you want to use ecryptfs on Windows?

This guide is mostly for those who already actively use ecryptfs on Linux and need to access some of the encrypted files on Windows without the hassle of migrating to a new file system. If you are just starting with filesystem encryption, consider gocryptfs and cppcryptfs instead.

Why is it difficult?

Ecryptfs is a Linux kernel module. That's the only version of ecryptfs that's available; nobody ever ported it to Windows.

The How

The answer to "how?" is WSL2. Windows Subsystem for Linux, or WSL, has been available for a while, but the first version of it didn't really run Linux. Instead it was an API translation layer provided by Microsoft, which made it possible to run some, but not all, Linux software. WSL2 takes a different approach - it is essentially a lightweight virtual machine running a real Linux kernel. Well, a real-ish Linux kernel. It's Microsoft's fork of the Linux kernel, patched for tighter integration with the VM. This kernel is capable of running ecryptfs, but that doesn't happen out of the box - some effort will be required.

Let's get started

First you will need a WSL2 VM if you don't already have one. Just follow Microsoft's instructions and get back here when you're ready.

The not-so-secret sauce

Now that you have a WSL2 VM you may try mounting an ecryptfs folder. You will however discover that it doesn't work. Let's fix that.

Remember the good old days when everyone had to build their own kernel? Well, it's time to dust off that long-forgotten skill. Open your WSL2 VM's shell and run these commands:

sudo apt install build-essential flex bison libssl-dev libelf-dev git dwarves python3 bc

git clone https://github.com/microsoft/WSL2-Linux-Kernel.git

cd WSL2-Linux-Kernel/

cp Microsoft/config-wsl .config

Now open this .config file with your favorite text editor and find the line that looks like this:

# CONFIG_ECRYPT_FS is not set

At this point you know what to do, but for the sake of completeness I'm going to write it down. Change the line you've just found to

CONFIG_ECRYPT_FS=y

Now save the file and start the build process:

make -j $(nproc)

If the build succeeds, at the end of the output from the make command you will see the path to the file with your freshly built kernel.

Using the \\wsl$ share, copy your new kernel to some location outside your Linux VM.

Now create a file named .wslconfig in your Windows home directory, or edit the existing one. You need this file to contain the following:

[wsl2]
kernel=C:\\Path\\to\\your\\kernel

Obviously you need to replace the path in the example above with the actual path to the copy of your kernel outside the VM. Note that the backslashes have to be doubled.

The only thing that's left now is to restart your WSL2 VM. Open PowerShell and type:

wsl --shutdown

That's it! If you haven't run into any unexpected obstacles, you should now be able to use ecryptfs in your WSL2 VM. And Windows can access your files using the \\wsl$ share.
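
An added example, not part of the original guide: a shell script that makes the .config change described above without hand-editing and, after the restart, checks that the running kernel actually registered ecryptfs. The function names and the sample config excerpt are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Report CONFIG_ECRYPT_FS in a kernel config file: builtin | module | disabled | absent
ecryptfs_state() {
    if   grep -q '^CONFIG_ECRYPT_FS=y$' "$1"; then echo builtin
    elif grep -q '^CONFIG_ECRYPT_FS=m$' "$1"; then echo module
    elif grep -q '^# CONFIG_ECRYPT_FS is not set$' "$1"; then echo disabled
    else echo absent
    fi
}

# The edit from the guide: force CONFIG_ECRYPT_FS=y. The patterns end at "=" or at
# " is not set", so sibling options such as CONFIG_ECRYPT_FS_MESSAGING are untouched.
enable_ecryptfs() {
    tmp="$1.tmp.$$"
    awk '
        /^CONFIG_ECRYPT_FS=/ || /^# CONFIG_ECRYPT_FS is not set$/ {
            if (!done) print "CONFIG_ECRYPT_FS=y"
            done = 1; next
        }
        { print }
        END { if (!done) print "CONFIG_ECRYPT_FS=y" }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# After the VM restart: succeeds only if the running kernel registered ecryptfs.
# Reads /proc/filesystems unless another file is given.
kernel_has_ecryptfs() {
    awk '$NF == "ecryptfs" { found = 1 } END { exit !found }' "${1:-/proc/filesystems}"
}

# Constructed sample: a three-line excerpt in kernel .config syntax.
sample_config() {
    printf '%s\n' 'CONFIG_EXT4_FS=y' '# CONFIG_ECRYPT_FS is not set' \
        '# CONFIG_ECRYPT_FS_MESSAGING is not set'
}

# Real use: run from WSL2-Linux-Kernel/ with the config file as the argument.
if [ "$#" -ge 1 ]; then
    enable_ecryptfs "$1"
    echo "CONFIG_ECRYPT_FS in $1: $(ecryptfs_state "$1")"
    if kernel_has_ecryptfs; then
        echo "running kernel: ecryptfs available"
    else
        echo "running kernel: ecryptfs not registered (stock kernel still booted?)"
    fi
fi
```

Before the build the second check is expected to fail; it only passes once the VM has been restarted on the new kernel.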