Because the ecryptfs-utils package comes hard-coded with some assumptions, such as:
- Your encrypted files are stored in the `~/.Private` directory.
- Your decrypted data will be mounted in the `~/Private` directory.
- Encryption keys are stored in `~/.ecryptfs`.
- The encryption key is just the mount passphrase wrapped (encoded) using your login passphrase, stored in `~/.ecryptfs/wrapped-passphrase`.
- It uses AES with a 16-byte key as the cipher for encrypting data.
Thus, any time you try to mount the eCryptfs using ecryptfs-utils, it asks for your login passphrase to decrypt the wrapped-passphrase file to get the actual mount passphrase, then uses it to mount the filesystem, and that is for a good reason.
It uses your default login passphrase so that you do not have to remember two different passphrases and, more importantly, so that it can auto-mount whenever you log in, as it uses the passphrase you log in with to unlock your Private data, too.
If you leave the mount passphrase blank, it will be replaced with a pretty long random mount passphrase that is hard to guess, thus making your .Private directory more secure, as hackers that have access to it, but not to your wrapped-passphrase, would have to guess the very long random mount passphrase that you do not even have to memorize. The drawback of this technique is that if you lose the wrapped-passphrase file and do not know the real mount passphrase, even you will be unable to access the decrypted data anymore.
In your case, your custom mount passphrase is wrapped with your login passphrase in `~/.ecryptfs/wrapped-passphrase`, and to mount it you enter your login passphrase, but the filesystem is really unlocked using the mount passphrase.
On other machines that do not have a wrapped-passphrase file, it uses the password you supply as the mount password directly, thus it works there.
To encrypt and decrypt data using a custom passphrase, you have at least two options:
Option 1: Using a custom wrapping passphrase
Passing `--nopwcheck` to ecryptfs-setup-private while setting up the private directory will not enforce entering the real login passphrase as the wrapping passphrase; thus issuing:
`$ ecryptfs-setup-private --nopwcheck`
will accept any passphrase you enter after `Enter your login passphrase [******]:`.
For the mount passphrase, you may enter the same password again, or leave it blank to have one generated for you, but if you are afraid of losing the wrapped-passphrase when it is auto-generated, you can issue:
`$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase`
which will print out the real mount passphrase, which you can write down and keep in a safe place in case of emergency.
Option 2: Using low-level mounting
Low-level mounting uses the mount passphrase directly; no wrapping/unwrapping is involved. Issuing
`# mount -t ecryptfs ~/.Private ~/Private`
will present you with an interactive mount. Choose options compatible with ecryptfs-utils unless you know what you are doing; they are as follows:
- key type: passphrase
- passphrase: enter the real mount passphrase (not the wrapping one)
- cipher: AES
- key bytes: 16
- plaintext passthrough: no
- filename encryption: yes
- fnek signature: leave blank (default)
Continue mounting and add the signature to sig-cache.txt if asked to.
Even if the two directories are empty, this command can only effectively work for setting up a new one in those custom directories, but when using it to set up a new encrypted directory it is advised not to use it with the standard Private and .Private directories, so as not to cause incompatibilities with standard ecryptfs-utils auto-mounting.
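The interactive prompts of the low-level mount can be answered up front as mount options, which is useful for scripting the same ecryptfs-utils-compatible choices. The following shell script is an added example and not part of the original answer; the option names are those documented for the ecryptfs mount helper in ecryptfs(7), while the `ecryptfs_opts`, `write_passwd_file` and `mount_private` function names, the directory paths and the temporary passphrase file are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): non-interactive equivalent of
# the low-level "mount -t ecryptfs" above, with the same choices ecryptfs-utils
# would make. Mount option names are those documented in ecryptfs(7);
# directory and passphrase-file paths are assumptions for illustration.

# Build the option string that answers every interactive prompt:
#   key type passphrase, AES, 16-byte key, no plaintext passthrough,
#   filename encryption on (fnek signature derived by the helper, i.e. the
#   "leave blank" default), and no sig-cache.txt prompt.
ecryptfs_opts() {
    passwd_file="$1"
    printf 'key=passphrase,passphrase_passwd_file=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,no_sig_cache' "$passwd_file"
}

# Write the passphrase file the mount helper reads. It expects one line of the
# form "passphrase_passwd=<mount passphrase>". The file holds the real mount
# passphrase in clear, so it is created with mode 0600 (umask set in a
# subshell so the caller's umask is untouched).
write_passwd_file() {
    file="$1"
    passphrase="$2"
    ( umask 077; printf 'passphrase_passwd=%s\n' "$passphrase" > "$file" )
}

# Mount LOWER (encrypted, e.g. ~/.Private) onto UPPER (decrypted, e.g.
# ~/Private) using the passphrase in PASSWD_FILE. Must run as root, like the
# interactive mount in the answer; the passphrase file is removed afterwards
# whether or not the mount succeeded, and the mount's exit status is returned.
mount_private() {
    lower="$1"
    upper="$2"
    passwd_file="$3"
    mount -t ecryptfs "$lower" "$upper" -o "$(ecryptfs_opts "$passwd_file")"
    status=$?
    rm -f "$passwd_file"
    return $status
}

# Usage (as root), with a temporary passphrase file:
#   f=$(mktemp) && write_passwd_file "$f" 'real-mount-passphrase' \
#     && mount_private "$HOME/.Private" "$HOME/Private" "$f"
```

The passphrase passed to `write_passwd_file` is the real mount passphrase (the one `ecryptfs-unwrap-passphrase` prints), not the wrapping one, exactly as in the interactive session. Because `no_sig_cache` suppresses the sig-cache.txt prompt, the helper will not record the key signature there; drop that option if you want the same sig-cache behaviour as the interactive mount.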
See also: eCryptfs - ArchWiki