I have to say it's quite a bit of work, especially manually changing UUID on fstab. Do you prioritize having OS with all application and files in any condition over convenience offered by backup software (such as timeshift)?
No offence, but after trying to recover a system state with timeshift once and getting left with an unbootable system, I do not want to try it again. IMHO, timeshift is not worth anything, and the same goes for Mint that has timeshift as a pre-installed application; Mint that embraces MS concepts, like not being able to exclude certain updates.
No offense taken, timeshift isn't a great tool for those who can use rsync directly and know a bit about the Linux directory structure. IMO timeshift is worth it for a newbie (who uses the default partition configuration without LVM/LUKS) or lazy users (who know how to restore the OS manually if timeshift breaks something).
Changing UUIDs in /etc/fstab is just copying and pasting three strings, and nano editor is very easy to use, especially since I use a persistent (customizable) live USB, which you can create in debian based distros with https://help.ubuntu.com/community/mkusb.
I know it's easy, but it's annoying especially if you use LVM, LUKS or both of them.
LUKS will only benefit you if someone like your local police department physically takes the hard drive out of the computer and takes it away. It's more likely to give you headaches with data recovery because restoring LUKS partitions is convoluted. A single bad modification to the partition can cause total data loss, which you do not want to deal with on a disk with wallet.dat files.
That's exactly the sort of thing I can live without!!
Simple systems have the advantage of being used more often, while more complicated processes tend to fall by the wayside. Using gocryptfs is not only simple, it’s also secure. Simplicity without security wouldn’t be worthwhile.
I haven't used LVM (yet). When I started my current Linux project I was (and still am) afraid of losing mission critical data with LVM. To be honest, I have to do some additional learning concerning LVM. I might try it in a future project without grouping physical volumes.
At the moment I use gpt partitioning with ext4 partitions.
Haven't tried LUKS either or any other block device encryption (yet). To this respect I am also worried about an additional point of failure, possible increase of hardware wear, ...
For now I like the simplicity of a stacked FS, and the option of having certain folders encrypted, while actually operating the system.
Having said all that, I am always open to new ideas and reconsidering my points of view.
I guess that you can make this a "wrapper" around Electrum in the sense that you make a script that installs gocryptfs, fuse and other dependencies, another script that decrypts the wallets folder before Electrum starts and encrypts it back again after it quits, and then a third script which you can use while Electrum is running to back up the wallet files, the gocryptfs keys, etc?
This all seems too complicated to merge into Electrum itself but it makes for a great implementation when coupled with a custom live ISO image.
Rsync options cannot fit in a gui in any sane way. Using a gui for critical tasks is way more dangerous than the cli. There's a reason why Ubuntu will not let you edit files as root in a gui text editor any more.
Wallets definitely sound like important data to me. Does this mean we're also going to have an offline wallet backup stashed away somewhere on an external disk or USB?
If you decide to use gocryptfs for any data, there is a gocryptfs.conf file that you have to back up in case it gets corrupted, or you can use the masterkey instead.
My concept to avoid being sorry as much as possible is make copies, copies, copies ...
I always have 3 bootable OSs with all their programs (home dir, etc) on my hard disk. I also have 2 external disks and each one has another 3 copies of the complete OS with everything. So at any given time I have 9 copies of everything that I try to update 3 times per month.
Every time I update, I boot a different clone just to make sure everything works. By the way you can copy the OS partition without losing any file attributes from anywhere with
Only if you pass the gocryptfs -allow_other option can root access the fuse mount, otherwise it's impossible, and as you see, it requires additional config to achieve this.
That's great.
But what happens if Electrum won't start for some reason (or your computer dies) and you must manually copy the wallet file somewhere else?
It looks like each wallet file is encrypted by itself, so now there's an AES-encrypted file that you somehow have to decrypt before you can open it.
How can the wallet be decrypted in such cases? I have read from the tool website that there is a master key which allows for access but I'm not quite sure how to use it off-line if it's only printed at mount time:
The old principle still applies: Important data should have a backup. Also, keep a copy of your master key (printed on mount) in a safe place. This allows you to access the data even if the gocryptfs.conf config file is damaged or you lose the password.
Wallets definitely sound like important data to me. Does this mean we're also going to have an offline wallet backup stashed away somewhere on an external disk or USB?
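One way to use the master key offline, as asked above (an added example, not from any poster or from the gocryptfs project): validate the hand-copied key, then mount a copy of the cipherdir read-only with `-masterkey=stdin`. The function names and the sample key in the comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: recover a copied gocryptfs cipherdir with the master key
# when the password or gocryptfs.conf is lost. Names here are hypothetical.

# Turn a hand-copied master key (hex groups joined by dashes, possibly
# wrapped over several lines) into a single line and check that it holds
# exactly 64 hex digits (256 bits) before it is used for a mount.
# Constructed sample input:
#   00112233-44556677-8899aabb-ccddeeff-
#   00112233-44556677-8899AABB-ccddeeff
normalize_masterkey() {
    key=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    hex=$(printf '%s' "$key" | tr -d '-')
    case "$hex" in
        ""|*[!0-9a-f]*) echo "master key is empty or not hex" >&2; return 1 ;;
    esac
    [ "${#hex}" -eq 64 ] || { echo "expected 64 hex digits, got ${#hex}" >&2; return 1; }
    printf '%s\n' "$key"
}

# Mount read-only with the master key instead of the password. The key is
# passed on stdin so it does not appear in the process list or shell history.
# The config file is bypassed, so a filesystem created with non-default
# options needs those options repeated on this command line.
recover_mount() {   # usage: recover_mount <cipherdir> <mountpoint> <masterkey>
    key=$(normalize_masterkey "$3") || return 1
    printf '%s\n' "$key" | gocryptfs -ro -masterkey=stdin "$1" "$2"
}
```

Work on a copy of the cipherdir and unmount with `fusermount -u <mountpoint>` once the wallet files have been copied out.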
Fusermount(1) Filesystem in Userspace (FUSE) is a simple interface for userspace programs to export a virtual filesystem to the Linux kernel. It also aims to provide a secure method for non privileged users to create and mount their own filesystem implementations.
-allow_other By default, the Linux kernel prevents any other user (even root) to access a mounted FUSE filesystem. Setting this option allows access for other users, subject to file permission checking. Only works if user_allow_other is set in /etc/fuse.conf. This option is equivalent to "allow_other" plus "default_permissions" described in fuse(8).
Only if you pass the gocryptfs -allow_other option can root access the fuse mount, otherwise it's impossible, and as you see, it requires additional config to achieve this.
Like any file system that's mounted with fusermount, this will require root access each time the folder is mounted when Electrum is started. Electrum currently doesn't need root permissions so making it request for its password or your own password if you use sudo opens up an additional vulnerability in that if your Electrum is boobytrapped, hackers will also have your OS password (as well as all your bitcoin), and can also do stuff like spawning a remote shell.
Make sure to pick a somewhat random password (no sentences, words, special dates, etc..). 16 chars is already a pretty good length. Depending on the charset, this should be sufficient already.
I use passwords with a lot of special chars that don't make any sense.
A somewhat modern system won't get slowed down much by full disk encryption. The bottleneck most likely still will be the disk itself, instead of the additional operations required for encrypting/decrypting. But this obviously completely depends on your actual system.
I use ubuntu 20.04 lts. The disk has many partitions with OS clones, KVM virtual machines .... I am afraid, based on my current skills, to complicate things any further.
Thanks, I'll do as you suggest! I have a wallet password that is 16 chars long, I'll add a few more chars to it.
No problem
For the moment I prefer a hybrid solution, as it does not slow the system down, and as I am a newbie with encryption systems, I am afraid I might ruin my whole OS installation.
If that's your concern, you better encrypt the whole disk/partition rather than a specific directory. If you only encrypt a specific directory, the thief can still access your personal data (e.g. browsing history) and log files (could be used to analyze your behavior).
For the moment I prefer a hybrid solution, as it does not slow down the system, and being a newbie with encryption systems, I am afraid I might ruin my whole OS installation.
A different attack vector is if the laptop is stolen.
Well, this also falls under unauthorized access.
As long as the encryption is strong (strong algorithm, good implementation and strong passphrase), you are fine. Regardless of whether you use the electrum built-in encryption (which is AES-256 btw), or any external encryption software.
Electrum's built-in password protection is already an encryption, no further encryption mechanisms required.
It is not a bad idea. But if it is against unauthorized system access, you might as well just set an electrum password. Electrum encrypts all the sensitive data with a key derived from your password. Use a strong enough passphrase, and you are fine. You don't need to use any external encryption (or even 2 encryption schemes).
Or are you concerned about a different attack vector? If it is just against unauthorized access, the electrum password is fine as long as you don't write it down on a piece of paper and stick it onto the monitor.
Move the directory wallets into a cipherdir, the lower directory, create an empty wallets directory at ~/.electrum/, the upper directory, where we mount the cipherdir before accessing our wallets and unmount the cipherdir after we close our wallets, with fusermount.
I've used gocryptfs for some weeks now, first on trivial data, and now on important data without any problems so far. It has a
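The setup described above (wallets moved into a cipherdir, mounted on an empty `~/.electrum/wallets` before use, unmounted with fusermount afterwards), combined with the wrapper-script idea raised earlier in the thread, as an added example that is not from any poster. The cipherdir path, the `start` argument and the `electrum` command name are assumptions, and the cipherdir must already have been created with `gocryptfs -init`.

```shell
#!/bin/sh
# Added example: run Electrum with its wallets folder backed by gocryptfs.
# Both paths are assumptions; override them through the environment.
CIPHERDIR="${CIPHERDIR:-$HOME/.electrum/wallets.cipher}"  # lower dir (encrypted)
MOUNTPOINT="${MOUNTPOINT:-$HOME/.electrum/wallets}"       # upper dir (plaintext view)

# Run a command, or only print it when DRY_RUN=1 (to review the steps first).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Refuse to continue unless the cipherdir is initialised and the mountpoint
# is an empty directory. A non-empty mountpoint means plaintext wallet files
# were left behind, or a previous mount is still active.
preflight() {
    [ -f "$CIPHERDIR/gocryptfs.conf" ] || { echo "no gocryptfs.conf in $CIPHERDIR" >&2; return 1; }
    [ -d "$MOUNTPOINT" ] || { echo "$MOUNTPOINT is not a directory" >&2; return 1; }
    [ -z "$(ls -A "$MOUNTPOINT")" ] || { echo "$MOUNTPOINT is not empty" >&2; return 1; }
}

# Both commands run as the current user, no sudo; gocryptfs asks for the
# filesystem password itself, so this script never sees it.
mount_wallets()   { run gocryptfs "$CIPHERDIR" "$MOUNTPOINT"; }
unmount_wallets() { run fusermount -u "$MOUNTPOINT"; }

main() {
    preflight || return 1
    mount_wallets || return 1
    # Unmount when the script exits, including after Ctrl-C or termination,
    # so the plaintext view disappears as soon as Electrum is closed.
    trap 'exit 1' INT TERM
    trap unmount_wallets EXIT
    run electrum "$@"
}

# Only act when called as: wrapper.sh start [electrum arguments]
if [ "${1:-}" = "start" ]; then shift; main "$@"; fi
```

Running it with `DRY_RUN=1` prints the gocryptfs, electrum and fusermount commands instead of executing them.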