How does eCryptfs compare with other Linux disk encryption solutions?

eCryptfs is an actual filesystem. Some other popular disk encryption technologies are not filesystems; they are block device encryption layers (they provide what appears to be a physical block device to some actual filesystem). There is no filesystem logic in these layers. A few of the more well-known block device encryption layers include dm-crypt, Truecrypt, and Loop-AES. Perhaps the best thing about block device-layer encryption is that it is an order of magnitude simpler to implement than filesystem-layer encryption. Another advantage of block device-layer encryption is that it will encrypt the entire filesystem, including all of the filesystem metadata. However, for many use cases, this can turn out to be more of a disadvantage than an advantage.

While eCryptfs uses a powerful and flexible approach to protecting filesystem content, block device-layer encryption technology is still required to protect swap space and certain databases that use their own block device partition. The table below provides a compare-and-constrast of the two technologies. I anticipate that block device encryption will be the best solution for some people, while stacked filesystem encryption will be the best solution for others. Sometimes it even makes sense to use them both together, to combine the comprehensive full-disk encryption of a block device layer encryption technology with the transparent per-file encryption provided by eCryptfs (this will result in double-encryption of the file contents).

EncFS is another popular cryptographic filesystem that behaves much like a stacked filesystem. EncFS is a userspace filesystem, and so individual page reads and writes require additional context switches between kernel and userspace. One advantage a userspace cryptographic filesystem is that it is possible to use symmetric ciphers implemented in userspace libraries, but the frequent context switching impacts performance. In addition, EncFS uses FUSE, which suffers from the fact that shared writable memory mappings must be entirely disabled in order to avoid deadlock on some page swap events.