Encrypted Temp Directory

The EncryptedTempDirectory class is designed for when you need a directory whose contents are encrypted by eCryptfs, but you would also like to take advantage of the features of in-memory-only directories, such as increased access speed and automatic deletion (e.g. when you’re unpacking a CRX).

To understand this class fully, please also read the documentation on the TemporaryDirectory class.

class crx_unpack.encrypted_dir.EncryptedTempDirectory(*, upper_dir, **kwargs)[source]

Bases: tempfile.TemporaryDirectory

Create and return an encrypted temporary directory.

This behaves similarly to TemporaryDirectory, except for the following:

  • It requires that an “upper directory” be specified, which will be the mount point used by eCryptfs to mount the encrypted directory to the filesystem.
  • It creates two files in ~/.ecryptfs required to mount the directory (both of which are deleted when this object is):
    • ALIAS.sig - Contains the signatures for the FEK and FNEK encryption keys.
    • ALIAS.conf - Contains fstab-style information for which directory eCryptfs should mount and where.

In the above notes, ALIAS (which is a term used in the eCryptfs documentation, see links below) will be the name of the created temp directory, accessible as the basename of self.name.

To use an EncryptedTempDirectory object, it’s best to use it with a with clause, like so:

with EncryptedTempDirectory(upper_dir=upper) as lower:

Better yet, use an instance of TemporaryDirectory as the upper directory, like this:

with TemporaryDirectory() as upper, \
        EncryptedTempDirectory(upper_dir=upper) as lower:


In the above example, both temporary directories are deleted as soon as the __exit__() method is called (triggered by the close of the with clause). So make sure that anything you need to do with these objects, you do before leaving the with clause.


This class depends on eCryptfs, so it will need to be installed on the system to work properly. Similarly, this class depends on the following Unix tools/devices:

  • head
  • ecryptfs-add-passphrase
  • mount
  • keyctl
  • /dev/urandom

On Debian/Ubuntu-based systems, you can install these with:

sudo apt-get install coreutils mount keyutils ecryptfs-utils

For more information, see the following resources:

  • upper_dir (str) – Path where the encrypted directory will be mounted, and where the unencrypted version of the files will be accessible.
  • kwargs – Additional parameters to pass to the constructor of the TemporaryDirectory class.