NixOS
diff --git a/‎nixos/doc/manual/release-notes/rl-2605.section.md‎
Lines changed: 2 additions & 0 deletions b/‎nixos/doc/manual/release-notes/rl-2605.section.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎nixos/modules/misc/locate.nix‎
Lines changed: 0 additions & 1 deletion b/‎nixos/modules/misc/locate.nix‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎nixos/modules/module-list.nix‎
Lines changed: 0 additions & 2 deletions b/‎nixos/modules/module-list.nix‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎nixos/modules/programs/ecryptfs.nix‎
Lines changed: 0 additions & 35 deletions b/‎nixos/modules/programs/ecryptfs.nix‎
Lines changed: 0 additions & 35 deletions
diff --git a/‎nixos/modules/security/pam.nix‎
Lines changed: 1 addition & 26 deletions b/‎nixos/modules/security/pam.nix‎
Lines changed: 1 addition & 26 deletions
diff --git a/‎nixos/modules/tasks/filesystems/ecryptfs.nix‎
Lines changed: 0 additions & 29 deletions b/‎nixos/modules/tasks/filesystems/ecryptfs.nix‎
Lines changed: 0 additions & 29 deletions
diff --git a/‎nixos/tests/all-tests.nix‎
Lines changed: 0 additions & 1 deletion b/‎nixos/tests/all-tests.nix‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎nixos/tests/ecryptfs.nix‎
Lines changed: 0 additions & 87 deletions b/‎nixos/tests/ecryptfs.nix‎
Lines changed: 0 additions & 87 deletions
diff --git a/‎pkgs/by-name/ec/ecryptfs/package.nix‎
Lines changed: 0 additions & 107 deletions b/‎pkgs/by-name/ec/ecryptfs/package.nix‎
Lines changed: 0 additions & 107 deletions
diff --git a/‎pkgs/top-level/aliases.nix‎
Lines changed: 1 addition & 0 deletions b/‎pkgs/top-level/aliases.nix‎
Lines changed: 1 addition & 0 deletions
@@ -71,6 +71,8 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
 
 - Support for `reiserfs` in nixpkgs has been removed, following the removal in Linux 6.13.
 
+- support for `ecryptfs` in nixpkgs has been removed.
+
 - The `networking.wireless` module has been security hardened: the `wpa_supplicant` daemon now runs under an unprivileged user with restricted access to the system.
 
   As part of these changes, `/etc/wpa_supplicant.conf` has been deprecated: the NixOS-generated configuration file is now linked to `/etc/wpa_supplicant/nixos.conf` and `/etc/wpa_supplicant/imperative.conf` has been added for imperatively configuring `wpa_supplicant` or when using [allowAuxiliaryImperativeNetworks](#opt-networking.wireless.allowAuxiliaryImperativeNetworks).
 
@@ -89,7 +89,6 @@ in
         "devfs"
         "devpts"
         "devtmpfs"
-        "ecryptfs"
         "eventpollfs"
         "exofs"
         "futexfs"
 
@@ -202,7 +202,6 @@
   ./programs/droidcam.nix
   ./programs/dsearch.nix
   ./programs/dublin-traceroute.nix
-  ./programs/ecryptfs.nix
   ./programs/ente-auth.nix
   ./programs/environment.nix
   ./programs/envision.nix
@@ -1918,7 +1917,6 @@
   ./tasks/filesystems/bindfs.nix
   ./tasks/filesystems/btrfs.nix
   ./tasks/filesystems/cifs.nix
-  ./tasks/filesystems/ecryptfs.nix
   ./tasks/filesystems/envfs.nix
   ./tasks/filesystems/erofs.nix
   ./tasks/filesystems/exfat.nix
 
@@ -965,8 +965,7 @@ let
                   (
                     (cfg.unixAuth || config.services.homed.enable)
                     && (
-                      config.security.pam.enableEcryptfs
-                      || config.security.pam.enableFscrypt
+                      config.security.pam.enableFscrypt
                       || cfg.pamMount
                       || cfg.kwallet.enable
                       || cfg.enableGnomeKeyring
@@ -996,15 +995,6 @@ let
                         likeauth = true;
                       };
                     }
-                    {
-                      name = "ecryptfs";
-                      enable = config.security.pam.enableEcryptfs;
-                      control = "optional";
-                      modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so";
-                      settings = {
-                        unwrap = true;
-                      };
-                    }
                     {
                       name = "fscrypt";
                       enable = config.security.pam.enableFscrypt;
@@ -1191,12 +1181,6 @@ let
                   yescrypt = true;
                 };
               }
-              {
-                name = "ecryptfs";
-                enable = config.security.pam.enableEcryptfs;
-                control = "optional";
-                modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so";
-              }
               {
                 name = "fscrypt";
                 enable = config.security.pam.enableFscrypt;
@@ -1331,12 +1315,6 @@ let
                   silent = true;
                 };
               }
-              {
-                name = "ecryptfs";
-                enable = config.security.pam.enableEcryptfs;
-                control = "optional";
-                modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so";
-              }
               # Work around https://github.com/systemd/systemd/issues/8598
               # Skips the pam_fscrypt module for systemd-user sessions which do not have a password
               # anyways.
@@ -2223,7 +2201,6 @@ in
 
     security.pam.enableUMask = lib.mkEnableOption "umask PAM module";
 
-    security.pam.enableEcryptfs = lib.mkEnableOption "eCryptfs PAM module (mounting ecryptfs home directory on login)";
     security.pam.enableFscrypt = lib.mkEnableOption ''
       fscrypt, to automatically unlock directories with the user's login password.
 
@@ -2324,8 +2301,6 @@ in
       ++ lib.optionals config.security.pam.enableFscrypt [ pkgs.fscrypt-experimental ]
       ++ lib.optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ];
 
-    boot.supportedFilesystems = lib.mkIf config.security.pam.enableEcryptfs [ "ecryptfs" ];
-
     security.wrappers = {
       unix_chkpwd = {
         setuid = true;
 
@@ -502,7 +502,6 @@ in
   ec2-image = runTest ./ec2-image.nix;
   ec2-nixops = (handleTestOn [ "x86_64-linux" ] ./ec2.nix { }).boot-ec2-nixops or { };
   echoip = runTest ./echoip.nix;
-  ecryptfs = runTest ./ecryptfs.nix;
   ejabberd = runTest ./xmpp/ejabberd.nix;
   elk = handleTestOn [ "x86_64-linux" ] ./elk.nix { };
   emacs-daemon = runTest ./emacs-daemon.nix;
 
@@ -566,6 +566,7 @@ mapAliases {
   easyloggingpp = throw "easyloggingpp has been removed, as it is deprecated upstream and does not build with CMake 4"; # Added 2025-09-17
   EBTKS = throw "'EBTKS' has been renamed to/replaced by 'ebtks'"; # Converted to throw 2025-10-27
   ec2-utils = throw "'ec2-utils' has been renamed to/replaced by 'amazon-ec2-utils'"; # Converted to throw 2025-10-27
+  ecryptfs = throw "ecryptfs has been removed due to lack of maintenance. Consideer using fscrypt, gocryptfs or cryfs instead."; # Added 2026-01-14
   edid-decode = v4l-utils; # Added 2025-06-20
   eidolon = throw "eidolon was removed as it is unmaintained upstream."; # Added 2025-05-28
   eintopf = throw "'eintopf' has been renamed to/replaced by 'lauti'"; # Converted to throw 2025-10-27