Можно ли заставить ecryptfs-setup-private использовать 256-битный ключ AES (вместо длины по умолчанию 128-битного ключа)?

Ну, длинный ответ может быть "да, но знать о проигрывающей совместимости к 16 байтам закодировал каталоги".

Применение следующего патча против недавних ecryptfs-utils-104 источников должно сделать задание - однако, это просто изменяет значение hardcoded на 32 без возможности выбрать. Но если это полезно для кого-то:

diff -ruN ecryptfs-utils-104/README ecryptfs-utils-104-32byte/README
--- ecryptfs-utils-104/README   2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/README    2015-01-23 05:43:43.206773596 +0100
@@ -278,13 +278,13 @@
 You should get something like this:

 ---
-/secret /secret ecryptfs rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=16,ecryptfs_cipher=aes 0 0
+/secret /secret ecryptfs rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=32,ecryptfs_cipher=aes 0 0
 ---

 Add ``user'' and ``noauto'' to the mount options:

 ---
-/secret /secret ecryptfs user,noauto,rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=16,ecryptfs_cipher=aes 0 0
+/secret /secret ecryptfs user,noauto,rw,ecryptfs_sig=deadbeefdeadbeef,ecryptfs_key_bytes=32,ecryptfs_cipher=aes 0 0
 ---

 Append your edited line to your /etc/fstab file. Now it's time to test
diff -ruN ecryptfs-utils-104/doc/manpage/mount.ecryptfs_private.1 ecryptfs-utils-104-32byte/doc/manpage/mount.ecryptfs_private.1
--- ecryptfs-utils-104/doc/manpage/mount.ecryptfs_private.1 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/doc/manpage/mount.ecryptfs_private.1  2015-01-23 05:43:43.206773596 +0100
@@ -29,7 +29,7 @@
   - mount SOURCE onto DESTINATION
   - as an ecryptfs filesystem
   - using the AES cipher
-  - with a key length of 16 bytes
+  - with a key length of 32 bytes
   - using the passphrase whose signature is in ~/.ecryptfs/Private.sig

 The only setuid operation in this program is the call to \fBmount\fP(8) or \fBumount\fP(8).
diff -ruN ecryptfs-utils-104/src/include/ecryptfs.h ecryptfs-utils-104-32byte/src/include/ecryptfs.h
--- ecryptfs-utils-104/src/include/ecryptfs.h   2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/include/ecryptfs.h    2015-01-23 05:43:43.207773542 +0100
@@ -144,7 +144,7 @@
 #define ECRYPTFS_ECHO_OFF 0

 #define ECRYPTFS_AES_BLOCK_SIZE 16
-#define ECRYPTFS_AES_KEY_BYTES 16
+#define ECRYPTFS_AES_KEY_BYTES 32

 #define ECRYPTFS_DEFAULT_WRAPPED_PASSPHRASE_FILENAME "wrapped-passphrase"

diff -ruN ecryptfs-utils-104/src/utils/ecryptfs-recover-private ecryptfs-utils-104-32byte/src/utils/ecryptfs-recover-private
--- ecryptfs-utils-104/src/utils/ecryptfs-recover-private   2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/utils/ecryptfs-recover-private    2015-01-23 05:43:43.207773542 +0100
@@ -101,12 +101,12 @@
        1)
            mount_sig=$(echo "$sigs" | head -n1)
            fnek_sig=
-           mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
+           mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
        ;;
        2)
            mount_sig=$(echo "$sigs" | head -n1)
            fnek_sig=$(echo "$sigs" | tail -n1)
-           mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=16"
+           mount_opts="$opts,ecryptfs_sig=$mount_sig,ecryptfs_fnek_sig=$fnek_sig,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
        ;;
        *)
            continue
diff -ruN ecryptfs-utils-104/src/utils/ecryptfs-setup-private ecryptfs-utils-104-32byte/src/utils/ecryptfs-setup-private
--- ecryptfs-utils-104/src/utils/ecryptfs-setup-private 2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/utils/ecryptfs-setup-private  2015-01-23 05:43:43.208773488 +0100
@@ -13,7 +13,8 @@
 TEXTDOMAIN="ecryptfs-utils"
 MESSAGE="$(gettext 'Enter your login passphrase')"
 CIPHER="aes"
-KEYBYTES="16"
+KEYBYTES="32"
+SIGBYTES="16"
 FNEK=

 # Zero out user-defined GREP_OPTIONS, such as --line-number
@@ -97,7 +98,8 @@
    bytes=$1
    # Pull $1 of random data from /dev/urandom,
    # and convert to a string of hex digits
-   od -x -N $bytes --width=$bytes /dev/urandom | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g"
+   # od -x -N $bytes --width=$bytes /dev/urandom | head -n 1 | sed "s/^0000000//" | sed "s/\s*//g"
+   dd if=/dev/urandom bs=$[$bytes*3/2] count=1 status=none | base64
 }

 filename_encryption_available() {
@@ -393,7 +395,7 @@
    error "$(gettext 'Could not add passphrase to the current keyring')"
 fi
 sig=`echo "$response" | grep "Inserted auth tok" | sed "s/^.*\[//" | sed "s/\].*$//"`
-if ! echo "$sig" | egrep -qs "^[0-9a-fA-F]{$KEYBYTES,$KEYBYTES}$"; then
+if ! echo "$sig" | egrep -qs "^[0-9a-fA-F]{$SIGBYTES,$SIGBYTES}$"; then
    error "$(gettext 'Could not obtain the key signature')"
 fi
 temp=`mktemp`
diff -ruN ecryptfs-utils-104/src/utils/mount.ecryptfs_private.c ecryptfs-utils-104-32byte/src/utils/mount.ecryptfs_private.c
--- ecryptfs-utils-104/src/utils/mount.ecryptfs_private.c   2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/src/utils/mount.ecryptfs_private.c    2015-01-23 05:43:43.208773488 +0100
@@ -47,7 +47,8 @@
  * by the system administrator (or user?) at run time.  For now, these are set
  * to reasonable values to reduce the burden of input validation.
  */
-#define KEY_BYTES 16
+#define SIG_BYTES 16
+#define KEY_BYTES 32
 #define KEY_CIPHER "aes"
 #define FSTYPE "ecryptfs"
 #define TMP "/dev/shm"
@@ -159,13 +160,13 @@
    sig[0] = NULL;
    sig[1] = NULL;
    for (i=0; i<2; i++) {
-       if ((sig[i] = (char *)malloc(KEY_BYTES*sizeof(char)+2)) == NULL) {
+       if ((sig[i] = (char *)malloc(SIG_BYTES*sizeof(char)+2)) == NULL) {
            perror("malloc");
            goto err;
        }
-       memset(sig[i], '\0', KEY_BYTES+2);
-       /* Read KEY_BYTES characters from line */
-       if (fgets(sig[i], KEY_BYTES+2, fh) == NULL) {
+       memset(sig[i], '\0', SIG_BYTES+2);
+       /* Read SIG_BYTES characters from line */
+       if (fgets(sig[i], SIG_BYTES+2, fh) == NULL) {
            if (i == 0) {
                fputs("Missing file encryption signature", stderr);
                goto err;
@@ -187,7 +188,7 @@
                sig[i][j] = '\0';
            }
        }
-       if (strlen(sig[i]) > 0 && strlen(sig[i]) != KEY_BYTES) {
+       if (strlen(sig[i]) > 0 && strlen(sig[i]) != SIG_BYTES) {
            fputs("Invalid hex signature length\n", stderr);
            goto err;
        }
@@ -489,7 +490,7 @@
  *  - mounts ~/.Private onto ~/Private
  *    - as an ecryptfs filesystem
  *    - using the AES cipher
- *    - with a key length of 16 bytes
+ *    - with a key length of 32 bytes
  *    - and using the signature defined in ~/.ecryptfs/Private.sig
  *    - ONLY IF the user
  *      - has the signature's key in his keyring
diff -ruN ecryptfs-utils-104/tests/lib/etl_funcs.sh ecryptfs-utils-104-32byte/tests/lib/etl_funcs.sh
--- ecryptfs-utils-104/tests/lib/etl_funcs.sh   2014-01-23 19:09:48.000000000 +0100
+++ ecryptfs-utils-104-32byte/tests/lib/etl_funcs.sh    2015-01-23 05:43:43.209773433 +0100
@@ -32,7 +32,7 @@
 default_ext2_opts="user_xattr,acl"
 default_ext3_opts="user_xattr,acl,commit=600,barrier=1,data=ordered"
 default_btrfs_opts="nodatacow"
-default_mount_opts="rw,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_sig=\${ETL_FEKEK_SIG}"
+default_mount_opts="rw,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_sig=\${ETL_FEKEK_SIG}"
 default_fne_mount_opts="${default_mount_opts},ecryptfs_fnek_sig=\${ETL_FNEK_SIG}"