How can I protect my key?

Asked by Dustin Kirkland on 2008-09-25

Make a copy and store it in a physically secure location. For instance, copy your public/private keypair to a USB flash drive or write your passphrase onto a sheet of paper. Then, lock the drive and paper in your desk drawer or put them in a safe deposit box (depending on the sensitivity of the data that the keys protect). Future versions of eCryptfs userspace utilities may implement key splitting functions to provide even more paranoid levels of key protection.

Do not store your keys under the same physical security context in which you are storing your media. It should be much harder for an attacker to get to your keys than it is for him to get to your media.

When you use public key mode and generate a new key using ecryptfs-manager, the generated key file is the one that you must back up in order to access your files.

When mounting with a new key, I recommend performing a full mount, creating a new file, unmounting, clearing the user session keyring (keyctl clear @u), mounting again, and then trying to access the newly created file. This minimizes the likelihood that you will mistype a passphrase and create files that you will not be able to later recover. When mounting in passphrase mode, make sure that the ecryptfs_sig value matches between mounts. To help avoid the pitfall of mistyping a passphrase on mount, eCryptfs stores a cache of previous ecryptfs_sig values and warns the user if a mount passphrase does not match any passphrases used for previous mounts.
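The round-trip check described above (mount, create a file, unmount, `keyctl clear @u`, mount again, read the file back, and compare the ecryptfs_sig between mounts) written out as a POSIX shell script. This is an added example, not code from the eCryptfs project or from the answer; it assumes root, the ecryptfs-utils package, and that `mount -t ecryptfs` prompts interactively for the passphrase and cipher options on each mount. The mount-option strings used for the self-check are constructed samples in the shape of the fourth field of a /proc/mounts line.

```sh
#!/bin/sh
# Added example, not part of the eCryptfs project or this Launchpad answer.
# Implements the round-trip check from the answer: mount with a new key,
# create a probe file, unmount, clear the user session keyring with
# `keyctl clear @u`, mount again, then confirm the probe file reads back and
# that ecryptfs_sig is identical across both mounts.
#
# Assumptions (not stated on the page): run as root with ecryptfs-utils
# installed; `mount -t ecryptfs` is interactive and prompts for the
# passphrase and cipher options on each mount.

# Print the ecryptfs_sig value from a comma-separated mount options string
# (the 4th field of a /proc/mounts line); prints nothing if it is absent.
ecryptfs_sig_of() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^ecryptfs_sig=//p' | head -n 1
}

# Succeed only if both option strings carry the same, non-empty ecryptfs_sig.
sigs_match() {
    sig_a=$(ecryptfs_sig_of "$1")
    sig_b=$(ecryptfs_sig_of "$2")
    [ -n "$sig_a" ] && [ "$sig_a" = "$sig_b" ]
}

# Look up the options of the ecryptfs mount currently at mount point $1.
mount_opts() {
    awk -v mp="$1" '$2 == mp && $3 == "ecryptfs" { print $4; exit }' /proc/mounts
}

# Full round trip: $1 is the lower (encrypted) directory, $2 the mount point.
verify_roundtrip() {
    lower=$1
    upper=$2
    probe="$upper/.ecryptfs-probe-$$"
    token="probe-$$-$(date +%s)"

    mount -t ecryptfs "$lower" "$upper" || return 1   # first mount: type the passphrase
    opts1=$(mount_opts "$upper")
    printf '%s\n' "$token" > "$probe"
    umount "$upper" || return 1

    keyctl clear @u                                    # forget the cached key material

    mount -t ecryptfs "$lower" "$upper" || return 1   # second mount: type it again
    opts2=$(mount_opts "$upper")

    if ! sigs_match "$opts1" "$opts2"; then
        echo "ecryptfs_sig differs between mounts: $(ecryptfs_sig_of "$opts1") vs $(ecryptfs_sig_of "$opts2")" >&2
        umount "$upper"
        return 1
    fi
    # A mistyped passphrase on the second mount shows up here: the probe file
    # cannot be opened (or its contents do not match).
    if [ "$(cat "$probe" 2>/dev/null)" != "$token" ]; then
        echo "probe file did not read back; the second passphrase differs from the first" >&2
        umount "$upper"
        return 1
    fi
    rm -f "$probe"
    umount "$upper"
    echo "ok: ecryptfs_sig $(ecryptfs_sig_of "$opts1") round-tripped"
}

# Usage (hypothetical paths): sh verify-ecryptfs.sh --run /home/alice/.Private /home/alice/Private
if [ "${1:-}" = "--run" ]; then
    verify_roundtrip "$2" "$3"
fi
```

The script exits non-zero, with the mount point unmounted again, as soon as either the signature or the probe file disagrees, so a mistyped passphrase is caught before any real data is written under the wrong key.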

Question information

Language: English
Project: eCryptfs
Assignee: none
Solved by: Dustin Kirkland
Dustin Kirkland  (kirkland) said : #1

Answered by the FAQ