Cryptohome manages directories as follows:
/home/.shadow: Location for the system salt and individual users' salt/key/vault
/home/.shadow/<salted_hash_of_username>: Each Chrome OS user gets a directory in the shadow root where their salts, keys, and vault are stored (s_h_o_u).
/home/.shadow/<s_h_o_u>/vault: The user's vault (the encrypted version of their home directory)
/home/.shadow/<s_h_o_u>/master.0: Vault keyset for the user. The vault keyset contains the encrypted file encryption key and encrypted filename encryption key. It also contains the salt used to convert the user's passkey to an AES key, and may contain the TPM-encrypted intermediate key when TPM protection is enabled (see tpm.h for details).
/home/.shadow/<s_h_o_u>/mount: On successful login, the user‘s vault directory is mounted here using the symmetric key decrypted from master.X by the user’s passkey.
/home/user/<s_h_o_u>: bind mount of /home/.shadow/<s_h_o_u>/mount/user (applications should prefer this mount point for interacting with cryptohome)
/home/root/<s_h_o_u>: bind mount of /home/.shadow/<s_h_o_u>/mount/root
/home/chronos/u-<s_h_o_u>: bind mount of /home/.shadow/<s_h_o_u>/mount/user used for multi-user support. (deprecated)
/home/chronos/user: bind mount of the active user /home/.shadow/<s_h_o_u>/mount/user, for backward compatibility. (the usage of the mount point is discouraged)
The underlying filesystem mechanisms are using one of the following: ecryptfs (deprecated, used on old kernels), fscrypt (current, v1 is used on 4.x boards and v2 is used on 5.4+ boards) and lvm+dmcrypt (upcoming vault management and encryption mechanism). The filesystem encryption keys are themselves encrypted via various mechanisms (see [vkk.md]).
