eCryptfs Encrypted Home

Source by kaijanmaki.net © 2010
thanks to Antti Kaijanmäki!

To recover an eCryptfs encrypted home directory created with ubuntu jaunty installer from a backup.
I thought that it would go smoothly, after all I had written down the recovery passphrase when I installed the system some time a go. Well, it wasn’t all that smooth.
After like 1,5 hours or so I finally had the backup decrypted and I thought that it would be useful to others, too, if I share my findings as I discovered from emergency googling that others are struggling from the same problem and no one has provided any complete solution.
The backup was on external USB HDD, but it should not matter as long as you have your old encrypted .Private somewhere at hand.
First you need to make sure ecryptfs-utils is installed:

$ sudo aptitude install ecryptfs-utils

Create a directory where the backup is opened:

$ cd /mnt
$ sudo mkdir OldHome

Then create a symbolic link to your backup of your old .Private:

$ sudo ln -s /media/3e8ea0ac-xxxx-xxxx-a35a-8ff17406fdb8/home/user/.Private OldPrivate

Now, here’s the part that was missing from all the instructions. At least Ubuntu is using filename encryption to hide the real filenames. You need two keys for accessing: one for accessing the file content and one to decrypt the filenames to be meaningful. To get the key do:

$ sudo ecryptfs-add-passphrase --fnek
Passphrase:

Enter the recovery passphrase: the long one you had to manually write down to a piece of paper when you installed the system. Then you should have a similar output as the following:

Inserted auth tok with sig [xxxxxxxxxxxxxxx] into the user session keyring
Inserted auth tok with sig [yyyyyyyyyyyyyyyy] into the user session keyring

Now, write down the second signature [yyyyyyyyyyyyyyyy].
Now you are ready to decrypt the backup:

$ sudo mount -t ecryptfs OldPrivate OldHome/
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [xxxxxxxxxxxxxxx]: yyyyyyyyyyyyyyyy
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=yyyyyyyyyyyyyyyy
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=xxxxxxxxxxxxxxx
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [df3c98e4c85db0c5] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs

Now you ara able to access the decrypted backup in OldHome directory and you also have correct filenames.

1. Gyrlano Says:
   October 28th, 2009 at 06:08 could help me solve the following problem:
   Inserted auth tok with sig [ff4aae46a4d814b4] into the user session keyring
   Inserted auth tok with sig [5c53936d7608a270] into the user session keyring
   gyrlano@gyrlano:/$ sudo mount -t ecryptfs OldPrivate OldHome/
   Passphrase:
   Select cipher:
   1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
   2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
   3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
   4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
   5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
   6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
   Selection [aes]: 1
   Select key bytes:
   1) 16
   2) 32
   3) 24
   Selection [16]: 1
   Enable plaintext passthrough (y/n) [n]:
   Enable filename encryption (y/n) [n]: y
   Filename Encryption Key (FNEK) Signature [ff4aae46a4d814b4]: 5c53936d7608a270
   Attempting to mount with the following options:
   ecryptfs_unlink_sigs
   ecryptfs_fnek_sig=5c53936d7608a270
   ecryptfs_key_bytes=16
   ecryptfs_cipher=aes
   ecryptfs_sig=ff4aae46a4d814b4
   WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
   it looks like you have never mounted with this key
   before. This could mean that you have typed your
   passphrase wrong.
   Would you like to proceed with the mount (yes/no)? : yes
   Would you like to append sig [ff4aae46a4d814b4] to
   [/root/.ecryptfs/sig-cache.txt]
   in order to avoid this warning in the future (yes/no)? : no
   Not adding sig to user sig cache file; continuing with mount.
   Error mounting eCryptfs: [-2] No such file or directory
   Check your system logs; visit
   gyrlano@gyrlano:/$
   I will be grateful.
   
2. antti Says:
   October 28th, 2009 at 16:39 You could first check that Filename Ecryption is used (ls , does the names look cryptic?) and then check output of dmesg command for clues what goes wrong. And also try to reboot and start over, too. I had multiple tries first without a reboot when I had the same error and when I rebooted and tried again it worked. I probably had wrong keys in my keyring due to experimenting different things.
   
3. Eitan Says:
   October 31st, 2009 at 22:28 Super awesome! Thank you very much. I’ve been trying to figure this out for weeks.
   
4. GodGen Says:
   November 5th, 2009 at 02:42 /*/*/
   Antti, you’re the world’s largest. ThankS!!!!! !!!!! !!!!!
   /*/*/
   
5. Cliff Says:
   December 10th, 2009 at 03:58 Thank you a million times! I ran across several instructions for recovering an encrypted home from another install/system and your instructions were the only ones that worked for me. Just like you, I successfully mounted my private folder only to find that the filenames and content were still hopelessly encrypted. Thank you once again…
   
6. Cliff Says:
   December 10th, 2009 at 04:01 @Grylano
   I got this error when the mount-point directory didn’t exist prior to the mount:
   Error mounting eCryptfs: [-2] No such file or directory
   It has nothing to do with encryption and should really have occurred after a sanity check on the mount syntax (as oppossed to having you type a whole bunch of stuff and then failing).
   
7. Paddy Says:
   December 10th, 2009 at 15:02 Thank you!
   Why on earth isn’t it in the official documentation?
   
8. Matt Says:
   December 14th, 2009 at 08:15 Thanks, this was very helpful. Found your post on the Ubuntu Forums and it led me here.
   
9. Hector Diaz Says:
   December 17th, 2009 at 08:26 you are my hero!!!!!
   
10. Drew S. Says:
    January 23rd, 2010 at 20:56 “Filename Encryption Key (FNEK) Signature [xxxxxxxxxxxxxxx]: yyyyyyyyyyyyyyyy”
    That’s the secret sauce that I always manage to forget! Thank you!
    
11. Wyn Williams Says:
    February 10th, 2010 at 13:28 I think I love you ! I had 83,000 bloody files decrypted with fuc**d up file names, now I see them.
    I searched for two days for this solution so a MASSIVE THANKYOU !!!!
    
12. Angelverde Says:
    February 21st, 2010 at 08:47 Increible, muchas gracias, en ningun lugar encontre solución similar.
    Haré un post y te enlazo, sino te importa.
    
13. Recuperar los archivos y carpetas encriptadas con eCryptfs « El tux Angelverde Says:
    February 21st, 2010 at 11:17 [...] passphrase siempre la tuve a la mano y después de buscar por toda la red me tope con la respuesta, una respuesta que parece ser la única solución y sin asumir perdida alguna. Yo olvide mi contraseña pero es muy probable que hayas hecho una [...]
    
14. Jul Says:
    March 13th, 2010 at 19:30 Thanks a lot. I tried to decrypt my old home directory for hours.
    
15. Ed Says:
    March 14th, 2010 at 04:27 Thanks for this post. It just helped me migrate a bunch of files off of a flaky Wubi install to a shiny new native install.
    I have a couple things to add:
    1) Don’t skip on the ’sudo’. I went in circles a couple of times because I ran ‘ecryptfs-add-passphrase –fnek’ as myself.
    2) If you didn’t write down your recovery passphrase, but still have your .ecrypt directory, you can run ‘ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase’ to get it back.
    3) You need to enter that recovery passphrase for both the ‘ecryptfs-add-passphrase’ and ‘mount’ command. (Yeah, I put in my login password for the mount a few times before I realized that was wrong.)
    
16. Seb Has Says:
    April 16th, 2010 at 21:35 Man you are gooooooooooooooooooooood!
    
17. Gotit Says:
    April 19th, 2010 at 04:06 Well, I’ve tried I don’t know how many times but it just won’t give me permission! Could you please take a look and tell me what I’m doing wring? This is on a Karmic install if that makes a difference:
    ubuntu@ubuntu:/mnt$ sudo ecryptfs-add-passphrase –fnek
    Passphrase:
    Inserted auth tok with sig [9feeafb7d362cca0] into the user session keyring
    Inserted auth tok with sig [50f4f62c9ec87247] into the user session keyring
    ubuntu@ubuntu:/mnt$ sudo mount -t ecryptfs OldPrivate OldHome/
    Passphrase:
    Select cipher:
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]:
    Select key bytes:
    1) 16
    2) 32
    3) 24
    Selection [16]:
    Enable plaintext passthrough (y/n) [n]:
    Enable filename encryption (y/n) [n]: y
    Filename Encryption Key (FNEK) Signature [9feeafb7d362cca0]: 50f4f62c9ec87247
    Attempting to mount with the following options:
    ecryptfs_unlink_sigs
    ecryptfs_fnek_sig=50f4f62c9ec87247
    ecryptfs_key_bytes=16
    ecryptfs_cipher=aes
    ecryptfs_sig=9feeafb7d362cca0
    WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
    it looks like you have never mounted with this key
    before. This could mean that you have typed your
    passphrase wrong.
    Would you like to proceed with the mount (yes/no)? : yes
    Would you like to append sig [9feeafb7d362cca0] to
    [/root/.ecryptfs/sig-cache.txt]
    in order to avoid this warning in the future (yes/no)? : no
    Not adding sig to user sig cache file; continuing with mount.
    Mounted eCryptfs
    ubuntu@ubuntu:/mnt$ dir
    OldHome OldPrivate
    ubuntu@ubuntu:/mnt$ cd OldHome
    bash: cd: OldHome: Permission denied
    ubuntu@ubuntu:/mnt$
    Thanks
    
18. antti Says:
    April 19th, 2010 at 08:37 Gotit: original file permissions apply even when you try to access the files on a different machine or live-CD. Live-CD user is just a regular user who does not have a permission to access your unencrypted home directory. Only root can access any files.
    You either have to access the backup as root:
    Mounted eCryptfs
    $ sudo su
    # cd OldHome
    or you have to change the owner of the directory and files:
    Mounted eCryptfs
    $ sudo chown $USER OldHome/ -R
    $ cd OldHome