Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO

Wednesday, April 21, 2010

eCryptfs Encrypted Home

Source by kaijanmaki.net © 2010
thanks to Antti Kaijanmäki!

How to recover an eCryptfs-encrypted home directory, created with the Ubuntu Jaunty installer, from a backup.
I thought that it would go smoothly, after all I had written down the recovery passphrase when I installed the system some time ago. Well, it wasn’t all that smooth.
After like 1,5 hours or so I finally had the backup decrypted and I thought that it would be useful to others, too, if I share my findings, as I discovered from emergency googling that others are struggling with the same problem and no one has provided any complete solution.
The backup was on an external USB HDD, but that should not matter as long as you have your old encrypted .Private somewhere at hand.
First you need to make sure ecryptfs-utils is installed:
$ sudo aptitude install ecryptfs-utils
Create a directory where the backup is opened:
$ cd /mnt
$ sudo mkdir OldHome
Then create a symbolic link to your backup of your old .Private:
$ sudo ln -s /media/3e8ea0ac-xxxx-xxxx-a35a-8ff17406fdb8/home/user/.Private OldPrivate
Now, here’s the part that was missing from all the instructions. Ubuntu, at least, uses filename encryption to hide the real filenames, so you need two keys: one to decrypt the file contents and one to decrypt the filenames into something meaningful. To load both keys, run:
$ sudo ecryptfs-add-passphrase --fnek
Passphrase:
Enter the recovery passphrase: the long one you had to manually write down on a piece of paper when you installed the system. You should then see output similar to the following:
Inserted auth tok with sig [xxxxxxxxxxxxxxx] into the user session keyring
Inserted auth tok with sig [yyyyyyyyyyyyyyyy] into the user session keyring
Now write down the second signature [yyyyyyyyyyyyyyyy]. It is the Filename Encryption Key (FNEK) signature that the mount prompt asks for below.
Now you are ready to decrypt the backup:
$ sudo mount -t ecryptfs OldPrivate OldHome/
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [xxxxxxxxxxxxxxx]: yyyyyyyyyyyyyyyy
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=yyyyyyyyyyyyyyyy
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=xxxxxxxxxxxxxxx
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [df3c98e4c85db0c5] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs
Now you are able to access the decrypted backup in the OldHome directory, and you also have the correct filenames.
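
The following is an added example, not part of the original post or its responses: shell helpers that pull the two signatures out of the `ecryptfs-add-passphrase --fnek` output and check the preconditions that commonly break this procedure (missing mount point, lower directory without encrypted filenames) before printing the mount command. The function names are hypothetical, and the `ECRYPTFS_FNEK_ENCRYPTED.` filename prefix and the `-o` options not echoed in the transcript above come from eCryptfs itself rather than from this page.

```sh
#!/bin/sh
# Added example: pre-flight helpers for the recovery steps above.
# Function names are hypothetical; nothing here calls mount itself.

# Read `ecryptfs-add-passphrase --fnek` output on stdin and print the
# signatures in order: first the content key, second the FNEK.
parse_sigs() {
    sed -n 's/.*Inserted auth tok with sig \[\([0-9a-f]*\)\].*/\1/p'
}

# Succeed if the lower directory holds encrypted filenames, which eCryptfs
# stores with the ECRYPTFS_FNEK_ENCRYPTED. prefix.
uses_fnek() {
    for f in "$1"/ECRYPTFS_FNEK_ENCRYPTED.*; do
        if [ -e "$f" ] || [ -L "$f" ]; then return 0; fi
    done
    return 1
}

# Option string mirroring the answers given at the prompts above, so they
# need not be typed at each prompt. $1 = FNEK signature.
mount_opts() {
    printf 'key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,'
    printf 'ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,'
    printf 'ecryptfs_fnek_sig=%s\n' "$1"
}

# Check the preconditions, then print (not run) the mount command.
# $1 = lower dir (old .Private), $2 = mount point, $3 = FNEK signature.
plan_mount() {
    [ -d "$1" ] || { echo "lower directory missing: $1" >&2; return 2; }
    [ -d "$2" ] || { echo "mount point missing: $2" >&2; return 2; }
    uses_fnek "$1" || { echo "no encrypted filenames in $1" >&2; return 3; }
    printf 'sudo mount -t ecryptfs -o %s %s %s\n' "$(mount_opts "$3")" "$1" "$2"
}
```

Source the file, pipe the key-loading output through `parse_sigs`, and pass its second line to `plan_mount` together with the OldPrivate and OldHome paths.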

18 Responses to “Recovering Files From eCryptfs Encrypted Home”

  1. Gyrlano Says:
    could help me solve the following problem:
    Inserted auth tok with sig [ff4aae46a4d814b4] into the user session keyring
    Inserted auth tok with sig [5c53936d7608a270] into the user session keyring
    gyrlano@gyrlano:/$ sudo mount -t ecryptfs OldPrivate OldHome/
    Passphrase:
    Select cipher:
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]: 1
    Select key bytes:
    1) 16
    2) 32
    3) 24
    Selection [16]: 1
    Enable plaintext passthrough (y/n) [n]:
    Enable filename encryption (y/n) [n]: y
    Filename Encryption Key (FNEK) Signature [ff4aae46a4d814b4]: 5c53936d7608a270
    Attempting to mount with the following options:
    ecryptfs_unlink_sigs
    ecryptfs_fnek_sig=5c53936d7608a270
    ecryptfs_key_bytes=16
    ecryptfs_cipher=aes
    ecryptfs_sig=ff4aae46a4d814b4
    WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
    it looks like you have never mounted with this key
    before. This could mean that you have typed your
    passphrase wrong.
    Would you like to proceed with the mount (yes/no)? : yes
    Would you like to append sig [ff4aae46a4d814b4] to
    [/root/.ecryptfs/sig-cache.txt]
    in order to avoid this warning in the future (yes/no)? : no
    Not adding sig to user sig cache file; continuing with mount.
    Error mounting eCryptfs: [-2] No such file or directory
    Check your system logs; visit
    gyrlano@gyrlano:/$
    I will be grateful.
  2. antti Says:
    You could first check that Filename Encryption is used (ls, do the names look cryptic?) and then check the output of the dmesg command for clues about what goes wrong. And also try to reboot and start over, too. I had multiple tries first without a reboot when I had the same error, and when I rebooted and tried again it worked. I probably had wrong keys in my keyring due to experimenting with different things.
  3. Eitan Says:
    Super awesome! Thank you very much. I’ve been trying to figure this out for weeks.
  4. GodGen Says:
    /*/*/
    Antti, you’re the world’s largest. ThankS!!!!! !!!!! !!!!!
    /*/*/
  5. Cliff Says:
    Thank you a million times! I ran across several instructions for recovering an encrypted home from another install/system and your instructions were the only ones that worked for me. Just like you, I successfully mounted my private folder only to find that the filenames and content were still hopelessly encrypted. Thank you once again…
  6. Cliff Says:
    @Grylano
    I got this error when the mount-point directory didn’t exist prior to the mount:
    Error mounting eCryptfs: [-2] No such file or directory
    It has nothing to do with encryption and should really have occurred after a sanity check on the mount syntax (as opposed to having you type a whole bunch of stuff and then failing).
  7. Paddy Says:
    Thank you!
    Why on earth isn’t it in the official documentation?
  8. Matt Says:
    Thanks, this was very helpful. Found your post on the Ubuntu Forums and it led me here.
  9. Hector Diaz Says:
    you are my hero!!!!!
  10. Drew S. Says:
    “Filename Encryption Key (FNEK) Signature [xxxxxxxxxxxxxxx]: yyyyyyyyyyyyyyyy”
    That’s the secret sauce that I always manage to forget! Thank you!
  11. Wyn Williams Says:
    I think I love you ! I had 83,000 bloody files decrypted with fuc**d up file names, now I see them.
    I searched for two days for this solution so a MASSIVE THANKYOU !!!!
  12. Angelverde Says:
    Incredible, thank you very much, I did not find a similar solution anywhere.
    I will write a post and link to you, if you don't mind.
  13. Recovering files and folders encrypted with eCryptfs « El tux Angelverde Says:
    [...] I always had the passphrase at hand, and after searching all over the net I came across the answer, an answer that seems to be the only solution and without suffering any loss. I forgot my password, but it is very likely that you have made a [...]
  14. Jul Says:
    Thanks a lot. I tried to decrypt my old home directory for hours.
  15. Ed Says:
    Thanks for this post. It just helped me migrate a bunch of files off of a flaky Wubi install to a shiny new native install.
    I have a couple things to add:
    1) Don’t skip on the ‘sudo’. I went in circles a couple of times because I ran ‘ecryptfs-add-passphrase --fnek’ as myself.
    2) If you didn’t write down your recovery passphrase, but still have your .ecrypt directory, you can run ‘ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase’ to get it back.
    3) You need to enter that recovery passphrase for both the ‘ecryptfs-add-passphrase’ and ‘mount’ command. (Yeah, I put in my login password for the mount a few times before I realized that was wrong.)
  16. Seb Has Says:
    Man you are gooooooooooooooooooooood!
  17. Gotit Says:
    Well, I’ve tried I don’t know how many times but it just won’t give me permission! Could you please take a look and tell me what I’m doing wrong? This is on a Karmic install if that makes a difference:
    ubuntu@ubuntu:/mnt$ sudo ecryptfs-add-passphrase --fnek
    Passphrase:
    Inserted auth tok with sig [9feeafb7d362cca0] into the user session keyring
    Inserted auth tok with sig [50f4f62c9ec87247] into the user session keyring
    ubuntu@ubuntu:/mnt$ sudo mount -t ecryptfs OldPrivate OldHome/
    Passphrase:
    Select cipher:
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]:
    Select key bytes:
    1) 16
    2) 32
    3) 24
    Selection [16]:
    Enable plaintext passthrough (y/n) [n]:
    Enable filename encryption (y/n) [n]: y
    Filename Encryption Key (FNEK) Signature [9feeafb7d362cca0]: 50f4f62c9ec87247
    Attempting to mount with the following options:
    ecryptfs_unlink_sigs
    ecryptfs_fnek_sig=50f4f62c9ec87247
    ecryptfs_key_bytes=16
    ecryptfs_cipher=aes
    ecryptfs_sig=9feeafb7d362cca0
    WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
    it looks like you have never mounted with this key
    before. This could mean that you have typed your
    passphrase wrong.
    Would you like to proceed with the mount (yes/no)? : yes
    Would you like to append sig [9feeafb7d362cca0] to
    [/root/.ecryptfs/sig-cache.txt]
    in order to avoid this warning in the future (yes/no)? : no
    Not adding sig to user sig cache file; continuing with mount.
    Mounted eCryptfs
    ubuntu@ubuntu:/mnt$ dir
    OldHome OldPrivate
    ubuntu@ubuntu:/mnt$ cd OldHome
    bash: cd: OldHome: Permission denied
    ubuntu@ubuntu:/mnt$
    Thanks
  18. antti Says:
    Gotit: original file permissions apply even when you try to access the files on a different machine or live-CD. Live-CD user is just a regular user who does not have a permission to access your unencrypted home directory. Only root can access any files.
    You either have to access the backup as root:
    Mounted eCryptfs
    $ sudo su
    # cd OldHome
    or you have to change the owner of the directory and files:
    Mounted eCryptfs
    $ sudo chown $USER OldHome/ -R
    $ cd OldHome
