Rescue Your Data from EcryptFS

This post doesn’t have much to do with Cisco hardware, or anything to do with Cisco for that matter, other than the fact that it helped me recover some Cisco-related data (Tcl scripts, configurations, etc.). I use Ubuntu as my primary desktop machine and, like all paranoid people, I encrypted my home directory, including filename encryption. Ultra super secure, awesome.

Until you have a hardware malfunction and need to restore that data to another machine. I had the privilege of setting up a shiny new Ubuntu installation on a new hard drive, with my data trapped inside an ecryptfs file on another drive, which wasn’t a reliable drive, so I had to get as much of my data off it as soon as I could. Ugh, what am I to do? The only thing I could do: find out how to decrypt and mount my old home directory.

The first piece of information you are going to need is your ecryptfs mount pass-phrase, which you can recover if you don’t remember it. Here is how I recovered my pass-phrase. Note that I have the partition with the encrypted directory mounted at /mnt.

$ sudo ecryptfs-unwrap-passphrase /mnt/home/.ecryptfs/jonathan/.ecryptfs/wrapped-passphrase
Passphrase: Login Password
2290da56f373d4807dac2bf0da52d09e

Now that I had the mount pass-phrase, I needed to add it to the keyring.

$ sudo ecryptfs-add-passphrase --fnek
Passphrase: Passphrase from ecryptfs-unwrap-passphrase command
Inserted auth tok with sig [ae0722789dbed358] into the user session keyring
Inserted auth tok with sig [c0c6192a76fb1fdc] into the user session keyring

I included the --fnek switch because my setup used filename encryption. Take note of the second signature; you will use it when mounting the protected directory.

$ sudo mount -t ecryptfs /mnt/home/.ecryptfs/jonathan/.Private/ /secret
Passphrase: Passphrase from ecryptfs-unwrap-passphrase command
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [ae0722789dbed358]: c0c6192a76fb1fdc
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=c0c6192a76fb1fdc
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=ae0722789dbed358
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [ae0722789dbed358] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

You should be able to rescue your data, like I did. Thanks for reading, I hope you are as successful as I was in retrieving your data. I will update this post with a shell script to do most of the work for you, when I get a chance to write it.
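One way to script the three steps above, as an added example that is not the author's own script. The function names are made up for illustration, and it assumes the `-` (read from stdin) form that both ecryptfs utilities list in their usage text, so that neither pass-phrase is passed as a command-line argument.

```shell
#!/bin/sh
# Added example, not the author's script. Arguments are supplied by the caller;
# cipher and key size default to the values selected in the post (aes, 16).

# Read `ecryptfs-add-passphrase --fnek` output on stdin and print
# "<sig> <fnek_sig>": the first line is the file key, the second the FNEK.
parse_sigs() {
    sed -n 's/.*with sig \[\([0-9a-f]\{16\}\)].*/\1/p' | paste -sd ' ' -
}

# Build the mount option string the interactive mount reported in the post.
# Args: sig fnek_sig [cipher] [key_bytes]. Rejects missing or non-hex signatures.
build_mount_opts() {
    for s in "$1" "$2"; do
        case "$s" in
            ""|*[!0-9a-f]*) echo "missing or malformed signature" >&2; return 1 ;;
        esac
    done
    printf 'ecryptfs_unlink_sigs,ecryptfs_fnek_sig=%s,ecryptfs_key_bytes=%s,ecryptfs_cipher=%s,ecryptfs_sig=%s\n' \
        "$2" "${4:-16}" "${3:-aes}" "$1"
}

# Args: wrapped-passphrase file, encrypted .Private directory, mount point.
rescue_mount() {
    printf 'Login password: ' >&2
    stty -echo; IFS= read -r login_pw; stty echo; echo >&2
    # Secrets go over stdin ("-") so they never appear in a process argument list.
    mount_pw=$(printf '%s' "$login_pw" | sudo ecryptfs-unwrap-passphrase "$1" -) || return 1
    sigs=$(printf '%s' "$mount_pw" | sudo ecryptfs-add-passphrase --fnek - | parse_sigs)
    unset login_pw mount_pw
    # $sigs is intentionally unquoted: it splits into the two signatures.
    opts=$(build_mount_opts $sigs) || return 1
    sudo mount -t ecryptfs -o "$opts" "$2" "$3"
}

if [ "$#" -eq 3 ]; then
    rescue_mount "$@"
fi
```

Run it with the wrapped-passphrase file, the .Private directory and the mount point as its three arguments. The mount helper may still prompt for the pass-phrase and for any question the option string does not answer, as in the session above.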

Enjoy.

Mar 5th, 2011 • Posted in Linux