Rescue Your Data from EcryptFS
Until you have a hardware malfunction and need to restore that data to another machine. I had the privilege of setting up a shiny new Ubuntu installation on a new hard drive, with my data trapped inside an ecryptfs file on another drive, which wasn’t a reliable drive, so I had to get as much of my data off soon. Ugh, what am I to do? The only thing I could do was find out how to decrypt and mount my old home directory.
The first piece of information you are going to need is your ecryptfs mount pass-phrase, which you can recover if you don’t remember it. Here is how I recovered my pass-phrase. Notice that I have the partition with the encrypted directory mounted at /mnt.
    $ sudo ecryptfs-unwrap-passphrase /mnt/home/.ecryptfs/jonathan/.ecryptfs/wrapped-passphrase
    Passphrase: Login Password
    2290da56f373d4807dac2bf0da52d09e
Now that I had the mount pass-phrase, I needed to add it to the keyring.
    $ sudo ecryptfs-add-passphrase --fnek
    Passphrase: Passphrase from ecryptfs-unwrap-passphrase command
    Inserted auth tok with sig [ae0722789dbed358] into the user session keyring
    Inserted auth tok with sig [c0c6192a76fb1fdc] into the user session keyring
I included the --fnek switch because my setup used filename encryption. Take note of the second signature; you will use it when mounting the protected directory.
    $ sudo mount -t ecryptfs /mnt/home/.ecryptfs/jonathan/.Private/ /secret
    Passphrase: Passphrase from ecryptfs-unwrap-passphrase command
    Select cipher:
     1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
     3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
     4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
     6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]:
    Select key bytes:
     1) 16
     2) 32
     3) 24
    Selection :
    Enable plaintext passthrough (y/n) [n]: n
    Enable filename encryption (y/n) [n]: y
    Filename Encryption Key (FNEK) Signature [ae0722789dbed358]: c0c6192a76fb1fdc
    Attempting to mount with the following options:
      ecryptfs_unlink_sigs
      ecryptfs_fnek_sig=c0c6192a76fb1fdc
      ecryptfs_key_bytes=16
      ecryptfs_cipher=aes
      ecryptfs_sig=ae0722789dbed358
    WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt], it looks like you have never mounted with this key before. This could mean that you have typed your passphrase wrong.
    Would you like to proceed with the mount (yes/no)? : yes
    Would you like to append sig [ae0722789dbed358] to [/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : yes
    Successfully appended new sig to user sig cache file
    Mounted eCryptfs
You should be able to rescue your data, like I did. Thanks for reading, I hope you are as successful as I was in retrieving your data. I will update this post with a shell script to do most of the work for you, when I get a chance to write it.
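An added example, not the author's promised script: it reads the output of ecryptfs-add-passphrase --fnek, picks out the two signatures, and builds the mount options that answer the interactive prompts shown above, so the FNEK signature cannot be mistyped. The function names and the sigs.txt file are assumptions of this sketch; key=passphrase leaves the passphrase to be typed at mount's own prompt rather than placed on the command line.

```sh
#!/bin/sh
# Added example; function names and file layout are assumptions, not the author's.

# The two signature lines shown on this page, kept here as sample input.
page_sample() {
    cat <<'EOF'
Inserted auth tok with sig [ae0722789dbed358] into the user session keyring
Inserted auth tok with sig [c0c6192a76fb1fdc] into the user session keyring
EOF
}

# Print each 16-hex-digit signature on its own line, in the order it appeared
# (content key first, FNEK second). Splitting on '[' also copes with output
# that was pasted onto a single line.
parse_sigs() {
    tr '[' '\n' | sed -n 's/^\([0-9a-f]\{16\}\)\].*/\1/p'
}

# Read add-passphrase output on stdin, print the -o option string for mount.
# Fails when two signatures are not found, which is what happens if --fnek
# was left out: mounting then would leave every filename unreadable.
mount_opts() {
    set -- $(parse_sigs)
    if [ "$#" -ne 2 ]; then
        echo "expected 2 signatures, found $#: was --fnek used?" >&2
        return 1
    fi
    printf 'key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,'
    printf 'ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=y,'
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,' "$1" "$2"
    printf 'ecryptfs_unlink_sigs,no_sig_cache\n'
}

# Usage, with the page's paths and the add-passphrase output saved in sigs.txt:
#   sudo sh rescue.sh sigs.txt /mnt/home/.ecryptfs/jonathan/.Private/ /secret
if [ "$#" -eq 3 ]; then
    opts=$(mount_opts < "$1") || exit 1
    mount -t ecryptfs -o "$opts" "$2" "$3"
fi
```

The cipher and key size are fixed to the aes / 16 values from the session above; a setup created with other values needs them changed in mount_opts.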