Rescure Your Data from EcryptFS

Until you have a hardware malfunction and need to restore that data to another machine. I had the privilege of setting up a shiny new Ubuntu installation on a new hard drive, with my data trapped inside an ecryptfs file on another drive, which wasn’t a reliable drive, so I had to get as much of my data off soon. Ugh, what am I to do? The only thing I could do, find out how to decrypt and mount my old home directory.

The first piece of information you are going to need is your ecryptfs mount pass-phrase, which you can recover, if you don’t remember. Here is how I recovered my pass-phrase. Notice, I have the partition with the encrypted directory mount at /mnt.

$ sudo ecryptfs-unwrap-passphrase /mnt/home/.ecryptfs/jonathan/.ecryptfs/wrapped-passphrase
Passphrase: Login Password
2290da56f373d4807dac2bf0da52d09e

Now that I had the mount pass-phase, I needed to add it to the keyring.

$ sudo ecryptfs-add-passphrase --fnek
Passphrase: Passphrase from ecryptfs-unwrap-passphrase command
Inserted auth tok with sig [ae0722789dbed358] into the user session keyring
Inserted auth tok with sig [c0c6192a76fb1fdc] into the user session keyring

I included the –fnek switch because my setup used filename encryption. Take note of the second signature, you will use it when mounting the protected directory.

$ sudo mount -t ecryptfs /mnt/home/.ecryptfs/jonathan/.Private/ /secret
Passphrase: Passphrase from ecryptfs-unwrap-passphrase command
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [ae0722789dbed358]: c0c6192a76fb1fdc
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=c0c6192a76fb1fdc
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=ae0722789dbed358
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [ae0722789dbed358] to [/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Mounted eCryptfs

You should be able to rescue your data, like I did. Thanks for reading, I hope you are successful as I was in retrieving your data. I will update this post with a shell script to do most of the work for you, when I get a chance to write it.

Enjoy.

Mar 5, 2011 - Filed in: Linux
Words: 500