[RESOLVED] Recover files from encrypted data before Linux crashed

[kuzman1]

Can someone please guide me to recover my encrypted files and data before Linux crashed.

I have been trying to recover it but have not been successful. I can post what I have been doing but I think I might have missed something important. It might be better if someone could please guide me to the proper procedure.

I went to Devices and copied the 'home' folder into an external hard drive. The size of this 'home' folder was 434GB and I think the data is in it and it is still encrypted and hidden. Can I now fresh install (and erase the old data) from the laptop and try to get it from the external hard drive?

Background:
Linux was running fine until I got one of these kernel updates which I installed. After this update, there was a tear in the screen sometimes appearing wherever I open new windows or applications, that did not bother me as much as the laptop did not shutdown for a few of days. I went to update drivers and it recommended to update the driver for the NVIDIA card, I installed it. It then asked to start the laptop. When it restarted it I could not get back to Linux!

I created a bootable/live USB with Linux Mint 17.3. I insert that in the laptop before I start it and it gives me the 'Start Linux Mint 17.3 Cinnamon 64-bit' option. After selecting it, I get the screen that enables me to install Linux. On the desktop it has 'Computer' folder, Home folder and 'install Linux Mint'.

I had Linux Mint 17.3 so I created a USB and installed Linux Mint 17.3 (not the comparability one), there was a large partition (which I am sure the data was stored in it) and I installed Mint 17.3 on this partition. As I said I did not erase anything. Now that I have installed Linux Mint, the (original) hard drive appears as a device with 434GB of data. When I go to this device it has a number of folders. When I open the 'home' folder, it has a folder called 'dave' opening this there are two files:

-'Read me' a txt file. Opening it is says:

THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA.

From the graphical desktop, click on:
"Access Your Private Data"

or

From the command line, run:
ecryptfs-mount-private


-'Access-Your-Private_Data. desktop file.

When I click on 'Access-Your-Private_Data. desktop: nothing happens.

[Joe2Shoe]

Some help here:
viewtopic.php?f=46&t=251774&p=1354381&h ... s#p1354381

That's why I keep all my data on a separate partition (Data1) and encrypt/decrypt it at will with LUKS. I also backup the LUKS headers, etc. to Data1.
Good luck.

[kuzman1]

Thanks Joe

In file manager, under devices, I can see my old data is mounted (434 GB). When I open it it has a number of folders one of them is 'home'. I copied that into an external hard drive and it now connected to the laptop.

I went to the terminal and done this

Code: Select all

dave@dave ~ $ sudo ecryptfs-recover-private
[sudo] password for dave: 
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/home/dave/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] y
INFO: Enter your LOGIN passphrase...
Passphrase: 
Inserted auth tok with sig [62c819ddbcdd90f1] into the user session keyring
INFO: Success!  Private data mounted at [/tmp/ecryptfs.g8YPeRqz].
INFO: Found [/media/dave/206603df-6f5c-4600-84d4-a3dd6289b828/home/.ecryptfs/dave/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] y
INFO: Enter your LOGIN passphrase...
Passphrase: 
Inserted auth tok with sig [91a0649db3664d37] into the user session keyring
INFO: Success!  Private data mounted at [/tmp/ecryptfs.wzps13vP].
dave@dave ~ $ 

Am I on the right path?
what is the next step?

[Joe2Shoe]

Not sure. I have never attempted that scenario.
Just search for "recover encrypted data" in the search bar.
Good luck.

[kuzman1]

Thanks again Joe.
I opened the file manager and done the search, it could not find it

[Thaddeus-maximus]

Thanks again Joe.
I opened the file manager and done the search, it could not find it

i think he was referring to the website not the file manager. i don't encrypt so i can't help you, sorry.

[kuzman1]

i think he was referring to the website not the file manager

oh....ok. I have been doing that for two days and going around in circles getting nowhere.

[lostfarmer]

INFO: Success! Private data mounted at [/tmp/ecryptfs.wzps13vP]

that says it is mounted at /tmp/ecryptfs.wzps13vP , did you look ?

Have never used your type of ecryp so not sure.

[kuzman1]

that says it is mounted at /tmp/ecryptfs.wzps13vP , did you look ?

yes, I go there and open the tmp folder and everything inside is hidden. When I check the size of the tmp folder it is 434GB.
I think I may be so close but not there!
I need someone to help me with the next step

[kuzman1]

After my last post with the terminal, I have done this and that was the result:

Code: Select all

dave@dave ~ $ sudo ls /tmp/ecryptfs.wzps13vP
[sudo] password for dave: 
Books		  Documents	 Movies       notebook.zim  Public
Completed Movies  Documents.txt  mozilla.pdf  OLED TV.ods   Templates
Desktop		  Downloads	 Music	      Pictures	    Videos

These are exactly the files I had on my hard drive.
The embarrassing part is; I am looking in my file manager for these files, where are they?

[lostfarmer]

in your file manager you need to get to "/" , you should see on left side 'computer' or 'file system' click on it and then should be able to fine 'tmp' folder. I am on debian and think it uses a different manager. Some one with better instructions should be along soon.

[kuzman1]

lostfarmer » Wed Jan 17, 2018 1:20 am
in your file manager you need to get to "/" , you should see on left side 'computer' or 'file system' click on it and then should be able to fine 'tmp' folder. I am on debian and think it uses a different manager

In the file manager I can fo to the file system and tmp folder. It has a three subfolders that I cannot access three subfolders that I can open (and do not have my old data).

I think my old data files are hidden. If I search one of my old data folders (for example Movies), it cannot find it.

I tried this https://help.ubuntu.com/community/Encry ... Passphrase
did not work.
The step when it asks for me to look for partitions, I can only find one partition and under system it shows GPT (Guide Partition Table) not 'Linux' as outlined in this procedure.

After spending hours, I am getting the feeling that I should raise the white flag!

[lostfarmer]

Just remember when you reboot the /tmp/folder will be deleted and require> sudo ecryptfs-recover-private
<< use file manager go to /tmp << right click on open space<< a drop down will open and select open as root<<you should see and able to open /tmp/ecryptfs.wzps13vP

[kuzman1]

Just remember when you reboot the /tmp/folder will be deleted and require> sudo ecryptfs-recover-private

Thanks.
I think that is what I have done? that is why now I can see the tmp folder in the File System?

<< use file manager go to /tmp << right click on open space<< a drop down will open and select open as root<<you should see and able to open /tmp/ecryptfs.wzps13vP

I open the File Manager, go to File System, then tmp folder. Right click and choose 'Open as root'. It asks me for my password, when I entre it it opens the file. Now the locked files can be seen unlocked. However, none of them is the ecryptfs.wzps13vP!

I opened all the subfolders in the tmp folder. My data is not visible there

[lostfarmer]

not sure what is going on. when you run << sudo ecryptfs-recover-private >> do you get the same that you posted on Mon Jan 15, 2018 6:41 pm ?

[kuzman1]

Thanks

when you run << sudo ecryptfs-recover-private >> do you get the same that you posted on Mon Jan 15, 2018 6:41 pm ?

pretty much.

Here is the terminal

Code: Select all

dave@dave ~ $ sudo ecryptfs-recover-private
[sudo] password for dave: 
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/home/dave/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] y
INFO: To recover this directory, you MUST have your original MOUNT passphrase.
INFO: When you first setup your encrypted private directory, you were told to record
INFO: your MOUNT passphrase.
INFO: It should be 32 characters long, consisting of [0-9] and [a-f].

Enter your MOUNT passphrase: 
INFO: Success!  Private data mounted at [/tmp/ecryptfs.9AVG36Cs].
dave@dave ~ $ sudo ls /tmp/ecryptfs.9AVG36Cs

I open the File Manager, open the File System folder>tmp folder, right click and choose 'Open as root'>it opens the folder and I can see a folder called '/tmp/ecryptfs.9AVG36Cs' with a lock on it, which means it is still encrypted.

[kuzman1]

Please note that now when I have the command:

Code: Select all

dave@dave ~ $ sudo ls /tmp/ecryptfs.9AVG36Cs

it does not proceed with asking me for my password and then gives me the results I had before on Tue Jan 16, 2018 5:50 pm .

[lostfarmer]

your first use of >> sudo ecryptfs-recover-private>> it has

Found [/media/dave/206603df-6f5c-4600-84d4-a3dd6289b828/home/.ecryptfs/dave/.Private].

did you have a different partition/hdd mounted ? I think it is finding your new installed ecrypfts not the old one.

[kuzman1]

double post

[kuzman1]

Thanks A MILLION lostfammer.
You gave me the clue and I found it . Without it, I was going around in circles.

In regard to your latest response:

did you have a different partition/hdd mounted ? I think it is finding your new installed ecrypfts not the old one.

I was getting this because I copied /home/ (encrypted and hidden contents) into an external hard drive. Last time I went to the terminal, I did not connect the external hard drive and did not have this.



To help anyone who will get this problem I will start from scratch and go in detail to all the steps:


1. Reboot using a live USB

2. !!! make sure that your target system's hard drive is mounted !!!.

If you will not do that you will not proceed beyond a certain point .

3. Open the terminal and run

Code: Select all

sudo ecryptfs-recover-private

4. When everything goes well, you will get something like
INFO: Success! Private data mounted at [/tmp/ecryptfs.UF1BZJLH].
Which means that the encrypted data is now mounted on /tmp/ as ecryptfs.UF1BZJLH

5.

Code: Select all

 sudo ls /tmp/ecryptfs.UF1BZJLH

6. You still cannot see your files in the File Manager. The terminal will show all the folders you had in /home/, but you must see them.

7. to see the old data files, open the File Manager >> go to File System >> open tmp folder. This will show a folder (in this example) /ecryptfs.UF1BZJLH/ and it will have a lock, right click on this one and choose 'Open as root'. This will display the old data file.

!!! done !!!

Here is the terminal

Code: Select all

dave@dave ~ $ sudo ecryptfs-recover-private
[sudo] password for dave: 
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/home/dave/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] y
INFO: Enter your LOGIN passphrase...
Passphrase: 
Inserted auth tok with sig [62c819ddbcdd90f1] into the user session keyring
INFO: Success!  Private data mounted at [/tmp/ecryptfs.BKpZ34gr].
INFO: Found [/media/dave/206603df-6f5c-4600-84d4-a3dd6289b828/home/.ecryptfs/dave/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] y
INFO: Enter your LOGIN passphrase...
Passphrase: 
Inserted auth tok with sig [91a0649db3664d37] into the user session keyring
INFO: Success!  Private data mounted at [/tmp/ecryptfs.UF1BZJLH].
dave@dave ~ $ sudo ls /tmp/ecryptfs.UF1BZJLH
Books		  Documents	 Movies       notebook.zim  Public
Completed Movies  Documents.txt  mozilla.pdf  OLED TV.ods   Templates
Desktop		  Downloads	 Music	      Pictures	    Videos
dave@dave ~ $