HOWTO: Recover files from encrypted ecryptfs home directory

Linux_Lobo
Level 2
Posts: 55
Joined: Mon Jun 18, 2018 6:17 am

HOWTO: Recover files from encrypted ecryptfs home directory

Post by Linux_Lobo »

Here are the steps I used to recover my files so hopefully others can avoid problems:

1) Log onto your PC
1.1) Create a bootable USB drive of the Linux Mint live CD https://linuxmint-installation-guide.re ... /burn.html
1.2) Boot into a session of Linux Mint using the Live CD https://linuxmint-installation-guide.re ... /boot.html

2) Find Your Mount Passphrase (This is different to your Login Passphrase)
2.1) Select "Computer" from the top left of the desktop and select the volume with your data stored on it
2.2) My folder directory appeared as follows:
2.3) Make sure hidden files are visible: view/"show hidden files".
2.4) Select the home folder and right click and select the option "open as root"
2.5) Navigate to find the folder that contains the file "wrapped-passphrase".
2.6) Go back a level and right click on the .ecryptfs folder and select the option "open in terminal". Then enter into the Terminal: sudo ecryptfs-unwrap-passphrase ./wrapped-passphrase
2.7) When prompted enter your login passphrase/password and the output will be your Mount Passphrase. Copy and save it.

Code:

root@mint:/media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/home/.ecryptfs/userx/.ecryptfs# sudo ecryptfs-unwrap-passphrase ./wrapped-passphrase
Passphrase: 
52e77e0bbec4edfe3d7e8581536a54fe

3) Find the Filename Encryption Key
Add the filename encryption key to the keyring. In a new Terminal window enter: sudo ecryptfs-add-passphrase --fnek
- Enter your Mount Passphrase when prompted (NOT your login passphrase/password).
- No feedback will be given so pasting it works best.
- NOTE: using your login passphrase will generate incorrect keys.

Code:

mint@mint:~$ sudo ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [3c4b10f3dcadf302] into the user session keyring
Inserted auth tok with sig [0d690d0b3dafaee3] into the user session keyring

Record the second key listed for use in the next section. In my case it is 0d690d0b3dafaee3

4) Mount your Encrypted Drive
- You need to locate the directory of the .Private file using a file browser. In my case the code was: sudo mount -t ecryptfs /media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/home/.ecryptfs/userx/.Private /media/
- Enter your Mount Passphrase when prompted (as in Step 1). See code below for option selections and use your own unique Filename Encryption key from Step 1 above.

Code:

mint@mint:~$ sudo mount  -t ecryptfs /media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/home/.ecryptfs/userx/.Private /media/
Passphrase:
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: aes
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 16
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [3c4b10f3dcadf302]: 0d690d0b3dafaee3
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=0d690d0b3dafaee3
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=3c4b10f3dcadf302
Mounted eCryptfs

You should see Mounted eCryptfs!!
In my case, the files were mounted in /media and were accessible. Now you can save these files to another location. If you don't, you will need to repeat the previous steps again once you reboot and you've probably had enough fun for the day already! ;)

Useful link:
https://pfertyk.me/2017/05/recovering-e ... in-ubuntu/
Last edited by Linux_Lobo on Sun Jul 26, 2020 6:36 am, edited 6 times in total.
deck_luck
Level 5
Posts: 956
Joined: Mon May 27, 2019 6:57 pm
Location: R-4808 North

Re: HOWTO: Recover files from encrypted home directory

Post by deck_luck »

As a friendly suggestion you might consider changing the title to include the ecryptfs home directory. Many Linux users are using the dm-crypt+LUKS and depending on their Linux technical knowledge they might confuse it with ecryptfs.

It looks like a nice article, and I am still reading it.
Last edited by deck_luck on Mon May 18, 2020 11:07 am, edited 2 times in total.
🐧Linux Mint 19 XFCE 💡Give a friend a fish, and you feed them for a day. Teach a friend how to fish, and you feed them for a lifetime. ✝️ Proverbs 4:7 Wisdom is the principal thing; therefore get wisdom: and with all thy getting get understanding.
lbesnard
Level 1
Posts: 1
Joined: Mon May 18, 2020 12:40 am

Re: HOWTO: Recover files from encrypted home directory

Post by lbesnard »

Thanks so much. It worked perfectly. Really annoying that in the install of Mint you don't get told at all about this passphrase thing.
Gilbert
Level 1
Posts: 12
Joined: Sat Dec 22, 2018 9:29 am
Location: Montreal, Qc, Canada

Re: HOWTO: Recover files from encrypted home directory

Post by Gilbert »

Thank you, for a very nice tutorial. :)

My question is: So anybody that is a little (or more) tech savvy can decrypt my encrypted home folder? :?

Where is the security then!

Gilbert.
Thank You.
Have a nice day.
Gilbert
rene
Level 16
Posts: 6681
Joined: Sun Mar 27, 2016 6:58 pm

Re: HOWTO: Recover files from encrypted home directory

Post by rene »

Gilbert wrote:
Thu May 28, 2020 3:26 pm
My question is: So anybody that is a little (or more) tech savvy can decrypt my encrypted home folder? :?
No, they need the login password, i.e., same between when the encrypted home folder is in fact still a home folder and when it is a to be recovered home folder somewhere.
Gilbert
Level 1
Posts: 12
Joined: Sat Dec 22, 2018 9:29 am
Location: Montreal, Qc, Canada

Re: HOWTO: Recover files from encrypted home directory

Post by Gilbert »

Thank You

Gilbert
pbear
Level 14
Posts: 5367
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: HOWTO: Recover files from encrypted home directory

Post by pbear »

Moreover, in my understanding, if the login password is changed by someone else, the procedure described here won't work.
xenopeek wrote:
Thu Apr 25, 2019 3:29 pm
If you change your password while you are logged in, the passphrase will be automatically rewrapped with the new password. If another user changes your password you can lock yourself out of your account because the passphrase will not be wrapped with your new password (as long as you have the mount passphrase you can always retrieve your files though). This happens for example when running some command or program as root, to change your password with that.
rene
Level 16
Posts: 6681
Joined: Sun Mar 27, 2016 6:58 pm

Re: HOWTO: Recover files from encrypted home directory

Post by rene »

pbear wrote:
Sat May 30, 2020 3:03 pm
Moreover, in my understanding, if the login password is changed by someone else, the procedure described here won't work.
Well, as to the procedure described here, we're more or less past the encrypted directory being an actual current home directory, and as such, "the login password" from my above reply is to say "the forever frozen in time login password of the user whose encrypted home directory this was". As long as you know that, you can apply this procedure.

As to the directory encryption itself only the mount passphrase is relevant and it is in turn encrypted with the user's login password. If a user uses (say) passwd to update their password, the mount passphrase is decrypted with the old, re-encrypted with the new password automatically but yes, if said user uses say sudo passwd <user>, i.e., changes their password as root, this does not happen, the old password being at the very least conceptually unavailable for decryption of the mount passphrase.

We've seen that happen on the forum but changing a login password isn't really the issue then here in this specific post any more: if (and only if, optimistically) the login password of the user whose encrypted home directory a to be recovered encrypted directory once was is available, the method works.
Solaire
Level 1
Posts: 3
Joined: Sun May 31, 2020 5:56 am

Re: HOWTO: Recover files from encrypted home directory

Post by Solaire »

Can anyone explain step 4?
4) Mount your Encrypted Drive
- You need to locate the directory of the .Private file using a file browser. In my case the code was
In that case yes, but what about in other cases??? I don't understand this step.
rene
Level 16
Posts: 6681
Joined: Sun Mar 27, 2016 6:58 pm

Re: HOWTO: Recover files from encrypted home directory

Post by rene »

An encrypted home directory of, say, user "userx" is kept on the system as /home/.ecryptfs/userx/.Private. In this case of recovering an encrypted home directory from a boot into the Live system said .Private directory of course doesn't live under /home itself, /home being the Live system's /home, but needs to be located as indicated on a from said Live system visible drive. In the author's case said drive apparently mounted to /media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/ when accessed from the Live system's file-manager, meaning he found the relevant .Private directory as /media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/home/.ecryptfs/userx/.Private.

That's all.
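
An added example (not part of any post in this thread and not ecryptfs-utils code) covering step 4 and the explanation above: it lists the .Private directories under any mounted volume, extracts the two signatures from the `ecryptfs-add-passphrase --fnek` output, checks them against Private.sig, and builds the mount option string. The function names are illustrative; Private.sig (the per-user signature file kept beside wrapped-passphrase) is not shown in the thread and is assumed to be present; aes and 16 key bytes are the values chosen in the tutorial.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of ecryptfs-utils.

# Print every eCryptfs lower directory under a mounted volume, following the
# <root>/home/.ecryptfs/<user>/.Private layout described in the thread.
find_private_dirs() {
    for _d in "$1"/home/.ecryptfs/*/.Private; do
        if [ -d "$_d" ]; then printf '%s\n' "$_d"; fi
    done
}

# stdin:  output of `ecryptfs-add-passphrase --fnek`
# stdout: "<sig> <fnek_sig>" (first signature = content key, second = FNEK)
# Fails unless exactly two signatures are present.
parse_sigs() {
    _sigs=$(sed -n 's/.*Inserted auth tok with sig \[\([0-9a-f]\{16\}\)].*/\1/p')
    set -- $_sigs
    [ "$#" -eq 2 ] || return 1
    printf '%s %s\n' "$1" "$2"
}

# Compare "<sig> <fnek_sig>" ($2) with a Private.sig file ($1, one signature
# per line; assumed to exist beside wrapped-passphrase). A mismatch means the
# keys were derived from the wrong passphrase, e.g. the login password
# instead of the mount passphrase.
sigs_match_private_sig() {
    [ "$(tr '\n' ' ' < "$1" | sed 's/ *$//')" = "$2" ]
}

# Build the -o string: the options the mount helper prints in the tutorial
# (aes, 16 key bytes), plus "ro" so the recovered data cannot be modified.
build_mount_opts() {
    printf 'ro,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=%s,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=%s\n' "$2" "$1"
}

# Sample input: the output shown in step 3 of the tutorial. Nothing here
# touches the keyring or mounts anything.
SAMPLE='Passphrase:
Inserted auth tok with sig [3c4b10f3dcadf302] into the user session keyring
Inserted auth tok with sig [0d690d0b3dafaee3] into the user session keyring'

sigs=$(printf '%s\n' "$SAMPLE" | parse_sigs) && build_mount_opts $sigs
```

Pass the printed string with -o to the `sudo mount -t ecryptfs` command from step 4, using a directory printed by find_private_dirs as the source.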
detimo
Level 1
Posts: 47
Joined: Sun Jun 21, 2020 9:56 am

Re: HOWTO: Recover files from encrypted home directory

Post by detimo »

Thank you
BubbleBobble
Level 1
Posts: 2
Joined: Thu Jul 02, 2020 12:37 pm

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by BubbleBobble »

Thanks so much for the detailed tutorial!!! I am not really used to command lines. But for me your tutorial worked! My situation was that I had my private data on an extra partition on a Linux Mint 19 installation. I then did a clean install of 19.3, thinking "well, a clean install might be less troublesome than an upgrade AND my data is on an extra partition. So nothing to fear." But I could not access my private data after the clean installation because my private data was encrypted (a fact I obviously forgot :oops: ) and my Mint 19 was gone. Argh! :x But your tutorial helped me recover it. :D
For other users: So bottom line is: the tutorial works after a clean installation and having your data on an extra partition too.
Be careful when you adapt the directory structure for the commands and about the location from where you execute the commands, and be sure you have root rights.
KeithGabel77
Level 1
Posts: 9
Joined: Thu Jul 02, 2020 3:55 am

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by KeithGabel77 »

I came from this topic (viewtopic.php?f=90&t=323496) as being referred here by (Kadaitcha Man).

I'm running version 19.3.

Just few points I want to stress on:

- In step 4, where the OP says, "You need to locate the directory of the .Private file using a file browser."

The directory is the same as the one found in step 2.7, just copy and paste it from the terminal.

- In the last step in step 4, the terminal of the OP seems to have some issues, so here are some edits of what I can remember

When asked for "Selection [aes]:", type 1 or aes, can't remember correctly.

When asked for "Select key bytes:", type 1 or 16, can't remember correctly.

You will find a warning that you may have entered the mount phrase I think incorrectly then you will have the "Mounted eCryptfs" message, just ignore the warning.

If you are running the OS inside a virtual machine program, you won't be able to drag/drop or copy/paste your contents to your host machine, just connect a usb flash stick or any other medium to the guest machine, open it as root (IMPORTANT), and move your files to that medium.
zshlover
Level 1
Posts: 21
Joined: Sun Jul 05, 2020 8:34 am

Re: HOWTO: Recover files from encrypted home directory

Post by zshlover »

rene wrote:
Thu May 28, 2020 3:52 pm
Gilbert wrote:
Thu May 28, 2020 3:26 pm
My question is: So anybody that is a little (or more) tech savvy can decrypt my encrypted home folder? :?
No, they need the login password, i.e., same between when the encrypted home folder is in fact still a home folder and when it is a to be recovered home folder somewhere.
Ah so without the password the data is lost. Took a look at ecryptfs, it uses a variant of OpenPGP
rene
Level 16
Posts: 6681
Joined: Sun Mar 27, 2016 6:58 pm

Re: HOWTO: Recover files from encrypted home directory

Post by rene »

zshlover wrote:
Mon Jul 06, 2020 6:30 am
Ah so without the password the data is lost. Took a look at ecryptfs, it uses a variant of OpenPGP
Basically, yes. Of course, if there's reason to believe that the login password was no longer than 8 characters or some such, did not include anything other than lowercase letters, etc., etc., it may be an option to brute-force it, i.e., crack it by scripting an algorithm that just tries all possibilities, but foregoing that, you'd need to be pretty sophisticated to stand a chance indeed.
Phairnix
Level 1
Posts: 17
Joined: Tue Jul 07, 2020 6:24 am

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by Phairnix »

BubbleBobble wrote:
Thu Jul 02, 2020 12:55 pm
Thanks so much for the detailed tutorial!!! I am not really used to command lines. But for me your tutorial worked! My situation was that I had my private data on an extra partition on a Linux Mint 19 installation. I then did a clean install of 19.3, thinking "well, a clean install might be less troublesome than an upgrade AND my data is on an extra partition. So nothing to fear." But I could not access my private data after the clean installation because my private data was encrypted (a fact I obviously forgot :oops: ) and my Mint 19 was gone. Argh! :x But your tutorial helped me recover it. :D
For other users: So bottom line is: the tutorial works after a clean installation and having your data on an extra partition too.
Be careful when you adapt the directory structure for the commands and about the location from where you execute the commands, and be sure you have root rights.
I am planning to do a clean install of Linux Mint 20 and I am facing a somewhat similar problem. As I am still quite new to Linux and I have never done a clean install leaving the home partition intact, I am not quite sure I understood the procedure correctly. Due to my limited knowledge, I am not sure either, if my situation is really relevant to the problem described here. Anyway, I thought I would ask here first, rather than starting a new thread.

My home partition is currently encrypted and I have an additional data partition that is encrypted and mounts at boot. When installing Linux Mint 20, I guess I will be asked if I want to maintain my partition table (option: something else). As the answer is obviously yes, I will have to choose the partition where I want to install Mint 20, which would be the one where Mint 19.3. currently is. Given that I want the home partition to be encrypted, I ask myself what the recovery means in this tutorial, as it is not really explained in the end.

Will I have permanent access to the home partition and will it remain encrypted and automatically mount so at boot? If not, how can I configure it to be that way?

As for the separate data partition with LUKS encryption, am I correct in the assumption that I can simply set it up again to mount at boot?

I hope I can get some advice in order to avoid messing up the clean install.
rene
Level 16
Posts: 6681
Joined: Sun Mar 27, 2016 6:58 pm

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by rene »

Since I had no idea how the installer handles that (I neither use nor advise home directory encryption) I just simulated this in VirtualBox and, yes, it's all automatic. I.e., starting with a 19.3 install on two separate partitions for / and /home and with an encrypted home directory for its initial user "rene", when I during the Mint 20 install elected to again place / and /home on those same partitions, of course elected to not format /home, and again created an initial user "rene" with the same password, the installer didn't even let me deselect "encrypt my home folder" and I on reboot found myself with my former encrypted home directory still my encrypted home directory.

As to the separate encrypted data partition, yes, I would suppose you just need to arrange for it to be mounted again in the same manner as you did originally.

But together that's to say then that indeed your query is not really related to this post: you have nothing to "recover" as such.
Phairnix
Level 1
Posts: 17
Joined: Tue Jul 07, 2020 6:24 am

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by Phairnix »

@rene, thanks for the clear response (and the simulation! :D ). Now I understand that I have nothing to recover indeed. No hijacking intended, it was just a misunderstanding of the issue at hand. It seems to be less problematic than I thought it might be.

Anyway, good to know that this tutorial exists in case something goes wrong.

As to the comment that you do not recommend home directory encryption, I would obviously like to know why. I will post a new topic this time.
BubbleBobble
Level 1
Posts: 2
Joined: Thu Jul 02, 2020 12:37 pm

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by BubbleBobble »

Linux_Lobo wrote:
Thu Mar 26, 2020 1:41 pm
In my case, the files were mounted in /media and were accessible. I had problems with having access to other drives once the drive was mounted. Perhaps a root permission issue? However, I did manage to transfer them to an external drive but unfortunately can't recall how I got it working!
I had to encrypt my data today again because of a strange reason. I found no data in that folder I once copied my encrypted data according to your tutorial. :shock: So I tried your tutorial again. I got the same problem you had in between at step 4) after entering 'sudo mount -t ecryptfs /...'. I got the following error message:
mount(2) Systemaufruf ist fehlgeschlagen: Datei oder Verzeichnis nicht gefunden.
Error mounting eCryptfs: [-1] Operation not permitted
Check your system logs; visit <http://ecryptfs.org/support.html>
I then used in step 4) the terminal with root rights. Then it worked! I now backed up my data somewhere else. I am still wondering why I still do not have the data from my first successful try from July 2nd ...

Important note: I noticed that the data is missing again after rebooting. The data backup created by this command is obviously only temporary! So as Linux_Lobo originally suggests: back up the data manually somewhere else!