HOWTO: Recover files from encrypted ecryptfs home directory

Linux_Lobo
Level 2
Posts: 55
Joined: Mon Jun 18, 2018 6:17 am

HOWTO: Recover files from encrypted ecryptfs home directory

Post by Linux_Lobo »

Here are the steps I used to recover my files so hopefully others can avoid problems:

1) Log onto your PC
1.1) Create a bootable USB drive of the Linux Mint live CD https://linuxmint-installation-guide.re ... /burn.html
1.2) Boot into a session of Linux Mint using the Live CD https://linuxmint-installation-guide.re ... /boot.html

2) Find Your Mount Passphrase (This is different to your Login Passphrase)
2.1) Select "Computer" from the top left of the desktop and select the volume with your data stored on it
[Screenshot: Computer]
2.2) My folder directory appeared as follows:
[Screenshot: Files]
2.3) Make sure hidden files are visible: view/"show hidden files".
2.4) Select the home folder and right click and select the option "open as root"
2.5) Navigate to find the folder that contains the file "wrapped-passphrase". E.g.
[Screenshot: wrapped-passphrase]
2.6) Go back a level and right click on the .ecryptfs folder and select the option "open in terminal". Then enter into the Terminal: sudo ecryptfs-unwrap-passphrase ./wrapped-passphrase
2.7) When prompted enter your login passphrase/password and the output will be your Mount Passphrase. Copy and save it.

Code:

root@mint:/media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/home/.ecryptfs/userx/.ecryptfs# sudo ecryptfs-unwrap-passphrase ./wrapped-passphrase
Passphrase: 
52e77e0bbec4edfe3d7e8581536a54fe

3) Find the Filename Encryption Key
Add the filename encryption key to the keyring. In a new Terminal window enter: sudo ecryptfs-add-passphrase --fnek
- Enter your Mount Passphrase when prompted (NOT your login passphrase/password).
- No feedback will be given so pasting it works best.
- NOTE: using your login passphrase will generate incorrect keys.

Code:

mint@mint:~$ sudo ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [3c4b10f3dcadf302] into the user session keyring
Inserted auth tok with sig [0d690d0b3dafaee3] into the user session keyring

Record the second key listed for use in the next section. In my case it is 0d690d0b3dafaee3

4) Mount your Encrypted Drive
- You need to locate the directory of the .Private file using a file browser. In my case the code was: sudo mount -t ecryptfs /media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/home/.ecryptfs/userx/.Private /media/
- Enter your Mount Passphrase when prompted (as in Step 1). See code below for option selections and use your own unique Filename Encryption key from Step 1 above.

Code:

mint@mint:~$ sudo mount  -t ecryptfs /media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/home/.ecryptfs/userx/.Private /media/
Passphrase:
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: aes
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 16
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [3c4b10f3dcadf302]: 0d690d0b3dafaee3
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=0d690d0b3dafaee3
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=3c4b10f3dcadf302
Mounted eCryptfs

You should see Mounted eCryptfs!!
In my case, the files were mounted in /media and were accessible. Now you can save these files to another location. If you don't, you will need to repeat the previous steps again once you reboot and you've probably had enough fun for the day already! ;)

Useful link:
https://pfertyk.me/2017/05/recovering-e ... in-ubuntu/
Last edited by Linux_Lobo on Sun Jul 26, 2020 6:36 am, edited 6 times in total.
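
An added example, not part of the original post: a shell helper that takes the two signatures printed in step 3 and builds the option list step 4 reports under "Attempting to mount with the following options", then prints the matching mount command without running it. The function names, the `/mnt/recovered` mount point and the added `ro` (read-only) option are assumptions made for this example; cipher and key size are the values chosen in the post.

```shell
# Added example (not from the original post): derive the step 4 mount options
# from the step 3 output and print, without running, a read-only mount command.

# Constructed sample: the two lines printed by `ecryptfs-add-passphrase --fnek`
# in the tutorial.
SAMPLE_OUTPUT='Inserted auth tok with sig [3c4b10f3dcadf302] into the user session keyring
Inserted auth tok with sig [0d690d0b3dafaee3] into the user session keyring'

# Print each 16-hex-digit signature found as "sig [...]", one per line.
extract_sigs() {
    printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p'
}

# Build the option list. First signature = ecryptfs_sig, second = FNEK
# signature, as in the post. "ro" is added (assumption of this example) so
# the recovery mount cannot modify the encrypted source.
build_mount_opts() {
    local sigs sig fnek
    sigs=$(extract_sigs "$1")
    # Anything other than exactly two signatures means step 3 went wrong.
    [ "$(printf '%s\n' "$sigs" | grep -c .)" -eq 2 ] || return 1
    sig=$(printf '%s\n' "$sigs" | sed -n 1p)
    fnek=$(printf '%s\n' "$sigs" | sed -n 2p)
    printf '%s' "ro,ecryptfs_unlink_sigs,ecryptfs_fnek_sig=$fnek,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=$sig"
}

# Print the mount command for a .Private directory ($1), a mount point ($2)
# and the step 3 output ($3). The mount helper may still prompt for
# anything not supplied here; answer as in step 4.
print_mount_cmd() {
    local opts
    case "$1" in
        */.Private) ;;
        *) echo "source must be the user's .Private directory" >&2; return 1 ;;
    esac
    opts=$(build_mount_opts "$3") || { echo "need exactly two signatures" >&2; return 1; }
    printf 'sudo mount -t ecryptfs -o %s %s %s\n' "$opts" "$1" "$2"
}

# /mnt/recovered is an assumed, empty mount point (the post mounts on /media/).
print_mount_cmd /media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/home/.ecryptfs/userx/.Private \
    /mnt/recovered "$SAMPLE_OUTPUT"
```
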
deck_luck
Level 7
Posts: 1577
Joined: Mon May 27, 2019 6:57 pm
Location: R-4808 North

Re: HOWTO: Recover files from encrypted home directory

Post by deck_luck »

As a friendly suggestion you might consider changing the title to include the ecryptfs home directory. Many Linux users are using dm-crypt+LUKS and, depending on their Linux technical knowledge, they might confuse it with ecryptfs.

It looks like a nice article, and I am still reading it.
Last edited by deck_luck on Mon May 18, 2020 11:07 am, edited 2 times in total.
lbesnard

Re: HOWTO: Recover files from encrypted home directory

Post by lbesnard »

Thanks so much. It worked perfectly. Really annoying that in the install of Mint you don't get told at all about this passphrase thing.
Gilbert

Re: HOWTO: Recover files from encrypted home directory

Post by Gilbert »

Thank you, for a very nice tutorial. :)

My question is: So anybody that is a little (or more) tech savvy can decrypt my encrypted home folder? :?

Where is the security then !

Gilbert.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: HOWTO: Recover files from encrypted home directory

Post by rene »

Gilbert wrote: Thu May 28, 2020 3:26 pm My question is: So anybody that is a little (or more) tech savvy can decrypt my encrypted home folder? :?
No, they need the login password, i.e., same between when the encrypted home folder is in fact still a home folder and when it is a to be recovered home folder somewhere.
Gilbert

Re: HOWTO: Recover files from encrypted home directory

Post by Gilbert »

Thank You

Gilbert
pbear
Level 16
Posts: 6569
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: HOWTO: Recover files from encrypted home directory

Post by pbear »

Moreover, in my understanding, if the login password is changed by someone else, the procedure described here won't work.
xenopeek wrote: Thu Apr 25, 2019 3:29 pm If you change your password while you are logged in, the passphrase will be automatically rewrapped with the new password. If another user changes your password you can lock yourself out of your account because the passphrase will not be wrapped with your new password (as long as you have the mount passphrase you can always retrieve your files though). This happens for example when running some command or program as root, to change your password with that.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: HOWTO: Recover files from encrypted home directory

Post by rene »

pbear wrote: Sat May 30, 2020 3:03 pm Moreover, in my understanding, if the login password is changed by someone else, the procedure described here won't work.
Well, as to the procedure described here, we're more or less past the encrypted directory being an actual current home directory, and as such, "the login password" from my above reply is to say "the forever frozen in time login password of the user whose encrypted home directory this was". As long as you know that, you can apply this procedure.

As to the directory encryption itself only the mount passphrase is relevant and it is in turn encrypted with the user's login password. If a user uses (say) passwd to update their password, the mount passphrase is decrypted with the old, re-encrypted with the new password automatically but yes, if said user uses say sudo passwd <user>, i.e., changes their password as root, this does not happen, the old password being at the very least conceptually unavailable for decryption of the mount passphrase.

We've seen that happen on the forum but changing a login password isn't really the issue then here in this specific post any more: if (and only if, optimistically) the login password of the user whose encrypted home directory a to be recovered encrypted directory once was is available, the method works.
Solaire

Re: HOWTO: Recover files from encrypted home directory

Post by Solaire »

Can anyone explain step 4?
4) Mount your Encrypted Drive
- You need to locate the directory of the .Private file using a file browser. In my case the code was
In that case yes, but what about in other cases??? I don't understand this step.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: HOWTO: Recover files from encrypted home directory

Post by rene »

An encrypted home directory of, say, user "userx" is kept on the system as /home/.ecryptfs/userx/.Private. In this case of recovering an encrypted home directory from a boot into the Live system said .Private directory of course doesn't live under /home itself, /home being the Live system's /home, but needs to be located as indicated on a from said Live system visible drive. In the author's case said drive apparently mounted to /media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/ when accessed from the Live system's file-manager, meaning he found the relevant .Private directory as /media/mint/1d8f3bdd-b89d-4ca6-8592-060660799cf0/home/.ecryptfs/userx/.Private.

That's all.
detimo

Re: HOWTO: Recover files from encrypted home directory

Post by detimo »

Thank you
BubbleBobble

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by BubbleBobble »

Thanks so much for the detailed tutorial!!! I am not really used to command lines. But for me your tutorial worked! My situation was that I had my private data on an extra partition on a Linux Mint 19 installation. I then did a clean install of 19.3, thinking "well, a clean install might be less troublesome than an upgrade AND my data is on an extra partition. So nothing to fear." But I could not access my private data after the clean installation because my private data was encrypted (a fact I obviously forgot :oops: ) and my Mint 19 was gone. Argh! :x But your tutorial helped me recover it. :D
For other users: So bottom line is: the tutorial works after clean installation and having your data on an extra partition too
Be careful when you adopt the directory-structure for the commands, about the location from where you execute the commands and be sure you got root-rights.
KeithGabel77

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by KeithGabel77 »

I came from this topic (viewtopic.php?f=90&t=323496) after being referred here by (Kadaitcha Man).

I'm running version 19.3.

Just a few points I want to stress:

- In step 4, where the OP says, "You need to locate the directory of the .Private file using a file browser."

The directory is the same as the one found in step 2.7, just copy and paste it from the terminal.

- In the last step in step 4, the terminal of the OP seems to have some issues, so here are some edits from what I can remember

When asked for "Selection [aes]:", type 1 or aes, can't remember correctly.

When asked for "Select key bytes:", type 1 or 16, can't remember correctly.

You will find a warning that you may have entered the mount phrase I think incorrectly then you will have the "Mounted eCryptfs" message, just ignore the warning.

If you are running the OS inside a virtual machine program, you won't be able to drag/drop or copy/paste your contents to your host machine, just connect a usb flash stick or any other medium to the guest machine, open it as root (IMPORTANT), and move your files to that medium.
User avatar
zshlover
Level 1
Posts: 30
Joined: Sun Jul 05, 2020 8:34 am

Re: HOWTO: Recover files from encrypted home directory

Post by zshlover »

rene wrote: Thu May 28, 2020 3:52 pm
Gilbert wrote: Thu May 28, 2020 3:26 pm My question is: So anybody that is a little (or more) tech savvy can decrypt my encrypted home folder? :?
No, they need the login password, i.e., same between when the encrypted home folder is in fact still a home folder and when it is a to be recovered home folder somewhere.
Ah, so without the password the data is lost. Took a look at ecryptfs, it uses a variant of OpenPGP
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: HOWTO: Recover files from encrypted home directory

Post by rene »

zshlover wrote: Mon Jul 06, 2020 6:30 am Ah, so without the password the data is lost. Took a look at ecryptfs, it uses a variant of OpenPGP
Basically, yes. Of course, if there's reason to believe that the login password was no longer than 8 characters or some such, did not include anything other than lowercase letters, etc., etc., it may be an option to brute-force it, i.e., crack it by scripting an algorithm that just tries all possibilities, but foregoing that, you'd need to be pretty sophisticated to stand a chance indeed.
BubbleBobble

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by BubbleBobble »

Linux_Lobo wrote: Thu Mar 26, 2020 1:41 pm In my case, the files were mounted in /media and were accessible. I had problems with having access to other drives once the drive was mounted. Perhaps a root permission issue? However, I did manage to transfer them to an external drive but unfortunately can't recall how I got it working!
I had to encrypt my data today again because of a strange reason. I found no data in that folder I once copied my encrypted data according to your tutorial. :shock: So I tried your tutorial again. I got the same problem you had in between at step 4) after entering 'sudo mount -t ecryptfs /...'. I got the following error message:
mount(2) Systemaufruf ist fehlgeschlagen: Datei oder Verzeichnis nicht gefunden.
Error mounting eCryptfs: [-1] Operation not permitted
Check your system logs; visit <http://ecryptfs.org/support.html>
I then used in step 4) the terminal with root-rights. Then it worked! I now backed up my data somewhere else. I am still wondering why I have not still the data from my first successful try from July 2nd ...

Important note: I noticed that the data is missing again after rebooting. The data backup created by this command is obviously only temporary! So as Linux_Lobo originally suggests: back up the data manually somewhere else!
tnim_xunil

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by tnim_xunil »

Thanx for this tutorial.
I'd like to decrypt my "home" folder, but I only have the password. Is it enough ?

Because
2.7) When prompted enter your login passphrase/password and the output will be your Mount Passphrase. Copy and save it.
asks for "passphrase/password". What is it ? When I enter the home folder password, it does not work. Instead I have "Error: unwrapping passphrase failed" with an error code like "[-2]".

Thanx !
Moonstone Man
Level 16
Level 16
Posts: 6054
Joined: Mon Aug 27, 2012 10:17 pm

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by Moonstone Man »

tnim_xunil wrote: Tue Oct 06, 2020 8:02 pm Thanx !
If the tutorial isn't working for you, start a new thread and reference this thread. To answer your first question about your user password being sufficient, no. You need to know the passphrase that you would have fed to the installer at install time. If it was sufficient then encryption would be pointless.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by rene »

Mmm. So as to avoid confusion on comments on a HOWTO, the immediately above is not in fact true. The only thing you need to recover, i.e., decrypt, the content of what was once a user's home directory, is said user's login password at the time it was said user's home directory. Now, if we are talking about "the standard first Mint user" as created at install time that may of course be "the passphrase that you would have fed to the installer at install time" but unless you do it wrong the actual eventual encryption passphrase is rewrapped with the login password if said login password is updated by the user also post-install, so this need not be the case. Certainly it's not for users with an encrypted home directory created post-install.

Any case, yes, other thread would be good.
somekindahate
Level 1
Posts: 4
Joined: Sun Oct 03, 2021 11:23 am

Re: HOWTO: Recover files from encrypted ecryptfs home directory

Post by somekindahate »

There is a problem in the code for step 4. It seems like extra stuff was pasted in-between the code you'd receive from the terminal, and it makes it very confusing.