[SOLVED] recovering encrypted /home

fabien85
Level 7
Posts: 1789
Joined: Tue Mar 11, 2014 4:30 pm

[SOLVED] recovering encrypted /home

Post by fabien85 »

Hi,
So I am testing installation with an encrypted home. One drawback of encryption is that it's harder to recover your files in case of a system crash. So before venturing further, I wanted to test and find the methodology to be able to read my encrypted home with a live USB. That turned out much harder than I thought.
I will describe the things I have tried, maybe someone will be able to point out mistakes.
In the install I did, not only is the home encrypted, it's also on a separate partition, maybe that can explain some of my difficulties.


So I booted my live USB (LM18.1 Cinnamon; I checked the ISO and the integrity of the medium). Then I first followed instructions from howtogeek which say to mount the partition, open a terminal and issue

Code:

sudo ecryptfs-recover-private
I tried that with only the /home partition mounted, or with both / and /home mounted. In both cases I got the error:

Code:

INFO: Searching for encrypted private directories (this might take a while)...
find: ‘/run/user/999/gvfs’: Permission denied
find: File system loop detected; ‘/sys/kernel/debug/pinctrl’ is part of the same file system loop as ‘/sys/kernel/debug’.

Next thing I tried was to directly mount the private data, so I mounted /home, cd'd into it, then

Code:

sudo mount -t ecryptfs fabien/ fabien/
was a wild guess which didn't work. It asked me for many things (cipher, key bytes...) that I didn't know; I just went with the defaults. At the end it said "Mounted eCryptfs", but in /home/fabien I didn't have my files, I still had

Code:

Access-Your-Private-Data.desktop  README.txt
It's quite possible I didn't give the right arguments to "mount -t ecryptfs"; I don't really understand what I should give here, so I gave up that route.


Next I adapted instructions from https://www.cyberciti.biz/faq/ubuntu-mo ... om-livecd/, mixed with chroot instructions from https://sites.google.com/site/easylinuxtipsproject/6. sdb2 was the / and sdb3 the /home of the installed system (the computer has another internal hard drive sda that I'm not using at the moment), so I did

Code:

sudo mount /dev/sdb2 /mnt
sudo mount /dev/sdb3 /mnt/home
for i in /dev /dev/pts /proc /sys; do sudo mount -B $i /mnt$i; done
chroot /mnt
and I was chrooted; the terminal prompt changed to root@mint / #
Following the instructions of the cyberciti link, I tried switching to my user

Code:

 # su fabien
open: Permission denied
Error locking counter
I don't know why I got an error, but still the prompt changed to fabien@mint ~ $, and whoami returned "fabien".
Full of hope I issued the final command

Code:

$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [blabla] into the user session keyring
open: Permission denied
Error locking counter
$ ls /home/fabien/
Access-Your-Private-Data.desktop  README.txt
so that didnt work.
I also tried sudo mount -a to mount the fstab; still there is only Access-Your-Private-Data.desktop README.txt in my home.


Only thing that worked is that, still being chrooted, I issued

Code:

$ sudo ecryptfs-recover-private 
sudo: unable to resolve host mint: Connection refused
[sudo] password for fabien: 
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/home/.ecryptfs/fabien/.Private].
Try to recover this directory? [Y/n]: Y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] Y
INFO: Enter your LOGIN passphrase...
Passphrase: 
Inserted auth tok with sig [blabla] into the user session keyring
INFO: Success!  Private data mounted at [/tmp/ecryptfs.blabla2].
and indeed I recovered my home :

Code:

$ ls /tmp/ecryptfs.blabla2/
Desktop  Documents  Downloads  Music  Pictures	Public	Templates  Videos

Now that's quite a long and complicated route. Did I go wrong somewhere?

Edit: fixed typos, added references I used
Last edited by fabien85 on Wed Apr 12, 2017 11:57 am, edited 1 time in total.
fabien85
Level 7
Posts: 1789
Joined: Tue Mar 11, 2014 4:30 pm

Re: recovering encrypted /home

Post by fabien85 »

OK, I found a much simpler solution:
just mount the /home partition (e.g. click on it in the file manager), open a terminal and cd to said partition (or from the file manager go to the partition and right-click > Open in Terminal), then issue:

Code:

sudo ecryptfs-recover-private .ecryptfs/username/.Private/
You will be asked whether you want to recover this directory (Yes! Why on earth would you run this command to say No?...), then it says it found your wrapped-passphrase and asks if you know your login passphrase; if so you enter it and the decrypted directory gets mounted at /tmp/ecryptfs.something
By default it gets mounted read-only (but you can change that by adding the option --rw to ecryptfs-recover-private). And it is owned by the uid of username (e.g. the default 1000 if the user was the first to be created on the installed system), which I guess makes sense, but on a live USB your user is "mint" with uid 999, so you need to use sudo to be able to read the /tmp/ecryptfs.something, cd into it etc. A small complication (but that would be the same with a normal unencrypted directory, I'm guessing).

I didn't yet get the method to mount the private data at /home/username as it should, through the chroot method of https://www.cyberciti.biz/faq/ubuntu-mo ... om-livecd/.
I see this could be useful in some cases, as you preserve the whole structure of the filesystem.
But I will persist, I found many more detailed instructions on https://help.ubuntu.com/community/Encry ... eDirectory. Will report if I succeed.
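The simpler route described in the post above, as an added example that is not the poster's own code: a small POSIX shell helper that, given the mount point of the installed /home partition, lists the users who have an eCryptfs private directory, checks that the key material ecryptfs-recover-private needs is present, and prints the exact command to run. Pointing the tool at the mounted partition rather than letting it scan the whole live system is what avoids the /sys loop and gvfs noise seen in the first attempt. Assumptions: the mount point argument is wherever you mounted the installed /home (e.g. /mnt/home or a /media/mint/... path), and the tree layout is the standard Ubuntu/Mint one, with /home/.ecryptfs/<user>/.Private holding the ciphertext and /home/.ecryptfs/<user>/.ecryptfs/ holding wrapped-passphrase and Private.sig. Nothing here mounts anything; the ecryptfs-recover-private call is only printed so you can inspect it before running it with sudo.

```shell
#!/bin/sh
# Added example (not from the forum post): pre-check an eCryptfs home
# on an already-mounted /home partition and print the recovery command.
# Usage: sh ecryptfs_precheck.sh /mnt/home        (path is an assumption)

# List every <user> that has an encrypted private directory under $1.
# eCryptfs keeps the ciphertext in <home>/.ecryptfs/<user>/.Private.
list_ecryptfs_users() {
    mnt=$1
    [ -d "$mnt/.ecryptfs" ] || return 1
    for d in "$mnt"/.ecryptfs/*/; do
        [ -d "$d/.Private" ] || continue
        basename "$d"
    done
}

# Check the key material ecryptfs-recover-private relies on:
#   wrapped-passphrase : the mount passphrase, wrapped with the login passphrase
#   Private.sig        : signature(s) of the keys that must sit in the keyring
# Prints "ok", or "missing:<file>" and returns 1 on the first missing file.
check_recover_prereqs() {
    mnt=$1; user=$2
    meta="$mnt/.ecryptfs/$user/.ecryptfs"
    for f in wrapped-passphrase Private.sig; do
        if [ ! -s "$meta/$f" ]; then
            echo "missing:$f"
            return 1
        fi
    done
    echo ok
}

# Print the recovery command. The default mount is read-only, which is
# what you want for pure recovery; pass "rw" as $3 to add --rw.
recover_command() {
    mnt=$1; user=$2; mode=${3:-ro}
    if [ "$mode" = rw ]; then
        echo "sudo ecryptfs-recover-private --rw $mnt/.ecryptfs/$user/.Private"
    else
        echo "sudo ecryptfs-recover-private $mnt/.ecryptfs/$user/.Private"
    fi
}

# When run directly with a mount point: report every user found and,
# if the prerequisites are present, the command to recover that home.
if [ $# -eq 1 ]; then
    users=$(list_ecryptfs_users "$1") || { echo "no .ecryptfs directory under $1" >&2; exit 1; }
    for u in $users; do
        status=$(check_recover_prereqs "$1" "$u")
        if [ "$status" = ok ]; then
            echo "$u: run -> $(recover_command "$1" "$u")"
        else
            echo "$u: cannot recover, $status" >&2
        fi
    done
fi
```

The mounted result lands under /tmp/ecryptfs.XXXXXX owned by the original uid, so on the live session you still need sudo (or a matching uid) to read it, exactly as the post notes.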
fabien85
Level 7
Posts: 1789
Joined: Tue Mar 11, 2014 4:30 pm

Re: recovering encrypted /home

Post by fabien85 »

I retried and the mount through chroot worked this time. I think the only difference is that I issued sudo -s from the start.
Since last time I even made the situation more complicated by having another partition on another hard drive encrypted and mounted at /home/fabien/data (i.e. after the encrypted home is mounted: two levels where things can go wrong).

My partitions : / = sdb2 ; /home = sdb3 ; /data = sda2 (later decrypted and mounted at /home/fabien/data)
What I did :

Code:

sudo -s
mount /dev/sdb2 /mnt
mount /dev/sdb3 /mnt/home
mount /dev/sda2 /mnt/data
D=/mnt
mount -o bind /dev $D/dev
mount -o bind /sys $D/sys
mount -o bind /dev/shm $D/dev/shm
mount -o bind /proc $D/proc
chroot $D
Then (including terminal outputs now)

Code:

root@mint / # su fabien
Signature not found in user keyring
Perhaps try the interactive 'ecryptfs-mount-private'
fabien@mint / $ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [blabla] into the user session keyring
and it works, I can see all my home. One thing remains: decrypt and mount /data at /home/fabien/data. I had done the setup through instructions by rcoup here, so I have a script to decrypt and mount said partition. It sufficed to execute the script:

Code:

fabien@mint / $ ./home/fabien/scripts/automount_ecryptfs.extra
and bingo, the /data partition is now decrypted and mounted at /home/fabien/data
So I'm now basically chrooted into my full system with all partitions mounted as they should on a running system. I can copy files and everything via the chrooted terminal, or graphically using nemo as root (right click on a folder > Open as root).

Everything solved.
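The chroot route from the post above, written up as an added example that is not the poster's own script: a POSIX shell script that performs the mounts in the same order (root first, then /home, then the pseudo-filesystems), includes /dev/pts from the earlier attempt, drops into `su - <user>` inside the chroot, and tears everything down in reverse order when that shell exits. DRY_RUN=1 prints the commands instead of running them, which is how you can check the plan before touching real devices. The device names, /mnt target and user name are arguments that mirror the post's layout (/dev/sdb2, /dev/sdb3, fabien); they are assumptions, not something the script detects. The extra /data partition is left out; add it as another mount line after /home if you have one.

```shell
#!/bin/sh
# Added example (not code from the forum post): enter the installed
# system via chroot from a live USB, then unmount in reverse on exit.
# Usage (as root, e.g. after sudo -s):
#   sh chroot_home.sh /dev/sdb2 /dev/sdb3 /mnt fabien
# Dry run: DRY_RUN=1 sh chroot_home.sh /dev/sdb2 /dev/sdb3 /mnt fabien

# Pseudo-filesystems the chroot needs; /dev must come before /dev/pts.
BINDS="/dev /dev/pts /proc /sys"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Mount / and /home of the installed system, then bind the pseudo
# filesystems. /home is mounted before the binds only for readability;
# each bind target must exist, and they all live on the root fs.
# Stops at the first failure so a half-built chroot is not entered.
enter_chroot() {
    root_dev=$1; home_dev=$2; target=$3
    run mount "$root_dev" "$target" || return 1
    run mount "$home_dev" "$target/home" || return 1
    for b in $BINDS; do
        run mount -o bind "$b" "$target$b" || return 1
    done
}

# Undo enter_chroot in reverse order so nothing is reported busy.
# If a user name is given, their eCryptfs home (mounted inside the
# chroot by ecryptfs-mount-private) is unmounted first; failures are
# reported but do not stop the rest of the tear-down.
leave_chroot() {
    target=$1; user=$2
    if [ -n "$user" ]; then
        run umount "$target/home/$user" 2>/dev/null || true
    fi
    rev=""
    for b in $BINDS; do rev="$b $rev"; done   # reverse the bind list
    for b in $rev; do
        run umount "$target$b" || echo "warning: could not unmount $target$b" >&2
    done
    run umount "$target/home" || echo "warning: could not unmount $target/home" >&2
    run umount "$target" || echo "warning: could not unmount $target" >&2
}

# Entry point: enter, hand over an interactive shell as the user, and
# tear down when that shell exits, even if something went wrong.
if [ $# -eq 4 ]; then
    trap 'leave_chroot "$3" "$4"' EXIT
    enter_chroot "$1" "$2" "$3" || exit 1
    # Inside this shell, run ecryptfs-mount-private and enter the login
    # passphrase; the home then appears at /home/<user> as on a running
    # system. Exit the shell to trigger the tear-down.
    run chroot "$3" /bin/su - "$4"
fi
```

Running it from a root shell matters: the post's first attempt failed with "Permission denied" from an unprivileged user inside the chroot, and succeeded once everything was done after sudo -s. With DRY_RUN=1 the output is the exact six mount lines followed, on exit, by the umounts in reverse.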