How to mount backup of encrypted home directory

seanh snhmnd at gmail.com
Mon Feb 7 03:00:35 UTC 2011


I figured it out! It's simple once you know how, but figuring out how
to do this right is _very_ tricky, as you'll see. This blog post got
me there:

http://www.kaijanmaki.net/2009/10/26/recovering-files-from-ecryptfs-encrypted-home/

Here's exactly what to do:

First you need your mount passphrase, the one Ubuntu asks you to write
down after the first time you login to your encrypted home directory.
You can get that with:

$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
Passphrase:

(When it asks you to enter your passphrase supply your login password,
and then it will print out your mount passphrase.)

Second, you need your filename encryption key signature; you can get that with:

$ sudo ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [xxxxxxxxxxxxxxx] into the user session keyring
Inserted auth tok with sig [yyyyyyyyyyyyyyyy] into the user session keyring

This command might ask you for your sudo password first (not shown
above), for that supply your login password again. But when this
command asks you to enter your "passphrase" you should enter the long
mount passphrase that you just unwrapped in the previous command, not
your login password. The second sig that it prints out (yyyy) is the
one that you'll need below.

Then do:

$ mkdir /tmp/restore
$ sudo mount -t ecryptfs /media/BACKUP/path/to/backup/of/your/.Private /tmp/restore

This last command will ask you some questions. For the first
passphrase it asks for, enter your long mount passphrase again. When
it asks whether to use filename encryption say yes. When it asks for
the filename encryption key signature give the second (yyyy) sig that
you got from the ecryptfs-add-passphrase command. For everything else,
accept the default answers.

This seemed to work for me. This covers the case when you're trying to
recover an encrypted backup of a homedir and you're logged into the
current version of that same homedir. I don't know if this would work
from a Live CD or a different system.

I'll paste my full terminal session below.

What was messing me up was:

First, that you have to ignore the default filename encryption key
signature that the mount command suggests and instead get your fnek
from the ecryptfs-add-passphrase command, ignoring the first sig that
the command prints and using the second one. That's pretty cryptic. I
was using the encrypted home feature and I didn't even know that I had
both an encryption passphrase and a filename encryption key signature
until now.

Second, that ecryptfs uses "passphrase" to refer to both your login
password (when the ecryptfs-unwrap-passphrase command asks you to
enter a passphrase) and your long mount passphrase (when the
ecryptfs-add-passphrase and mount commands ask you for a passphrase).
If you supply the wrong "passphrase" to the ecryptfs-add-passphrase
command it looks exactly as it does if you supply the right one: it
prints out a signature, just not the right one.

Btw, when googling for this I actually found an ancient thread started
by myself trying to solve this exact same problem. I've been trying to
figure this out on-and-off for a long time!

Here's my full session:

$ ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
Passphrase:
********************************************
$ sudo ecryptfs-add-passphrase --fnek
[sudo] password for seanh:
Passphrase:
Inserted auth tok with sig [XXXXXXXXXXXXXXXX] into the user session keyring
Inserted auth tok with sig [YYYYYYYYYYYYYYYY] into the user session keyring
$ mkdir /tmp/restore
$ sudo mount -t ecryptfs /media/BACKUP1/dulip/home/seanh/latest.snapshot /tmp/restore
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [****************]: YYYYYYYYYYYYYYYY
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=1ae4850919115899
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=5f610a2fcee4be96
Mounted eCryptfs
$

On 6 February 2011 20:52, seanh <snhmnd at gmail.com> wrote:
> I use Ubuntu's encrypted home directory and I rsync'd my ~/.Private
> folder to an external hard drive. Now I want to mount that backup to
> restore some files. Can anyone help me to figure out how to mount (and
> decrypt) the backup?
>
> Documentation on this is surprisingly weak: there are various
> complicated how-tos on blogs and the Ubuntu wiki; they vary, nothing
> seems authoritative, and I can't get it to work. Here's what I did:
>
>        seanh at dulip:~ % mkdir /tmp/restore
>        seanh at dulip:~ % sudo mount -t ecryptfs /media/BACKUP1/dulip/home/seanh/latest.snapshot /tmp/restore
>        [sudo] password for seanh:
>        Passphrase:
>        Select cipher:
>        1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
>        2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
>        3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
>        4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
>        5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
>        6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
>        Selection [aes]:
>        Select key bytes:
>        1) 16
>        2) 32
>        3) 24
>        Selection [16]:
>        Enable plaintext passthrough (y/n) [n]:
>        Enable filename encryption (y/n) [n]: y
>        Filename Encryption Key (FNEK) Signature [****************]:
>        Attempting to mount with the following options:
>        ecryptfs_unlink_sigs
>        ecryptfs_fnek_sig=****************
>        ecryptfs_key_bytes=16
>        ecryptfs_cipher=aes
>        ecryptfs_sig=****************
>        WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
>        it looks like you have never mounted with this key
>        before. This could mean that you have typed your
>        passphrase wrong.
>
>        Would you like to proceed with the mount (yes/no)? : yes
>        Would you like to append sig [****************] to
>        [/root/.ecryptfs/sig-cache.txt]
>        in order to avoid this warning in the future (yes/no)? : no
>        Not adding sig to user sig cache file; continuing with mount.
>        Mounted eCryptfs
>
> At first glance this appears to have worked. ls /tmp/restore shows my
> files. But if I then try to access any of those files, e.g. ls
> /tmp/restore/Desktop I get 'file does not exist' errors. If I open
> /tmp/restore in nautilus it shows an empty folder. If I do sudo ls
> /tmp/restore I see the encrypted filenames.
>
> When it asks for 'passphrase' I don't know if it wants my login
> password or the long encryption passphrase that I can get using the
> ecryptfs-unwrap-passphrase command. I tried both but neither works. I
> also don't know what the filename encryption key signature should be,
> I tried accepting what it suggests, and also various other things
> found on blogs, but no luck.
>
> The complexity of recovering a backup of an Ubuntu encrypted homedir
> seems to be a problem. Anyone searching for help will find various
> pages listing commands that you don't understand the effect of. Maybe
> if we can figure it out, we can write an authoritative wiki page
> covering the various cases.
>
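The four steps above (unwrap the mount passphrase with the login password, add it to the keyring with --fnek, take the second printed signature, mount with it, then check that filenames actually decrypted) as a script. This is an added example, not code from the original post or from the ecryptfs-utils project. It assumes ecryptfs-utils is installed, that ecryptfs-unwrap-passphrase and ecryptfs-add-passphrase accept a trailing "-" to read the passphrase from stdin, and that `mount -i` (skipping the interactive helper) will find the keys already inserted into root's keyring; the mount options are the ones the author's interactive session printed. The backup path, mount point and the sample tool output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Mounts an rsync copy of an
# eCryptfs ~/.Private non-interactively, parsing the two key signatures out of
# the tool output instead of retyping them. Assumptions: ecryptfs-utils is
# installed; "-" makes the two passphrase tools read stdin; "mount -i" uses the
# keys already in root's keyring. Paths and sample values are placeholders.

# Extract the N-th "[sig]" from `ecryptfs-add-passphrase --fnek` output.
# The tool prints two: the first is the file-content key signature
# (ecryptfs_sig), the second the filename encryption key (ecryptfs_fnek_sig).
nth_sig() {
    printf '%s\n' "$2" | sed -n 's/.*sig \[\([0-9a-fA-F]*\)\].*/\1/p' | sed -n "${1}p"
}

# An eCryptfs key signature is 8 bytes, printed as 16 hex digits.
is_hex_sig() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{16}$'
}

# Names that still carry this prefix after the mount were not decrypted,
# which is the symptom in the original question (wrong or missing FNEK sig).
looks_encrypted() {
    case "$1" in
        ECRYPTFS_FNEK_ENCRYPTED.*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_backup BACKUP_PRIVATE_DIR MOUNTPOINT [WRAPPED_PASSPHRASE_FILE]
mount_backup() {
    backup=$1
    target=$2
    wrapped=${3:-$HOME/.ecryptfs/wrapped-passphrase}

    # Step 1: the login password unwraps the long mount passphrase.
    printf 'Login password (unwraps the mount passphrase): ' >&2
    stty -echo; read -r login_pw; stty echo; printf '\n' >&2
    mount_pass=$(printf '%s' "$login_pw" | ecryptfs-unwrap-passphrase "$wrapped" -) || return 1

    # Step 2: the mount passphrase (not the login password) goes into the
    # keyring; --fnek makes the tool print both signatures.
    out=$(printf '%s' "$mount_pass" | sudo ecryptfs-add-passphrase --fnek -) || return 1
    sig=$(nth_sig 1 "$out")
    fnek=$(nth_sig 2 "$out")
    if ! is_hex_sig "$sig" || ! is_hex_sig "$fnek"; then
        echo "could not parse two signatures from: $out" >&2
        return 1
    fi

    # Step 3: mount with the options the interactive helper would have built
    # (-i skips the helper, since the keys are already in root's keyring).
    mkdir -p "$target"
    sudo mount -i -t ecryptfs "$backup" "$target" -o \
        "ecryptfs_sig=$sig,ecryptfs_fnek_sig=$fnek,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs" \
        || return 1

    # Step 4: confirm filenames actually decrypted before trusting the mount.
    for entry in "$target"/*; do
        if looks_encrypted "$(basename "$entry")"; then
            echo "filenames are still encrypted (wrong FNEK sig?); unmounting" >&2
            sudo umount "$target"
            return 1
        fi
    done
    echo "mounted $backup on $target" >&2
}

# Constructed sample of the tool output, for trying the parser offline.
SAMPLE_ADD_OUTPUT='Inserted auth tok with sig [0123456789abcdef] into the user session keyring
Inserted auth tok with sig [fedcba9876543210] into the user session keyring'

if [ $# -ge 2 ]; then
    mount_backup "$@"
else
    echo "usage: $0 /media/BACKUP/path/to/.Private /tmp/restore [wrapped-passphrase]" >&2
    echo "sample parse: sig=$(nth_sig 1 "$SAMPLE_ADD_OUTPUT") fnek=$(nth_sig 2 "$SAMPLE_ADD_OUTPUT")" >&2
fi
```

Run it as `sh mount-backup.sh /media/BACKUP/.../.Private /tmp/restore`; with no arguments it only prints the usage line and shows the parser picking the two signatures out of the constructed sample. The final check is the one worth keeping even when mounting by hand: a directory listing full of ECRYPTFS_FNEK_ENCRYPTED. names means the content key matched but the filename key did not, exactly the state the original question describes.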