How to recover ecryptfs encrypted data using password after a broken upgrade?
How I fixed it:
I fired up the ubuntu installer and wiped my root partition. The new fresh install feels much healthier than the old one, so probably necessary anyway.
Upon first login I got a reminder to save my ecryptfs key in a safe place - I do not recall doing that from my previous install.
When I assembled my home-folder array I found what I thought was my encrypted data:
root@computer:~/mnt/user# ls -la
total 8
dr-x------ 2 user user 4096 jul 2 2011 .
drwxr-xr-x 8 root root 4096 feb 18 2015 ..
lrwxrwxrwx 1 user user 56 jul 2 2011 Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
lrwxrwxrwx 1 user user 33 jul 2 2011 .ecryptfs -> /home/.ecryptfs/user/.ecryptfs
lrwxrwxrwx 1 user user 32 jul 2 2011 .Private -> /home/.ecryptfs/user/.Private
lrwxrwxrwx 1 user user 52 jul 2 2011 README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt
But I was not able to unlock it.
root@computer:~# ecryptfs-unwrap-passphrase /root/mnt/user/.ecryptfs/wrapped
Passphrase:
ffffffffffffffffffffffffffffffff
root@computer:~# ecryptfs-recover-private /root/mnt/user
INFO: Found [/root/mnt/user].
Try to recover this directory? [Y/n]:
INFO: Could not find your wrapped passphrase file.
INFO: To recover this directory, you MUST have your original MOUNT passphras
INFO: When you first setup your encrypted private directory, you were told t
INFO: your MOUNT passphrase.
INFO: It should be 32 characters long, consisting of [0-9] and [a-f].
Enter your MOUNT passphrase:
INFO: Success! Private data mounted at [/tmp/ecryptfs.lls9FwPj].
root@computer:~# ls -la /tmp/ecryptfs.lls9FwPj
total 8
dr-x------ 2 user user 4096 Jul 2 2011 .
drwxrwxrwt 11 root root 4096 Sep 11 11:08 ..
lrwxrwxrwx 1 user user 32 Jul 2 2011 .Private -> /home/.ecryptfs/user/.
lrwxrwxrwx 1 user user 33 Jul 2 2011 .ecryptfs -> /home/.ecryptfs/user/
lrwxrwxrwx 1 user user 56 Jul 2 2011 Access-Your-Private-Data.desktop -
lrwxrwxrwx 1 user user 52 Jul 2 2011 README.txt -> /usr/share/ecryptfs-
No errors, but the mount point only contains the same unencrypted data as the source folder.
Using ecryptfs-unwrap-passphrase /root/mnt/user/.ecryptfs/wrapped-passphrase I did get a key, but unfortunately it was the same one I got if I didn't supply the file as an argument, so I guess I only got my current key, not the one for the old data.
Seems both the old and new wrapped-passphrase files were the same:
root@computer:~# mount | grep md0
/dev/md0 on /root/mnt type ext4 (rw,relatime,data=ordered)
root@computer:~# md5sum /home/user/.ecryptfs/wrapped-passphrase /root/mnt/user/.ecryptfs/wrapped-passphrase
52da6f1ea1ffff114795c7613b5c560e /home/user/.ecryptfs/wrapped-passphrase
52da6f1ea1ffff114795c7613b5c560e /root/mnt/user/.ecryptfs/wrapped-passphrase
I found that very odd, as the md0 was not even assembled during install.
That submystery was however solved by me reading properly:
root@computer:~# ls -l /root/mnt/user/.Private
lrwxrwxrwx 1 user user 32 Jul 2 2011 /root/mnt/user/.Private -> /home/.ecryptfs/user/.Private
Seems I'd been acting on a symlink to the new home folder instead of the old data.
Reading the right file gave another (correct) key!
root@computer:~/mnt/.ecryptfs/user# ecryptfs-unwrap-passphrase /root/mnt/.ecryptfs/user/.ecryptfs/wrapped-passphrase
Passphrase:
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Which is really the answer to my initial question: The wrapped-passphrase file is encrypted using my login password, so as long as I have that file and know my password I should be able to access my data.
Using a saner path/key-combination did not unfortunately make much of a difference:
root@computer:~/mnt/.ecryptfs/user# ls -al
total 52
drwxr-xr-x 4 user user 4096 Jul 2 2011 .
drwxr-xr-x 3 root root 4096 Jul 2 2011 ..
drwxr-xr-x 121 user user 36864 Sep 8 14:58 .Private
drwx------ 2 user user 4096 Mar 15 2015 .ecryptfs
root@computer:~/mnt/.ecryptfs/user# ecryptfs-recover-private /root/mnt/.ecryptfs/user
INFO: Found [/root/mnt/.ecryptfs/user].
Try to recover this directory? [Y/n]:
INFO: Could not find your wrapped passphrase file.
INFO: To recover this directory, you MUST have your original MOUNT passphrase.
INFO: When you first setup your encrypted private directory, you were told to record
INFO: your MOUNT passphrase.
INFO: It should be 32 characters long, consisting of [0-9] and [a-f].
Enter your MOUNT passphrase:
INFO: Success! Private data mounted at [/tmp/ecryptfs.dKQkSvjC].
root@computer:~/mnt/.ecryptfs/user# ls -al /tmp/ecryptfs.dKQkSvjC
total 52
drwxr-xr-x 4 user user 4096 Jul 2 2011 .
drwxrwxrwt 12 root root 4096 Sep 11 12:32 ..
drwxr-xr-x 121 user user 36864 Sep 8 14:58 .Private
drwx------ 2 user user 4096 Mar 15 2015 .ecryptfs
Since some of the ecryptfs-tools have hardcoded paths I even tried:
root@computer:~# mount /dev/md0 /home
root@computer:~# su - user
Signature not found in user keyring
Perhaps try the interactive 'ecryptfs-mount-private'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
user@computer:~$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [e403598bcfe01170] into the user session keyring
mount: No such file or directory
But no cigar there either.
Doing the same thing without mounting md0 to /home does not work either however.
user@computer:~$ dash -e -x `which ecryptfs-mount-private`
+ PRIVATE_DIR=Private
+ WRAPPING_PASS=LOGIN
+ PW_ATTEMPTS=3
+ TEXTDOMAIN=ecryptfs-utils
+ gettext Enter your login passphrase:
+ MESSAGE=Enter your login passphrase:
+ [ -f /home/user/.ecryptfs/wrapping-independent ]
+ WRAPPED_PASSPHRASE_FILE=/home/user/.ecryptfs/wrapped-passphrase
+ MOUNT_PASSPHRASE_SIG_FILE=/home/user/.ecryptfs/Private.sig
+ /sbin/mount.ecryptfs_private
+ [ -f /home/user/.ecryptfs/wrapped-passphrase -a -f /home/user/.ecryptfs/Private.sig ]
+ tries=0
+ stty -g
+ stty_orig=2d00:5:bd:ca1b:3:1c:7f:1f:4:0:1:0:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ [ 0 -lt 3 ]
+ echo -n Enter your login passphrase:
Enter your login passphrase:+ stty -echo
+ head -n1
+ LOGINPASS=MyLoginPassword
+ stty 2d00:5:bd:ca1b:3:1c:7f:1f:4:0:1:0:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ echo
+ wc -l
+ [ 2 = 1 ]
+ printf %s\0 MyLoginPassword
+ ecryptfs-insert-wrapped-passphrase-into-keyring /home/user/.ecryptfs/wrapped-passphrase -
Inserted auth tok with sig [93196f7a8af1fdfe] into the user session keyring
+ break
+ [ 0 -ge 3 ]
+ /sbin/mount.ecryptfs_private
mount: No such file or directory
user@computer:~$ ls -l /sbin/mount.ecryptfs*
-rwxr-xr-x 1 root root 25944 jul 13 19:13 /sbin/mount.ecryptfs
-rwsr-xr-x 1 root root 19024 jul 13 19:13 /sbin/mount.ecryptfs_private
So there is probably some magic happening (via PAM?) during normal login that's missing in my example.
Booting a live-cd I was able to access the data!
root@ubuntu:~# apt install mdadm
Reading package lists... Done
[...]
root@ubuntu:~# mdadm --assemble /dev/md0 /dev/sd[bc]1
mdadm: /dev/md0 has been started with 2 drives.
root@ubuntu:~# mount /dev/md0 /home
root@ubuntu:/home# ecryptfs-recover-private /home/.ecryptfs/user/.Private
INFO: Found [/home/.ecryptfs/user/.Private].
Try to recover this directory? [Y/n]:
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] Y
INFO: Enter your LOGIN passphrase...
Passphrase:
Inserted auth tok with sig [f403498bcfd01070] into the user session keyring
INFO: Success! Private data mounted at [/tmp/ecryptfs.uHQ0z177].
root@ubuntu:/home# ls /tmp/ecryptfs.uHQ0z177/ | grep Doc
Documents
But even then the tools work less than perfectly:
root@ubuntu:/home# ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
find: ‘/run/user/999/gvfs’: Permission denied
find: File system loop detected; ‘/sys/kernel/debug/pinctrl’ is part of the same file system loop as ‘/sys/kernel/debug’.
So I'm starting to think that most problems I've had with this is just that ecryptfs could probably be quite a bit improved on the usability side of things.
Rebooting into my real install I'm now able to access the data:
root@computer:~# mount /dev/md0 mnt
root@computer:~/mnt/.ecryptfs/user/.Private# cd /root/mnt/.ecryptfs/user/.Private/
root@computer:~/mnt/.ecryptfs/user/.Private# ecryptfs-recover-private .
INFO: Found [.].
Try to recover this directory? [Y/n]:
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n]
INFO: Enter your LOGIN passphrase...
Passphrase:
Inserted auth tok with sig [f4f3498bcfd01070] into the user session keyring
INFO: Success! Private data mounted at [/tmp/ecryptfs.ZMqBVhRu].
root@computer:~/mnt/.ecryptfs/user/.Private# ls /tmp/ecryptfs.ZMqBVhRu | grep Doc
Documents
EDIT:
Seems the "search"-tool ecryptfs-recover-private is not that good at locating .Private folders. Giving the right absolute path works as it should.
ecryptfs-recover-private only searches when not supplied with any argument. If a path is supplied it must be pointing to the .Private folder.
In this example:
ecryptfs-recover-private /root/mnt/.ecryptfs/user/.Private
And, yes, wrapped-passphrase is obfuscated using your LOGIN password, if you know your password and have the file you do not need the actual KEY printout.
Sorry for the long post, but hopefully my "diary" here can save someone else a few hours.
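The symlink pitfall described above (the .Private and .ecryptfs links in the old home folder resolving into /home on the running system), as an added example that is not part of the original post: it re-roots those link targets onto the old volume and prints the paths to hand to ecryptfs-recover-private and ecryptfs-unwrap-passphrase. The function names and the script name are hypothetical; the example paths in the comments are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Function and script names are
# hypothetical. Resolves the symlinks in an old home directory against the
# old volume instead of the running system.

# remap_path MNT ORIG PATH
#   MNT  - where the old volume is mounted now (e.g. /root/mnt)
#   ORIG - where it was mounted on the old install (e.g. /home)
#   PATH - a path under MNT, possibly a symlink with an absolute target
# Prints the location on the old volume that PATH refers to.
remap_path() {
    rp_mnt=${1%/}; rp_orig=${2%/}; rp_path=$3; rp_hops=0
    while [ -L "$rp_path" ]; do
        rp_hops=$((rp_hops + 1))
        [ "$rp_hops" -le 16 ] || { echo "symlink loop at $3" >&2; return 1; }
        rp_target=$(readlink "$rp_path")
        case $rp_target in
            "$rp_orig"/*)  # absolute target inside the old volume: re-root it
                rp_path=$rp_mnt${rp_target#"$rp_orig"} ;;
            /*)            # absolute target elsewhere: would hit the live system
                echo "$rp_path -> $rp_target leaves old volume" >&2; return 1 ;;
            *)             # relative target: resolve next to the link
                rp_path=$(dirname "$rp_path")/$rp_target ;;
        esac
    done
    printf '%s\n' "$rp_path"
}

# find_old_ecryptfs MNT ORIG USER
# Prints the real .Private directory, then the wrapped-passphrase file.
find_old_ecryptfs() {
    fe_priv=$(remap_path "$1" "$2" "$1/$3/.Private") || return 1
    fe_cfg=$(remap_path "$1" "$2" "$1/$3/.ecryptfs") || return 1
    [ -d "$fe_priv" ] || { echo "no .Private at $fe_priv" >&2; return 1; }
    [ -f "$fe_cfg/wrapped-passphrase" ] ||
        { echo "no wrapped-passphrase in $fe_cfg" >&2; return 1; }
    printf '%s\n%s\n' "$fe_priv" "$fe_cfg/wrapped-passphrase"
}

# Run as: sh find-old-ecryptfs.sh /root/mnt /home user
if [ "$#" -eq 3 ]; then find_old_ecryptfs "$@"; fi
```

Comparing the printed wrapped-passphrase path with the one under the current /home shows at a glance whether the file about to be unwrapped belongs to the old data or to the new install.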
azzid
Updated on September 18, 2022
Comments
azzid over 1 year
I recently took the plunge and accepted the upgrade from 14.04 to 16.04. I left the computer while it was installing packages, when I got back to it I had a black screen with only a single cursor blinking.
Upon reset I reached the conclusion that it was borked beyond being worth to fix.
How to recover encrypted data?
mxdsp about 7 years
This seems like a quality ask/answer question, so I took the liberty to move your solution description inside your accepted answer, to improve readability. Feel free to rearrange both, keeping in mind that when asking/answering your own question, "solutions steps" should be in your answer, not in your question.