How to recover ecryptfs encrypted data using password after a broken upgrade?

16.04 password encryption ecryptfs do-release-upgrade
7,524

How did I fixed it :

I fired up the ubuntu installer and wiped my root partition. The new fresh install feels much healthier than the old one, so probably necessary anyway.

Upon first login I got a reminder to save my ecryptfs key in a safe place - I do not recall doing that from my previous install.

When I assembled my home-folder array I found what I thought was my encrypted data:

root@computer:~/mnt/user# ls -la
total 8
dr-x------ 2 user user 4096 jul  2  2011 .
drwxr-xr-x 8 root    root    4096 feb 18  2015 ..
lrwxrwxrwx 1 user user   56 jul  2  2011 Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
lrwxrwxrwx 1 user user   33 jul  2  2011 .ecryptfs -> /home/.ecryptfs/user/.ecryptfs
lrwxrwxrwx 1 user user   32 jul  2  2011 .Private -> /home/.ecryptfs/user/.Private
lrwxrwxrwx 1 user user   52 jul  2  2011 README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt

But I was not able to unlock it.

root@computer:~# ecryptfs-unwrap-passphrase /root/mnt/user/.ecryptfs/wrapped
Passphrase:
ffffffffffffffffffffffffffffffff
root@computer:~# ecryptfs-recover-private /root/mnt/user
INFO: Found [/root/mnt/user].
Try to recover this directory? [Y/n]:
INFO: Could not find your wrapped passphrase file.
INFO: To recover this directory, you MUST have your original MOUNT passphras
INFO: When you first setup your encrypted private directory, you were told t
INFO: your MOUNT passphrase.
INFO: It should be 32 characters long, consisting of [0-9] and [a-f].

Enter your MOUNT passphrase:
INFO: Success!  Private data mounted at [/tmp/ecryptfs.lls9FwPj].
root@computer:~# ls -la /tmp/ecryptfs.lls9FwPj
total 8
dr-x------  2 user user 4096 Jul  2  2011 .
drwxrwxrwt 11 root    root    4096 Sep 11 11:08 ..
lrwxrwxrwx  1 user user   32 Jul  2  2011 .Private -> /home/.ecryptfs/user/.
lrwxrwxrwx  1 user user   33 Jul  2  2011 .ecryptfs -> /home/.ecryptfs/user/
lrwxrwxrwx  1 user user   56 Jul  2  2011 Access-Your-Private-Data.desktop -
lrwxrwxrwx  1 user user   52 Jul  2  2011 README.txt -> /usr/share/ecryptfs-

No errors, but the mount point only contain the same unencrypted data as the source folder.

Using ecryptfs-unwrap-passphrase /root/mnt/user/.ecryptfs/wrapped-passphrase I did get a key, but unfortunately it was the same one I got if I didn't supply the file as an argument, so I guess I only got my current key, not the one for the old data.

Seems both the old and new wrapped-passphrase files where the same:

root@computer:~# mount | grep md0
/dev/md0 on /root/mnt type ext4 (rw,relatime,data=ordered)
root@computer:~# md5sum /home/user/.ecryptfs/wrapped-passphrase /root/mnt/user/.ecryptfs/wrapped-passphrase  
52da6f1ea1ffff114795c7613b5c560e  /home/user/.ecryptfs/wrapped-passphrase
52da6f1ea1ffff114795c7613b5c560e  /root/mnt/user/.ecryptfs/wrapped-passphrase

I found that very odd, as the md0 was not even assembled during install.

That submystery was however solved by me reading properly:

root@computer:~# ls -l /root/mnt/user/.Private
lrwxrwxrwx 1 user user 32 Jul  2  2011 /root/mnt/user/.Private -> /home/.ecryptfs/user/.Private

Seems I'd been acting on a symlink to the new home folder instead of the old data.

Reading the right file gave another (correct) key!

root@computer:~/mnt/.ecryptfs/user# ecryptfs-unwrap-passphrase /root/mnt/.ecryptfs/user/.ecryptfs/wrapped-passphrase 
Passphrase:
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

Which is really the answer to my initial question: The wrapped-passphrase-file is encrypted using my login password, so as long as I have that file and know my password I should be able to access my data.

Using a saner path/key-combination did not unfortunately make much of a difference:

root@computer:~/mnt/.ecryptfs/user# ls -al
total 52
drwxr-xr-x   4 user user  4096 Jul  2  2011 .
drwxr-xr-x   3 root    root     4096 Jul  2  2011 ..
drwxr-xr-x 121 user user 36864 Sep  8 14:58 .Private
drwx------   2 user user  4096 Mar 15  2015 .ecryptfs
root@computer:~/mnt/.ecryptfs/user# ecryptfs-recover-private /root/mnt/.ecryptfs/user
INFO: Found [/root/mnt/.ecryptfs/user].
Try to recover this directory? [Y/n]:
INFO: Could not find your wrapped passphrase file.
INFO: To recover this directory, you MUST have your original MOUNT passphrase.
INFO: When you first setup your encrypted private directory, you were told to record
INFO: your MOUNT passphrase.
INFO: It should be 32 characters long, consisting of [0-9] and [a-f].

Enter your MOUNT passphrase:
INFO: Success!  Private data mounted at [/tmp/ecryptfs.dKQkSvjC].
root@computer:~/mnt/.ecryptfs/user# ls -al /tmp/ecryptfs.dKQkSvjC
total 52
drwxr-xr-x   4 user user  4096 Jul  2  2011 . 
drwxrwxrwt  12 root    root     4096 Sep 11 12:32 ..
drwxr-xr-x 121 user user 36864 Sep  8 14:58 .Private
drwx------   2 user user  4096 Mar 15  2015 .ecryptfs

Since some of the ecryptfs-tools have hardcoded paths I even tried:

root@computer:~# mount /dev/md0 /home
root@computer:~# su - user
Signature not found in user keyring
Perhaps try the interactive 'ecryptfs-mount-private'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

user@computer:~$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [e403598bcfe01170] into the user session keyring
mount: No such file or directory

But no cigar there either.

Doing the same thing withouth mounting md0 to /home does not work either however.

user@computer:~$ dash -e -x `which ecryptfs-mount-private`
+ PRIVATE_DIR=Private
+ WRAPPING_PASS=LOGIN
+ PW_ATTEMPTS=3
+ TEXTDOMAIN=ecryptfs-utils
+ gettext Enter your login passphrase:
+ MESSAGE=Enter your login passphrase:
+ [ -f /home/user/.ecryptfs/wrapping-independent ]
+ WRAPPED_PASSPHRASE_FILE=/home/user/.ecryptfs/wrapped-passphrase
+ MOUNT_PASSPHRASE_SIG_FILE=/home/user/.ecryptfs/Private.sig
+ /sbin/mount.ecryptfs_private
+ [ -f /home/user/.ecryptfs/wrapped-passphrase -a -f /home/user/.ecryptfs/Private.sig ] 
+ tries=0
+ stty -g
+ stty_orig=2d00:5:bd:ca1b:3:1c:7f:1f:4:0:1:0:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ [ 0 -lt 3 ]
+ echo -n Enter your login passphrase:
Enter your login passphrase:+ stty -echo
+ head -n1
+ LOGINPASS=MyLoginPassword
+ stty 2d00:5:bd:ca1b:3:1c:7f:1f:4:0:1:0:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
+ echo

+ wc -l
+ [ 2 = 1 ]
+ printf %s\0 MyLoginPassword
+ ecryptfs-insert-wrapped-passphrase-into-keyring /home/user/.ecryptfs/wrapped-passphrase -
Inserted auth tok with sig [93196f7a8af1fdfe] into the user session keyring
+ break
+ [ 0 -ge 3 ]
+ /sbin/mount.ecryptfs_private
mount: No such file or directory
user@computer:~$ ls -l /sbin/mount.ecryptfs*
-rwxr-xr-x 1 root root 25944 jul 13 19:13 /sbin/mount.ecryptfs
-rwsr-xr-x 1 root root 19024 jul 13 19:13 /sbin/mount.ecryptfs_private

So there is probably some magic happening (via PAM?) during normal login that's missing in my example.

Booting a live-cd I was able to access the data!

root@ubuntu:~# apt install mdadm
Reading package lists... Done
[...]
root@ubuntu:~# mdadm --assemble /dev/md0 /dev/sd[bc]1
mdadm: /dev/md0 has been started with 2 drives.
root@ubuntu:~# mount /dev/md0 /home
root@ubuntu:/home# ecryptfs-recover-private /home/.ecryptfs/user/.PrivateINFO: Found [/home/.ecryptfs/user/.Private].
Try to recover this directory? [Y/n]:
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] Y
INFO: Enter your LOGIN passphrase...
Passphrase:
Inserted auth tok with sig [f403498bcfd01070] into the user session keyring
INFO: Success!  Private data mounted at [/tmp/ecryptfs.uHQ0z177].
root@ubuntu:/home# ls /tmp/ecryptfs.uHQ0z177/ | grep Doc
Documents

But even then the tools work less then perfectly:

root@ubuntu:/home# ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...  
find: ‘/run/user/999/gvfs’: Permission denied
find: File system loop detected; ‘/sys/kernel/debug/pinctrl’ is part of the same file system loop as ‘/sys/kernel/debug’.

So I'm starting to think that most problems I've had with this is just that ecryptfs could probably be quite a bit improved on the usability side of things.

Rebooting into my real install I'm now able to access the data:

root@computer:~# mount /dev/md0 mnt
root@computer:~/mnt/.ecryptfs/user/.Private# cd /root/mnt/.ecryptfs/user/.Private/
root@computer:~/mnt/.ecryptfs/user/.Private# ecryptfs-recover-private .
INFO: Found [.].
Try to recover this directory? [Y/n]:
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n]
INFO: Enter your LOGIN passphrase...
Passphrase:
Inserted auth tok with sig [f4f3498bcfd01070] into the user session keyring
INFO: Success!  Private data mounted at [/tmp/ecryptfs.ZMqBVhRu].
root@computer:~/mnt/.ecryptfs/user/.Private# ls /tmp/ecryptfs.ZMqBVhRu | grep Doc
Documents

EDIT :

Seems the "search"-tool ecryptfs-recover-private is not that good at locating .Private folders. Giving the right absolute path works as it should.

ecryptfs-recover-private only searches when not supplied with any argument. If a path is supplied it must be pointing to the .Private folder.

In this example:

ecryptfs-recover-private /root/mnt/.ecryptfs/user/.Private

And, yes, wrapped-passphrase is obfuscated using your LOGIN password, if you know your password and have the file you do not need the actual KEY printout.

Sorry for the long post, but hopefully my "diary" here can save someone else a few hours.

Share:
7,524

Related videos on Youtube

azzid
Author by

azzid

Updated on September 18, 2022

Comments

  • azzid
    azzid over 1 year

    I recently took the plunge and accepted the upgrade from 14.04 to 16.04. I left the computer while it was installing packages, when I got back to it I had a black screen with only a single cursor blinkning.

    Upon reset I reached the conclusion that it was borked beyond being worth to fix.

    How to recover encrypted data ?

    • mxdsp
      mxdsp about 7 years
      This seems like a quality ask/answer question, so I took the liberty to move your solution description inside your accepted answer, to improve readability. Feel free to rearrange both, keeping in mind that when asking/answering your own question, "solutions steps" should be in your answer, not in your question.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Recover/change encryption password
“sudo ecryptfs-recover-private” gives “find: ‘/run/user/1000/gvfs’: Permission denied” after botched (?) upgrade
Could not find valid key in user session keyring for sig specified in mount option after upgrade from 16.04 to 18.04
ecryptfs and login passphrase vs mount passphrase
Can root see my encrypted /home folder?
Will changing password re-encrypt my home directory?
Won't boot (drop to busybox) after kernel upgrade (with encrypted disks)
encfs won't decrypt my encrypted folder - password incorrect
Ubuntu 16.04/17.10 Boots to Initramfs
Generate private key encrypted with password using openssl