How do I recover my data from an encrypted home directory?

I solved the problem.

Make a backup of all encrypted data to a *.tar file.

Find the hidden passphrase for the encrypted directory, or find it out with:

ecryptfs-unwrap-passphrase /home/oldusername/.ecryptfs/wrapped-passphrase

Create a new user with an encrypted home directory (check the option in the selection).

Log in as the new user, then follow the instructions under "Recovering your data" at https://help.ubuntu.com/community/EncryptedPrivateDirectory

(sudo mount -t ecryptfs /home/oldusername/.Private /home/username/Private) and finally go into the directory Private with root privileges.

Much success, Martin


This is a very simple method based on this blog, using an 11.04 or 11.10 live cd/usb or, if you dual boot, an 11.04/11.10 install:

http://blog.dustinkirkland.com/2011/04/introducing-ecryptfs-recover-private.html

It does require that you know the login password of the user whose encrypted directory is to be recovered. If the username is also known, then copying the recovered files can be greatly simplified (no reason it shouldn't be known), so I will lay that method out first.


If you don't know your wrapped-passphrase

You may be able to recover it by decrypting the file /home/username/.ecryptfs/wrapped-passphrase using your login passphrase.

Step 1

$ sudo ecryptfs-unwrap-passphrase /home/username/.ecryptfs/wrapped-passphrase

Step 2

Type your login passphrase to reveal the mount passphrase it was unable to


For live cd/usb

Boot to the live cd/usb and choose the Try me option. Once on the Desktop, click on the power cog indicator > System Settings > User Accounts. If a password is requested, just press Enter on the keyboard (no password).

Create a new user, using the exact same name as the user whose directory is to be recovered. Click on Account type and pick Administrator. Once created, click on "Account disabled" & enable the account. The password doesn't matter; 123456 or whatever is accepted will do.

If using an 11.04 live cd/usb, open a terminal & run this command (on 11.10 or newer there is no need to):

gconftool-2 -s -t bool  /apps/indicator-session/suppress_logout_menuitem false

Now log out & at the login screen pick the new user and log in. Once logged in, open nautilus and mount the partition where the encrypted directory is. Then open a terminal & run this:

sudo ecryptfs-recover-private

It may take a bit to find; when prompted, if the directory found is the one desired, choose y.

When prompted for a "LOGIN passphrase", use the password of the user whose encrypted files are to be recovered.

Here is an example.

doug@ubuntu:~$ sudo ecryptfs-recover-private 
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/media/03b449b1-3c0b-481d-a917-afeb3e528a5a/home/.ecryptfs/doug/.Private].
Try to recover this directory? [Y/n]: y
INFO: Enter your LOGIN passphrase...
Passphrase: 
Inserted auth tok with sig [4b308179ad1441de] into the user session keyring
INFO: Success!  Private data mounted read-only at [/tmp/ecryptfs.NgZaH4ds]. 

Now browse to /tmp; you will be the owner of the ecryptfs.XXXXXXXX directory & can freely view & copy any files.

From a dual boot

Basically the same, with a few differences. Log in to your admin account.

Install ecryptfs-utils

sudo apt-get install ecryptfs-utils

Then, the same as above, create a new user with the exact same username as the user whose files are to be recovered, log in to the new user, mount the partition, run the command, etc.

If for some reason you do not wish to recover from an exact same username

Then you can dispense with creating that user &, if on an 11.04 live cd/usb, there is no need to change the gconf setting. Otherwise it is the same as shown above for either live session or dual boot recovery.

The main difference is that you'll need to be root to view the recovered files & you'll need to copy any files to a root-owned directory. After copying they can then be transferred as normal.

One suggested way to view & copy:

sudo mkdir /tmp/backup; gksudo nautilus /tmp/backup

Then open another root browser (gksudo nautilus), either from a 2nd terminal or Alt+F2, and browse in it to /tmp/the_recovered_directory.

Copy whatever you wish to /tmp/backup; then you will be able to copy from /tmp/backup as 'normal'.


Short method: find your real home folder in /home/USERNAME/.Private/. There, go to the .ecryptfs folder. Here you can see the settings files needed to recover your home folder (if you don't, then maybe something went wrong). You must have a passphrase first. This is different from the one you used to log in to your PC. In a terminal enter:

ecryptfs-unwrap-passphrase /home/USERNAME/.Private/.ecryptfs/wrapped-passphrase

Then enter your login password. It will show you an important mumbo-jumbo word! For now I call it secret1.

Then find the file Private.sig there. If you cannot find that file (why?) you can run this:

ecryptfs-add-passphrase --fnek

When it asks you, enter secret1. Consider the mumbo-jumbo letters from the second line of either the Private.sig file or the output of this command as secret2. I will use it later.

Then run:

mount -t ecryptfs /home/USERNAME/.Private /mnt

Enter secret1 as the passphrase. Answer all questions by pressing Enter EXCEPT:

Answer "Enable filename encryption" with y. Answer "Filename encryption key (FNEK)" with secret2.

Here we are. Now go to /mnt and see your files. If you still see mumbo-jumbo words, then you may have forgotten something or..., I don't know.


Standard method

From the graphical desktop, click on: "Access Your Private Data"

or:

From the command line, run:

ecryptfs-mount-private

mount method

cd /home # Go to the folder which contains the hidden .ecryptfs folder.
USER=$USER # Change it if your username is different from the current one.
SIG1=$(head -n1 .ecryptfs/$USER/.ecryptfs/Private.sig) # Load your 1st signature (file key) from the file.
SIG2=$(tail -n1 .ecryptfs/$USER/.ecryptfs/Private.sig) # Load your 2nd signature (filename key, FNEK) from the file.
echo Your pass:; PASS=$(ecryptfs-unwrap-passphrase .ecryptfs/$USER/.ecryptfs/wrapped-passphrase | sed s/Passphrase:\ //) # Enter your login passphrase; repeat if necessary.
echo $PASS $SIG1 $SIG2 # Verify presence of all 3 values: mount passphrase and both signatures.
echo $PASS | sudo ecryptfs-add-passphrase --fnek - # Add the passphrase (read from stdin, hence "-") to the session keyring for the sigs given in the mount options.
sudo mount -t ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,ecryptfs_sig=$SIG1,ecryptfs_fnek_sig=$SIG2,passwd=$PASS $USER/.Private /mnt

The mount helper then reports the options it ends up using:

Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=12735429868516ff
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=7bdbefd9e2d40429

Or you can check the following scripts:

  • Leo's at launchpad (also at superuser)
  • slightly modified by ruxkor

Troubleshooting

You can recover the "real" passphrase with tool ecryptfs-unwrap-passphrase, e.g.

ecryptfs-unwrap-passphrase wrapped-passphrase

This tool will ask for a "passphrase", which in this case is the same as the "login passphrase", which is actually the old login password.

See Daemon Challenge 2: We have a Winner! or Re: How best to crack wrapped-passphrase? for some brute-force attack suggestions.

See also:

  • Introducing ecryptfs-recover-private -- Recover your Encrypted Private Directory!
  • eCryptFS: How to mount a backup of an encrypted home dir?
  • ecrytfs - purpose of Private.sig and Private.mnt?
  • Unwrapping passphrase and inserting into the user session keyring failed
  • Recovering eCryptfs partition with ecryptfs-recover-private not working
  • How to Recover an Encrypted Home Directory on Ubuntu
  • source of mount.ecryptfs_private.c
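The answers above all perform the same chain of steps by hand: unwrap the mount passphrase with the login password, insert the file key and the filename key (FNEK) into the kernel keyring, take the two signatures from Private.sig, and mount the .Private lower directory. The script below is an added example that is not part of any of the answers or of the ecryptfs-utils package; it strings those steps together and adds the checks a recovery should have. It assumes the standard Ubuntu layout the answers show (`<homeroot>/.ecryptfs/<user>/.Private` plus `<homeroot>/.ecryptfs/<user>/.ecryptfs/{wrapped-passphrase,Private.sig}`), the function names are mine, and it must run under a single sudo so that ecryptfs-add-passphrase and mount share one session keyring. Unlike the `echo $PASS | ...` and `passwd=$PASS` lines in the mount method, it never puts the mount passphrase on a command line, so it does not land in `ps` output or shell history; it mounts read-only; and it refuses to mount when the signatures of the keys just inserted do not match Private.sig, which is what a wrong login password or another user's wrapped-passphrase looks like.

```shell
#!/bin/bash
# Added example, not from any of the answers above: one script that does what the
# answers do by hand. It unwraps the mount passphrase with the user's LOGIN password,
# loads the file key and the filename key (FNEK) into the kernel session keyring,
# reads the two signatures from Private.sig, checks that the keys just inserted are
# the ones the directory was encrypted with, and mounts .Private read-only.
# Assumptions (mine): the standard Ubuntu layout shown in the answers, i.e.
#   <homeroot>/.ecryptfs/<user>/.Private                      encrypted lower dir
#   <homeroot>/.ecryptfs/<user>/.ecryptfs/wrapped-passphrase  mount passphrase wrapped with the login password
#   <homeroot>/.ecryptfs/<user>/.ecryptfs/Private.sig         line 1: key sig, line 2: FNEK sig
# and that the whole script runs under ONE sudo, so ecryptfs-add-passphrase and
# mount see the same session keyring:
#   sudo ./recover_private.sh /media/<uuid>/home doug /mnt/recovered
set -u

# An eCryptfs signature is exactly 16 lowercase hex characters.
is_sig() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{16}$'
}

# Print "<key sig> <fnek sig>" from a Private.sig file; fail on anything malformed.
read_private_sigs() {
    local sigfile="$1" sig fnek
    [ -r "$sigfile" ] || { echo "cannot read $sigfile" >&2; return 1; }
    sig=$(sed -n '1p' "$sigfile")
    fnek=$(sed -n '2p' "$sigfile")
    is_sig "$sig" && is_sig "$fnek" || { echo "malformed signatures in $sigfile" >&2; return 1; }
    printf '%s %s\n' "$sig" "$fnek"
}

# Mount options: read-only, keys located by signature, sigs unlinked from the keyring
# on unmount (the same set mount.ecryptfs_private passes to the kernel).
build_mount_opts() {
    printf 'ro,ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs' "$1" "$2"
}

# $1 = root of the old /home (e.g. /media/<uuid>/home), $2 = username, $3 = mountpoint.
recover_private() {
    local homeroot="$1" user="$2" mnt="$3" lower conf sigs sig fnek inserted got_sig got_fnek
    lower=$homeroot/.ecryptfs/$user/.Private
    conf=$homeroot/.ecryptfs/$user/.ecryptfs
    [ -d "$lower" ] || { echo "no encrypted lower dir at $lower" >&2; return 1; }
    sigs=$(read_private_sigs "$conf/Private.sig") || return 1
    sig=${sigs% *}; fnek=${sigs#* }

    # ecryptfs-unwrap-passphrase prompts for the LOGIN password on the tty and prints the
    # mount passphrase on stdout; "-" makes ecryptfs-add-passphrase read it from stdin,
    # so the passphrase never appears on a command line or in shell history.
    # Each inserted key is reported as "Inserted auth tok with sig [...]"; keep the sigs.
    echo "Enter the LOGIN password of $user" >&2
    inserted=$(ecryptfs-unwrap-passphrase "$conf/wrapped-passphrase" \
               | ecryptfs-add-passphrase --fnek - \
               | sed -n 's/.*\[\([0-9a-f]*\)\].*/\1/p')
    got_sig=$(printf '%s\n' "$inserted" | sed -n '1p')
    got_fnek=$(printf '%s\n' "$inserted" | sed -n '2p')

    # A wrong login password (unwrap fails, nothing useful is inserted) or another user's
    # wrapped-passphrase yields different sigs; refuse to mount rather than produce a
    # directory of unreadable names.
    if [ "$got_sig" != "$sig" ] || [ "$got_fnek" != "$fnek" ]; then
        echo "keyring sigs [$got_sig $got_fnek] != Private.sig [$sig $fnek]: wrong password or wrong user" >&2
        return 1
    fi

    mkdir -p "$mnt"
    # -i bypasses the mount.ecryptfs helper, so nothing prompts again; the kernel finds
    # the keys in the session keyring by the signatures in the options.
    mount -i -t ecryptfs -o "$(build_mount_opts "$sig" "$fnek")" "$lower" "$mnt" || return 1
    echo "private data mounted read-only at $mnt; copy it out, then: umount $mnt" >&2
}

if [ "$#" -eq 3 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run this under sudo" >&2; exit 1; }
    recover_private "$@"
fi
```

`read_private_sigs` and `build_mount_opts` need neither root nor ecryptfs-utils, so they can be exercised on any machine; only `recover_private` touches the keyring and the kernel. The signature check is the part worth keeping even if the rest is done interactively: the two `Inserted auth tok with sig [...]` lines printed by ecryptfs-add-passphrase should equal the two lines of Private.sig before anything is mounted.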