How do I recover my data from an encrypted home directory?
I solved the problem.
Make a backup of all encrypted data to a *.tar file.
Find the hidden password (passphrase) for the encrypted directory, or find it out with:
ecryptfs-unwrap-passphrase /home/oldusername/.ecryptfs/wrapped-passphrase
Create a new user with an encrypted home directory (check in the selection).
Log in as the new user, then follow the instructions under "Recovering your data" at https://help.ubuntu.com/community/EncryptedPrivateDirectory
(sudo mount -t ecryptfs /home/oldusername/.Private /home/username/Private) and finally log into the Private directory with root privileges.
Much success, Martin
This is a very simple method based on this blog, using an 11.04 or 11.10 live cd/usb, or an 11.04/11.10 install if you dual boot:
http://blog.dustinkirkland.com/2011/04/introducing-ecryptfs-recover-private.html
It does require that you know the login password of the user whose encrypted directory is to be recovered. If the username is also known (no reason it shouldn't be), copying the recovered files is greatly simplified, so I will lay that method out first.
If you don't know your wrapped-passphrase
You may be able to recover it by decrypting the file /home/username/.ecryptfs/wrapped-passphrase using your login passphrase.
Step 1
$ sudo ecryptfs-unwrap-passphrase /home/username/.ecryptfs/wrapped-passphrase
Step 2
Type your login passphrase to reveal the mount passphrase it was unable to
For live cd/usb
Boot to the live cd/usb and choose the Try me option. Once on the Desktop click on the power cog indicator > System Settings > User Accounts. If a password is requested just press enter on the keyboard (no password).
Create a new user, using the exact same name as the user whose directory is to be recovered. Click on Account type and pick Administrator. Once created, click on "Account disabled" & enable the account. The password doesn't matter; 123456 or whatever is accepted will do.
If using an 11.04 live cd/usb, open a terminal & run this command (on 11.10 or newer there is no need to):
gconftool-2 -s -t bool /apps/indicator-session/suppress_logout_menuitem false
Now log out & at the login screen pick the new user and log in. Once logged in, open nautilus and mount the partition where the encrypted directory is. Then open a terminal & run this:
sudo ecryptfs-recover-private
It may take a bit to find. When prompted, if the directory found is the one desired, choose y.
When prompted for a "LOGIN passphrase", use the password of the user whose encrypted files are to be recovered.
Here is an example:
doug@ubuntu:~$ sudo ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/media/03b449b1-3c0b-481d-a917-afeb3e528a5a/home/.ecryptfs/doug/.Private].
Try to recover this directory? [Y/n]: y
INFO: Enter your LOGIN passphrase...
Passphrase:
Inserted auth tok with sig [4b308179ad1441de] into the user session keyring
INFO: Success! Private data mounted read-only at [/tmp/ecryptfs.NgZaH4ds].
Now browse to /tmp; you will be the owner of the ecryptfs.XXXXXXXX directory & can freely view & copy any files.
From a dual boot
Basically the same, with a few differences. Log in to your admin account.
Install ecryptfs-utils
sudo apt-get install ecryptfs-utils
Then same as above: create a new user with the exact same username as the user whose files are to be recovered, log in to the new user, mount the partition, run the command, etc.
If for some reason you do not wish to recover from the exact same username
Then you can dispense with creating that user, & if on an 11.04 live cd/usb there is no need to change the gconf setting. Otherwise it is the same as shown above for either live session or dual boot recovery.
The main difference is you'll need to be root to view the recovered files & you'll need to copy any files to a root-owned directory. After copying they can then be transferred as normal.
One suggested way to view & copy
sudo mkdir /tmp/backup; gksudo nautilus /tmp/backup
Then open another root browser (gksudo nautilus), either from a 2nd terminal or Alt+F2, and browse in it to /tmp/the_recovered_directory.
Copy whatever you wish to /tmp/backup; then you will be able to copy from /tmp/backup as 'normal'.
Short method: find your real home folder in /home/USERNAME/.Private/. There, go to the .ecryptfs folder. Here you can see the settings files needed to recover your home folder (if you don't, then maybe something went wrong).
You must have a passphrase first. This is different from the one you used to log in to your PC. In a terminal enter:
ecryptfs-unwrap-passphrase /home/USERNAME/.Private/.ecryptfs/wrapped-passphrase
Then enter your login password. It will show you an important mumbo jumbo word! For now I call it secret1.
Then find the file Private.sig there. If you cannot find that file (Why?) you can run this:
ecryptfs-add-passphrase --fnek
When it asks you, enter secret1. Consider the mumbo jumbo letters from the second line of either the Private.sig file or the output of this command as secret2. I will use it later.
Then run:
mount -t ecryptfs /home/USERNAME/.private/.Private /mnt
Enter secret1 as the passphrase. Answer all questions by pressing enter EXCEPT:
Answer "Enable filename encryption" with y; answer "Filename encryption key (FNEK)" with secret2.
Here we are. Now go to /mnt and see your files. If you still see mumbo jumbo words, then you may have forgotten something or..., I don't know.
Standard method
From the graphical desktop, click on: "Access Your Private Data"
or:
From the command line, run:
ecryptfs-mount-private
mount method
cd home # Go to the folder which contains hidden .ecryptfs folder.
USER=$USER # Change it, if your username is different than the current.
SIG1=$(head -n1 .ecryptfs/$USER/.ecryptfs/Private.sig) # Load your 1st signature from the file.
SIG2=$(tail -n1 .ecryptfs/$USER/.ecryptfs/Private.sig) # Load your 2nd signature from the file.
echo Your pass:; PASS=$(ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase | sed s/Passphrase:\ //) # Enter your passphrase, repeat if necessary.
echo $PASS $SIG1 $SIG2 # Verify presence of all 3 hashes.
echo $PASS | sudo ecryptfs-add-passphrase --fnek # Add pass to user session keyring for sig specified in mount option.
sudo mount -t ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,ecryptfs_sig=$SIG1,ecryptfs_fnek_sig=$SIG2,passwd=$(echo $PASS) $USER/.Private /mnt
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=12735429868516ff
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=7bdbefd9e2d40429
Or you can check the following scripts:
- Leo's at launchpad (also at superuser)
- slightly modified by ruxkor
Troubleshooting
You can recover the "real" passphrase with the tool ecryptfs-unwrap-passphrase, e.g.
ecryptfs-unwrap-passphrase wrapped-passphrase
This tool will ask for "passphrase" which in this case is the same as "login passphrase" which actually is the old login password.
See Daemon Challenge 2: We have a Winner! or Re: How best to crack wrapped-passphrase? for some brute-force attack suggestions.
See also:
- Introducing ecryptfs-recover-private -- Recover your Encrypted Private Directory!
- eCryptFS: How to mount a backup of an encrypted home dir?
- ecrytfs - purpose of Private.sig and Private.mnt?
- Unwrapping passphrase and inserting into the user session keyring failed
- Recovering eCryptfs partition with ecryptfs-recover-private not working
- How to Recover an Encrypted Home Directory on Ubuntu
- source of mount.ecryptfs_private.c
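An added example, not from any of the answers above: shell helpers that validate the two signatures in Private.sig and build the mount options by signature, so the mount passphrase goes into the session keyring instead of onto the mount command line (where the passwd= option in the mount method above exposes it in the process list). The sample Private.sig is constructed from the signatures shown in the output above, and the use of mount -i with a single sudo session is an assumption about how the kernel finds keys by sig.

```shell
#!/bin/sh
# Constructed sample Private.sig: line 1 is the data key sig, line 2 the FNEK sig
# (values taken from the example output earlier on the page).
SAMPLE_SIG_FILE=$(mktemp)
printf '7bdbefd9e2d40429\n12735429868516ff\n' > "$SAMPLE_SIG_FILE"

# is_ecryptfs_sig STRING: succeed only if STRING is exactly 16 lowercase hex digits.
is_ecryptfs_sig() {
    case "$1" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# read_sigs FILE: print "SIG FNEK_SIG" from a Private.sig, fail if either line is malformed.
read_sigs() {
    sig=$(sed -n '1p' "$1")
    fnek=$(sed -n '2p' "$1")
    is_ecryptfs_sig "$sig"  || { echo "bad data signature in $1" >&2; return 1; }
    is_ecryptfs_sig "$fnek" || { echo "bad FNEK signature in $1" >&2; return 1; }
    printf '%s %s\n' "$sig" "$fnek"
}

# mount_opts SIG FNEK_SIG: options for a read-only recovery mount addressed by
# signature. No passphrase appears here; the kernel looks the keys up by sig.
mount_opts() {
    printf 'ro,ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes\n' "$1" "$2"
}

# recover_mount SIGFILE LOWER UPPER: add the mount passphrase (prompted, never
# on the command line) and mount LOWER read-only on UPPER. Assumption: running
# both commands in one sudo session keeps the keys in the session keyring the
# kernel consults, and -i bypasses mount.ecryptfs so the sig options are used
# as given. Requires ecryptfs-utils; not exercised by the test.
recover_mount() {
    sigs=$(read_sigs "$1") || return 1
    set -- "$2" "$3" $sigs    # $1=lower $2=upper $3=sig $4=fnek
    sudo sh -c 'ecryptfs-add-passphrase --fnek && mount -i -t ecryptfs -o "$1" "$2" "$3"' \
        sh "$(mount_opts "$3" "$4")" "$1" "$2"
}
```

Compare the sigs printed by ecryptfs-add-passphrase with the two lines of Private.sig before mounting; a mismatch means the wrong mount passphrase was entered, which is the usual cause of a mount that shows only encrypted filenames.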