From the Canyon Edge -- :-Dustin

Wednesday, March 4, 2009

Mounting your Encrypted Home from an Ubuntu LiveCD

UPDATE: As of April 28, 2011, please use the ecryptfs-recover-private method instead!


I have received a few questions lately about mounting Ubuntu Encrypted Private or Encrypted Home directories from an Ubuntu LiveCD.

You can do this from a terminal with:
ubuntu@ubuntu$ sudo mount /dev/sda1 /mnt
ubuntu@ubuntu$ sudo mount -o bind /dev /mnt/dev
ubuntu@ubuntu$ sudo mount -o bind /dev/shm /mnt/dev/shm
ubuntu@ubuntu$ sudo mount -o bind /proc /mnt/proc
ubuntu@ubuntu$ sudo mount -o bind /sys /mnt/sys
ubuntu@ubuntu$ sudo chroot /mnt
root@ubuntu$ su - kirkland
kirkland@ubuntu$ ecryptfs-mount-private
Enter your login passphrase:
Warning: Using default salt value (undefined in ~/.ecryptfsrc)
Inserted auth tok with sig [xxx] into the user session keyring
kirkland@ubuntu$ cd $HOME
kirkland@ubuntu$ ls -alF
...
kirkland@ubuntu$ cat .profile
...
The above process assumes that your ~/.ecryptfs/wrapped-passphrase file is available on this system. If you're using 2-factor authentication and storing this elsewhere, you might need to perform an additional mount and symbolic link to make this file available.

Alternatively, if you're trying to recover data, and you've recorded your mount passphrase properly, you would use
kirkland@ubuntu$ ecryptfs-add-passphrase --fnek
just before the ecryptfs-mount-private bit, to manually enter your passphrase (rather than pulling it from ~/.ecryptfs/wrapped-passphrase).

Notes:
  1. /dev/sda1 is the device serving my $HOME/.Private
  2. kirkland is my username, yours will likely be different ;-)
  3. Binding mounting /sys and /proc are critical -- ecryptfs needs access to kernel information shared there
  4. The dash in "su - " is important -- don't forget it!


:-Dustin

48 comments:

  1. Thanks for the info. What I would like to know (and I'm sure it is simpler than I realize) is how to do an rsync backup of the encrypted files. When I'm logged into my Jaunty VM with encrypted home, I cannot see the .Private directory. When I boot into an ISO, I can only see the contents of .Private when I use sudo.

    ReplyDelete
  2. I love how these kinds of instructions (the ones that contain seventeen incomprehensible shell commands you wouldn't want to dictate to your grandmother over the phone) inevitably contain the word "simple".

    For the instructions themselves I thank you -- they'll certainly come in handy.

    ReplyDelete
  3. Hi Dustin,

    I've just tried following your instructions, but I still can't seem to get access to the contents of my home folder?

    FWIW ... I'm trying to recover files from an encrypted install which has just decided that it doesn't want to boot anymore.

    First off, I'm decrypting the drive using "sudo cryptsetup luksOpen /dev/sdc1 mybrokendrive", and then mounting it using "sudo mount /dev/ubuntu-server/root /mnt"

    That works fine, and I can see the contents of my drive *EXCEPT* for my /home folder, because that's obviously still encrypted by Ubuntu as well.

    I've tried following your instructions and everything SEEMS to be working like it should, I get all the same prompts/responses as your post, but I still CAN'T get access to my /home folder.

    When I try listing the folder contents, all I get is:

    david@ubuntu:~$ ls -alF
    total 24
    dr-x------ 3 david david 4096 2009-04-05 04:42 ./
    drwxr-xr-x 3 root root 4096 2009-03-15 10:52 ../
    lrwxrwxrwx 1 root root 56 2009-03-15 10:52 Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
    -rw------- 1 root root 300 2009-04-04 22:05 .bash_history
    lrwxrwxrwx 1 root root 23 2009-03-15 10:52 .ecryptfs -> /var/lib/ecryptfs/david/
    drwx------ 51 david david 12288 2009-03-25 18:44 .Private/
    lrwxrwxrwx 1 root root 52 2009-03-15 10:52 README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt

    Inside the .Private folder is all still encrypted.

    ReplyDelete
  4. I'm running into possibly the same roadblock young_einstein is. I can see everything up to the encrypted home folder. Instead I see those two files:

    Access-Your-Private-Data.desktop
    readme.txt


    Additionally, I'm having trouble chrooting in, with this as a result:

    ubuntu@ubuntu:~$ sudo chroot /mnt
    /bin/bash: error while loading shared libraries: /lib/tls/i686/cmov/libdl.so.2: file too short

    ReplyDelete
  5. Hi Dustin,

    I have followed all your instructions above and all function well. I can view the content of my encrypted home folder with the Ubuntu Live-CD Session.
    But now I have a problem: I don't know how can I save my data outside the encrypted home because I don't be able to connect, for instance, an external usb disk and to access this disk from the terminal. I have tried different ways, but every time the external disk is not readeable, or I can't write to it, and so on.
    An external disk can be used with the normal "ubuntu" live session user, but not with the "kirkland" user.
    Have you any suggestion about?

    Many thank's

    ReplyDelete
  6. Hi Dustin!

    Thanks for the instructions, everything worked as it should. Now i want to move on to more advanced stuff.

    I want to do a live backup of my home directory in an unencrypted state. Therefore I put my home directory into an lvm volume, from which I create a snapshot.

    I then mount the snapshot and would like to do a "mount -t ecryptfs" to get to a snapshot of the decrypted data. Unfortunately I was not able to figure out how to do this. Maybe you could give me some hints?

    Thanks
    Martin

    ReplyDelete
  7. Hi Dustin,
    I keep running into problems at the chroot command. I'm trying to get my encrypted home data off a harddrive I took out of a dead 64bit computer. I'm not sure if it is necessary to do this with a computer with the same architecture or if a 32bit computer is possible.
    I expected to be able to go into my encrypted file system like in a tar file - but that doesn't seem to be the case...

    ReplyDelete
  8. Hi Dustin,
    I have a big problem. I have my encrypted home but the partition that had folders /proc and /sys was deleted by a new installation (ubuntu 9.10)
    there is any wave to access my encrypted data?

    Thanks
    Saran

    ReplyDelete
  9. Saran-

    Deleted? You can't delete /proc or /sys. Those are virtual filesystems created by the kernel on boot. There's no persistent data stored there. It's recreated every time you boot. If you carefully follow the instructions above, you will have a working /proc and /sys.

    :-Dustin

    ReplyDelete
  10. schuga-

    Architecture (32 v 64) doesn't matter. Follow the instructions above very carefully.

    :-Dustin

    ReplyDelete
  11. Martin-

    I'm afraid that the mount -t ecryptfs command might be slightly broken in Ubuntu 9.10. There were a number of changes to that code. There's a bug open. I will be working on that shortly.

    :-Dustin

    ReplyDelete
  12. Romeo-

    I usually use NFS. I'll mount a remote filesystem over the network and then use rsync -aP to copy my decrypted data off of the system.

    You should be able to use a USB disk or USB key just fine, too.

    Once you have your data mounted and accessible decrypted, open a *new* terminal, running as the ubuntu (administrative) user. This user should be able to write to the USB disk, and see the decrypted data. Use the 'mount' command to find the correct path to the mounted ecryptfs data outside of the chroot.

    :-Dustin

    ReplyDelete
  13. Matt-

    Looks like you have a faulty LiveCD. Check the md5sum of your ISO, and re-burn your disk (or key) at a slower speed.

    :-Dustin

    ReplyDelete
  14. Thanks for your earlier reply, I still cant mount my home.
    The home folder has a broken symbolic link, pointing to the /var/lib/ecryptfs/saran folder. This folder does not exist, There any wave to mount my home having only .Private folder?
    Thanks again.

    ReplyDelete
  15. Hi Dustin!

    Thanks :)
    I'll try it again when you fixed the bug. So when the mount command works correctly, what should I use as fnek? Or will mount -t ecryptfs automatically calculate it from the passphrase?

    Martin

    ReplyDelete
  16. Dustin,
    I only have my .Private folder,
    This is the out for ecryptfs-mount-private

    ERROR: Encrypted private directory is not setup properly

    I tried everything and not know what else to do.

    Saran.

    ReplyDelete
  17. For Saran, about ecryptfs not being setup properly ... are you using your own account to run the command, or root, or the live ubuntu account? You need to run the command as yourself. I found that out last night.

    I'm not sure if this will work for me, since I have 9.10 & Dustin said there's a bug for 9.10, but I'll keep the information in hopes it will work, or at least hopes I won't need it in the future.
    Two nights ago I had a problem in which Ubuntu stopped booting properly, but last night someone told me to run fsck to fix it, and it did fix it, so I don't need these instructions at the moment.

    Dustin: has the fix been edited into the blog post for 9.10 already, or are you still working on that?

    ReplyDelete
  18. Hello Dustin, Following your info. I could see and manipulate any files, but I cannot recovery them. I tried to mount the files encrypted by my other ubuntu partition.
    I tried to copy the files by this command:
    wildner@widner-desktop:~$ cp /home/wildner/Mariah\ Carey\ -\ I\ Wanna\ Know\ What\ Love\ Is.mp3 /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
    -su: cp: /home/wildner/Mariah Carey - I Wanna Know What Love Is.mp3: Not a directory
    wildner@widner-desktop:~$ cp /home/wildner/Linux /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
    -su: cp: /home/wildner/Linux: No such file or directory
    wildner@widner-desktop:~$ cp /home/wildner/Linux/*.* /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
    -su: cp: /home/wildner/Linux/*.*: No such file or directory
    How do I copy the files to the other partition?

    Thansks in advance

    ReplyDelete
  19. hi,

    I followed your instructions with a 9.04 CD for a crashed 9.10 installation, and after ecryptfs-mount-private I get:
    ecryptfs-insert-wrapped-passphrase-into-keyring: error while loading shared libraries: libecryptfs.so.0: cannot open shared object file: No such file or directory
    what to do now?
    I also tired it with a 9.10 CD, but the result is the same. I have Ubuntu on one ext4 partition

    ReplyDelete
  20. Worked for me on 9.10
    I recovered my data onto a usb drive by typing: sudo mkdir /mnt/usb && sudo mount /dev/sdd1 /mnt/usb

    after the chroot, when I did the su - username , it told me to run ecryptfs-mount-private and that asked me for my passphrase and then I entered my user password and everything worked out just fine

    ReplyDelete
  21. Sweet, thanks Dustin.
    Note that this will not work with the Karmic 9.10 liveCD although you may be able to replace the ecyptfs package with that from the Jaunty repository (not tested). Also, I had a raid0 array with an lvm2 volume. I first had to enable raid and lvm in Jaunty and then mount my logical volume as follows:
    sudo -i
    apt-get update
    apt-get install dmraid mdadm lvm2
    modprobe dm-raid4-5
    vgchange -a y
    mount /dev/mapper/"volume name-root" /mnt
    then continue as above

    ReplyDelete
  22. It sorta' worked for me. If i use the folder GUI browser (nautilus i think its called) my folder is still locked but i can use the terminal to look at a list of what i got and am now trying to copy (cp) to my usb but since i'm not having any success i'm guessing i have to mount my usb too. I have ubuntu 9.10 karmic koala and am new to linux and my HD won't boot. Ubuntu rocks though :p

    ReplyDelete
  23. Hi, Dustin.
    When I go to "su - User" it responds "No directory, logging in with HOME=/". If I continue with ecryptfs-mount-private, then I receive a message: "ERROR: Encrypted private directory is not setup properly". There is some trick here...

    Could you please illuminate it?

    rob

    ReplyDelete
  24. ... To be more clearly?

    [ until this point all right ]
    ubuntu@ubuntu:~$ sudo chroot /mnt
    root@ubuntu:/# <-- answer
    root@ubuntu:/# su - rob
    No directory, logging in with HOME=/
    To run a command as administrator (user "root"), use "sudo ".
    See "man sudo_root" for details.

    rob@ubuntu:/$ <-- answer
    rob@ubuntu:/$ ecryptfs-add-passphrase --fnek
    Passphrase: <-- yes, i have my passphrase
    Inserted auth tok with sig [ee9a16399aeb0e85] into the user session keyring
    Inserted auth tok with sig [9a9c1f340c8ec93e] into the user session keyring
    rob@ubuntu:/$ ecryptfs-mount-private
    ERROR: Encrypted private directory is not setup properly
    rob@ubuntu:/$

    thanxs

    rob (with ubuntu 9.10)

    ReplyDelete
  25. To reiterate what is stated just below "POST A COMMENT" ...

    Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

    Instead, please use Launchpad for Bugs and Questions.
    * bugs.launchpad.net
    * answers.launchpad.net

    Thanks,
    :-Dustin

    ReplyDelete
  26. This guide was also useful for me: http://www.kaijanmaki.net/2009/10/26/recovering-files-from-ecryptfs-encrypted-home/

    ReplyDelete
  27. And one really "excellent" way to get yourself into this state is to use superuser privileges to change your password. This can happen if you are the type who keeps multiple passwords in sync and some other place has a more aggressive notion of password security than does Ubuntu. However, if your Ubuntu installation prohibits password changes in quick succession, and if you are an antique UNIX hacker, what do you do? You use superuser privileges to force the password change, what else??? Unfortunately, this brute-force method apparently fails to update ecryptfs's idea of what your password is.

    The trick in that case is to use Dustin's excellent workaround above, but give your intermediate password (the one that was deemed too weak by some other password-accepting facility) to ecryptfs-mount-private.

    Thanks for the workaround, Dustin!!! Saved me a huge amount of time!!!

    ReplyDelete
  28. hi dustin, I tried to follow the procedure but I get stuck here:

    ubuntu@ubuntu:~$ sudo chroot /mnt
    chroot: cannot run command `/bin/bash': No such file or directory

    i feel like i'm missing something.
    thanks in advance

    luke

    ReplyDelete
  29. Is there a way to do this from Windows?

    ReplyDelete
  30. why so damn complicated? I didn't get your description but figured out how to do this the easy way:

    #!/bin/bash
    # 1. paste home-passphrase 2 times (use unwrap.. to get this)
    # 2. aes/16/no plaintext passthrough
    # 3. filename enc yes
    # 4. enter the pair to the 1st key, which is the second line
    MOUNTEDFOLDER="decryptedHome"
    ENCED_HOME_PARTITION="/media/oldHome"

    cd /mnt
    sudo mkdir $MOUNTEDFOLDER

    sudo ecryptfs-add-passphrase --fnek
    sudo mount -t ecryptfs $ENCED_HOME_PARTITION/.ecryptfs/YOURUSERNAME/.Private $MOUNTEDFOLDER/
    ls $MOUNTEDFOLDER

    ReplyDelete
  31. where can i find passphrase:
    i only know login name and password

    ReplyDelete
  32. Hey this is what i did when i first installed ubuntu like 5 years ago!

    ReplyDelete
  33. It's the thing you are warned to write down somewhere safe when you installed your system. In case you were a bad boy and did not do so, execute "ecryptfs-unwrap-passphrase" in the terminal.
    Yes you need to do that from within the installation you want to mount. So if you lost your installation you might be in bad luck.

    ReplyDelete
  34. you guys might want to read on this https://help.ubuntu.com/community/EncryptedPrivateDirectory

    ReplyDelete
  35. THANK YOU THIS SAVES MY BUTT!!!!!!

    ReplyDelete
  36. suyog@ubuntu:~$ ecryptfs-mount-private
    Enter your login passphrase:
    Error: Unwrapping passphrase and inserting into the user session keyring failed [-5]
    Info: Check the system log for more information from libecryptfs
    ERROR: Your passphrase is incorrect
    Enter your login passphrase:

    ReplyDelete
  37. hi dustin,
    i am working on ubuntu 1.0.04.
    all my data on my desktop and my /home/suyog has disappeared , and i get this file Access-Your-Private-Data.desktop
    ..how to resolve this ?
    and i followed the above procedure but i again got a error regarding login passphrase

    suyog@ubuntu:~$ ecryptfs-mount-private
    Enter your login passphrase:
    Error: Unwrapping passphrase and inserting into the user session keyring failed [-5]
    Info: Check the system log for more information from libecryptfs
    ERROR: Your passphrase is incorrect
    Enter your login passphrase:

    ReplyDelete
  38. Just a word to THANK YOU!
    I followed your instructions and could recover a backuped home directory after a system fail and a reinstall.
    You just rock :)

    ReplyDelete
  39. if you get
    ecryptfs-mount-private mount operation not permitted

    it is probably because you used the automount from the live cd and did not do a manual mount.

    took me while to figure this one out....

    ReplyDelete
  40. This website has some good information.

    http://goshawknest.wordpress.com/2010/04/16/how-to-recover-crypted-home-directory-in-ubuntu/

    ReplyDelete
  41. I wrote a guide on this so I hope this will help other people.

    https://help.ubuntu.com/community/EncryptedPrivateDirectory#Live%20CD%20method%20of%20opening%20a%20encrypted%20home%20directory

    ReplyDelete
  42. Thank you for saving my ass.

    ReplyDelete
  43. Thanks, works perfectly for me on Ubuntu 10.04.

    ReplyDelete
  44. Hi,
    I executed the second command(mount -o bind /dev /mnt/dev) from instructions given above. It says: can not create directory 'dev': Read only file system.
    How to get data back from encrypted /home in 11.04?

    ReplyDelete
  45. Please use ecryptfs-recover-private:
    * http://blog.dustinkirkland.com/2011/04/introducing-ecryptfs-recover-private.html

    ReplyDelete
  46. Hi Dustin
    If I create a new user in live cd with the comand ecryptfs-mount-private it finds the directory
    but wont accept what was the original user password.
    YOur instructions
    ecryptfs-mount-private
    gives errore private directory is not setup properly
    Anyhthing I can do?
    Thanks

    ReplyDelete

Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin

Printfriendly