You can do this from a terminal with:
ubuntu@ubuntu$ sudo mount /dev/sda1 /mnt
ubuntu@ubuntu$ sudo mount -o bind /dev /mnt/dev
ubuntu@ubuntu$ sudo mount -o bind /dev/shm /mnt/dev/shm
ubuntu@ubuntu$ sudo mount -o bind /proc /mnt/proc
ubuntu@ubuntu$ sudo mount -o bind /sys /mnt/sys
ubuntu@ubuntu$ sudo chroot /mnt
root@ubuntu$ su - kirkland
kirkland@ubuntu$ ecryptfs-mount-private
Enter your login passphrase:
Warning: Using default salt value (undefined in ~/.ecryptfsrc)
Inserted auth tok with sig [xxx] into the user session keyring
kirkland@ubuntu$ cd $HOME
kirkland@ubuntu$ ls -alF
...
kirkland@ubuntu$ cat .profile
...
The above process assumes that your ~/.ecryptfs/wrapped-passphrase file is available on this system. If you're using 2-factor authentication and storing this elsewhere, you might need to perform an additional mount and symbolic link to make this file available.
Alternatively, if you're trying to recover data, and you've recorded your mount passphrase properly, you would use
kirkland@ubuntu$ ecryptfs-add-passphrase --fnek
just before the ecryptfs-mount-private bit, to manually enter your passphrase (rather than pulling it from ~/.ecryptfs/wrapped-passphrase).
Notes:
- /dev/sda1 is the device serving my $HOME/.Private
- kirkland is my username, yours will likely be different ;-)
- Bind mounting /sys and /proc is critical -- ecryptfs needs access to kernel information shared there
- The dash in "su - " is important -- don't forget it!
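Most of the failures below come down to ecryptfs-mount-private not finding the user's ~/.ecryptfs layout once you are inside the chroot. The following preflight check is an added example, not part of the original post or of ecryptfs-utils; run it as the recovered user after "su - <user>" (ecryptfs_preflight "$HOME") and it reports what is missing before you try to mount. It assumes the stock layout: ~/.ecryptfs (often a symlink into /var/lib/ecryptfs/<user>) holding Private.sig, Private.mnt and wrapped-passphrase, and the ciphertext in ~/.Private.

```shell
#!/bin/sh
# Added example: check that the encrypted-home layout is reachable before
# running ecryptfs-mount-private. Prints one line per problem.
# Returns 0 when the layout looks usable, 1 otherwise.
ecryptfs_preflight() {
    home="$1"
    status=0
    if [ "$home" = "/" ]; then
        # "su - user" printed "No directory, logging in with HOME=/": the
        # user's home is not under the mounted root (separate /home partition
        # not mounted under /mnt?), so ~/.ecryptfs cannot be found.
        echo "HOME is /: the user's home directory is not under the mounted root"
        return 1
    fi
    if [ ! -d "$home" ]; then
        echo "home directory '$home' does not exist (wrong partition mounted?)"
        return 1
    fi
    cfg="$home/.ecryptfs"
    if [ -L "$cfg" ] && [ ! -d "$cfg" ]; then
        # The symlink exists but its target does not. /var/lib/ecryptfs/<user>
        # lives on the root partition, so it is gone if that partition was
        # reinstalled, or unreachable if a different root is mounted here.
        echo "$cfg -> $(readlink "$cfg") is a dangling symlink"
        return 1
    fi
    for f in Private.sig Private.mnt; do
        [ -f "$cfg/$f" ] || { echo "missing $cfg/$f"; status=1; }
    done
    if [ ! -f "$cfg/wrapped-passphrase" ]; then
        # Not fatal: with the recorded mount passphrase you can run
        # "ecryptfs-add-passphrase --fnek" first instead of unwrapping it.
        echo "no $cfg/wrapped-passphrase: you will need your mount passphrase (ecryptfs-add-passphrase --fnek)"
    fi
    # -d follows symlinks, so the newer /home/.ecryptfs/<user>/.Private layout passes too.
    [ -d "$home/.Private" ] || { echo "missing $home/.Private (the ciphertext directory)"; status=1; }
    return $status
}
```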


35 comments:
Thanks for the info. What I would like to know (and I'm sure it is simpler than I realize) is how to do an rsync backup of the encrypted files. When I'm logged into my Jaunty VM with encrypted home, I cannot see the .Private directory. When I boot into an ISO, I can only see the contents of .Private when I use sudo.
I love how these kinds of instructions (the ones that contain seventeen incomprehensible shell commands you wouldn't want to dictate to your grandmother over the phone) inevitably contain the word "simple".
For the instructions themselves I thank you -- they'll certainly come in handy.
Hi Dustin,
I've just tried following your instructions, but I still can't seem to get access to the contents of my home folder?
FWIW ... I'm trying to recover files from an encrypted install which has just decided that it doesn't want to boot anymore.
First off, I'm decrypting the drive using "sudo cryptsetup luksOpen /dev/sdc1 mybrokendrive", and then mounting it using "sudo mount /dev/ubuntu-server/root /mnt"
That works fine, and I can see the contents of my drive *EXCEPT* for my /home folder, because that's obviously still encrypted by Ubuntu as well.
I've tried following your instructions and everything SEEMS to be working like it should, I get all the same prompts/responses as your post, but I still CAN'T get access to my /home folder.
When I try listing the folder contents, all I get is:
david@ubuntu:~$ ls -alF
total 24
dr-x------ 3 david david 4096 2009-04-05 04:42 ./
drwxr-xr-x 3 root root 4096 2009-03-15 10:52 ../
lrwxrwxrwx 1 root root 56 2009-03-15 10:52 Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
-rw------- 1 root root 300 2009-04-04 22:05 .bash_history
lrwxrwxrwx 1 root root 23 2009-03-15 10:52 .ecryptfs -> /var/lib/ecryptfs/david/
drwx------ 51 david david 12288 2009-03-25 18:44 .Private/
lrwxrwxrwx 1 root root 52 2009-03-15 10:52 README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt
Inside the .Private folder is all still encrypted.
I'm running into possibly the same roadblock young_einstein is. I can see everything up to the encrypted home folder. Instead I see those two files:
Access-Your-Private-Data.desktop
readme.txt
Additionally, I'm having trouble chrooting in, with this as a result:
ubuntu@ubuntu:~$ sudo chroot /mnt
/bin/bash: error while loading shared libraries: /lib/tls/i686/cmov/libdl.so.2: file too short
Hi Dustin,
I have followed all your instructions above and all function well. I can view the content of my encrypted home folder with the Ubuntu Live-CD Session.
But now I have a problem: I don't know how I can save my data outside the encrypted home because I'm not able to connect, for instance, an external USB disk and access this disk from the terminal. I have tried different ways, but every time the external disk is not readable, or I can't write to it, and so on.
An external disk can be used with the normal "ubuntu" live session user, but not with the "kirkland" user.
Have you any suggestion about?
Many thanks
Hi Dustin!
Thanks for the instructions, everything worked as it should. Now i want to move on to more advanced stuff.
I want to do a live backup of my home directory in an unencrypted state. Therefore I put my home directory into an lvm volume, from which I create a snapshot.
I then mount the snapshot and would like to do a "mount -t ecryptfs" to get to a snapshot of the decrypted data. Unfortunately I was not able to figure out how to do this. Maybe you could give me some hints?
Thanks
Martin
Hi Dustin,
I keep running into problems at the chroot command. I'm trying to get my encrypted home data off a harddrive I took out of a dead 64bit computer. I'm not sure if it is necessary to do this with a computer with the same architecture or if a 32bit computer is possible.
I expected to be able to go into my encrypted file system like in a tar file - but that doesn't seem to be the case...
Hi Dustin,
I have a big problem. I have my encrypted home but the partition that had folders /proc and /sys was deleted by a new installation (ubuntu 9.10)
Is there any way to access my encrypted data?
Thanks
Saran
Saran-
Deleted? You can't delete /proc or /sys. Those are virtual filesystems created by the kernel on boot. There's no persistent data stored there. It's recreated every time you boot. If you carefully follow the instructions above, you will have a working /proc and /sys.
:-Dustin
schuga-
Architecture (32 v 64) doesn't matter. Follow the instructions above very carefully.
:-Dustin
Martin-
I'm afraid that the mount -t ecryptfs command might be slightly broken in Ubuntu 9.10. There were a number of changes to that code. There's a bug open. I will be working on that shortly.
:-Dustin
Romeo-
I usually use NFS. I'll mount a remote filesystem over the network and then use rsync -aP to copy my decrypted data off of the system.
You should be able to use a USB disk or USB key just fine, too.
Once you have your data mounted and accessible decrypted, open a *new* terminal, running as the ubuntu (administrative) user. This user should be able to write to the USB disk, and see the decrypted data. Use the 'mount' command to find the correct path to the mounted ecryptfs data outside of the chroot.
:-Dustin
Matt-
Looks like you have a faulty LiveCD. Check the md5sum of your ISO, and re-burn your disk (or key) at a slower speed.
:-Dustin
Thanks for your earlier reply, I still cant mount my home.
The home folder has a broken symbolic link, pointing to the /var/lib/ecryptfs/saran folder. This folder does not exist. Is there any way to mount my home having only the .Private folder?
Thanks again.
Hi Dustin!
Thanks :)
I'll try it again when you fixed the bug. So when the mount command works correctly, what should I use as fnek? Or will mount -t ecryptfs automatically calculate it from the passphrase?
Martin
Dustin,
I only have my .Private folder,
This is the out for ecryptfs-mount-private
ERROR: Encrypted private directory is not setup properly
I tried everything and not know what else to do.
Saran.
For Saran, about ecryptfs not being setup properly ... are you using your own account to run the command, or root, or the live ubuntu account? You need to run the command as yourself. I found that out last night.
I'm not sure if this will work for me, since I have 9.10 & Dustin said there's a bug for 9.10, but I'll keep the information in hopes it will work, or at least hopes I won't need it in the future.
Two nights ago I had a problem in which Ubuntu stopped booting properly, but last night someone told me to run fsck to fix it, and it did fix it, so I don't need these instructions at the moment.
Dustin: has the fix been edited into the blog post for 9.10 already, or are you still working on that?
Hello Dustin, following your info I could see and manipulate any files, but I cannot recover them. I tried to mount the files encrypted by my other Ubuntu partition.
I tried to copy the files by this command:
wildner@widner-desktop:~$ cp /home/wildner/Mariah\ Carey\ -\ I\ Wanna\ Know\ What\ Love\ Is.mp3 /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
-su: cp: /home/wildner/Mariah Carey - I Wanna Know What Love Is.mp3: Not a directory
wildner@widner-desktop:~$ cp /home/wildner/Linux /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
-su: cp: /home/wildner/Linux: No such file or directory
wildner@widner-desktop:~$ cp /home/wildner/Linux/*.* /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
-su: cp: /home/wildner/Linux/*.*: No such file or directory
How do I copy the files to the other partition?
Thanks in advance
hi,
I followed your instructions with a 9.04 CD for a crashed 9.10 installation, and after ecryptfs-mount-private I get:
ecryptfs-insert-wrapped-passphrase-into-keyring: error while loading shared libraries: libecryptfs.so.0: cannot open shared object file: No such file or directory
what to do now?
I also tried it with a 9.10 CD, but the result is the same. I have Ubuntu on one ext4 partition
Worked for me on 9.10
I recovered my data onto a usb drive by typing: sudo mkdir /mnt/usb && sudo mount /dev/sdd1 /mnt/usb
after the chroot, when I did the su - username , it told me to run ecryptfs-mount-private and that asked me for my passphrase and then I entered my user password and everything worked out just fine
Sweet, thanks Dustin.
Note that this will not work with the Karmic 9.10 liveCD although you may be able to replace the ecyptfs package with that from the Jaunty repository (not tested). Also, I had a raid0 array with an lvm2 volume. I first had to enable raid and lvm in Jaunty and then mount my logical volume as follows:
sudo -i
apt-get update
apt-get install dmraid mdadm lvm2
modprobe dm-raid4-5
vgchange -a y
mount /dev/mapper/"volume name-root" /mnt
then continue as above
It sorta' worked for me. If I use the folder GUI browser (Nautilus I think it's called) my folder is still locked, but I can use the terminal to look at a list of what I've got and am now trying to copy (cp) to my USB, but since I'm not having any success I'm guessing I have to mount my USB too. I have Ubuntu 9.10 Karmic Koala and am new to Linux and my HD won't boot. Ubuntu rocks though :p
Hi, Dustin.
When I go to "su - User" it responds "No directory, logging in with HOME=/". If I continue with ecryptfs-mount-private, then I receive a message: "ERROR: Encrypted private directory is not setup properly". There is some trick here...
Could you please illuminate it?
rob
... To be more clear?
[ until this point all right ]
ubuntu@ubuntu:~$ sudo chroot /mnt
root@ubuntu:/# <-- answer
root@ubuntu:/# su - rob
No directory, logging in with HOME=/
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
rob@ubuntu:/$ <-- answer
rob@ubuntu:/$ ecryptfs-add-passphrase --fnek
Passphrase: <-- yes, i have my passphrase
Inserted auth tok with sig [ee9a16399aeb0e85] into the user session keyring
Inserted auth tok with sig [9a9c1f340c8ec93e] into the user session keyring
rob@ubuntu:/$ ecryptfs-mount-private
ERROR: Encrypted private directory is not setup properly
rob@ubuntu:/$
thanxs
rob (with ubuntu 9.10)
To reiterate what is stated just below "POST A COMMENT" ...
Please do not use blog comments for support requests! Blog comments do not scale well to this effect.
Instead, please use Launchpad for Bugs and Questions.
* bugs.launchpad.net
* answers.launchpad.net
Thanks,
:-Dustin
This guide was also useful for me: http://www.kaijanmaki.net/2009/10/26/recovering-files-from-ecryptfs-encrypted-home/
And one really "excellent" way to get yourself into this state is to use superuser privileges to change your password. This can happen if you are the type who keeps multiple passwords in sync and some other place has a more aggressive notion of password security than does Ubuntu. However, if your Ubuntu installation prohibits password changes in quick succession, and if you are an antique UNIX hacker, what do you do? You use superuser privileges to force the password change, what else??? Unfortunately, this brute-force method apparently fails to update ecryptfs's idea of what your password is.
The trick in that case is to use Dustin's excellent workaround above, but give your intermediate password (the one that was deemed too weak by some other password-accepting facility) to ecryptfs-mount-private.
Thanks for the workaround, Dustin!!! Saved me a huge amount of time!!!
hi dustin, I tried to follow the procedure but I get stuck here:
ubuntu@ubuntu:~$ sudo chroot /mnt
chroot: cannot run command `/bin/bash': No such file or directory
i feel like i'm missing something.
thanks in advance
luke
Is there a way to do this from Windows?
why so damn complicated? I didn't get your description but figured out how to do this the easy way:
#!/bin/bash
# Answers to give at the interactive "mount -t ecryptfs" prompts below:
# 1. paste home-passphrase 2 times (use unwrap.. to get this)
# 2. aes/16/no plaintext passthrough
# 3. filename enc yes
# 4. enter the pair to the 1st key, which is the second line
MOUNTEDFOLDER="decryptedHome"           # mount point, created under /mnt
ENCED_HOME_PARTITION="/media/oldHome"   # where the old home partition is already mounted
cd /mnt || exit 1
sudo mkdir -p "$MOUNTEDFOLDER"
# put the mount passphrase (and the filename-encryption key, --fnek) into the keyring
sudo ecryptfs-add-passphrase --fnek
# replace YOURUSERNAME with the user whose .Private you are recovering
sudo mount -t ecryptfs "$ENCED_HOME_PARTITION/.ecryptfs/YOURUSERNAME/.Private" "$MOUNTEDFOLDER/"
ls "$MOUNTEDFOLDER"
Where can I find the passphrase?
I only know my login name and password.
Hey, this is what I did when I first installed Ubuntu like 5 years ago!
It's the thing you are warned to write down somewhere safe when you installed your system. In case you were a bad boy and did not do so, execute "ecryptfs-unwrap-passphrase" in the terminal.
Yes you need to do that from within the installation you want to mount. So if you lost your installation you might be in bad luck.
you guys might want to read on this https://help.ubuntu.com/community/EncryptedPrivateDirectory
THANK YOU THIS SAVES MY BUTT!!!!!!