Wednesday, March 4, 2009

Mounting your Encrypted Home from an Ubuntu LiveCD

UPDATE: As of April 28, 2011, please use the ecryptfs-recover-private method instead!


I have received a few questions lately about mounting Ubuntu Encrypted Private or Encrypted Home directories from an Ubuntu LiveCD.

You can do this from a terminal with:
ubuntu@ubuntu$ sudo mount /dev/sda1 /mnt
ubuntu@ubuntu$ sudo mount -o bind /dev /mnt/dev
ubuntu@ubuntu$ sudo mount -o bind /dev/shm /mnt/dev/shm
ubuntu@ubuntu$ sudo mount -o bind /proc /mnt/proc
ubuntu@ubuntu$ sudo mount -o bind /sys /mnt/sys
ubuntu@ubuntu$ sudo chroot /mnt
root@ubuntu$ su - kirkland
kirkland@ubuntu$ ecryptfs-mount-private
Enter your login passphrase:
Warning: Using default salt value (undefined in ~/.ecryptfsrc)
Inserted auth tok with sig [xxx] into the user session keyring
kirkland@ubuntu$ cd $HOME
kirkland@ubuntu$ ls -alF
...
kirkland@ubuntu$ cat .profile
...
The above process assumes that your ~/.ecryptfs/wrapped-passphrase file is available on this system. If you're using 2-factor authentication and storing this elsewhere, you might need to perform an additional mount and symbolic link to make this file available.

Alternatively, if you're trying to recover data, and you've recorded your mount passphrase properly, you would use
kirkland@ubuntu$ ecryptfs-add-passphrase --fnek
just before the ecryptfs-mount-private bit, to manually enter your passphrase (rather than pulling it from ~/.ecryptfs/wrapped-passphrase).

Notes:
  1. /dev/sda1 is the device serving my $HOME/.Private
  2. kirkland is my username, yours will likely be different ;-)
  3. Bind mounting /sys and /proc is critical -- ecryptfs needs access to kernel information shared there
  4. The dash in "su - " is important -- don't forget it!
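As an added example (not the post's own code), the same mount/bind/chroot sequence as a small POSIX sh script, with preflight checks on the mounted root for the things the chroot, "su -" and ecryptfs-mount-private steps depend on (/bin/bash, the home directory, the ~/.ecryptfs setup). The script name, the argument layout and the function names are my assumptions; /mnt and the bind mounts are as in the post.

```shell
#!/bin/sh
# Added example, not from the original post: the post's mount/bind/chroot
# sequence as a script with preflight checks on the mounted root filesystem.
# Assumed usage (my naming): sudo sh livecd-ecryptfs-mount.sh /dev/sda1 kirkland
MNT="${MNT:-/mnt}"   # temporary root, /mnt as in the post

# Path of USER's ~/.ecryptfs under ROOT. On these systems it is an absolute
# symlink (.ecryptfs -> /var/lib/ecryptfs/USER) that, read from outside the
# chroot, would resolve against the LiveCD's own /var, so re-root it by hand.
ecryptfs_dir() {
    home="$1/home/$2"
    if [ -L "$home/.ecryptfs" ]; then
        target=$(readlink "$home/.ecryptfs")
        case "$target" in
            /*) echo "$1$target" ;;
            *)  echo "$home/$target" ;;
        esac
    else
        echo "$home/.ecryptfs"
    fi
}
# preflight_root ROOT USER: check what chroot, "su - USER" and
# ecryptfs-mount-private depend on; print one line per problem, return 1 if any.
preflight_root() {
    root="$1"; user="$2"; rc=0
    home="$root/home/$user"
    ecdir=$(ecryptfs_dir "$root" "$user")
    # chroot execs /bin/bash from the new root: no shell means the wrong
    # partition was mounted or the root filesystem is damaged.
    [ -x "$root/bin/bash" ] || { echo "no $root/bin/bash: wrong partition or damaged root"; rc=1; }
    # "su - USER" needs the home directory, or it falls back to HOME=/.
    [ -d "$home" ] || { echo "no $home: check the username"; rc=1; }
    # ecryptfs-mount-private reads the key signature and mount point from here.
    for f in Private.sig Private.mnt; do
        [ -f "$ecdir/$f" ] || { echo "no $ecdir/$f: private dir not set up"; rc=1; }
    done
    # A missing wrapped-passphrase is only a warning: the post's alternative
    # is ecryptfs-add-passphrase --fnek with the recorded mount passphrase.
    [ -f "$ecdir/wrapped-passphrase" ] || echo "note: no wrapped-passphrase, use ecryptfs-add-passphrase --fnek"
    [ -d "$home/.Private" ] || { echo "no $home/.Private: nothing to mount"; rc=1; }
    return "$rc"
}
# mount_for_recovery DEVICE USER: the post's steps up to the chroot (run as root).
mount_for_recovery() {
    mount "$1" "$MNT" || return 1
    preflight_root "$MNT" "$2" || return 1
    for d in /dev /dev/shm /proc /sys; do   # /proc and /sys are required (note 3)
        mount -o bind "$d" "$MNT$d" || return 1
    done
    echo "Ready. Next: chroot $MNT su - $2    (then ecryptfs-mount-private)"
}
if [ "$#" -eq 2 ]; then mount_for_recovery "$1" "$2"; fi   # no args: only define functions
```

The preflight runs without root, so it can be pointed at any mounted partition before the bind mounts are made.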


:-Dustin

48 comments:

  1. Thanks for the info. What I would like to know (and I'm sure it is simpler than I realize) is how to do an rsync backup of the encrypted files. When I'm logged into my Jaunty VM with encrypted home, I cannot see the .Private directory. When I boot into an ISO, I can only see the contents of .Private when I use sudo.

  2. I love how these kinds of instructions (the ones that contain seventeen incomprehensible shell commands you wouldn't want to dictate to your grandmother over the phone) inevitably contain the word "simple".

    For the instructions themselves I thank you -- they'll certainly come in handy.

  3. Hi Dustin,

    I've just tried following your instructions, but I still can't seem to get access to the contents of my home folder?

    FWIW ... I'm trying to recover files from an encrypted install which has just decided that it doesn't want to boot anymore.

    First off, I'm decrypting the drive using "sudo cryptsetup luksOpen /dev/sdc1 mybrokendrive", and then mounting it using "sudo mount /dev/ubuntu-server/root /mnt"

    That works fine, and I can see the contents of my drive *EXCEPT* for my /home folder, because that's obviously still encrypted by Ubuntu as well.

    I've tried following your instructions and everything SEEMS to be working like it should, I get all the same prompts/responses as your post, but I still CAN'T get access to my /home folder.

    When I try listing the folder contents, all I get is:

    david@ubuntu:~$ ls -alF
    total 24
    dr-x------ 3 david david 4096 2009-04-05 04:42 ./
    drwxr-xr-x 3 root root 4096 2009-03-15 10:52 ../
    lrwxrwxrwx 1 root root 56 2009-03-15 10:52 Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
    -rw------- 1 root root 300 2009-04-04 22:05 .bash_history
    lrwxrwxrwx 1 root root 23 2009-03-15 10:52 .ecryptfs -> /var/lib/ecryptfs/david/
    drwx------ 51 david david 12288 2009-03-25 18:44 .Private/
    lrwxrwxrwx 1 root root 52 2009-03-15 10:52 README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt

    Everything inside the .Private folder is still encrypted.
  4. I'm running into possibly the same roadblock young_einstein is. I can see everything up to the encrypted home folder. Instead I see those two files:

    Access-Your-Private-Data.desktop
    readme.txt


    Additionally, I'm having trouble chrooting in, with this as a result:

    ubuntu@ubuntu:~$ sudo chroot /mnt
    /bin/bash: error while loading shared libraries: /lib/tls/i686/cmov/libdl.so.2: file too short

  5. Hi Dustin,

    I have followed all your instructions above and all function well. I can view the content of my encrypted home folder with the Ubuntu Live-CD Session.
    But now I have a problem: I don't know how I can save my data outside the encrypted home, because I am not able to connect, for instance, an external USB disk and access it from the terminal. I have tried different ways, but every time the external disk is not readable, or I can't write to it, and so on.
    An external disk can be used with the normal "ubuntu" live session user, but not with the "kirkland" user.
    Do you have any suggestions?

    Many thanks
  6. Hi Dustin!

    Thanks for the instructions, everything worked as it should. Now i want to move on to more advanced stuff.

    I want to do a live backup of my home directory in an unencrypted state. Therefore I put my home directory into an lvm volume, from which I create a snapshot.

    I then mount the snapshot and would like to do a "mount -t ecryptfs" to get to a snapshot of the decrypted data. Unfortunately I was not able to figure out how to do this. Maybe you could give me some hints?

    Thanks
    Martin

  7. Hi Dustin,
    I keep running into problems at the chroot command. I'm trying to get my encrypted home data off a hard drive I took out of a dead 64-bit computer. I'm not sure if it is necessary to do this with a computer with the same architecture or if a 32-bit computer is possible.
    I expected to be able to go into my encrypted file system like in a tar file - but that doesn't seem to be the case...
  8. Hi Dustin,
    I have a big problem. I have my encrypted home, but the partition that had the folders /proc and /sys was deleted by a new installation (Ubuntu 9.10).
    Is there any way to access my encrypted data?

    Thanks
    Saran
  9. Saran-

    Deleted? You can't delete /proc or /sys. Those are virtual filesystems created by the kernel on boot. There's no persistent data stored there. It's recreated every time you boot. If you carefully follow the instructions above, you will have a working /proc and /sys.

    :-Dustin

  10. schuga-

    Architecture (32 v 64) doesn't matter. Follow the instructions above very carefully.

    :-Dustin

  11. Martin-

    I'm afraid that the mount -t ecryptfs command might be slightly broken in Ubuntu 9.10. There were a number of changes to that code. There's a bug open. I will be working on that shortly.

    :-Dustin

  12. Romeo-

    I usually use NFS. I'll mount a remote filesystem over the network and then use rsync -aP to copy my decrypted data off of the system.

    You should be able to use a USB disk or USB key just fine, too.

    Once you have your data mounted and accessible decrypted, open a *new* terminal, running as the ubuntu (administrative) user. This user should be able to write to the USB disk, and see the decrypted data. Use the 'mount' command to find the correct path to the mounted ecryptfs data outside of the chroot.

    :-Dustin

  13. Matt-

    Looks like you have a faulty LiveCD. Check the md5sum of your ISO, and re-burn your disk (or key) at a slower speed.

    :-Dustin

  14. Thanks for your earlier reply, I still can't mount my home.
    The home folder has a broken symbolic link, pointing to the /var/lib/ecryptfs/saran folder. This folder does not exist. Is there any way to mount my home having only the .Private folder?
    Thanks again.
  15. Hi Dustin!

    Thanks :)
    I'll try it again when you've fixed the bug. So when the mount command works correctly, what should I use as fnek? Or will mount -t ecryptfs automatically calculate it from the passphrase?

    Martin
  16. Dustin,
    I only have my .Private folder,
    This is the output of ecryptfs-mount-private:

    ERROR: Encrypted private directory is not setup properly

    I tried everything and don't know what else to do.

    Saran.
  17. For Saran, about ecryptfs not being setup properly ... are you using your own account to run the command, or root, or the live ubuntu account? You need to run the command as yourself. I found that out last night.

    I'm not sure if this will work for me, since I have 9.10 & Dustin said there's a bug for 9.10, but I'll keep the information in hopes it will work, or at least hopes I won't need it in the future.
    Two nights ago I had a problem in which Ubuntu stopped booting properly, but last night someone told me to run fsck to fix it, and it did fix it, so I don't need these instructions at the moment.

    Dustin: has the fix been edited into the blog post for 9.10 already, or are you still working on that?

  18. Hello Dustin, following your info I could see and manipulate any files, but I cannot recover them. I tried to mount the files encrypted by my other Ubuntu partition.
    I tried to copy the files with this command:
    wildner@widner-desktop:~$ cp /home/wildner/Mariah\ Carey\ -\ I\ Wanna\ Know\ What\ Love\ Is.mp3 /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
    -su: cp: /home/wildner/Mariah Carey - I Wanna Know What Love Is.mp3: Not a directory
    wildner@widner-desktop:~$ cp /home/wildner/Linux /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
    -su: cp: /home/wildner/Linux: No such file or directory
    wildner@widner-desktop:~$ cp /home/wildner/Linux/*.* /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
    -su: cp: /home/wildner/Linux/*.*: No such file or directory
    How do I copy the files to the other partition?

    Thanks in advance
  19. hi,

    I followed your instructions with a 9.04 CD for a crashed 9.10 installation, and after ecryptfs-mount-private I get:
    ecryptfs-insert-wrapped-passphrase-into-keyring: error while loading shared libraries: libecryptfs.so.0: cannot open shared object file: No such file or directory
    What to do now?
    I also tried it with a 9.10 CD, but the result is the same. I have Ubuntu on one ext4 partition.
  20. Worked for me on 9.10
    I recovered my data onto a usb drive by typing: sudo mkdir /mnt/usb && sudo mount /dev/sdd1 /mnt/usb

    After the chroot, when I did the su - username, it told me to run ecryptfs-mount-private, and that asked me for my passphrase; then I entered my user password and everything worked out just fine.
  21. Sweet, thanks Dustin.
    Note that this will not work with the Karmic 9.10 liveCD although you may be able to replace the ecryptfs package with that from the Jaunty repository (not tested). Also, I had a raid0 array with an lvm2 volume. I first had to enable raid and lvm in Jaunty and then mount my logical volume as follows:
    sudo -i
    apt-get update
    apt-get install dmraid mdadm lvm2
    modprobe dm-raid4-5
    vgchange -a y
    mount /dev/mapper/"volume name-root" /mnt
    then continue as above

  22. It sorta' worked for me. If I use the folder GUI browser (Nautilus I think it's called) my folder is still locked, but I can use the terminal to look at a list of what I've got and am now trying to copy (cp) to my USB, but since I'm not having any success I'm guessing I have to mount my USB too. I have Ubuntu 9.10 Karmic Koala and am new to Linux and my HD won't boot. Ubuntu rocks though :p
  23. Hi, Dustin.
    When I go to "su - User" it responds "No directory, logging in with HOME=/". If I continue with ecryptfs-mount-private, then I receive a message: "ERROR: Encrypted private directory is not setup properly". There is some trick here...

    Could you please illuminate it?

    rob

  24. ... To be more clearly?

    [ until this point all right ]
    ubuntu@ubuntu:~$ sudo chroot /mnt
    root@ubuntu:/# <-- answer
    root@ubuntu:/# su - rob
    No directory, logging in with HOME=/
    To run a command as administrator (user "root"), use "sudo ".
    See "man sudo_root" for details.

    rob@ubuntu:/$ <-- answer
    rob@ubuntu:/$ ecryptfs-add-passphrase --fnek
    Passphrase: <-- yes, i have my passphrase
    Inserted auth tok with sig [ee9a16399aeb0e85] into the user session keyring
    Inserted auth tok with sig [9a9c1f340c8ec93e] into the user session keyring
    rob@ubuntu:/$ ecryptfs-mount-private
    ERROR: Encrypted private directory is not setup properly
    rob@ubuntu:/$

    thanxs

    rob (with ubuntu 9.10)

  25. To reiterate what is stated just below "POST A COMMENT" ...

    Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

    Instead, please use Launchpad for Bugs and Questions.
    * bugs.launchpad.net
    * answers.launchpad.net

    Thanks,
    :-Dustin

  26. This guide was also useful for me: http://www.kaijanmaki.net/2009/10/26/recovering-files-from-ecryptfs-encrypted-home/

  27. And one really "excellent" way to get yourself into this state is to use superuser privileges to change your password. This can happen if you are the type who keeps multiple passwords in sync and some other place has a more aggressive notion of password security than does Ubuntu. However, if your Ubuntu installation prohibits password changes in quick succession, and if you are an antique UNIX hacker, what do you do? You use superuser privileges to force the password change, what else??? Unfortunately, this brute-force method apparently fails to update ecryptfs's idea of what your password is.

    The trick in that case is to use Dustin's excellent workaround above, but give your intermediate password (the one that was deemed too weak by some other password-accepting facility) to ecryptfs-mount-private.

    Thanks for the workaround, Dustin!!! Saved me a huge amount of time!!!

  28. hi dustin, I tried to follow the procedure but I get stuck here:

    ubuntu@ubuntu:~$ sudo chroot /mnt
    chroot: cannot run command `/bin/bash': No such file or directory

    I feel like I'm missing something.
    Thanks in advance

    luke
  29. Is there a way to do this from Windows?

  30. why so damn complicated? I didn't get your description but figured out how to do this the easy way:

    #!/bin/bash
    # Answers to the interactive prompts of ecryptfs-add-passphrase / mount -t ecryptfs:
    # 1. paste home-passphrase 2 times (use unwrap.. to get this)
    # 2. aes/16/no plaintext passthrough
    # 3. filename enc yes
    # 4. enter the pair to the 1st key, which is the second line
    MOUNTEDFOLDER="decryptedHome"          # mount point, created under /mnt
    ENCED_HOME_PARTITION="/media/oldHome"  # where the old partition is already mounted

    cd /mnt || exit 1
    sudo mkdir -p "$MOUNTEDFOLDER"

    # put the mount passphrase (and its filename-encryption key) into root's keyring,
    # then mount the lower .Private directory with ecryptfs and list the result
    sudo ecryptfs-add-passphrase --fnek
    sudo mount -t ecryptfs "$ENCED_HOME_PARTITION/.ecryptfs/YOURUSERNAME/.Private" "$MOUNTEDFOLDER/"
    ls "$MOUNTEDFOLDER"
  31. Where can I find the passphrase?
    I only know my login name and password.
  32. Hey this is what i did when i first installed ubuntu like 5 years ago!

  33. It's the thing you are warned to write down somewhere safe when you installed your system. In case you were a bad boy and did not do so, execute "ecryptfs-unwrap-passphrase" in the terminal.
    Yes you need to do that from within the installation you want to mount. So if you lost your installation you might be in bad luck.

  34. you guys might want to read on this https://help.ubuntu.com/community/EncryptedPrivateDirectory

  35. THANK YOU THIS SAVES MY BUTT!!!!!!

  36. suyog@ubuntu:~$ ecryptfs-mount-private
    Enter your login passphrase:
    Error: Unwrapping passphrase and inserting into the user session keyring failed [-5]
    Info: Check the system log for more information from libecryptfs
    ERROR: Your passphrase is incorrect
    Enter your login passphrase:

  37. hi dustin,
    i am working on ubuntu 1.0.04.
    All my data on my desktop and in my /home/suyog has disappeared, and I get this file Access-Your-Private-Data.desktop
    ..how to resolve this?
    I followed the above procedure, but I again got an error regarding the login passphrase:

    suyog@ubuntu:~$ ecryptfs-mount-private
    Enter your login passphrase:
    Error: Unwrapping passphrase and inserting into the user session keyring failed [-5]
    Info: Check the system log for more information from libecryptfs
    ERROR: Your passphrase is incorrect
    Enter your login passphrase:

  38. Just a word to THANK YOU!
    I followed your instructions and could recover a backuped home directory after a system fail and a reinstall.
    You just rock :)

  39. if you get
    ecryptfs-mount-private mount operation not permitted

    it is probably because you used the automount from the live cd and did not do a manual mount.

    Took me a while to figure this one out....
  40. This website has some good information.

    http://goshawknest.wordpress.com/2010/04/16/how-to-recover-crypted-home-directory-in-ubuntu/

  41. I wrote a guide on this so I hope this will help other people.

    https://help.ubuntu.com/community/EncryptedPrivateDirectory#Live%20CD%20method%20of%20opening%20a%20encrypted%20home%20directory

  42. Thank you for saving my ass.

  43. Thanks, works perfectly for me on Ubuntu 10.04.

  44. Hi,
    I executed the second command (mount -o bind /dev /mnt/dev) from the instructions given above. It says: can not create directory 'dev': Read only file system.
    How to get data back from encrypted /home in 11.04?
  45. Please use ecryptfs-recover-private:
    * http://blog.dustinkirkland.com/2011/04/introducing-ecryptfs-recover-private.html

  46. Hi Dustin
    If I create a new user in the live CD with the command ecryptfs-mount-private, it finds the directory
    but won't accept what was the original user password.
    Your instructions
    ecryptfs-mount-private
    give the error "private directory is not setup properly".
    Anything I can do?
    Thanks

Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

Instead, please use Launchpad for Bugs and StackExchange for Questions.
* bugs.launchpad.net
* stackexchange.com

Thanks,
:-Dustin