Recovering an encrypted home partition on Ubuntu

I recently found myself needing to restore data from a backup of an ecryptfs-encrypted Ubuntu home partition. This didn’t go as smoothly as when I tested backup restoration (in part because ecryptfs has since fallen out of favor, replaced by LUKS), so I thought I’d document the pertinent steps here.

I used a live Ubuntu system from a USB thumb drive, which I booted from to perform the following operations. Once within the live system, I first had to install the ecryptfs tools, as they’re no longer part of the standard distribution, and in fact aren’t even part of the standard software accessible by apt by default.

We start by installing ecryptfs (make sure you’re connected to the web!). From a terminal, execute

sudo add-apt-repository universe
sudo apt-get update
sudo apt-get install -y ecryptfs-utils

Next, make sure your USB drive (or whatever medium you’re accessing) is mounted, and navigate to the .ecryptfs folder it contains. Typically this is a sibling of the encrypted .Private folder. Note that the .ecryptfs entry in a user’s home folder may be a symlink to a different location. If you can’t `cd` into it, use `ls -al` to see what it pointed to on the original system and navigate there manually: often /home/john/.ecryptfs is actually a link to /home/.ecryptfs/john/.ecryptfs, which was broken when the backup was made.

sudo su
cd /media/ubuntu/my_backup_location/.ecryptfs
ecryptfs-unwrap-passphrase wrapped-passphrase

This will prompt you for the login password of the user whose home directory you’re trying to decrypt. After entering it, you’ll see a 32-character passphrase in the terminal.

Many of the following steps are executed as the superuser even though they could also be executed as a normal user. However, the recovery command must be executed as root, and the steps that add the passphrase to the keyring must also be executed as root: the keyring is per user session, so a key added as your normal user won’t be found when the recovery command (running as root) looks for it…

Open a new terminal (this is for convenience, you could also just continue in this one) and execute:

sudo ecryptfs-manager

Select the first option (Add passphrase key to keyring). Follow the instructions, and you should see

eCryptfs key management menu
-------------------------------
	1. Add passphrase key to keyring
	2. Add public key to keyring
	3. Generate new public/private keypair
	4. Exit

Make selection: 1

	Mount-wide passphrase: 
	Confirm passphrase: 
	Using the default salt value

Added key to keyring with signature [ed12d26eafadb530].

You can copy/paste by selecting the passphrase then middle-clicking (or clicking with both mouse buttons simultaneously if you have no middle button) to paste it: note that the terminal will not provide any feedback that you’ve entered text. Just trust in the system ;-)

You may also be told “Passphrase mismatch. Aborting mount” (e.g. if you copy/paste twice or have a typo): repeat the steps until you see one of the success messages above.

(It appears that some users, e.g. on Debian, had to execute sudo keyctl link @a @u as well.)

Finally, navigate to the encrypted backup again and recover it:

cd /media/ubuntu/my_backup_location
sudo ecryptfs-recover-private .Private

Follow the prompts, and you should be greeted by the following message:

INFO: Found [.Private].
Try to recover this directory? [Y/n]:
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n]
INFO: Enter your LOGIN passphrase...
Passphrase:
Inserted auth tok with sig [c67c3e3ace421e76] into the user session keyring
INFO: Success! Private data mounted at [/tmp/ecryptfs.abcd123].

To access your files graphically, open a new terminal (once again for convenience, you could also continue in the same one) and

sudo nautilus /tmp/ecryptfs.abcd123

You can stop reading here; what follows chronicles a few missteps and error messages so that poor souls trying to access their encrypted data after a hardware failure can find this page when searching for those error messages.

Normally, the recovery process would consist of simply executing ecryptfs-recover-private and following the prompts. This did indeed work flawlessly when I tested my backup system. Unfortunately, when things actually went sideways it didn’t go as planned. The first problem is that the command may not find your encrypted data when scanning the system for it. Then, even if you point it in the right direction (by providing the directory argument as we did above), it will typically be unable to mount the decrypted data due to a permissions snafu. The error message you’ll see will be something like:

INFO: Found [.Private].
Try to recover this directory? [Y/n]: 
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] 
INFO: Enter your LOGIN passphrase...
Passphrase: 
Inserted auth tok with sig [cdcad9e070a753cf] into the user session keyring
mount: /tmp/ecryptfs.a4m7KhsL: mount(2) system call failed: No such file or directory.
ERROR: Failed to mount private data at [/tmp/ecryptfs.a4m7KhsL].

It also happened that I was able to successfully mount the decrypted data, but all of the filenames were still encrypted. This was resolved by running

sudo ecryptfs-add-passphrase --fnek

and entering the passphrase we obtained above (the 32-character string). You should see output similar to

Inserted auth tok with sig [aaaaaaaaaaaaaaaa] into the user session keyring
Inserted auth tok with sig [bbbbbbbbbbbbbbbb] into the user session keyring

Repeating the sudo ecryptfs-recover-private .Private step should then mount the files with decrypted filenames.
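Putting the steps above together, here is an added shell script that is not part of the original post or of ecryptfs-utils. It locates wrapped-passphrase on the backup (following the broken /home/<user>/.ecryptfs symlink described earlier by re-rooting its target under the backup mount, and falling back to the /home/.ecryptfs/<user> location), insists on running as root, unwraps the mount passphrase, loads it into the keyring as a filename key with ecryptfs-add-passphrase --fnek so names decrypt too, and then runs ecryptfs-recover-private on the sibling .Private directory. The function names, the backup root /media/ubuntu/my_backup_location and the user name john are assumptions; the trailing `-` argument that makes ecryptfs-add-passphrase read the passphrase from stdin is the one documented in its man page.

```shell
#!/bin/sh
# Added example (not from the original post): recover an ecryptfs .Private
# backup with the checks the missteps above call for. Assumes the backup is
# mounted under $root and the original user name was $user.

# Print the directory holding wrapped-passphrase for $user inside the backup
# at $root, or return 1. Follows the /home/$user/.ecryptfs symlink by
# re-rooting an absolute target under $root, since the target path
# (/home/.ecryptfs/...) does not exist on the live system.
locate_ecryptfs_dir() {
    root=$1; user=$2
    candidate="$root/home/$user/.ecryptfs"
    if [ -L "$candidate" ]; then
        target=$(readlink "$candidate")
        case "$target" in
            /*) candidate="$root$target" ;;               # absolute link target
            *)  candidate="$root/home/$user/$target" ;;   # relative link target
        esac
    fi
    if [ -f "$candidate/wrapped-passphrase" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    # Fall back to the system-wide per-user location.
    alt="$root/home/.ecryptfs/$user/.ecryptfs"
    if [ -f "$alt/wrapped-passphrase" ]; then
        printf '%s\n' "$alt"
        return 0
    fi
    return 1
}

# ecryptfs-unwrap-passphrase prints a 32-character lowercase hex passphrase;
# anything else means the login password was wrong or the file is damaged.
looks_like_mount_passphrase() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Full recovery flow. Must run as root: the keyring entries and the mount
# both belong to the root session that ecryptfs-recover-private uses.
recover_backup() {
    root=$1; user=$2
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root (sudo): keys added as another user will not be found" >&2
        return 1
    fi
    dir=$(locate_ecryptfs_dir "$root" "$user") || {
        echo "no wrapped-passphrase for $user under $root" >&2
        return 1
    }
    private="$(dirname "$dir")/.Private"   # .Private is a sibling of .ecryptfs
    if [ ! -d "$private" ]; then
        echo "expected encrypted data at $private" >&2
        return 1
    fi
    # Prompts for the user's LOGIN password on the terminal; stdout is the
    # 32-character mount passphrase.
    pass=$(ecryptfs-unwrap-passphrase "$dir/wrapped-passphrase") || return 1
    looks_like_mount_passphrase "$pass" || {
        echo "unwrap did not yield a 32-character hex passphrase" >&2
        return 1
    }
    # Add the same passphrase as a filename-encryption key (FNEK); without it
    # the mount succeeds but file names stay encrypted. '-' reads from stdin.
    printf '%s\n' "$pass" | ecryptfs-add-passphrase --fnek - || return 1
    # The recovery tool now finds both keys in this (root) session keyring.
    ecryptfs-recover-private "$private"
}

# Usage: sudo sh recover.sh /media/ubuntu/my_backup_location john
if [ "$#" -eq 2 ]; then
    recover_backup "$1" "$2"
fi
```

The passphrase never touches the command line or a file: it is captured in a shell variable and piped straight into ecryptfs-add-passphrase, so it does not show up in `ps` output or shell history.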

This entry was posted in System administration.