Ubuntu: Restore your encrypted home directory
Here is an easy 3-step guide on how to access your encrypted home directory on Ubuntu. It should work on Ubuntu 9.10 and later. I last tested it on Ubuntu 12.04.
What you need
- A running Ubuntu
- Access to the disk from which you want to restore
- Your user password of the system you want to restore from or the passphrase you might have recorded earlier
How it works
Mount the disk or partition with the encrypted home on it
It can be done with Nautilus or on the text console. Change to the directory with the encrypted home which might look like that:
Step 1: Get the passphrase (optional)
The passphrase is not the user password. It is a random key, stored in the file wrapped-passphrase and encrypted with the user´s password. It´s unlikely that you´ve got that passphrase writen down somewhere but if you do so, skip that step. Else unwrap it:
user@ubuntu:/media/my_disk/home/.ecryptfs/username$ ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase Passphrase: <enter user´s password here> 2dac479b16e0efd2ac7b8e9e7690f8f7
This got us the passphrase, for exmaple 2dac479b16e0efd2ac7b8e9e7690f8f7.
Step 2: Get the signature for filename encryption
sudo ecryptfs-add-passphrase --fnek
You might have to provide your admin password, then the passphrase from step 1.
user@ubuntu:/media/my_disk/home/.ecryptfs/username$ sudo ecryptfs-add-passphrase --fnek [sudo] password for user: <your admin password> Passphrase: <passphrase from step 1, eg. 2dac479b16e0efd2ac7b8e9e7690f8f7> Inserted auth tok with sig [bdcb4b20bbc91ae6] into the user session keyring Inserted auth tok with sig [b89f3c3b1512e0a2] into the user session keyring
Note the 2nd signature (b89f3c3b1512e0a2 in this example) - we will need it later.
Step 3: Mount the encrypted home directory
sudo mount -t ecryptfs .Private /mnt
to mount the directory to /mnt or any other mountpoint of your choice. Add other mount parameters if necessary, eg. ro for read only access.
Follow the steps, ecryptfs provides and be careful not to mix-up the password, passphrase and signature.
- enter the passphrase from step1, eg. 2dac479b16e0efd2ac7b8e9e7690f8f7
- select cipher aes, just press return
- select 16 byte key length
- plaintext passthrough: n
- filename encryption: y
- enter the signature from step 2, not the one given by ecryptfs
- ignore the warning and proceed with yes
- answer no to not append the signature
user@ubuntu:/media/my_disk/home/.ecryptfs/username$ sudo mount -t ecryptfs .Private /mnt Passphrase: <passphrase from step 1> Select cipher: 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded) 2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded) 3) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded) 4) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded) Selection [aes]: <return> Select key bytes: 1) 16 2) 32 3) 24 Selection : <return> Enable plaintext passthrough (y/n) [n]: n Enable filename encryption (y/n) [n]: y Filename Encryption Key (FNEK) Signature [bdcb4b20bbc91ae6]: b89f3c3b1512e0a2 Attempting to mount with the following options: ecryptfs_unlink_sigs ecryptfs_fnek_sig=b89f3c3b1512e0a2 ecryptfs_key_bytes=16 ecryptfs_cipher=aes ecryptfs_sig=bdcb4b20bbc91ae6 WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt], it looks like you have never mounted with this key before. This could mean that you have typed your passphrase wrong. Would you like to proceed with the mount (yes/no)? : yes Would you like to append sig [caa34ede7e65051c] to [/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : no Not adding sig to user sig cache file; continuing with mount. Mounted eCryptfs
Your data should now be mounted to the mountpoint specified.
Your comments are welcome!