Difference between revisions of "Ubuntu: Restore your encrypted home directory"

From Tomelec
Jump to: navigation, search
Line 71: Line 71:
  
 
Your data should now be mounted to the mountpoint specified.
 
Your data should now be mounted to the mountpoint specified.
 +
 +
= Your comments are welcome! =
 +
<comments>

Revision as of 19:28, 27 January 2013

What you need

  • A running Ubuntu
  • Access to the disk from which you want to restore
  • Your user password of the system you want to restore from or the passphrase you might have recorded earlier

How it works

Mount the disk or partition with the encrypted home on it

It can be done with Nautilus or on the text console. Change to the directory with the encrypted home which might look like that:

user@ubuntu:/media/my_disk/home/.ecryptfs/username$

Step 1: Get the passphrase (optional)

The passphrase is not the user password. It is a random key, stored in the file wrapped-passphrase and encrypted with the user´s password. It´s unlikely that you´ve got that passphrase writen down somewhere but if you do so, skip that step. Else unwrap it:

user@ubuntu:/media/my_disk/home/.ecryptfs/username$ ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase
Passphrase: <enter user´s password here>
2dac479b16e0efd2ac7b8e9e7690f8f7

This got us the passphrase, for exmaple 2dac479b16e0efd2ac7b8e9e7690f8f7.

Step 2: Get the signature for filename encryption

Enter
sudo ecryptfs-add-passphrase --fnek
You might have to provide your admin password, then the passphrase from step 1.

user@ubuntu:/media/my_disk/home/.ecryptfs/username$ sudo ecryptfs-add-passphrase --fnek
[sudo] password for user: <your admin password>
Passphrase: <passphrase from step 1, eg. 2dac479b16e0efd2ac7b8e9e7690f8f7>
Inserted auth tok with sig [bdcb4b20bbc91ae6] into the user session keyring
Inserted auth tok with sig [b89f3c3b1512e0a2] into the user session keyring

Note the 2nd signature (b89f3c3b1512e0a2 in this example) - we will need it later.

Step 3: Mount the encrypted home directory

Use
sudo mount -t ecryptfs .Private /mnt
to mount the directory to /mnt or any other mountpoint of your choice. Follow the steps, ecryptfs provides and be careful not to mix-up the password, passphrase and signature.

  • enter the passphrase from step1, eg. 2dac479b16e0efd2ac7b8e9e7690f8f7
  • select cipher aes, just press return
  • select 16 byte key length
  • plaintext passthrough: n
  • filename encryption: y
  • enter the signature from step 2, not the one given by ecryptfs
  • ignore the warning and proceed with yes
  • answer no to not append the signature
user@ubuntu:/media/my_disk/home/.ecryptfs/username$ sudo mount -t ecryptfs .Private /mnt
Passphrase: <passphrase from step 1>
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
 2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 3) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 4) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: <return>
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: <return>
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [bdcb4b20bbc91ae6]: b89f3c3b1512e0a2
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=b89f3c3b1512e0a2
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=bdcb4b20bbc91ae6
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [caa34ede7e65051c] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs

Your data should now be mounted to the mountpoint specified.

Your comments are welcome!

<comments>