Difference between revisions of "Ubuntu: Restore your encrypted home directory"

From Tomelec

Latest revision as of 19:32, 27 January 2013

Here is an easy 3-step guide on how to access your encrypted home directory on Ubuntu. It should work on Ubuntu 9.10 and later. I last tested it on Ubuntu 12.04.

What you need

  • A running Ubuntu
  • Access to the disk from which you want to restore
  • Your user password of the system you want to restore from or the passphrase you might have recorded earlier

How it works

Mount the disk or partition with the encrypted home on it

It can be done with Nautilus or on the text console. Change to the directory with the encrypted home, which might look like this:

user@ubuntu:/media/my_disk/home/.ecryptfs/username$

Step 1: Get the passphrase (optional)

The passphrase is not the user password. It is a random key, stored in the file wrapped-passphrase and encrypted with the user's password. It is unlikely that you have that passphrase written down somewhere, but if you do, skip this step. Otherwise, unwrap it:

user@ubuntu:/media/my_disk/home/.ecryptfs/username$ ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase
Passphrase: <enter user's password here>
2dac479b16e0efd2ac7b8e9e7690f8f7

This got us the passphrase, for example 2dac479b16e0efd2ac7b8e9e7690f8f7.

Step 2: Get the signature for filename encryption

Enter
sudo ecryptfs-add-passphrase --fnek
You might have to provide your admin password, then the passphrase from step 1.

user@ubuntu:/media/my_disk/home/.ecryptfs/username$ sudo ecryptfs-add-passphrase --fnek
[sudo] password for user: <your admin password>
Passphrase: <passphrase from step 1, eg. 2dac479b16e0efd2ac7b8e9e7690f8f7>
Inserted auth tok with sig [bdcb4b20bbc91ae6] into the user session keyring
Inserted auth tok with sig [b89f3c3b1512e0a2] into the user session keyring

Note the second signature (b89f3c3b1512e0a2 in this example); we will need it later.

Step 3: Mount the encrypted home directory

Use
sudo mount -t ecryptfs .Private /mnt
to mount the directory to /mnt or any other mountpoint of your choice. Add other mount parameters if necessary, e.g. ro for read-only access.
Follow the prompts ecryptfs provides and be careful not to mix up the password, the passphrase and the signature.

  • enter the passphrase from step 1, e.g. 2dac479b16e0efd2ac7b8e9e7690f8f7
  • select cipher aes, just press return
  • select 16 byte key length
  • plaintext passthrough: n
  • filename encryption: y
  • enter the signature from step 2, not the one given by ecryptfs
  • ignore the warning and proceed with yes
  • answer no to not append the signature

user@ubuntu:/media/my_disk/home/.ecryptfs/username$ sudo mount -t ecryptfs .Private /mnt
Passphrase: <passphrase from step 1>
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
 2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 3) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 4) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: <return>
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: <return>
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [bdcb4b20bbc91ae6]: b89f3c3b1512e0a2
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=b89f3c3b1512e0a2
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=bdcb4b20bbc91ae6
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [caa34ede7e65051c] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs

Your data should now be mounted to the mountpoint specified.
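The three steps above, scripted into one non-interactive, read-only recovery mount. This is an added example and not part of the original page or of ecryptfs-utils; the function names are my own. It assumes ecryptfs-utils is installed, the directory layout shown above, and that ecryptfs-unwrap-passphrase and ecryptfs-add-passphrase accept a trailing "-" to read the password or passphrase from standard input (as documented in their man pages), so no secret ever appears in argv or shell history. The mount uses -i, which hands the options directly to the kernel instead of the interactive mount.ecryptfs helper; the kernel then finds the keys in the session keyring by the two signatures from step 2. Run it as root in a single shell, because the keys are inserted into that shell's keyring and mount has to see them; the "ro" option keeps a recovery from altering the backing store.

```shell
#!/bin/sh
# Added example (not from the original page): script the three steps above
# into one read-only recovery mount. Assumes ecryptfs-utils is installed and
# the layout .../home/.ecryptfs/<user>/{.ecryptfs/wrapped-passphrase,.Private}.

# Pull the N-th signature out of ecryptfs-add-passphrase output. With --fnek
# the first line is the data-key signature and the second the filename key.
nth_sig() {
    # $1: captured output text, $2: 1 or 2
    printf '%s\n' "$1" \
        | sed -n 's/.*Inserted auth tok with sig \[\([0-9a-f]*\)\].*/\1/p' \
        | sed -n "${2}p"
}

# A signature is 16 lowercase hex characters; anything else means we parsed
# the wrong line and must not attempt the mount.
is_sig() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{16}$'
}

# Kernel mount options matching the interactive answers above (aes, 16-byte
# key, filename encryption on), plus "ro" so recovery cannot modify the disk.
mount_opts() {
    # $1: data-key signature, $2: filename-encryption-key signature
    printf 'ro,ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs' "$1" "$2"
}

# $1: path to .../home/.ecryptfs/<user>   $2: empty mountpoint, e.g. /mnt
recover_mount() {
    ecdir=$1; mnt=$2
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root: the keys go into this shell's keyring and mount must see them" >&2
        return 1
    fi
    # Step 1: unwrap the random passphrase with the old login password.
    # Both secrets are passed on stdin ("-" argument, assumed from the man
    # pages) so they never show up in argv or in shell history.
    printf 'Login password of the account being restored: ' >&2
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo >&2
    pass=$(printf '%s' "$pw" | ecryptfs-unwrap-passphrase "$ecdir/.ecryptfs/wrapped-passphrase" -) || return 1
    unset pw
    # Step 2: insert the data key and the filename key into the session keyring.
    out=$(printf '%s' "$pass" | ecryptfs-add-passphrase --fnek -) || return 1
    unset pass
    sig=$(nth_sig "$out" 1); fnek=$(nth_sig "$out" 2)
    if ! is_sig "$sig" || ! is_sig "$fnek"; then
        echo "could not parse key signatures from: $out" >&2
        return 1
    fi
    # Step 3: -i bypasses the interactive mount.ecryptfs helper; the kernel
    # looks the keys up by the signatures we just inserted.
    mount -i -t ecryptfs -o "$(mount_opts "$sig" "$fnek")" "$ecdir/.Private" "$mnt" \
        && echo "mounted $ecdir/.Private read-only on $mnt (sig $sig, fnek $fnek)"
}

# Usage: sudo sh restore-ecryptfs.sh /media/my_disk/home/.ecryptfs/username /mnt
if [ "$#" -eq 2 ]; then
    recover_mount "$1" "$2"
fi
```

When you are done, unmount with umount /mnt; the inserted keys disappear with the root shell's session keyring, so do the whole recovery in one sudo session rather than leaving a root shell open.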
