Ubuntu: Restore your encrypted home directory

From Tomelec
Revision as of 20:32, 27 January 2013 by Tom (talk | contribs) (Step 3: Mount the encrypted home directory)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Here is an easy 3-step guide on how to access your encrypted home directory on Ubuntu. It should work on Ubuntu 9.10 and later. I last tested it on Ubuntu 12.04.

What you need

  • A running Ubuntu
  • Access to the disk from which you want to restore
  • Your user password of the system you want to restore from or the passphrase you might have recorded earlier

How it works

Mount the disk or partition with the encrypted home on it

It can be done with Nautilus or on the text console. Change to the directory with the encrypted home which might look like that:


Step 1: Get the passphrase (optional)

The passphrase is not the user password. It is a random key, stored in the file wrapped-passphrase and encrypted with the user´s password. It´s unlikely that you´ve got that passphrase writen down somewhere but if you do so, skip that step. Else unwrap it:

user@ubuntu:/media/my_disk/home/.ecryptfs/username$ ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase
Passphrase: <enter user´s password here>

This got us the passphrase, for exmaple 2dac479b16e0efd2ac7b8e9e7690f8f7.

Step 2: Get the signature for filename encryption

sudo ecryptfs-add-passphrase --fnek
You might have to provide your admin password, then the passphrase from step 1.

user@ubuntu:/media/my_disk/home/.ecryptfs/username$ sudo ecryptfs-add-passphrase --fnek
[sudo] password for user: <your admin password>
Passphrase: <passphrase from step 1, eg. 2dac479b16e0efd2ac7b8e9e7690f8f7>
Inserted auth tok with sig [bdcb4b20bbc91ae6] into the user session keyring
Inserted auth tok with sig [b89f3c3b1512e0a2] into the user session keyring

Note the 2nd signature (b89f3c3b1512e0a2 in this example) - we will need it later.

Step 3: Mount the encrypted home directory

sudo mount -t ecryptfs .Private /mnt
to mount the directory to /mnt or any other mountpoint of your choice. Add other mount parameters if necessary, eg. ro for read only access.
Follow the steps, ecryptfs provides and be careful not to mix-up the password, passphrase and signature.

  • enter the passphrase from step1, eg. 2dac479b16e0efd2ac7b8e9e7690f8f7
  • select cipher aes, just press return
  • select 16 byte key length
  • plaintext passthrough: n
  • filename encryption: y
  • enter the signature from step 2, not the one given by ecryptfs
  • ignore the warning and proceed with yes
  • answer no to not append the signature
user@ubuntu:/media/my_disk/home/.ecryptfs/username$ sudo mount -t ecryptfs .Private /mnt
Passphrase: <passphrase from step 1>
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
 2) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 3) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 4) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: <return>
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: <return>
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [bdcb4b20bbc91ae6]: b89f3c3b1512e0a2
Attempting to mount with the following options:
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [caa34ede7e65051c] to
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs

Your data should now be mounted to the mountpoint specified.

Your comments are welcome!