update 2010-08-10: It seems that the directory structure has changed in new Ubuntu releases. See comment #31. The information in this posting seems to be outdated in newer installations, so I recommend anyone seeking how to manually restore encrypted data to turn to help.ubuntu.com manual.
Last weekend I had to recover an eCryptfs encrypted home directory created with ubuntu jaunty installer from a backup. I thought that it would go smoothly, after all I had written down the recovery passphrase when I installed the system some time a go. Well, it wasn’t all that smooth.
After like 1,5 hours or so I finally had the backup decrypted and I thought that it would be useful to others, too, if I share my findings as I discovered from emergency googling that others are struggling from the same problem and no one has provided any complete solution.
The backup was on external USB HDD, but it should not matter as long as you have your old encrypted .Private somewhere at hand.
First you need to make sure ecryptfs-utils is installed:
$ sudo aptitude install ecryptfs-utils
Create a directory where the backup is opened:
$ cd /mnt $ sudo mkdir OldHome
Then create a symbolic link to your backup of your old .Private:
$ sudo ln -s /media/3e8ea0ac-xxxx-xxxx-a35a-8ff17406fdb8/home/user/.Private OldPrivate
Now, here’s the part that was missing from all the instructions. At least Ubuntu is using filename encryption to hide the real filenames. You need two keys for accessing: one for accessing the file content and one to decrypt the filenames to be meaningful. To get the key do:
$ sudo ecryptfs-add-passphrase --fnek Passphrase:
Enter the recovery passphrase: the long one you had to manually write down to a piece of paper when you installed the system. Then you should have a similar output as the following:
Inserted auth tok with sig [xxxxxxxxxxxxxxx] into the user session keyring Inserted auth tok with sig [yyyyyyyyyyyyyyyy] into the user session keyring
Now, write down the second signature [yyyyyyyyyyyyyyyy].
Now you are ready to decrypt the backup:
$ sudo mount -t ecryptfs OldPrivate OldHome/ Passphrase: Select cipher: 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded) 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded) 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded) 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded) 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded) 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded) Selection [aes]: Select key bytes: 1) 16 2) 32 3) 24 Selection : Enable plaintext passthrough (y/n) [n]: Enable filename encryption (y/n) [n]: y Filename Encryption Key (FNEK) Signature [xxxxxxxxxxxxxxx]: yyyyyyyyyyyyyyyy Attempting to mount with the following options: ecryptfs_unlink_sigs ecryptfs_fnek_sig=yyyyyyyyyyyyyyyy ecryptfs_key_bytes=16 ecryptfs_cipher=aes ecryptfs_sig=xxxxxxxxxxxxxxx WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt], it looks like you have never mounted with this key before. This could mean that you have typed your passphrase wrong. Would you like to proceed with the mount (yes/no)? : yes Would you like to append sig [df3c98e4c85db0c5] to [/root/.ecryptfs/sig-cache.txt] in order to avoid this warning in the future (yes/no)? : no Not adding sig to user sig cache file; continuing with mount. Mounted eCryptfs
Now you are able to access the decrypted backup in OldHome directory and you also have correct filenames.