Kaijanmaki.net

“People said I should accept the world. Bullshit! I don't accept the world.'' –rms

My Amazon.com Wish List

Licensed under CC-BY-SA 3.0

Recovering Files From eCryptfs Encrypted Home

2009-10-26: Antti Kaijanmäki @ 10:50

update 2010-08-10: It seems that the directory structure has changed in new Ubuntu releases. See comment #31. The information in this posting seems to be outdated in newer installations, so I recommend anyone seeking how to manually restore encrypted data to turn to help.ubuntu.com manual.

Last weekend I had to recover an eCryptfs encrypted home directory created with ubuntu jaunty installer from a backup. I thought that it would go smoothly, after all I had written down the recovery passphrase when I installed the system some time a go. Well, it wasn’t all that smooth.

After like 1,5 hours or so I finally had the backup decrypted and I thought that it would be useful to others, too, if I share my findings as I discovered from emergency googling that others are struggling from the same problem and no one has provided any complete solution.

The backup was on external USB HDD, but it should not matter as long as you have your old encrypted .Private somewhere at hand.

First you need to make sure ecryptfs-utils is installed:

$ sudo aptitude install ecryptfs-utils

Create a directory where the backup is opened:

$ cd /mnt
$ sudo mkdir OldHome

Then create a symbolic link to your backup of your old .Private:

$ sudo ln -s /media/3e8ea0ac-xxxx-xxxx-a35a-8ff17406fdb8/home/user/.Private OldPrivate

Now, here’s the part that was missing from all the instructions. At least Ubuntu is using filename encryption to hide the real filenames. You need two keys for accessing: one for accessing the file content and one to decrypt the filenames to be meaningful. To get the key do:

$ sudo ecryptfs-add-passphrase --fnek
Passphrase:

Enter the recovery passphrase: the long one you had to manually write down to a piece of paper when you installed the system. Then you should have a similar output as the following:

Inserted auth tok with sig [xxxxxxxxxxxxxxx] into the user session keyring
Inserted auth tok with sig [yyyyyyyyyyyyyyyy] into the user session keyring

Now, write down the second signature [yyyyyyyyyyyyyyyy].

Now you are ready to decrypt the backup:

$ sudo mount -t ecryptfs OldPrivate OldHome/
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [xxxxxxxxxxxxxxx]: yyyyyyyyyyyyyyyy
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=yyyyyyyyyyyyyyyy
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=xxxxxxxxxxxxxxx
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [df3c98e4c85db0c5] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs

Now you are able to access the decrypted backup in OldHome directory and you also have correct filenames.

61 Responses to “Recovering Files From eCryptfs Encrypted Home”

  1. Gyrlano says:

    could help me solve the following problem:

    Inserted auth tok with sig [ff4aae46a4d814b4] into the user session keyring
    Inserted auth tok with sig [5c53936d7608a270] into the user session keyring
    gyrlano@gyrlano:/$ sudo mount -t ecryptfs OldPrivate OldHome/
    Passphrase:
    Select cipher:
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]: 1
    Select key bytes:
    1) 16
    2) 32
    3) 24
    Selection [16]: 1
    Enable plaintext passthrough (y/n) [n]:
    Enable filename encryption (y/n) [n]: y
    Filename Encryption Key (FNEK) Signature [ff4aae46a4d814b4]: 5c53936d7608a270
    Attempting to mount with the following options:
    ecryptfs_unlink_sigs
    ecryptfs_fnek_sig=5c53936d7608a270
    ecryptfs_key_bytes=16
    ecryptfs_cipher=aes
    ecryptfs_sig=ff4aae46a4d814b4
    WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
    it looks like you have never mounted with this key
    before. This could mean that you have typed your
    passphrase wrong.

    Would you like to proceed with the mount (yes/no)? : yes
    Would you like to append sig [ff4aae46a4d814b4] to
    [/root/.ecryptfs/sig-cache.txt]
    in order to avoid this warning in the future (yes/no)? : no
    Not adding sig to user sig cache file; continuing with mount.
    Error mounting eCryptfs: [-2] No such file or directory
    Check your system logs; visit
    gyrlano@gyrlano:/$

    I will be grateful.

  2. antti says:

    You could first check that Filename Ecryption is used (ls <Private Directory>, does the names look cryptic?) and then check output of dmesg command for clues what goes wrong. And also try to reboot and start over, too. I had multiple tries first without a reboot when I had the same error and when I rebooted and tried again it worked. I probably had wrong keys in my keyring due to experimenting different things.

  3. Eitan says:

    Super awesome! Thank you very much. I’ve been trying to figure this out for weeks.

  4. GodGen says:

    /*/*/
    Antti, you’re the world’s largest. ThankS!!!!! !!!!! !!!!!
    /*/*/

  5. Cliff says:

    Thank you a million times! I ran across several instructions for recovering an encrypted home from another install/system and your instructions were the only ones that worked for me. Just like you, I successfully mounted my private folder only to find that the filenames and content were still hopelessly encrypted. Thank you once again…

  6. Cliff says:

    @Grylano
    I got this error when the mount-point directory didn’t exist prior to the mount:

    Error mounting eCryptfs: [-2] No such file or directory

    It has nothing to do with encryption and should really have occurred after a sanity check on the mount syntax (as oppossed to having you type a whole bunch of stuff and then failing).

  7. Paddy says:

    Thank you!

    Why on earth isn’t it in the official documentation?

  8. Matt says:

    Thanks, this was very helpful. Found your post on the Ubuntu Forums and it led me here.

  9. Hector Diaz says:

    you are my hero!!!!!

  10. Drew S. says:

    “Filename Encryption Key (FNEK) Signature [xxxxxxxxxxxxxxx]: yyyyyyyyyyyyyyyy”

    That’s the secret sauce that I always manage to forget! Thank you!

  11. Wyn Williams says:

    I think I love you ! I had 83,000 bloody files decrypted with fuc**d up file names, now I see them.

    I searched for two days for this solution so a MASSIVE THANKYOU !!!!

  12. Angelverde says:

    Increible, muchas gracias, en ningun lugar encontre solución similar.

    Haré un post y te enlazo, sino te importa.

  13. [...] passphrase siempre la tuve a la mano y después de buscar por toda la red me tope con la respuesta, una respuesta que parece ser la única solución y sin asumir perdida alguna. Yo olvide mi contraseña pero es muy probable que hayas hecho una [...]

  14. Jul says:

    Thanks a lot. I tried to decrypt my old home directory for hours.

  15. Ed says:

    Thanks for this post. It just helped me migrate a bunch of files off of a flaky Wubi install to a shiny new native install.

    I have a couple things to add:
    1) Don’t skip on the ‘sudo’. I went in circles a couple of times because I ran ‘ecryptfs-add-passphrase –fnek’ as myself.
    2) If you didn’t write down your recovery passphrase, but still have your .ecrypt directory, you can run ‘ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase’ to get it back.
    3) You need to enter that recovery passphrase for both the ‘ecryptfs-add-passphrase’ and ‘mount’ command. (Yeah, I put in my login password for the mount a few times before I realized that was wrong.)

  16. Seb Has says:

    Man you are gooooooooooooooooooooood!

  17. Gotit says:

    Well, I’ve tried I don’t know how many times but it just won’t give me permission! Could you please take a look and tell me what I’m doing wring? This is on a Karmic install if that makes a difference:

    ubuntu@ubuntu:/mnt$ sudo ecryptfs-add-passphrase –fnek
    Passphrase:
    Inserted auth tok with sig [9feeafb7d362cca0] into the user session keyring
    Inserted auth tok with sig [50f4f62c9ec87247] into the user session keyring
    ubuntu@ubuntu:/mnt$ sudo mount -t ecryptfs OldPrivate OldHome/
    Passphrase:
    Select cipher:
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]:
    Select key bytes:
    1) 16
    2) 32
    3) 24
    Selection [16]:
    Enable plaintext passthrough (y/n) [n]:
    Enable filename encryption (y/n) [n]: y
    Filename Encryption Key (FNEK) Signature [9feeafb7d362cca0]: 50f4f62c9ec87247
    Attempting to mount with the following options:
    ecryptfs_unlink_sigs
    ecryptfs_fnek_sig=50f4f62c9ec87247
    ecryptfs_key_bytes=16
    ecryptfs_cipher=aes
    ecryptfs_sig=9feeafb7d362cca0
    WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
    it looks like you have never mounted with this key
    before. This could mean that you have typed your
    passphrase wrong.

    Would you like to proceed with the mount (yes/no)? : yes
    Would you like to append sig [9feeafb7d362cca0] to
    [/root/.ecryptfs/sig-cache.txt]
    in order to avoid this warning in the future (yes/no)? : no
    Not adding sig to user sig cache file; continuing with mount.
    Mounted eCryptfs
    ubuntu@ubuntu:/mnt$ dir
    OldHome OldPrivate
    ubuntu@ubuntu:/mnt$ cd OldHome
    bash: cd: OldHome: Permission denied
    ubuntu@ubuntu:/mnt$

    Thanks

  18. antti says:

    Gotit: original file permissions apply even when you try to access the files on a different machine or live-CD. Live-CD user is just a regular user who does not have a permission to access your unencrypted home directory. Only root can access any files.

    You either have to access the backup as root:

    Mounted eCryptfs
    $ sudo su
    # cd OldHome

    or you have to change the owner of the directory and files:

    Mounted eCryptfs
    $ sudo chown $USER OldHome/ -R
    $ cd OldHome

  19. Gotit says:

    Ah, yes. Thanks… changing to su got me into the OldHome directory but the file names are all still encrypted like this:
    ECRYPTFS_FNEK_ENCRYPTED.FXbnAcxSkQRyikQhdJ7yDRdVYe9a3jCUQMWbXGQ4uWcJyw43WhmmANExXDZd6F5dFLkLIZbs7dBoO52-

    Any suggestions?
    Thanks again!

  20. antti says:

    First, try to go through the whole procedure with a rebooted system. I noticed that sometimes the keys didn’t work if I had messed something up by accident (forgot sudo or something).

    You could check dmesg output after you have mounted the OldHome. There might be some error messages indicating what’s wrong with the FNEK key.

  21. Gotit says:

    antti – sorry for being such a pain on this by my decryption of file names is still NG. I checked the dmesg log but didn’t have anything there. However the syslog shows a bunch of this:
    May 3 18:24:07 ubuntu kernel: [ 1039.372532] EXT4-fs (sda3): mounted filesystem with ordered data mode
    May 3 18:29:46 ubuntu kernel: [ 1378.534829] Could not find key with description: [f3328f5ec1c77ebb]
    May 3 18:29:46 ubuntu kernel: [ 1378.534836] process_request_key_err: No key
    May 3 18:29:46 ubuntu kernel: [ 1378.534840] ecryptfs_parse_tag_70_packet: Error attempting to find auth tok for fnek sig [f3328f5ec1c77ebb]; rc = [-2]
    May 3 18:29:46 ubuntu kernel: [ 1378.534845] ecryptfs_decode_and_decrypt_filename: Could not parse tag 70 packet from filename; copying through filename as-is
    May 3 18:29:46 ubuntu kernel: [ 1378.534853] Could not find key with description: [f3328f5ec1c77ebb]
    May 3 18:29:46 ubuntu kernel: [ 1378.534856] process_request_key_err: No key
    May 3 18:29:46 ubuntu kernel: [ 1378.534859] ecryptfs_parse_tag_70_packet: Error attempting to find auth tok for fnek sig [f3328f5ec1c77ebb]; rc = [-2]
    May 3 18:29:46 ubuntu kernel: [ 1378.534864] ecryptfs_decode_and_decrypt_filename: Could not parse tag 70 packet from filename; copying through filename as-is
    May 3 18:29:46 ubuntu kernel: [ 1378.534871] Could not find key with description: [f3328f5ec1c77ebb]
    May 3 18:29:46 ubuntu kernel: [ 1378.534874] process_request_key_err: No key

    I am a little confused by the key description: [f3328f5ec1c77ebb]. I don’t show that as an output from:
    $ sudo ecryptfs-add-passphrase –fnek
    Passphrase:

    Any other thoughts?

    Again, many thanks!

  22. sebastian says:

    @gotit: I think you have the same problem i had. you did somehow accidently overwrite your wrapping-passphrase file with a different passphrase than the original one. This leads to the following situation. You can mount the encrypted home dir with the loginphrase, but it cant be encrypted because the passphrase is wrong. You need to create a new wrapping-passphrase and private.sig with the exact same passphrase you used during installation. If you dont know it, like me, then you are lost!

  23. Adam says:

    Thanks a million! This guide helped me recover my old home directory from a crashed laptop!

    NOTE: You don’t need the weird pass-phrase if you encrypted your home directory during installation!

    When inserting a external USB drive with the old hard drive, Ubuntu mounts it in /media/Home (at least for me). This is how recover it with only your old password and without the recovery passphrase:

    1. cd /media/Home/youruser/
    2. Make sure .ecryptfs and .Private are links to you CURRENT home directory (this is the wrong ecryptfs data, you don’t want to use your current key to decrypt your old home directory.
    3. Remove the incorrect links: sudo rm .ecryptfs .Private
    4. Add correct link: sudo ln -s /media/Home/.ecryptfs/youruser/.ecryptfs
    5. Add correct link: sudo ln -s /media/Home/.Private/youruser/.Private
    6. cd /media/Home/youruser/.ecryptfs
    7. Recover your old recovery passphrase: ecryptfs-unwrap-passphrase ./wrapped-passphrase
    8. Type in your old password for your old account.
    9. Write down or copy the key you get back, this is your old key that you probably should have written down. :-)
    10. Follow the guide in this blog post!

    Hope this helps.

  24. Gotit says:

    @sebastian: that was it, THANK YOU!
    I’m not sure how I did it, but somehow when creating my encrypted home directory during install it ended up with my log-in password as the “base pass phrase” instead of the one I had entered (at least thought I did).

    Once I ran “ecryptfs-unwrap-passphrase” , used my log-in password and obtained the right “encoded pass phrase” it all worked wonderfully.

  25. antti says:

    I’m glad you guys could figure it out and Gotit can finally access the files! :)

  26. miniBill says:

    I LOVE YOU

  27. Recken says:

    Thanks, I stupidly also lost my passphrase and needed this page to help me out https://help.ubuntu.com/community/EncryptedPrivateDirectory

  28. Kenny says:

    Man. This blog post is worth gold! You saved my fucking ass. Thanks so much! Really! Thanks!

  29. Kail says:

    @Cliff: I got the same error as Gyrlano,and I double-checked the mount syntax is the same… But I’m not sure what you’re getting at in what you posted. D:

    I get the directory part, but mine occurred while I had created a directory to /media/mountsyntax/home/username [inserting, of course, the mount syntax and my username in the respective places] and still no access.

    The only difference, however, was:

    Attempting to mount with the following options:
    ecryptfs_unlink_sigs
    ecryptfs_fnek_sig=yyyyyyyyyyyyyyyy
    ecryptfs_key_bytes=16
    ecryptfs_cipher=aes
    ecryptfs_sig=xxxxxxxxxxxxxxxx

    Again, with the values for my FNEK key matching up just fine. It appears to be working through the same way as the tutorial above, but I’m getting an error.

    Any ideas?

  30. Mark says:

    aww man – I just spent an age trying to make this work, and finally succeeded after following steps 3 to 5 from Adam, then the rest of antti’s guide.

    But when I tried to copy over the files to my backup disk – ba bow – input output errors.

    I’m guessing all this work has been for nothing… All because Gparted 0.5.2-9 was a lemon!

    Thanks for the very useful guide. Think I’ll say no to encryption from now on.

  31. Cefnq says:

    There is a serious error in your instructions, or perhaps a recent change in the Ubuntu ecryptfs conventions have created such an error.

    The error can be seen by fully inspecting the /media/Backup/home/user/.Private file…

    lrwxrwxrwx 1 root root 29 2010-08-08 14:34 /media/Backup/home/user/.Private -> /home/.ecryptfs/user/.Private

    This is normally a symlink to the folder above, but since it’s referenced absolutely, it now points to the desktop’s primary home directory!

    Following the conventional steps this meant I just mounted the home directory of my live desktop and not the backup at all.

    This could have been pretty messy depending on the operations I was doing on the backup – e.g. deleting something!!

    If you want to be sure of mounting the actual backup filesystem, you should be using these paths…

    ecryptfs-unwrap-passphrase /media/Backup/home/.ecryptfs/user/.ecryptfs/wrapped-passphrase

    …to recover the wrapped passphrase using your login password if you don’t have it and to mount the filesystem like so (remembering the filenames are encrypted and providing the key as per your instructions)…

    sudo mount -t ecryptfs /media/Backup/home/.ecryptfs/user/.Private/ /mnt/OldHome/

    Took me a good while to realise my error, as of course the original and recovered filesystems are very similar.

    However, I wanted to find a specific .config file from my previous installation, and it became clear after a while that it wasn’t there.

    I don’t recollect if I used rsync or cp to copy my home filesystem to the backup drive. I think it was cp. In any case, I think many people will run into this problem unless you change your instructions or make a note to check for symlinks.

  32. Cefn says:

    Of course, I can’t type my own name, but the instructions are accurate I think.

  33. antti says:

    Cefn, thank you for pointing this out.

    I added reference to your comment on the beginning of the posting. It seems that help.ubuntu.com manual has the correct paths, so I also recommend everyone to turn there for advice in the future.

  34. alex says:

    antti and Cefnq, a huge thanks to both of you guys!
    I finally could recover my data after my system crashed!!

    thanks to Cefnq, I could recover the passphrase I couldn’t even remember writing down :)

  35. Donna says:

    I followed the instructions without error but the result was encrypted filesnames. I thought I followed everything exactly, even after a reboot. Do you have other ideas for decrypting the filenames?

    Here’s my log, verbatim:
    —————————————————————————-
    user@donna:~$ id
    uid=1000(user) gid=1000(user) groups=4(adm),20(dialout),24(cdrom),46(plugdev),
    105(lpadmin),119(admin),122(sambashare),1000(user)
    —————————————————————————-
    user@donna:~$ ecryptfs-unwrap-passphrase /home/.ecryptfs/user/.ecryptfs/wrapped-passphrase foobar
    Passphrase: bfb3fc19842eade0b79ca4e7249ebe71
    —————————————————————————-
    user@donna:~$ ecryptfs-add-passphrase –fnek
    Passphrase: bfb3fc19842eade0b79ca4e7249ebe71
    Inserted auth tok with sig [5eaa38e46b503148] into the user session keyring
    Inserted auth tok with sig [2a1860e7cb545c30] into the user session keyring
    —————————————————————————-
    user@donna:~/.Private$ ls -l !$
    ls -l /home/user/.Private
    lrwxrwxrwx 1 user user 29 2010-08-12 04:26 /home/user/.Private -> /home/.ecryptfs/user/.Private
    —————————————————————————-
    user@donna:~/.Private$ ls /home/user/.Private
    ECRYPTFS_FNEK_ENCRYPTED.FWYC9xy5ahwy5URtWNEPHr7Vsl755ytfkYE4PyQxmou5O.F67Pdb0f0TXE–
    ECRYPTFS_FNEK_ENCRYPTED.FWYe441bmpFQA-Q3ntUtDr5D4XKQJx0obEtP04id5r5UWUe4v4I1zn2paE–
    ECRYPTFS_FNEK_ENCRYPTED.FWYe441bmpFQA-Q3ntUtDr5D4XKQJx0obEtP.2DnqyPIMAQW9MBV5BG9nE–
    etc.
    —————————————————————————-
    mkdir /tmp/myfiles
    user@donna:~$ sudo mount -t ecryptfs /home/.ecryptfs/user/.Private /tmp/myfiles
    Passphrase: bfb3fc19842eade0b79ca4e7249ebe71
    Select cipher:
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
    Selection [aes]: 1
    Select key bytes:
    1) 16
    2) 32
    3) 24
    Selection [16]: 1
    Enable plaintext passthrough (y/n) [n]: n
    Enable filename encryption (y/n) [n]: y
    Filename Encryption Key (FNEK) Signature [5eaa38e46b503148]: 2a1860e7cb545c30
    Attempting to mount with the following options:
    ecryptfs_unlink_sigs
    ecryptfs_fnek_sig=2a1860e7cb545c30
    ecryptfs_key_bytes=16
    ecryptfs_cipher=aes
    ecryptfs_sig=5eaa38e46b503148
    WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
    it looks like you have never mounted with this key
    before. This could mean that you have typed your
    passphrase wrong.

    Would you like to proceed with the mount (yes/no)? : yes
    Would you like to append sig [5eaa38e46b503148] to
    [/root/.ecryptfs/sig-cache.txt]
    in order to avoid this warning in the future (yes/no)? : yes
    Successfully appended new sig to user sig cache file
    Mounted eCryptfs
    user@donna:~$
    —————————————————————————-
    user@donna:~$ ls /tmp/myfiles
    ECRYPTFS_FNEK_ENCRYPTED.FWYC9xy5ahwy5URtWNEPHr7Vsl755ytfkYE4PyQxmou5O.F67Pdb0f0TXE–
    ECRYPTFS_FNEK_ENCRYPTED.FWYe441bmpFQA-Q3ntUtDr5D4XKQJx0obEtP04id5r5UWUe4v4I1zn2paE–
    ECRYPTFS_FNEK_ENCRYPTED.FWYe441bmpFQA-Q3ntUtDr5D4XKQJx0obEtP.2DnqyPIMAQW9MBV5BG9nE–
    etc.
    —————————————————————————-
    user@donna:~$ ls -l /tmp/myfiles

    total 2660
    -rwxrwxrwx 1 999 999 1686 2010-10-02 12:17 ECRYPTFS_FNEK_ENCRYPTED.FWYC9xy5ahwy5URtWNEPHr7Vsl755ytfkYE4PyQxmou5O.F67Pdb0f0TXE–
    drwxrwxrwx 2 user user 4096 2010-09-02 23:27 ECRYPTFS_FNEK_ENCRYPTED.FWYe441bmpFQA-Q3ntUtDr5D4XKQJx0obEtP04id5r5UWUe4v4I1zn2paE–
    lrwxrwxrwx 1 user user 104 2010-08-12 04:26 ECRYPTFS_FNEK_ENCRYPTED.FWYe441bmpFQA-Q3ntUtDr5D4XKQJx0obEtP.2DnqyPIMAQW9MBV5BG9nE– ->
    —————————————————————————-

    What are the suggestions for decrypting the file names?

  36. antti says:

    Hmm, nothing specific comes to my mind, but you could check “dmesg” command output if there’s some errors or such.

  37. setinggil says:

    Antti, thank you very very much.
    Finally I can recover my data from my old HD (w/ OS : ubuntu 9.10) using the other nb w/ OS ubuntu 10.04.

    Nuhun

  38. Edoniti says:

    Thanks you sooooo much :D

  39. C. Sanchez says:

    Ty a lot. Instructions has been vague all around, but this actually worked like a charm — finally! :)

  40. beaconmeat says:

    Ok, it worked thanks a million. BUT how do we know what the correct answers are to the first questions? ’til now we have just punched enter accepting the defaults. How can we see if aes or twofish was used?

  41. Edson D. Amaral says:

    Thank you very much! Yesterday I missed my data encrypted in my /home folder, after I changed my password. I look for a solution in the Net, but it doesn’t work fine. Now with your solution, I finally recover my data.

  42. iagoba says:

    to the common error:

    Error mounting eCryptfs: [-2] No such file or directory

    find the well encrypted dyrectory.

    one of this, or another:

    /media/fasdga-sgfgas-gass/.ecryptfs (generic)
    /media/fasdga-sgfgas-gass/.ecryptfs/user/.ecryptfs ()
    /media/fasdga-sgfgas-gass/.ecryptfs/user/.Private (that’s!)
    /media/asfgklasfkg-sg8g18g-s/user/.Private ()
    /media/asfgklasfkg-sg8g18g-s/user/ ()

    Thank every body!!

    I solved

  43. aleks says:

    thanks(:
    im stuck at,
    “Then create a symbolic link to your backup of your old .Private” can you elaborate please..

  44. grossgeister says:

    This worked perfectly for me!

    Thanks a lot!

  45. Ralph says:

    This worked spot on! Many thanks. At last I can reclaim all my mails and files.

  46. MechanisM says:

    Not worked for me.
    I have old encrypted home directory in additional hdd 1TB.
    Now my new system in new hdd and I tried to recover 300GB+ files of old encrypted directory and no luck.
    Maybe someone can do this for $?
    or gimme good advice if I can recover old home directory if I know passphrase and all files but home directory removed. so no system files in backup. only home directory.

  47. I’ve contacted MechanisM privately via email to figure this out.

  48. martik says:

    Recovery my Private directory. This is different way than official documentation. I used it many times.
    1. Make backup your old directories .Private and .ecryptfs to different disk for all cases.
    2. Create new account (new) with old password, login to new account and encrypt this new account: ecryptfs-setup-private
    3. Enter your login password,Logout, and Log back in to establish the mount
    4. Rewrite new files in .ecryptfs directory (Private.sig, wrapped-passphrase) old files from backup (don’t forget to change new ownership). You can do it as a root: gksu nautilus
    5. Logout, and Log back in to establish the mount
    6. Copy all files from your old backup directory .Private to new account directory .Private (don’t forget to change new ownership if you copy with root privileges, but you don’t have to copy as root privileges, check your ownership).
    7. Look to new directory Private (without .)
    8. You should see your decrypt files.
    Write your own experience.

  49. martik, thank you for the information!

  50. Timo Jyrinki says:

    Antti you bastard! I mean, great information, indeed missing :) Before this special information all file permissions were wrong (although filenames of the home root were visible). When mounting ecryptfs suggested some (wrong) signature for the filename decryption, but indeed this “yyyyyyyy” key made magic happen.

    I’m migrating to a new work laptop using an external 2.5″ HDD case for the old hard drive. Here’s a mental note for myself or anyone that the current wiki.ubuntu.com inforation is a confusing mess and should be fixed. Both this information is missing and it’s also filled with legacy information that should be marked accordingly. But now I’ll just concentrate on moving my files for a bit.

Leave a Reply