Solved: How do I access the encrypted home dir

[mister_v]

Hi,

I have to recover data from a hard disk (ext4 Kubuntu)
But the /home/user dir has been encrypted.

I have the user name and password,
I just don't know how to mount the encrypted part.

[Chris]

There are a few step you need to take.

First get the mount password phrase

Code: Select all

ecryptfs-unwrap-passphrase /home/.ecryptfs/ubuntu_user/.ecryptfs/wrapped-passphrase

The password you need to give for this is the login password.
The string you get now is the encryption key (KEY1)

We need to get a special signature that will be used later for decrypting filenames (standard in Ubuntu >= 9.04)

Code: Select all

sudo ecryptfs-add-passphrase --fnek

(note: first you will need to enter your sudo password and then the mount passphrase (KEY1))
Pay attention to the second "Inserted auth tok with sig" line and note down the value in square brackets (eg. 66a9f57af69a86ba) (KEY2) as we will need this signature later.

The actual decryption

Code: Select all

sudo mount -t ecryptfs /media/disk-3/home/.ecryptfs/ubuntu_user/.Private/ /mnt/encrypteddrive

• You will be asked a series of questions
• Enter the mount phrase when asked for the passphrase (KEY1)
• Select aes as the encryption cipher
• Select 16 bytes as the key length
• Enter n for enabling of plaintext passthrough
• Enter y for filename encryption (if you obtained the special signature in the earlier step)
• Enter the special signature from earlier when you are prompted for the Filename Encryption Key (FNEK) Signature (KEY2)

Now you should be able to access the unencrypted files in /mnt/encrypteddrive.

note:
The first time you mount an unencrypted file system,
you get the following message:

Code: Select all

WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

You can safely ignore this.

[mister_v]

Thanks this helped.