Solved: Recover deleted files from encrypted home

Post Reply
mister_v
Posts: 139
Joined: Sat Jun 20, 2009 5:42 pm

Solved: Recover deleted files from encrypted home

Post by mister_v »

Hi,

I have deleted a file in my home dir on my Ubuntu PC.
I tried foremost to find the file,
but no result.

I think it is because Ubuntu automatically encrypts my home-dir.

Can anyone help me?
Last edited by mister_v on Mon Nov 26, 2012 7:37 pm, edited 1 time in total.
Chris
Site Admin
Posts: 129
Joined: Mon Jul 21, 2008 9:45 am
Location: Leuven, Belgium
Contact:

Re: Recover deleted files from encrypted home

Post by Chris »

If your files have been encrypted,
they are now encrypted stored in /home/.ecryptfs/$USER/.Private/

So make sure you are looking in the correct dir.

Shut down your computer;
you can pull the plug, because shutting down will write files to your hard drive,
and might overwrite your deleted files.

Use a live cd/usb and use extundelete to restore the files to an external drive.
The command with restore all will try to recover every deleted file:

Code: Select all

extundelete --restore-all /dev/sda1
/dev/sda1 should be the partition where the home-dir is located.

You can use dd to make an image of the /dev/sda1 partition,
and to the recovering later. (dd will copy every bit, so even the deleted files, if they haven't been overwritten)

I think every file is encrypted separately, and have long strange names, like:
ECRYPTFS_FNEK_ENCRYPTED.longseriesofcharacters--

Remember to login with same user,
otherwise the key won't be correct and you will not be able to decrypt them.
Copy them back to /home/.ecryptfs/$USER/.Private/
should make them accessible again.
mister_v
Posts: 139
Joined: Sat Jun 20, 2009 5:42 pm

Re: Recover deleted files from encrypted home

Post by mister_v »

Thanks,

I copied them back, and it works.
Even the directory names have a encrypted/hashed name.
Post Reply