ecryptfs-recover-private mounts in /tmp but does not decrypt

Status changed to 'Confirmed' because the bug affects multiple users.

After the prompt:
Enter your MOUNT passphrase:
I can type anything I want, and I will always get
"INFO: Success! Private data mounted read-only...."

So it is correct that the data be not decrypted. What is incorrect is the message "Success!"
It should be an error "incorrect passphrase" instead.

Committed revision 823.

I changed my user name at some point, without knowing that an encryption process might include the username. There was no notice. I followed all the de-crypt steps and was able to get "Success!" and a private folder with all the files, but still encrypted. I was able to copy them to an external drive.
Is the username utilized in the ecrypt process? If so, please post a notice. (There was a reason I changed the username. I was not able to log on--I kept getting the login screen back. Two years later it just started happening with my laptop as well, so I just filed a bug on that problem.)

This bug was fixed in the package ecryptfs-utils - 104-0ubuntu1

---------------
ecryptfs-utils (104-0ubuntu1) trusty; urgency=low

  [ Colin King ]
  * src/libecryptfs/ecryptfs-stat.c, tests/kernel/extend-file-
    random/test.c, tests/kernel/inode-race-stat/test.c,
    tests/kernel/trunc-file/test.c:
    - Fixed some 32 bit build warnings
  * src/libecryptfs/decision_graph.c, src/libecryptfs/key_management.c,
    src/libecryptfs/main.c, src/libecryptfs/module_mgr.c, src/utils/io.c,
    src/utils/mount.ecryptfs_private.c, tests/kernel/inotify/test.c,
    tests/kernel/trunc-file/test.c, tests/userspace/wrap-unwrap/test.c:
    - Fixed a pile of minor bugs (memory leaks, unclosed file descriptors,
      etc.) mostly in error paths
  * src/key_mod/ecryptfs_key_mod_passphrase.c, src/libecryptfs/main.c,
    src/pam_ecryptfs/pam_ecryptfs.c:
    - more Coverity fixes, memory leak, error checking, etc.

  [ Nobuto MURATA ]
  * fix an empty update-notifier window (LP: #1107650)
    - changes made in Rev.758 was incomplete

  [ Tyler Hicks ]
  * doc/manpage/ecryptfs.7:
    - adjust man page text to avoid confusion about whether the interactive
      mount helper takes a capital 'N' for the answer to y/n questions
      (LP: #1130460)
  * src/utils/ecryptfs_rewrap_passphrase.c:
    - Handle errors when interactively reading the new wrapping passphrase
      and the confirmation from stdin. Fixes a segfault (invalid memory read)
      in ecryptfs-rewrap-passphrase if there was an error while reading either
      of these passphrases.
  * configure.ac:
    - Set AM_CPPFLAGS to always include config.h as the first include file.
      Some .c files correctly included config.h before anything else. The
      majority of .c files got this wrong by including it after other header
      files, including it multiple times, or not including it at all.
      Including it in the AM_CPPFLAGS should solve these problems and keep
      future mistakes from happening in new source files.
    - Enable large file support (LFS) through the use of the AC_SYS_LARGEFILE
      autoconf macro. ecryptfs-utils has been well tested with LFS enabled
      because ecryptfs-utils is being built with
      '-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' in Debian-based distros.
      This is mainly needed for some of the in-tree regression tests but
      ecryptfs-utils, in general, should be built with LFS enabled.
  * debian/rules:
    - Don't append '-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' to the CFLAGS
      now that the upstream build enables LFS
  * tests/userspace/lfs.sh, tests/userspace/lfs/test.c:
    - Add a test to verify that LFS is enabled. This test is run under the
      make check target.
  * tests/kernel/enospc/test.c:
    - Fix test failures on 32 bit architectures due to large file sizes
      overflowing data types

  [ Dustin Kirkland ]
  * src/utils/ecryptfs-setup-swap: LP: #1172014
    - write crypttab entry using UUID
  * src/utils/ecryptfs-recover-private: LP: #1028532
    - error out, if we fail to mount the private data correctly

  [ Colin King and Dustin Kirkland ]
  * configure.ac, src/daemon/main.c, src/libecryptfs/cmd_ln_parser.c,
    src/libecryptfs/...

I have exactly the same problem as described in original bug report, and I am using 14.04 with ecryptfs-utils - 104-0ubuntu1.

Setup information: my home folder is fully encrypted.

I am attemping to mount from a btrfs read-only snapshot. My home folder is mounted (using normal OS, not a live CD; I just want to retrieve an old version of a file).

I run command from /path/to/home/snapshot/.ecryptfs/me, since symlinks in /path/to/home/me are targeted at "/home/.ecryptfs/me".

I know the valid passphrase, given by ecryptfs-unwrap-passphrase.

I can type anything when asked by ecrypt-recover-private, it will pretend it is a success, the mount is listed by "mount" command, but the mounted folder has nothing decrypted, it's like it is a simple link to original ecrypt folder.

I'm having the same issues too. Tried to get the passphrase like this:

 $ sudo ecryptfs-unwrap-passphrase /media/USERNAME/763e56fe-cce3-4fe6-ab5d-50426cbd408e/home/USERNAME/.ecryptfs/wrapped-passphrase

and then trying to unlock like:
$ cd /media/USERNAME/763e53fe-cce3-4fe6-ab5d-50426cbd408e/home/nutella
$ sudo ecryptfs-recover-private .
INFO: Found [.].
Try to recover this directory? [Y/n]: Y
INFO: Could not find your wrapped passphrase file.
INFO: To recover this directory, you MUST have your original MOUNT passphrase.
INFO: When you first setup your encrypted private directory, you were told to record
INFO: your MOUNT passphrase.
INFO: It should be 32 characters long, consisting of [0-9] and [a-f].

Enter your MOUNT passphrase:
INFO: Success! Private data mounted at [/tmp/ecryptfs.V6lfkUV1].

And then I only see the same files as if it would not have been decrypted.

I surely affects me...

This affects me, too.

Could you guys give more information on how you do to ecryptfs-recover-private command, not just say "affects me" and stuff? BTW, I tested on Ubuntu Precise and Trusty very well.

My apologize. It works successfully when I enter the wrong mount passphrase.
However, it doesn't need to be fixed really. When we mount eCryptfs, we also could enter different passphrases and decrypted certain files. It's the design of eCryptfs, I think.

One thing we're supposed to do is to display the warning/information like "Mount successfully. But maybe the mount passphrase is not the key to decrypt your private data".

What do you say about this? Any information are welcome!

Jason

I read the patch written by Dustin recently. It just test whether the mount command works successfully or not, not give the warning "It may not decrypt your private data". I'm going to reassign this to me.

I reopened a bug report at bug 1694272.