Accessing encrypted home from LiveCD

Asked by Kamil Páral

I tried to create a user with an encrypted home in Ubuntu 10.04 and access it from the Ubuntu 10.04 LiveCD. I used this blog post:
http://blog.dustinkirkland.com/2009/03/mounting-your-encrypted-home-from.html

It doesn't work and I don't know what's wrong.

# mount /dev/sda6 /mnt
# cd /mnt
# mount -o bind /proc proc/
# mount -o bind /dev dev/
# mount -o bind /dev/shm dev/shm/
# mount -o bind /sys/ sys/
# chroot .
# ls /home/kralik
Access-Your-Private-Data.desktop README.txt
# su - kralik
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [d60848b0c8360d3e] into the user session keyring
mount: Operation not permitted
$ ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [d60848b0c8360d3e] into the user session keyring
Inserted auth tok with sig [cba1635359520945] into the user session keyring
$ ecryptfs-mount-private
Enter your login passphrase:
Inserted auth tok with sig [cba1635359520945] into the user session keyring
mount: Operation not permitted

Any idea? Thanks.

Question information

Language: English
Status: Solved
For: eCryptfs
Assignee: No assignee
Solved by: Kamil Páral
Elliot Hassan (ehassan25) said :
#1

Here is what worked for me:
$ ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [d60848b0c8360d3e] into the user session keyring
Inserted auth tok with sig [cba1635359520945] into the user session keyring

$ sudo mount -t ecryptfs /media/6dd6840c-ba86-492c-9c42-bbfb86337250/kakashi/.Private /mnt   <-- (that is where my .Private folder with 60 GB of data was located)
$ Passphrase: <-- enter your mount passphrase
Selection: aes (use the aes cipher)
Selection: 16 (use a 16 byte key)
Enable plaintext passthrough: n
Enable filename encryption: y
Filename Encryption Key (FNEK) Signature: <-- that would be the second key ( in your case: cba1635359520945 )

It should then mount your files to /mnt.
I then accessed mine by using this command, but you can change where the files go:

$ mkdir /home/kakashi/old_home
$ rsync -va /mnt/ /home/kakashi/old_home

and voila!

Kamil Páral (kamil.paral) said :
#2

Elliot, you saved my day, thanks for helping me. It works, as opposed to the blog guide. A few remarks:

1. I had to mount /media/<disk>/.ecryptfs/<user>/.Private instead of the /media/<disk>/<user>/.Private you proposed (that's just a broken symlink).
2. It is critical to remember that for the FNEK Signature you have to enter the second listed key in the output of "ecryptfs-add-passphrase --fnek".
3. Beware that you can mount it only once. If you unmount it and try to mount it again, you get the error "Error mounting eCryptfs: [-2] No such file or directory". A system reboot fixes it. Something is rotten in there.

(Also, I would like to point out that such a critical feature as filesystem encryption deserves proper documentation on how to recover it in the event of a system crash. There is no working guide on the Ubuntu wiki; that's really bad for users. Sigh.)

Anyway, I now know how to access my encrypted data. Hurray!

COKEDUDE (cokedude) said :
#3

I will try this :). I hope it works.

Zeloras (zeloras) said :
#4

Good day.
Please tell me how to decrypt the home (I chose encryption during installation), given that I cannot use ecryptfs-mount-private, due to the fact that I accidentally ran sudo -R 777; sudo and mount do not work.

After reading and doing everything written in the article https://help.ubuntu.com/community/EncryptedPrivateDirectory
I went the long way, but at the end of the road this is what awaited me: after I had completed all the actions, I had no home; there was a normal folder Private and all its contents.

Disk /dev/sda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0007f552

   Device Boot Start End Blocks Id System
/dev/sda1 * 1 6993 56165376 83 Linux
/dev/sda2 6993 7296 2437121 5 Extended
/dev/sda5 6993 7296 2437120 82 Linux swap / Solaris
ubuntu@ubuntu:~$ sudo mount -o remount,ro /dev/sda1
mount: can't find /dev/sda1 in /etc/fstab or /etc/mtab
ubuntu@ubuntu:~$ nano /etc/fstab
ubuntu@ubuntu:~$ nano /etc/mtab
Use "fg" to return to nano.

[1]+ Stopped nano /etc/mtab
ubuntu@ubuntu:~$ sudo nano /etc/fstab
ubuntu@ubuntu:~$ sudo fdisk -l

Disk /dev/sda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0007f552

   Device Boot Start End Blocks Id System
/dev/sda1 * 1 6993 56165376 83 Linux
/dev/sda2 6993 7296 2437121 5 Extended
/dev/sda5 6993 7296 2437120 82 Linux swap / Solaris
ubuntu@ubuntu:~$ sudo mount -o remount,ro /dev/sda1
mount: mount point ext4 does not exist
ubuntu@ubuntu:~$ sudo nano /etc/fstab
ubuntu@ubuntu:~$ sudo mount -o remount,ro /dev/sd
mount: can't find /dev/sd in /etc/fstab or /etc/mtab
ubuntu@ubuntu:~$ sudo mount -o remount,ro /dev/sda1
mount: mount point does not exist
ubuntu@ubuntu:~$ sudo nano /etc/fstab
ubuntu@ubuntu:~$ sudo find / -type d -iname '.Private' 2>/dev/null
/media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/home/.ecryptfs/joker/.Private
ubuntu@ubuntu:~$ /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/joker/.Private
bash: /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/joker/.Private: No such file or directory
ubuntu@ubuntu:~$ /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/.ecryptfs/joker/.Private
bash: /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/.ecryptfs/joker/.Private: No such file or directory
ubuntu@ubuntu:~$ /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/home/.ecryptfs/joker/.Private
bash: /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/home/.ecryptfs/joker/.Private: is a directory
ubuntu@ubuntu:~$ /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/joker/.Private
bash: /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/joker/.Private: No such file or directory
ubuntu@ubuntu:~$ sudo ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [4881183819a94219] into the user session keyring
Inserted auth tok with sig [8cecc97bca8743a4] into the user session keyring
ubuntu@ubuntu:~$ sudo mount -t ecryptfs sdtm ldm
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: ^Z
[2]+ Stopped sudo mount -t ecryptfs sdtm ldm
ubuntu@ubuntu:~$ sudo mount -t ecryptfs /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/.ecryptfs/joker/.Private /home/joker
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 1
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: 1
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [4881183819a94219]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=4881183819a94219
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=4881183819a94219
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [4881183819a94219] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : yes
Successfully appended new sig to user sig cache file
Error mounting eCryptfs: [-2] No such file or directory
Check your system logs; visit <http://launchpad.net/ecryptfs>
ubuntu@ubuntu:~$ sudo mount -t ecryptfs /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/home/.ecryptfs/joker/.Private /home/joker
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 1
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: 1
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [4881183819a94219]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=4881183819a94219
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=4881183819a94219
Error mounting eCryptfs: [-2] No such file or directory
Check your system logs; visit <http://launchpad.net/ecryptfs>
ubuntu@ubuntu:~$ sudo mount -t ecryptfs /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/home/.ecryptfs/joker/.Private /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/home/asd
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 1
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: 1
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [4881183819a94219]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=4881183819a94219
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=4881183819a94219
Mounted eCryptfs
ubuntu@ubuntu:~$ sudo mount -t ecryptfs /media/bc6f3dc0-b6f8-4d00-a77c-21cc67816660/home/.ecryptfs/joker/.Private /home/ubuntu
Passphrase:
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 1
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: 1
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [4881183819a94219]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=4881183819a94219
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=4881183819a94219
Mounted eCryptfs

The short way is not an option.

Zeloras (zeloras) said :
#5

Could you add, in the section titled "mount from under the live CD", above the passphrase prompt, a note that this is NOT the password, and that to get the passphrase one should run ecryptfs-unwrap-passphrase /media/disk/home/.ecryptfs/user/.ecryptfs/wrapped-passphrase, enter the password, and the output will be the passphrase? I personally did not understand this and killed a lot of time on it :(
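
The recipe from #1 and #2 (the real lower directory under .ecryptfs, the second sig printed by ecryptfs-add-passphrase --fnek as the FNEK signature, an existing mount point) combined with the unwrap step from #5, as an added shell script that is not code from this thread or from ecryptfs-utils. It assumes a root shell on the LiveCD with ecryptfs-utils installed and the old root filesystem already mounted at the path given as the first argument; the `ro` and `ecryptfs_passthrough=n` options and the use of `mount -i` (bypassing the interactive helper, as ecryptfs-mount-private does) are my additions, so recovery can never write into the encrypted tree.

```shell
#!/bin/sh
# Added example (not from the thread): recover an eCryptfs home from a LiveCD.
# Assumes: run as root, ecryptfs-utils installed, the old root filesystem
# mounted at <old_root>, and the real lower directory at
# <old_root>/home/.ecryptfs/<user>/.Private (the /home/<user>/.Private
# symlink is dangling when seen from a LiveCD, see #2).
set -eu

# Parse "Inserted auth tok with sig [xxx]" lines from ecryptfs-add-passphrase:
# the first sig is the mount key, the second is the filename key (FNEK).
mount_sig() { printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]*\)\].*/\1/p' | sed -n '1p'; }
fnek_sig()  { printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]*\)\].*/\1/p' | sed -n '2p'; }

# Build the option string the interactive helper printed in #4 ("Attempting to
# mount with the following options"), plus ro so nothing is written back.
ecryptfs_opts() {
  printf 'ro,ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_unlink_sigs' "$1" "$2"
}

# recover_home <old_root> <user> <mountpoint>
recover_home() {
  lower="$1/home/.ecryptfs/$2/.Private"
  wrapped="$1/home/.ecryptfs/$2/.ecryptfs/wrapped-passphrase"
  # Both directories must exist, otherwise mount fails with ENOENT ([-2]) as in #4.
  [ -d "$lower" ] || { echo "no .Private directory at $lower" >&2; return 1; }
  [ -d "$3" ]     || { echo "mount point $3 does not exist" >&2; return 1; }
  # The mount passphrase is NOT the login password (#5): unwrap it with the
  # login password, which ecryptfs-unwrap-passphrase prompts for.
  mount_pw=$(ecryptfs-unwrap-passphrase "$wrapped")
  # Insert both keys into root's keyring; "-" reads the passphrase from stdin.
  out=$(printf '%s\n' "$mount_pw" | ecryptfs-add-passphrase --fnek -)
  sig=$(mount_sig "$out"); fnek=$(fnek_sig "$out")
  # -i skips mount.ecryptfs; the kernel finds the keys by sig in the keyring.
  mount -i -t ecryptfs -o "$(ecryptfs_opts "$sig" "$fnek")" "$lower" "$3"
}

# Example invocation (adjust the three paths for your disk):
# recover_home /media/<disk> joker /mnt/recovered
```

Copy the data out with rsync afterwards as in #1; because the mount is read-only, a mistake in the target path cannot damage the encrypted tree.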

Dustin Kirkland (kirkland) said :
#6

Okay, so I think this should be solved with the release of Ubuntu 11.04 in April 2011, which includes a new utility called 'ecryptfs-recover-private', which very cleverly detects the encrypted setup, prompts the user for the necessary information, and mounts the directory readonly.

Hopefully this will solve most of these sorts of questions.

The manpage documentation is available at:
 * http://manpages.ubuntu.com/ecryptfs-recover-private

Dean Fox (fox-dean) said :
#7

Just discovered ecryptfs-recover-private and it works great even using my 'old' signature. So I guess my question still stands. How do I clean this up so I can login again from the main GUI screen without having to boot to a recovery console and typing these commands?

Thanks for any links!