recovering file contents *and filenames* only with lower files and mount passphrase?

Asked by laramichaels1978 on 2010-01-12


First off, my sincere thanks to the developers for providing us with such an easy-to-use encryption system. This is terrific and important work. : )

Following the instructions on the wiki and Dustin's blog, setup was a breeze. (I am running an up-to-date Ubuntu 9.10.) I was testing if the instructions in the wiki ( would allow me to recover my data in the scenario where I have available only:

- a copy of .Private (from an external HD backup)
- my *mount* passphrase (which I obtained by running ecryptfs-unwrap-passphrase and then stored somewhere safe)

Am I correct in thinking this is enough to recover my data (*including the filenames*)? (I envision this scenario happening if, following Dustin's suggestion in his blog to store the wrapped passphrase file in an external media, I lose the USB stick in which the wrapped passphrase is stored.)

As the following shows, following the instructions in the wiki correctly decrypts my files but leaves the filenames encrypted *even* if I answer Y to the question 'enable filename encryption?'.

l@l:~$ sudo mount -t ecryptfs /home/l/.Private /home/l/Private
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: 1
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y <<==== I thought this would solve this issue, but alas...
Filename Encryption Key (FNEK) Signature [447e4c9830c32cb4]:
Attempting to mount with the following options:
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [447e4c9830c32cb4] to
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs
$ ls Private/
$ echo Private/ECRYPTFS_FNEK_ENCRYPTED.FWaxrTMd-3HC6kQqVh-LuqvcEoha8IwFu4.jit654y89df3lG3bom25Xk--

What am I doing wrong? Do I need to store in a safe place additional information to recover both file contents *as well as the filenames* in case of loss of the wrapped passphrase file?

Many thanks for any advice : )



I have figured out the solution. If you want to decrypt your files (including filenames) in a situation where you have

1- your *mount* passphrase; and
2- the directory containing the encrypted files (by default ~/.Private)

what you need to do is:

$ sudo ecryptfs-add-passphrase --fnek
[type *mount* passphrase]

You should get a message saying
Inserted auth tok with sig [0809f8d09s8f90s49] into the user session keyring
Inserted auth tok with sig [fdsklj349cll3s9jfd903] into the user session keyring

Now you will use these two authorization tokens in the command:

$ sudo mount -t ecryptfs ~/.Private ~/Private -o ecryptfs_sig=first_of_the_auth_tokens,ecryptfs_fnek_sig=second_of_the_auth_tokens

Insert again your mount passphrase and you should have your encrypted files accessible (with the correct filenames) in ~/Private.

Hope this helps
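As an added example that is not part of the answer above, this script automates the two steps the answer describes: it parses the two "Inserted auth tok with sig [...]" lines that `ecryptfs-add-passphrase --fnek` prints, then passes the first as ecryptfs_sig and the second as ecryptfs_fnek_sig to mount, so the signatures are not copied by hand. It assumes ecryptfs-utils is installed and that the .Private copy was created by ecryptfs-setup-private; the helper names and the --run flag are my own.

```shell
#!/bin/sh
# Added example (not from the Launchpad thread). Recovers an eCryptfs
# ~/.Private directory, filenames included, from the mount passphrase alone.

# Print every signature found in ecryptfs-add-passphrase output, one per line,
# in the order printed: content key first, FNEK (filename key) second.
extract_sigs() {
    printf '%s\n' "$1" | sed -n 's/.*Inserted auth tok with sig \[\([^]]*\)].*/\1/p'
}

# Turn that output into the -o string used in the answer's mount command.
# Fails if fewer than two sigs were inserted, which is what happens when
# --fnek is forgotten (contents would decrypt, filenames would not).
build_mount_opts() {
    sigs=$(extract_sigs "$1")
    content_sig=$(printf '%s\n' "$sigs" | sed -n '1p')
    fnek_sig=$(printf '%s\n' "$sigs" | sed -n '2p')
    if [ -z "$content_sig" ] || [ -z "$fnek_sig" ]; then
        echo "expected two auth tok sigs (was --fnek passed?)" >&2
        return 1
    fi
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s\n' "$content_sig" "$fnek_sig"
}

# Interactive recovery: prompts for the mount passphrase, loads both keys into
# the session keyring, then mounts with explicit sig options. mount will still
# ask its usual questions (cipher, key bytes, passphrase) as in the thread.
recover_private() {
    lower=$1   # e.g. /media/backup/.Private (the encrypted copy)
    upper=$2   # e.g. /home/l/Private (existing empty directory)
    out=$(sudo ecryptfs-add-passphrase --fnek) || return 1
    opts=$(build_mount_opts "$out") || return 1
    sudo mount -t ecryptfs "$lower" "$upper" -o "$opts"
}

# Usage: sh recover.sh --run /path/to/.Private /path/to/Private
if [ "${1:-}" = "--run" ]; then
    recover_private "$2" "$3"
fi
```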


Thanks immensely for this. I saw something similar on a site, but was still unclear what I needed to do. Cheers.

COKEDUDE (cokedude) said : #3

I hope this helps.