I use eCryptFS to encrypt the home directory of my laptop. My backup script copies the encrypted files to a server (together with everything else in /home/.ecryptfs).

How can I mount the encrypted files of the backup? I'd like to verify that I can do that, and that everything is in place.

My naive try with

mount -t ecryptfs /backup/home/.ecryptfs/boldewyn /mnt/test

didn't work, eCryptFS wanted to create a new partition.

Boldewyn
  • Related: [How do I recover my data from an encrypted home directory?](http://askubuntu.com/questions/38336/how-do-i-recover-my-data-from-an-encrypted-home-directory). – kenorb Oct 08 '14 at 17:55

1 Answer

Assuming you use the Ubuntu standard encryption scheme, with no extra tweaks.

The $HOME/.ecryptfs "folder" is actually just a link.

The true place where your files stay is /home/.ecryptfs/$USER

There are two folders there, .Private (with your files encrypted) and .ecryptfs, with files like auto-mount, auto-umount, Private.mnt, Private.sig, wrapped-passphrase.

Hopefully the target files are copied to your host backup.

If there is no backup of your wrapped-passphrase on this server, you're lost. If there is a backup, then your encryption scheme has been weakened by storing your wrapped passphrase over the web, unless you control the host where you make the backup.

I found this script for mounting:

#!/bin/bash
# Mount an Ubuntu-style eCryptfs home by hand from its .Private/.ecryptfs pair.
# ROOT should be the parent of the .ecryptfs and .Private folders; for the
# backup copy in the question that is /backup/home/.ecryptfs/$USER.
ROOT=/home/.ecryptfs/$USER
TARGET=/mnt/$USER

sudo mkdir -p "$TARGET"
cd "$ROOT" || exit 1

# Unwrap the mount passphrase with the login passphrase (interactive prompt).
echo "Type your password:"
PASS=$(ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase | sed 's/Passphrase: //')
# Private.sig holds two signatures: the file-content key (line 1)
# and the filename-encryption key, FNEK (line 2).
SIG1=$(head -n1 .ecryptfs/Private.sig)
SIG2=$(tail -n1 .ecryptfs/Private.sig)

# Printed only so you can compare them with what ecryptfs-add-passphrase
# reports; note this leaves the mount passphrase in your terminal scrollback.
echo "Passphrase:"
echo "$PASS"
echo "Signatures:"
echo "$SIG1"
echo "$SIG2"

# Start from an empty user keyring (root's, since the commands run under sudo).
echo "Should be empty:"
sudo keyctl clear @u
sudo keyctl list @u

# The trailing '-' makes ecryptfs-add-passphrase read the passphrase from
# stdin instead of prompting; --fnek also inserts the filename key.
# The two signatures it prints must equal SIG1 and SIG2.
echo "Do not type anything:"
echo "$PASS" | sudo ecryptfs-add-passphrase --fnek -

echo "Should have signatures:"
sudo keyctl list @u

# aes with 16-byte keys is the Ubuntu default; change if your home was set up differently.
echo "Mounting $ROOT on $TARGET..."
sudo mount -t ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,ecryptfs_sig=$SIG1,ecryptfs_fnek_sig=$SIG2,passwd="$PASS" .Private "$TARGET"

ls "$TARGET"

unset -v PASS
# When finished: sudo umount "$TARGET" && sudo keyctl clear @u
user39559
  • Ah, the passphrase unwrapping was the trick! Thank you! – Boldewyn Jan 15 '11 at 08:49
  • Good that it works. Anyway, keeping your wrapped passphrase on the server will weaken, and sometimes destroy, your encryption security. – user39559 Jan 15 '11 at 14:56
  • [Link](https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/455709/comments/11) to original script ([full thread](https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/455709)). – kenorb Oct 08 '14 at 18:18
  • Thank you! I'm surprised there isn't a standard command to do this sort of thing. If you're using [EncryptedPrivateDirectory](https://help.ubuntu.com/community/EncryptedPrivateDirectory) to encrypt just your `$HOME/Private` mount point, then just use `ROOT=$HOME` in the script. I changed the script to `ROOT=${ROOT:-/home/.ecryptfs/$USER}` so I can just pass that value via the environment. – nealmcb May 18 '15 at 16:59
  • Ahh - I see that @kenorb's comment links to a bug report with details on why the normal approach of having mount itself ask for the passphrase via `sudo mount -t ecryptfs .Private /mnt/private` doesn't work in Ubuntu. Hmm - 6-year-old bug.... – nealmcb May 18 '15 at 17:11
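The question also asks how to verify that "everything is in place" before relying on the backup. The following Python script is an added example, not part of the original question or answer, that checks the backup copy offline: it confirms the `.Private` / `.ecryptfs` layout the answer lists (wrapped-passphrase, Private.sig, Private.mnt) and, given the unwrapped mount passphrase, recomputes the two signatures and compares them with Private.sig, so a wrong passphrase or a mismatched backup is caught before any `mount` is attempted. It assumes the default eCryptfs passphrase-to-key derivation as I understand it (SHA-512 over salt followed by the passphrase, re-hashed 65536 times in total, default salts 0011223344556677 for the content key and 9988776655443322 for the filename key, signature = first 8 bytes of SHA-512 over the derived key); the salts, iteration count, function names and the constructed sample layout are this example's assumptions, and a home set up with non-default parameters will not match.

```python
"""Offline sanity checks for an eCryptfs encrypted-home backup.

Added example, not from the original question or answer. Assumes the Ubuntu default
layout the answer describes:
    ROOT/.Private/                      the encrypted files
    ROOT/.ecryptfs/wrapped-passphrase   mount passphrase, wrapped with the login passphrase
    ROOT/.ecryptfs/Private.sig          two lines: content-key sig, then filename-key (fnek) sig
    ROOT/.ecryptfs/Private.mnt          the mount point recorded at setup
and the default eCryptfs passphrase-to-key derivation as I understand it (assumption):
SHA-512 over salt || passphrase, re-hashed 65536 times in total, with the default salts
0011223344556677 (content key) and 9988776655443322 (filename key); the signature in
Private.sig is the first 8 bytes of SHA-512 over that derived key, in lowercase hex.
"""
import hashlib
import os
import re
import tempfile

SALT = bytes.fromhex("0011223344556677")       # default content-key salt (assumed)
SALT_FNEK = bytes.fromhex("9988776655443322")  # default filename-key salt (assumed)
ITERATIONS = 65536                             # default hash iteration count (assumed)
SIG_RE = re.compile(r"^[0-9a-f]{16}$")
REQUIRED = ("wrapped-passphrase", "Private.sig", "Private.mnt")


def passphrase_sig(passphrase: str, salt: bytes = SALT) -> str:
    """Signature (16 hex chars) that ecryptfs-add-passphrase would report for this passphrase."""
    h = hashlib.sha512(salt + passphrase.encode()).digest()
    for _ in range(ITERATIONS - 1):
        h = hashlib.sha512(h).digest()
    # h is now the 64-byte key; its signature is what the keyring and Private.sig carry
    return hashlib.sha512(h).digest()[:8].hex()


def read_private_sig(root: str) -> list:
    """Non-empty lines of .ecryptfs/Private.sig, stripped."""
    with open(os.path.join(root, ".ecryptfs", "Private.sig")) as f:
        return [line.strip() for line in f if line.strip()]


def check_backup_layout(root: str) -> list:
    """Return the list of problems found; an empty list means everything is in place."""
    problems = []
    if not os.path.isdir(os.path.join(root, ".Private")):
        problems.append(".Private directory missing")
    conf = os.path.join(root, ".ecryptfs")
    for name in REQUIRED:
        if not os.path.isfile(os.path.join(conf, name)):
            problems.append(f".ecryptfs/{name} missing")
    if ".ecryptfs/Private.sig missing" not in problems:
        sigs = read_private_sig(root)
        if len(sigs) != 2 or not all(SIG_RE.match(s) for s in sigs):
            problems.append("Private.sig must hold exactly two 16-hex-char signatures")
    return problems


def passphrase_matches(root: str, mount_passphrase: str) -> bool:
    """True if the unwrapped mount passphrase yields both signatures stored in Private.sig."""
    sigs = read_private_sig(root)
    expected = [passphrase_sig(mount_passphrase), passphrase_sig(mount_passphrase, SALT_FNEK)]
    return sigs == expected


def make_sample_backup(mount_passphrase: str, with_wrapped: bool = True) -> str:
    """Constructed sample layout in a temp dir for offline testing; contains no real ciphertext."""
    root = tempfile.mkdtemp(prefix="ecryptfs-backup-")
    os.makedirs(os.path.join(root, ".Private"))
    conf = os.path.join(root, ".ecryptfs")
    os.makedirs(conf)
    if with_wrapped:
        with open(os.path.join(conf, "wrapped-passphrase"), "wb") as f:
            f.write(b"\x00placeholder-not-a-real-wrapped-passphrase")
    with open(os.path.join(conf, "Private.mnt"), "w") as f:
        f.write("/home/boldewyn\n")
    with open(os.path.join(conf, "Private.sig"), "w") as f:
        f.write(passphrase_sig(mount_passphrase) + "\n")
        f.write(passphrase_sig(mount_passphrase, SALT_FNEK) + "\n")
    return root


if __name__ == "__main__":
    import sys
    # Usage: ecryptfs-unwrap-passphrase .../wrapped-passphrase | python3 check_backup.py ROOT
    root = sys.argv[1]
    problems = check_backup_layout(root)
    print("layout:", "ok" if not problems else "; ".join(problems))
    # The mount passphrase is read from stdin so it never appears in the process list.
    if not problems and not sys.stdin.isatty():
        mount_pass = sys.stdin.readline().strip()
        print("passphrase matches Private.sig:", passphrase_matches(root, mount_pass))
```

Run it against the backup root (the parent of `.Private` and `.ecryptfs`), piping in the output of `ecryptfs-unwrap-passphrase` rather than passing the passphrase as an argument. A clean layout plus a signature match means the mount in the answer's script will find the keys it needs; a mismatch usually means the wrong wrapped-passphrase, a stale Private.sig, or a non-default setup.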