[clug] Ubuntu Lynx (10.04) and ecryptfs

Andrew Janke a.janke at gmail.com
Mon May 3 18:49:52 MDT 2010


>> 2. given #1 how does recovery work?

> It's not a one liner. See
> https://help.ubuntu.com/community/EncryptedPrivateDirectory#Recovering Your Data Manually

Aye, I have gone through this but it seems to be outdated or at least
missing information for the scheme used in Lynx.

First I do this:

   $ ecryptfs-unwrap-passphrase /home/.ecryptfs/<username>/.ecryptfs/wrapped-passphrase <login-password>
   <result>

Which gives me an autogenerated (I suspect?) key that was made on
install. I understand that if I lose this I am stuffed and cannot get
my data back.  So then I attempt to mount my private dir somewhere
else (on the same machine) as a test:

  # mount -t ecryptfs /home/.ecryptfs/<username>/.Private /mnt/foo

And am then confronted with a series of questions to which I do not
know the answer so take guesses (defaults):

Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
...

After a number of guesses I am still at a loss. Is there any way to
tell which options are used by Lynx in some config file somewhuther?

> If you go down this road, you should see if you can take your hard
> drive to another computer and mount your encrypted home directory
> there. A default Ubuntu 9.04 install, for example, is missing a few
> packages for mounting ecrypt volumes (and it wasn't entirely obvious
> to me which package was missing).
>
> Can you (quickly) mount it from a Centos box? An older Ubuntu install?

Exactly.  As of right now, no I can't and this makes me a "tad" concerned.

> And don't forget to save the "mount passphrase" somewhere safe but
> quickly accessible.

And this part worries me as well. A USB stick? Send an email to myself
in gmail? What happens when I find this drive 10 years down the track?
I am about to just dump it all and go back to a non-encrypted /home
and single password encrypted backup volumes.

Not being able to get to my data is a far greater risk to me than
someone else getting it. (so far)  It was for this reason that I
converted all my old word docs from years back to text. :)


--
Andrew Janke
(a.janke at gmail.com || http://a.janke.googlepages.com/)
Canberra->Australia    +61 (402) 700 883

