[clug] Ubuntu Lynx (10.04) and ecryptfs

Andrew Janke a.janke at gmail.com
Mon May 3 19:16:12 MDT 2010


> Aye, I have gone through this but it seems to be outdated or at least
> missing information for the scheme used in Lynx.
>
> First I do this:

>   $ ecryptfs-unwrap-passphrase /home/.ecryptfs/<username>/.ecryptfs/wrapped-passphrase
> <login-password>
>   <result>

OK, after some more digging (and a pointer from the page you sent) I
finally found the correct answer -- the page is missing some steps for
FNEK.

I found the missing bit here:

   http://www.kaijanmaki.net/2009/10/26/recovering-files-from-ecryptfs-encrypted-home/

So HOWTO (for Karmic/Lynx newbies who have decided to give this a try):

Install things you will need on the recovery system.

   # apt-get install ecryptfs-utils

Get your passphrase in case you forgot it (note this must be done
BEFORE things go haywire):

   # ecryptfs-unwrap-passphrase /home/.ecryptfs/<username>/.ecryptfs/wrapped-passphrase
   Passphrase: <your login password>
   XXXXXXXXXXXXXXXXXXXXX

Get the FNEK filename encryption passphrase

   # ecryptfs-add-passphrase --fnek
   Passphrase: <XXXXXXXXXXXXXXXXXXXXX>
   Inserted auth tok with sig [YYYYYYYYYYYY] into the user session keyring
   Inserted auth tok with sig [ZZZZZZZZZZZZZZ] into the user session keyring

Now mount the sucker (note that defaults are used for the first three
questions):

   mkdir /mnt/test
   mount -t ecryptfs /home/.ecryptfs/<username>/.Private /mnt/test
   Passphrase: <XXXXXXXXXXXXXXXXXXXXX>

   Select cipher:
    1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
    3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
    4) twofish: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    5) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
    6) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
   Selection [aes]:
   Select key bytes:
    1) 16
    2) 32
    3) 24
   Selection [16]:
   Enable plaintext passthrough (y/n) [n]:
   Enable filename encryption (y/n) [n]: y
   Filename Encryption Key (FNEK) Signature [YYYYYYYYYYYYY]: <ZZZZZZZZZZZZZZZ>
   Attempting to mount with the following options:
     ecryptfs_unlink_sigs
     ecryptfs_fnek_sig=ZZZZZZZZZZZZZZ
     ecryptfs_key_bytes=16
     ecryptfs_cipher=aes
     ecryptfs_sig=YYYYYYYYYYYY
   WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
   it looks like you have never mounted with this key
   before. This could mean that you have typed your
   passphrase wrong.

   Would you like to proceed with the mount (yes/no)? : yes
   Would you like to append sig [YYYYYYYYYYYY] to
   [/root/.ecryptfs/sig-cache.txt]
   in order to avoid this warning in the future (yes/no)? : no
   Not adding sig to user sig cache file; continuing with mount.
   Mounted eCryptfs

Then admire your handiwork:

   # ls /mnt/test
   <your stuff>

Fun. (not).


--
Andrew Janke
(a.janke at gmail.com || http://a.janke.googlepages.com/)
Canberra->Australia    +61 (402) 700 883
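
The signature handling in the HOWTO above, as an added example that is not part of the original post: it reads the two "Inserted auth tok" lines and builds the mount option string with the first signature as ecryptfs_sig and the second as ecryptfs_fnek_sig. The function names, the sample output and the 16-hex-character signature check are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): turn the output of
# `ecryptfs-add-passphrase --fnek` into the mount options listed in the HOWTO.

# Constructed sample output; both signatures are made-up values.
SAMPLE_OUTPUT='Inserted auth tok with sig [0123456789abcdef] into the user session keyring
Inserted auth tok with sig [fedcba9876543210] into the user session keyring'

# Print signature number $1 found in text $2. As in the HOWTO's output,
# 1 is the mount key signature and 2 is the FNEK signature.
extract_sig() {
    printf '%s\n' "$2" |
        sed -n 's/^.*Inserted auth tok with sig \[\([^]]*\)].*$/\1/p' |
        sed -n "${1}p"
}

# Accept only 16 hex characters (assumed signature format), so nothing
# else, such as a comma starting another mount option, reaches -o.
is_valid_sig() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Build the -o string from the tool output in $1; non-zero on bad input.
# A missing second line (no --fnek) fails here instead of at mount time.
build_mount_opts() {
    key_sig=$(extract_sig 1 "$1")
    fnek_sig=$(extract_sig 2 "$1")
    is_valid_sig "$key_sig" || return 1
    is_valid_sig "$fnek_sig" || return 1
    printf 'ecryptfs_unlink_sigs,ecryptfs_fnek_sig=%s,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig=%s\n' \
        "$fnek_sig" "$key_sig"
}

# Show the resulting command instead of running it (mounting needs root).
# <username> and /mnt/test are the placeholders used in the HOWTO.
if opts=$(build_mount_opts "$SAMPLE_OUTPUT"); then
    echo "mount -t ecryptfs -o $opts /home/.ecryptfs/<username>/.Private /mnt/test"
fi
```

Passing the FNEK signature explicitly avoids accepting the prompt's default, which in the session above offers the mount key signature instead.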

