eCryptfs usually needs a wrapped-passphrase
file that stores the actual encryption key ("mount passphrase"), or you need the mount passphrase itself.
If you have one of those, you can try ecryptfs-recover-private
to "find and mount any encrypted private directories". Since filenames were encrypted I don't think they could be recovered, their names were encrypted in the filenames, and photorec
doesn't usually recover filenames (making just finding the wrapped-passphrase
file difficult too) - I'm assuming testdisk
didn't have any luck?
ecryptfs-recover-private
needs the files in specific directories:
- encrypted files in
.Private
wrapped-passphrase
in $d/../.ecryptfs/wrapped-passphrase
(where $d is .Private
, or a named directory)
Unless you tell it which directory to decrypt (doesn't have to be specifically named .Private
). My other answer here has more info on eCryptfs, including the general layout.
ecryptfs-recover-private
is just a shell script, so if you have difficulties you could try stepping through it manually if you wanted. In a terminal to quickly see it just use
less `which ecryptfs-recover-private`
I don't think eCryptfs requires every original file for successful decryption (otherwise deleting a single file would become a problem), but some of the recovered files might be truncated or have some bad data too, so it's definitely not guaranteed to work.
And if there were multiple users' encrypted files, they would have different mount passphrases too, but photorec
probably recovered all the files in one big group. That means trying to decrypt all the files with each different mount passphrase, one at a time, and seeing if anything works. Backups are definitely preferred!
Is it possible to decrypt those files? Most likely not but I'm not an expert so you should wait for answers or other comments. – None – 2018-05-08T20:08:09.240