10
4
I use eCryptFS to encrypt the home directory of my laptop. My backup script copies the encrypted files to a server (together with everything else in (home/.ecryptfs).
How can I mount the encrypted files of the backup? I'd like to verify that I can do that, and that everything is in place.
My naive try with
mount -t ecryptfs /backup/home/.ecryptfs/boldewyn /mnt/test
didn't work, eCryptFS wanted to create a new partition.
Boldewyn
Posted 2010-12-31T16:55:02.717
Reputation: 3 835
15
Assuming you use the Ubuntu standard encryption scheme, with no extra tweaks.
The $HOME/.ecryptfs "folder" is actually just a link.
The true place where your files stay is /home/.ecryptfs/$USER
There are two folders there, .Private (with your files encrypted) and .ecryptfs, with files like auto-mount, auto-umount, Private.mnt, Private.sig, wrapped-passphrase.
Hopefully the target files are copied to your host backup.
If there is no backup of your wraped-passphrased in this server, you're lost. If there is a backup, then your encryption scheme has been weakened by storing your wrapped passphrase over the web, unless you control the host where you make the backup.
I found this script for mounting:
ROOT=/home/.ecryptfs/$USER TARGET=/mnt/$USER # ROOT should be the parent of the .ecryptfs and .Private folders sudo mkdir -p $TARGET cd $ROOT echo Type your password: PASS=$(ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase | sed s/Passphrase:\ //) SIG1=$(head -n1 .ecryptfs/Private.sig) SIG2=$(tail -n1 .ecryptfs/Private.sig) echo Passphrase: echo $PASS echo Signatures: echo $SIG1 echo $SIG2 echo Should be empty: sudo keyctl clear @u sudo keyctl list @u echo Do not type anything: echo $PASS | sudo ecryptfs-add-passphrase --fnek echo Sould have signatures: sudo keyctl list @u echo Mounting $ROOT on $TARGET... sudo mount -t ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,ecryptfs_sig=$SIG1,ecryptfs_fnek_sig=$SIG2,passwd=$(echo $PASS) .Private $TARGET ls $TARGET unset -v PASS
user39559
Posted 2010-12-31T16:55:02.717
Reputation: 1 783
3Link to original script (full thread). – kenorb – 2014-10-08T18:18:03.743
Thank you! I'm surprised there isn't a standard command to do this sort of thing. If you're usingEncryptedPrivateDirectory to encrypt just your $HOME/Private mount point, then just use ROOT=$HOME in the script. I changed the script to ROOT=${ROOT:-/home/.ecryptfs/$USER} so I can just pass that value via the environment.
Ahh - I see that @kenorb's comment links to a bug report with details on why the normal approach of having mount itself ask for the passphrase via sudo mount -t ecryptfs .Private /mnt/private doesn't work in Ubuntu. Hmm - 6-year-old bug.... – nealmcb – 2015-05-18T17:11:05.973
Ah, the passphrase unwrapping was the trick! Thank you! – Boldewyn – 2011-01-15T08:49:52.683
1Good that it works. Anyway, keeping your wrapped passphrase on the server will weaken, and sometimes destroy, your encryption security. – user39559 – 2011-01-15T14:56:16.300
Related: How do I recover my data from an encrypted home directory?.
– kenorb – 2014-10-08T17:55:05.727