Recover encrypted ecryptfs home folder from encrypted dm-crypt luks disk volume

Whew… saved by the skin of teeth.

The grub2 bootloader of my computer got corrupt. I was not able to boot into the computer and all was lost. For security reasons, I set up LVM with full disk encryption. Thereafter, each user’s home folder was further encrypted with ecryptfs (the default you get when you set up Ubuntu).

Now that the computer could not boot, do whatever methods, including boot-repair, there was no choice but to attempt to salvage the data and decrypt it.

To salvage data, I booted with the Ubuntu 16.04 LTS Live CD and was very well into the desktop environment of the Live CD.

On the desktop, I could see 3 partitions. One for boot, one for EFI and one with the encrypted LVM partition, which contained all the data.

Started up the file manager, and found that clicking on the encrypted LVM partition asked for the password and thereafter, successfully loaded the contents onto the File Manager.

From within File Manager, copied out the entire /home folder contents to a USB drive connected to the computer.

Once all files were copied to the USB drive, shutdown the computer. Next big step was to retrieve the encrypted files from the .ecryptfs folder in the home directory of the user.

Luckily, the home folder was now mounted under /media/user and the contents of the home folder easily accessible now.

However, one glitch, had to make sure that all commands henceforth were as a root user.

Started up a terminal window and gave below commands:
$ sudo -i <enter>
$ cd /media/user/Image/home/.ecryptfs/user/.ecryptfs <enter>
$ ecryptfs-unwrap-passphrase ./wrapped-passphrase <enter>

Now try all the passwords you have ever set on the system. If you enter the very first password for your login that you set up when creating the encrypted home folder, it will decrypt the data.

If above works, you are done. You can exit from root, and enter the command below:
$ sudo ecryptfs-recover-private /media/user/Images/home/.ecryptfs/user/.Private <enter>

Enter the login password that was able to unwrap the passphrase.

Now the folder will be decrypted and mounted under /tmp/xxxxx which will be listed below the above command.

$ sudo -i <enter>

Start up the file manager after changing over to root user and copy the decrypted files to another location.

$ exit <enter>
$ exit <enter>

Note that the files have been retrieved, only that the next time they need to be accessed or copied, root only can do so. The owner and user can be modified later to allow other users to mount and use the decrypted files.

Learn more about ecryptfs-recover-private.

Leave a Reply




Blue Captcha Image


August 2017
« Jul