Tritonio

Mounting encrypted home directory

Apr 17th, 2021
Mount Encrypted Ubuntu Home/Guide

Ubuntu allows users to encrypt their home directories at installation time. If the machine later suffers a hardware failure, the files can be decrypted and recovered from a Gentoo system. All that is required is the disk holding the encrypted home directory and either the user's login password or the eCryptfs mount passphrase.
Contents

1 Installation
1.1 Kernel
2 Locating the files
3 Decryption passphrase
4 Filename encryption
5 Decrypt and mount
6 Troubleshooting
6.1 Mount failures
Installation
Kernel

Files and filenames are encrypted and decrypted individually and on the fly by eCryptfs, a stacked filesystem that needs to be enabled in the kernel. eCryptfs depends on the kernel key retention service (CONFIG_KEYS), which holds the decryption keys for a mount, and on the AES cipher in the Cryptographic API (CONFIG_CRYPTO_AES); the CBC, ECB and MD5 helpers it also uses are selected automatically.
Note
The short procedure listed here is the simplest possible example. It may not be appropriate for your system. For more information on kernel configuration check out the Kernel/Configuration Guide.
root #cd /usr/src/linux
root #make menuconfig
KERNEL

File systems --->
[*] Miscellaneous filesystems --->
<M> eCrypt filesystem layer support
Security options --->
[*] Enable access key retention support

root #make && make modules_install
root #mount /boot
root #make install

Reboot!

Install the eCryptfs userspace utilities:
root #emerge --ask sys-fs/ecryptfs-utils
Locating the files

Locate the Ubuntu encrypted home directory for decryption. If the home directory is on an external hard drive, Gentoo may have automatically mounted it at:

/run/media/{username}/{UUID}

As an example we will use:

/run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/

The decryption target would then be the user's home directory:

/run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/user

That directory is, however, empty except for some symbolic links (.Private and .ecryptfs). Ubuntu keeps the encrypted files in a separate directory under /home/.ecryptfs, which eCryptfs decrypts and mounts on the fly onto the user's home directory at login. The links point there by absolute path, so on the rescue system they resolve against the wrong root and cannot be used as a mount source; use the real directory instead. All of the encrypted files for our example are located here:

/run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/.ecryptfs/user/.Private
Decryption passphrase

The mount passphrase is a random 128-bit value, written as 32 hexadecimal digits, that Ubuntu asks the user to record after installation is complete. The example passphrase is: 7069ca27397aa8ac9163fe7a703257f7

If the mount passphrase is known, move on to the next step.

If the mount passphrase is unknown it can be recovered with the login password, which is the key that wraps (encrypts) the passphrase in the wrapped-passphrase file:

/run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/.ecryptfs/user/.ecryptfs/wrapped-passphrase

Unwrap the passphrase; at the Passphrase: prompt enter the user's login password:
user $ecryptfs-unwrap-passphrase /run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/.ecryptfs/user/.ecryptfs/wrapped-passphrase

Passphrase:
7069ca27397aa8ac9163fe7a703257f7

Treat the printed value as the master key for everything in the home directory: it does not change when the login password changes, and anyone holding it can decrypt the data without the password. Do not paste it into shell history or leave it in a terminal scrollback on a shared machine.
  73.  
Filename encryption

Before the files can be accessed, the mount passphrase must be loaded into the kernel keyring of the user who will run mount, and the filename encryption key (FNEK) derived from it must be loaded alongside. Accomplish both of these things with the following command, entering the mount passphrase (not the login password) at the prompt:
root #ecryptfs-add-passphrase --fnek

Passphrase:
Inserted auth tok with sig [fe4b983ff729814b] into the user session keyring
Inserted auth tok with sig [cd7b5893b93c0920] into the user session keyring

The first signature identifies the mount passphrase key, the second the filename encryption key; both are 8-byte values printed as hexadecimal. The example filename encryption key signature is cd7b5893b93c0920. A wrong or mistyped passphrase still succeeds here but yields different signatures, so compare both against the ones Ubuntu recorded at setup in /run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/.ecryptfs/user/.ecryptfs/Private.sig (mount passphrase signature on the first line, FNEK signature on the second) before attempting the mount.
Decrypt and mount

Give the mount command with three arguments: the type ecryptfs, the location of the encrypted files (the real .Private directory, not the symbolic link inside the home directory), and the directory to mount the decrypted view on. Any empty directory will do as the target; the original home directory is used here. The example command is:
root #mount -t ecryptfs /run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/.ecryptfs/user/.Private /run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/user

At the interactive prompt make the following eight entries/choices (AES with 16-byte keys is what Ubuntu uses by default):

Passphrase
Cipher: AES
Key bytes: 16
Plaintext passthrough: n
Filename encryption: y
Filename Encryption Key
Proceed?: yes
Append sig?: no

Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: aes
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: 16
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [fe4b983ff729814b]: cd7b5893b93c0920
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=cd7b5893b93c0920
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=fe4b983ff729814b
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [fe4b983ff729814b] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.

The "never mounted with this key before" warning only means the signature is not yet in root's sig-cache.txt on the rescue system; it is expected on a first mount, and declining to append the signature simply avoids leaving a record of the key on the rescue system. If the signatures listed under "Attempting to mount" differ from those in the user's Private.sig, answer no to the mount instead and re-enter the passphrase.

The decrypted files are now available for recovery or backup. In the example they are at:

/run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/user
Warning
eCryptfs decrypts and encrypts files and filenames on the fly.

The files are not permanently decrypted at this point. They are simply available for copying or modification through the mount point. If the goal is recovery only, add -o ro to the mount command so that nothing in the encrypted tree is modified. When finished, umount the directory (the ecryptfs_unlink_sigs option shown above removes the keys from the keyring on unmount) and check with keyctl list @u that no eCryptfs keys remain.
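The procedure above, scripted end to end, as an added example that is not part of the Gentoo guide or of ecryptfs-utils. It assumes the Ubuntu disk is already mounted at the path in DISK (the guide's example path is the default) and that the home being recovered belongs to USER_NAME; both variables are hypothetical. Compared with the interactive walk-through it keeps the login password and the mount passphrase off the command line and out of shell history, refuses to mount when the signatures derived from the passphrase do not match the user's Private.sig, and mounts read-only with the same options the interactive prompt would have built plus no_sig_cache (skip the sig-cache warning) and ro.

```shell
#!/bin/sh
# Added example (not from the Gentoo guide or ecryptfs-utils): recover an
# Ubuntu eCryptfs home from a rescue system without typing secrets on a
# command line. DISK and USER_NAME are hypothetical; adjust to your system.
set -eu

DISK=${DISK:-/run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99}
USER_NAME=${USER_NAME:-user}
PRIVATE="$DISK/home/.ecryptfs/$USER_NAME/.Private"   # encrypted files (real dir, not the symlink)
CONFIG="$DISK/home/.ecryptfs/$USER_NAME/.ecryptfs"   # wrapped-passphrase and Private.sig
TARGET="$DISK/home/$USER_NAME"                        # where the clear view is mounted

# Pull the two 16-hex-digit signatures out of "ecryptfs-add-passphrase --fnek"
# output: first the mount passphrase sig, then the filename encryption key sig.
# Prints them space-separated on one line.
parse_sigs() {
    printf '%s\n' "$1" | sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p' | paste -s -d ' ' -
}

# Ubuntu recorded the expected sigs at setup time in Private.sig
# (line 1: passphrase sig, line 2: FNEK sig). If ours differ, the passphrase
# was wrong; fail before anything is mounted. $1 = sig, $2 = fnek sig, $3 = file.
check_sigs() {
    if [ "$(sed -n 1p "$3")" = "$1" ] && [ "$(sed -n 2p "$3")" = "$2" ]; then
        return 0
    fi
    return 1
}

# Mount options equivalent to the guide's interactive answers, plus
# no_sig_cache (do not consult /root/.ecryptfs/sig-cache.txt) and ro
# (recovery must not modify the encrypted tree). ecryptfs_unlink_sigs drops
# the keys from the keyring when the filesystem is unmounted.
# $1 = sig, $2 = fnek sig, $3 = cipher (default aes), $4 = key bytes (default 16).
build_opts() {
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=%s,ecryptfs_key_bytes=%s,ecryptfs_unlink_sigs,no_sig_cache,ro' \
        "$1" "$2" "${3:-aes}" "${4:-16}"
}

recover_mount() {
    [ -d "$PRIVATE" ] || { echo "no .Private directory at $PRIVATE" >&2; return 1; }
    # Read the login password from the terminal; never put it in argv.
    printf 'Login password for %s: ' "$USER_NAME"
    stty -echo; read -r login; stty echo; echo
    # Unwrap the mount passphrase and push it (and the FNEK) into the keyring
    # of this user in one pipeline, so the passphrase never touches disk.
    out=$(printf '%s\n' "$login" \
        | ecryptfs-unwrap-passphrase "$CONFIG/wrapped-passphrase" - \
        | ecryptfs-add-passphrase --fnek -)
    set -- $(parse_sigs "$out")
    [ $# -eq 2 ] || { echo "could not read key signatures from ecryptfs-add-passphrase" >&2; return 1; }
    check_sigs "$1" "$2" "$CONFIG/Private.sig" \
        || { echo "signature mismatch against Private.sig: wrong password?" >&2; return 1; }
    mount -t ecryptfs -o "$(build_opts "$1" "$2")" "$PRIVATE" "$TARGET"
    echo "mounted read-only at $TARGET; umount it and run 'keyctl clear @u' when done"
}

# Run the recovery only when invoked as: sh recover.sh run   (as root)
if [ "${1:-}" = "run" ]; then
    recover_mount
fi
```

Run it as root, since the mount and the keyring that mount.ecryptfs searches both belong to the invoking user. ecryptfs-utils also ships ecryptfs-recover-private, which automates the same search-and-mount for the common case; the script above shows what that convenience hides, in particular the signature check that tells a mistyped password apart from a damaged .Private tree.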
Troubleshooting
Mount failures

mount: mount(2) failed: No such file or directory
Error mounting eCryptfs: [-1] Operation not permitted
Check your system logs; visit <http://ecryptfs.org/support.html>

This usually means the key was not found in the keyring of the user performing the mount. Run dmesg for a more detailed error message:

[17955.991447] Could not find key with description: [91f6e7ae96b0047e]
[17955.991449] process_request_key_err: No key
[17955.991451] Could not find valid key in user session keyring for sig specified in mount option: [91f6e7ae96b0047e]
[17955.991452] One or more global auth toks could not properly register; rc = [-2]
[17955.991453] Error parsing options; rc = [-2]

The kernel looks up the signature given in the mount options in the keyring of the mounting process, so keys added under another user ID (for example ecryptfs-add-passphrase run as an ordinary user and mount run as root) are not visible. To fix, make sure that ecryptfs-add-passphrase --fnek is run by the same user that is mounting the filesystem, and confirm with keyctl list @u that a key described by the signature is present.

Also check syslog for more errors:

Jul 10 22:54:37 gentoo mount.ecryptfs[4402]: could not resolve full path for source /run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/user/.Private [-2]

Using the .Private symbolic link inside the home directory as the mount source results in the above error: the link targets /home/.ecryptfs/user/.Private by absolute path, which does not exist on the rescue system (return code -2 is ENOENT). Make sure to use /run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/.ecryptfs/user/.Private when mounting.