For a while now the Ubuntu installer has offered an option to encrypt your home directory, and decrypt it at login. Security-wise, this is a nice tool, especially for laptops and other portable computers that have a higher risk of theft, or simply for computers with a higher risk of unauthorized access. However, what if your system suffers catastrophic failure and you find yourself unable to boot Ubuntu or log into your account? Depending on what you have on the computer, it might be critical that you recover your files before you wipe your hard drive and reinstall your operating system.
Of course, if your home directory is encrypted, you can't just grab whatever you want from your hard drive. There is a process for decrypting a secure home directory, but discovering it involved a bit of Googling and around an hour of consulting someone in IRC. So I wanted to write this in case someone else had this problem for real.
Anyway. Obviously, you need an Ubuntu live CD, or a USB drive from which you can boot Ubuntu. You also need the mount passphrase for your encrypted home folder. This is the long, randomly generated passphrase Ubuntu created when it set up the encrypted home, not your login password. Hopefully you wrote it down when Ubuntu prompted you to record it the first time you logged into your new system. If you don't have it, though, there's a way to recover it from your login password (included at the bottom of this post).
Steps:
1. Boot your computer from your live CD or USB drive.
2. Mount the hard drive or partition on which the encrypted home folder is stored. You can do this by browsing the Places menu; it will likely just be something like "100 GB Filesystem".
3. Open a terminal window (Applications > Accessories > Terminal).
4. Run the following:
Code:
sudo ecryptfs-add-passphrase --fnek
When it asks you for your passphrase, enter the decryption passphrase for your home directory. You will get two lines that resemble this:
Code:
Inserted auth tok with sig [9986ad986f986af7] into the user session keyring
Inserted auth tok with sig [76a9f69af69a86fa] into the user session keyring
The first signature identifies the key that decrypts file contents; the second is the filename encryption key (FNEK) signature. Copy the second string of characters in the brackets (yours will of course be different from the example I've provided) and make a note of it. You'll need it to decrypt the names of your files. Because you ran the command with sudo, both keys went into root's keyring, which matches the mount in step 6, which also runs as root. (Note: In a terminal window, Ctrl+Shift+C is copy and Ctrl+Shift+V is paste.)
5. Create a folder on your desktop to use as a mount point:
Code:
mkdir Desktop/Mount
6. Now it's time to mount and decrypt your home folder. The steps for this are provided below. For sake of reference, by the time you're finished, the terminal window should look a lot like this:
Code:
ubuntu@ubuntu:~$ sudo mount -t ecryptfs /media/04b67fb1-aafd-4082-aebc-493c509bdbe1/home/.ecryptfs/username/.Private Desktop/Mount
Passphrase:
Select cipher:
 1) aes:
 2) blowfish:
 3) des3_ede:
 4) twofish:
 5) cast6:
 6) cast5:
Selection [aes]:
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]:
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [9986ad986f986af7]: 76a9f69af69a86fa
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=76a9f69af69a86fa
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=9986ad986f986af7
Mounted eCryptfs
ubuntu@ubuntu:~$
First, you enter the command to decrypt and mount the folder, hence the 'sudo mount -t ecryptfs ...' command. The long string of characters after /media/ is the UUID of the partition you mounted in step 2 and is different for everyone; just hit Tab after typing '/media/' and it will probably autocomplete. Replace 'username' with the name of your home folder (mine is astnya, so my path contains /home/.ecryptfs/astnya/.Private). The last part of the command tells it to mount the decrypted folder to the directory you created on the desktop.
Enter your decryption passphrase when prompted to do so, then simply hit Enter in the 'Select cipher' section to choose the default, aes. Do the same for 'key bytes' to choose 16, and the same for 'Enable plaintext passthrough' to choose not to enable it. However, you do want to enable filename encryption, so when asked, hit y. On the next line the default offered in brackets is the first signature (the file-contents key), which is not what you want; enter the second, FNEK signature you made a note of earlier instead. It is used to decrypt the names of your files and folders, which are encrypted with a separate key from their contents. If the mount fails with an error about a missing key, the most likely cause is a mistyped passphrase or signature; check them and run the command again.
After that, the process should successfully complete, and you'll be able to rescue your files through the Mount folder on your desktop. But there's one more step to be done. The decrypted files keep the owner and permissions they had on the broken system, and that owner is not the live session's 'ubuntu' user, so you need superuser permissions to read them:
Code:
sudo nautilus
This will bring up a file browser window running as root. In that window, navigate to the folder (press Ctrl+L and type in '/home/ubuntu/Desktop/Mount'). You should now be able to view your home folder, and to modify or copy its contents as necessary, as long as you keep that window open. Be careful in a root file browser, since it will happily delete or overwrite anything on the system. If all you need is to copy files out, it is safer to do that from the terminal with sudo and cp -a (or rsync), then chown the copy to your live session user so you can read it without root. When you are finished, unmount the Mount folder with sudo umount.
If you find that you need your decryption passphrase, you can run this to recover it:
Code:
ecryptfs-unwrap-passphrase /media/04b67fb1-aafd-4082-aebc-493c509bdbe1/home/.ecryptfs/username/.ecryptfs/wrapped-passphrase
Again, the UUID after /media/ and 'username' will differ for you; it is the same path as in step 6, but ending in .ecryptfs/wrapped-passphrase instead of .Private. If you get a permission error reading that file, run the command with sudo. Enter your login password for your account on the computer into the prompt, and it will print the decryption passphrase for your home folder. The wrapped-passphrase file is the mount passphrase encrypted with your login password, so your login password is what really protects your data: anyone who learns it can recover the mount passphrase exactly this way. Treat the printed passphrase as a secret.
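The whole recovery above (steps 4 to 6, plus the passphrase recovery just described) as one script. This is an added example, not code from the post or from ecryptfs-utils. It assumes the broken install's root filesystem is already mounted at the path given as the first argument, that the encrypted home and its wrapped passphrase live under home/.ecryptfs/username/ on it as in the post, that ecryptfs-utils and keyutils are installed in the live session, and that the trailing '-' argument these tools document for reading the secret from stdin is available on your release. It replaces the interactive prompts with the exact option string the transcript shows (mount -i hands them straight to the kernel, which then looks the keys up in root's keyring by signature), reads the secret from stdin so it never lands in the shell history, and refuses to mount if the parsed signatures do not look right. Newer ecryptfs-utils releases also ship ecryptfs-recover-private, which automates the same procedure.

```shell
#!/bin/sh
# Added example (not from the original post): the manual eCryptfs home
# recovery as a script.  Assumptions, mine not the post's: the broken
# install's root filesystem is mounted at $1 (e.g. /media/<uuid>), the
# encrypted home is at $1/home/.ecryptfs/$2/.Private and the wrapped
# passphrase at $1/home/.ecryptfs/$2/.ecryptfs/wrapped-passphrase.
# Run as root from the live session:
#   printf '%s\n' "$MOUNT_PASSPHRASE" | sh recover-home.sh /media/<uuid> username /mnt/recovered
#   printf '%s\n' "$LOGIN_PASSWORD"   | sh recover-home.sh /media/<uuid> username /mnt/recovered --unwrap

# Print the n-th key signature (1 = file-contents key, 2 = FNEK) from the
# "Inserted auth tok with sig [...]" lines that ecryptfs-add-passphrase prints.
sig_at() {
    printf '%s\n' "$2" \
        | sed -n 's/.*sig \[\([0-9a-f]\{16\}\)].*/\1/p' \
        | sed -n "${1}p"
}

# A signature is 16 lowercase hex digits.  Anything else means the tool's
# output was not what we expected and the kernel would look up a key that
# is not in the keyring, so refuse rather than attempt the mount.
valid_sig() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{16}$'
}

# The option string the interactive helper arrived at in the transcript:
# default cipher aes, 16 key bytes, no passthrough, filename encryption
# keyed by the FNEK signature.
build_mount_opts() {
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs' "$1" "$2"
}

recover_home() {
    root=$1; user=$2; target=$3; mode=${4:-}
    base="$root/home/.ecryptfs/$user"
    lower="$base/.Private"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -d "$lower" ] || { echo "no encrypted home at $lower" >&2; return 1; }

    # Secrets arrive on stdin so they never show up in ps or the history.
    if [ "$mode" = "--unwrap" ]; then
        # stdin is the login password; "-" tells the tool to read it there.
        pass=$(ecryptfs-unwrap-passphrase "$base/.ecryptfs/wrapped-passphrase" -) || return 1
    else
        IFS= read -r pass || return 1
    fi

    # Step 4: add the passphrase and the derived FNEK to root's keyring.
    out=$(printf '%s\n' "$pass" | ecryptfs-add-passphrase --fnek -) || return 1
    unset pass
    sig=$(sig_at 1 "$out"); fnek=$(sig_at 2 "$out")
    valid_sig "$sig" && valid_sig "$fnek" \
        || { echo "could not parse key signatures from: $out" >&2; return 1; }

    # Steps 5 and 6: mount point, then mount.  -i skips the interactive
    # helper, so both keys must already be in the keyring by signature.
    mkdir -p "$target"
    mount -i -t ecryptfs -o "$(build_mount_opts "$sig" "$fnek")" "$lower" "$target"
    echo "mounted $target; when done: umount $target && keyctl clear @u"
}

if [ "$#" -ge 3 ]; then
    recover_home "$@"
fi
```

The script only mounts when it is given the three path arguments, so it can be sourced to reuse the helpers. After copying your files out, unmount and clear the keys from the keyring as the final message says; otherwise the mount passphrase stays usable by anyone who gets a root shell in the live session.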
Credit goes to Aemaeth in #ubuntu and the authors of this page for the help in figuring this out. Hopefully this guide was written in enough of a noob-friendly fashion that it's not confusing for people new to Ubuntu or Linux. =)