ecryptfs: Recovering Private Files After .ecryptfs File Deleted
Leveraging Linux Mint 20.2 (Ubuntu/5.4.0-86 x86_64) with an older copy of an encrypted drive available via USB. Managed to get the encrypted drive mounted and the volume decrypted. However, when attempting to remount the 'private' home directory, both the '.ecryptfs' and '.Private' files were deleted. All the passphrases are available.
Now, when attempting to mount the private home directory, the two deleted files are causing an error: "Encrypted file is not setup correctly." Obviously, I wasn't able to recover the files (TestDisk). None of the other encrypted archives were touched, but still the error without the index. Hoping that '.Private' isn't required for reconstruction.
Is there a way to rebuild the index (assumption about .ecryptfs) with only the archives, themselves? Any way to recover the private directory or should I just wipe the drive?
... both the '.ecryptfs' and '.Private' files were deleted.
Erk. My understanding is that the .Private directory (not a file) is where the encrypted data exist. The .ecryptfs has some nice-to-have files (like the wrapped key), but you can live without them. But if the data are gone you are toast.
As I have never used it, I'm happy to be proved wrong.
Yeah, that's my understanding as well. But, I was hoping that while the '.Private' directory has the encrypted containers, the '.ecryptfs' directory has an index in that file that won't let me mount them. Sorry for the misunderstanding in my original post -- I'll use just the filename (.ecryptfs) and add a slash when I'm describing the directory since they're identically named. (.ecryptfs/)
Quote:
What does this mean - show us a list.
The two directories (.ecryptfs/ and .Private/) are both intact with the exception of the FILES of the same name within those directories. So, the following files were deleted:
.ecryptfs/.ecryptfs
.Private/.Private
Attachment has file listing for both directories. The symbolic links appear broken, but that is most likely because it's mounted under 'media' and not its usual location.
Yeah, I thought you might have encrypted filenames as well as the data itself. You'll need to add the filename encryption key to your keyring. Have a read of this, seems to cover it for Mint.
Thanks for the help - the missing step was the keyring, and I think my confusion was based on using a (newly created) user with the same login as the original owner. Either way, adding the Mount Passphrase to the keyring and using the appropriate identifier when mounting the share did the trick. That said, I still have no idea what those two files were that we deleted... were they important at all?
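The fix described in the last two posts (add the mount passphrase to the keyring, then pass the filename-key identifier at mount time), as an added example that is not part of the original thread. It assumes the usual two-line output of `ecryptfs-add-passphrase --fnek` and the Ubuntu/Mint encrypted-home defaults (aes, 16-byte key); the signature values and paths are constructed placeholders, and the script only prints the mount command.

```shell
#!/bin/sh
# Dry run: builds and prints the recovery mount command, never mounts anything.

# Constructed sample of what `ecryptfs-add-passphrase --fnek` prints once the
# mount passphrase has been entered (both signature values are made up).
SAMPLE_OUTPUT='Inserted auth tok with sig [0123456789abcdef] into the user session keyring
Inserted auth tok with sig [fedcba9876543210] into the user session keyring'

# Print every 16-hex-digit signature found on stdin, one per line, in order.
# Line 1 is the file-content key, line 2 the filename encryption key (FNEK).
extract_sigs() {
    sed -n 's/.*with sig \[\([0-9a-f]\{16\}\)\].*/\1/p'
}

# Build the -o string for a given FNEK signature; reject anything that is not
# exactly 16 lowercase hex digits so a mis-parsed value never reaches mount.
# key=passphrase makes the mount helper prompt for the mount passphrase;
# ro is an added precaution for working on the only copy of old data.
fnek_mount_opts() {
    fnek=$1
    case "$fnek" in
        *[!0-9a-f]*) echo "bad FNEK signature: $fnek" >&2; return 1 ;;
    esac
    [ "${#fnek}" -eq 16 ] || { echo "bad FNEK signature: $fnek" >&2; return 1; }
    printf '%s' "key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,"
    printf '%s' "ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,"
    printf '%s' "ecryptfs_fnek_sig=$fnek,ro"
}

# Print the full command for a lower directory (.Private/) and a mount point.
# Fails if the keyring output did not contain a second (FNEK) signature.
recovery_command() {
    keyring_output=$1; lower=$2; target=$3
    fnek_sig=$(printf '%s\n' "$keyring_output" | extract_sigs | sed -n 2p)
    opts=$(fnek_mount_opts "$fnek_sig") || return 1
    printf 'sudo mount -t ecryptfs -o %s %s %s\n' "$opts" "$lower" "$target"
}

# Placeholder paths: the old drive as seen under /media and an empty mount point.
recovery_command "$SAMPLE_OUTPUT" \
    /media/OLDDRIVE/home/.ecryptfs/USER/.Private /mnt/recovered
```

On a real recovery, replace `SAMPLE_OUTPUT` with the text captured from `ecryptfs-add-passphrase --fnek` and check the printed command before running it.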