ecryptfs: Recovering Private Files After .ecryptfs File Deleted

GrovesP · 12-06-2021, 08:53 PM

Leveraging Linux Mint 20.2 (Ubuntu/5.4.0-86 x86_64) with an older copy of an encrypted drive available via USB. Managed to get the encrypted drive mounted and the volume decrypted. However, when attempting to remount the 'private,' home directory, both the '.ecryptfs' and '.Private' files were deleted. All the passphrases are available.

Now, when attempting to mount the private home directory. The two deleted files are causing an error: "Encrypted file is not setup correctly." Obviously, I wasn't able to recover the files. (TestDisk) None of the other encrypted archives were touched, but still the error without the index. Hoping that '.Private,' isn't required for reconstruction.

Is there a way to rebuild the index (assumption about .ecryptfs) with only the archives, themselves? Any way to recover the private directory or should I just wipe the drive?

syg00 · 12-07-2021, 01:31 AM

Quote:

Originally Posted by GrovesP

... both the '.ecryptfs' and '.Private' files were deleted.

Erk. My understanding is that the .Private directory (not a file) is where the encrypted data exist. The .ecryptfs has some nice-to-have files (like the wrapped key), but you can live without them. But if the data are gone you are toast.
As I have never used it, I'm happy to be proved wrong.

Quote:

None of the other encrypted archives were touched

What does this mean - show us a list.

GrovesP · 12-08-2021, 09:32 AM

Appreciate the response.

Quote:

Erk. My understanding is that the .Private directory (not a file) is where the encrypted data exist. The .ecryptfs has some nice-to-have files (like the wrapped key), but you can live without them. But if the data are gone you are toast.

As I have never used it, I'm happy to be proved wrong.

Yeah, that's my understanding as well. But, I was hoping that while the '.Private,' directory has the encrypted containers, the '.ecryptfs,' directory has an index in that file that won't let me mount them. Sorry for the misunderstanding in my original post -- I'll use just the filename (.ecryptfs) and add a slash when I'm describing the directory since they're identically named. (.ecryptfs/)

Quote:

What does this mean - show us a list.

The two directories (.ecryptfs/ and .Private/) are both intact with the exception of the FILES of the same name within those directories. So, the following files were deleted:

.ecryptfs/.ecryptfs
.Private/.Private

Attachment has file listing for both directories. The symbolic links appear broken, but that is most likely because it's mounted under 'media,' and not its usual location.

Thanks, again.

syg00 · 12-09-2021, 10:44 PM

Yeah, I though you might have encrypted filenames as well as the data itself. You'll need to add the filename encryption key to your keyring. Have a read of this, seems to cover it for Mint.

GrovesP · 12-10-2021, 11:22 AM

SOLVED!

Thanks for the help - the missing step was the keyring, and I think my confusion was based on using a (newly created) user with the same login as the original owner. Either way, adding the Mount Passphrase to the keyring and using the appropriate identifier when mounting the share did the trick. That said, I still have no idea what those two files were that we deleted... were they important at all?

Have a great weekend.