LinuxQuestions.org
Old 09-20-2019, 07:37 AM   #16
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,320

Rep: Reputation: 635

the manual suggests that you just need "the proper key"
 
1 members found this post helpful.
Old 09-20-2019, 08:59 AM   #17
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,784

Original Poster
Rep: Reputation: 49
Finally some progress. Now have a bunch of *.eCryptfs files on a thumb drive. Going to boot the system now to get the passphrase via ecryptfs-unwrap-passphrase, still trying to figure out how to use that against all these individual files to hopefully turn them into their decrypted versions.
 
Old 09-20-2019, 10:10 AM   #18
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,784

Original Poster
Rep: Reputation: 49
Still fighting. I couldn't get it, found this site and am trying post #5 https://forum.cgsecurity.org/phpBB3/...pic.php?t=7535
supplying it the passphrase from running a ecryptfs-unwrap-passphrase on the actual system, but then i get warnings like

WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

even though i've copied/pasted the key to make sure i didn't typo it, then i get this

mount: /home/username/Desktop/decrypted: wrong fs type, bad option, bad superblock on /home/username/Desktop/crypted, missing codepage or helper program, or other error.
Error mounting eCryptfs: [-1] Operation not permitted
 
Old 09-20-2019, 10:44 AM   #19
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,320

Rep: Reputation: 635
how many files did you get?
how many were you hoping for?


I would,

Code:
cp -a /home/user /mnt/usb/copyofuser
Code:
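#!/bin/bash
# Dry run: print the cp commands that would copy each recovered file
# into tempDir, renamed with the extension that fidentify reports.
tempDir="/mnt/usb/temp"
recoveredDir="/path/to/recovered"

while IFS= read -r file
do
   # keep the last word of fidentify's output as the extension
   ext="$( fidentify "${file}" )"
   ext=".${ext##* }"
   # same relative path, but under tempDir instead of recoveredDir
   dst="${file/#${recoveredDir}/${tempDir}}"
   dst="${dst%.*}${ext}"
   echo "cp -av \"${file}\" \"${dst}\""
done < <(find "${recoveredDir}" -type f)
echo "# no files were harmed"
echo "# if it looks good, pipe to sh"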
then I would copy anything in /mnt/usb/temp
that looks like it is encrypted to
/mnt/usb/copyofuser/.Private/

then launch the .desktop file
( or see what command it is executing and run that from shell )
 
1 members found this post helpful.
Old 09-20-2019, 10:51 AM   #20
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,784

Original Poster
Rep: Reputation: 49
Almost 10,000 haha. But i have a rough idea of the size of the one they're looking for to help narrow it down a bit.

OK, will give this a shot a bit later. I didn't think I could use fidentify yet on them until after I decrypted them somehow. but they all are at this point just randomcharacters.eCryptfs files still, which I failed to mention.
 
Old 09-20-2019, 10:57 AM   #21
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,320

Rep: Reputation: 635
Quote:
Originally Posted by rjo98
Almost 10,000 haha. But i have a rough idea of the size of the one they're looking for to help narrow it down a bit.

OK, will give this a shot a bit later. I didn't think I could use fidentify yet on them until after I decrypted them somehow. but they all are at this point just randomcharacters.eCryptfs files still, which I failed to mention.
the fidentify should id them as encrypted, and I'd hope the correct ext

if you know the size, you could craft the find to narrow it down for you
 
Old 09-20-2019, 11:23 AM   #22
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,784

Original Poster
Rep: Reputation: 49
they do have an extension now, kinda, they all end in .eCryptfs.

But aren't they all still technically encrypted so fidentify won't find anything? I know, need to try it instead of ask, just asking until i can try.
 
Old 09-20-2019, 11:42 AM   #23
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,320

Rep: Reputation: 635
fidentify is only looking at the metadata of the file, which is not encrypted

The main body of the file is encrypted

do the files which were not deleted end .eCryptfs or .ecr?

I don't think it matters, extensions are only for use by humans and helper scripts like bash-completion

The real reason I did it was to narrow the field, so you don't go trying to decrypt unencrypted jpegs or spreadsheets or whatever
 
Old 09-20-2019, 11:45 AM   #24
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,784

Original Poster
Rep: Reputation: 49
oh, didn't realize that, thanks.

I ran photorec to only recover eCryptfs stuff, so that's all i have, a whole lot of random.Ecryptfs files.

Should be able to try your .sh in a little while hopefully
 
Old 09-20-2019, 11:52 AM   #25
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,320

Rep: Reputation: 635
if you know the rough size
Code:
done < <(find "${recoveredDir}" -size +100M -size -200M -type f)
greater than 100M and less than 200M

ah so you haven't run that script yet

it may not change the file extension then, it will just copy
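
Added example, not part of any post in this thread and not code from the eCryptfs or PhotoRec projects: because the start of an eCryptfs file is stored unencrypted, the plaintext size recorded there can be read from each recovered file and used to narrow the candidates to the expected size range. It assumes the eCryptfs format version 1 header (8-byte big-endian size, then an 8-byte marker whose two halves XOR to 0x3c81b7f5) with metadata kept in the file rather than in xattrs; the function names and sample bytes are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed layout (eCryptfs header, format version 1):
#   bytes 0-7   plaintext file size, big-endian (stored unencrypted)
#   bytes 8-15  marker m1||m2, where m1 XOR m2 == 0x3c81b7f5

# Print the plaintext size recorded in $1; fail if the marker is absent.
ecryptfs_plain_size() {
    hex=$(od -An -v -tx1 -N16 < "$1" | tr -d ' \n')
    [ "${#hex}" -eq 32 ] || return 1          # fewer than 16 bytes read
    size_hex=$(printf '%s' "$hex" | cut -c1-16)
    m1=$(printf '%s' "$hex" | cut -c17-24)
    m2=$(printf '%s' "$hex" | cut -c25-32)
    [ $(( 0x$m1 ^ 0x$m2 )) -eq $(( 0x3c81b7f5 )) ] || return 1
    echo $(( 0x$size_hex ))
}

# List "size<TAB>path" for files under $1 whose recorded plaintext size
# lies in [$2, $3] bytes. Read-only: nothing is copied or modified.
list_by_plain_size() {
    find "$1" -type f | while IFS= read -r f; do
        s=$(ecryptfs_plain_size "$f") || continue
        if [ "$s" -ge "$2" ] && [ "$s" -le "$3" ]; then
            printf '%s\t%s\n' "$s" "$f"
        fi
    done
}

# Constructed sample input: one 16-byte header claiming a 150 MiB
# plaintext (0x09600000) with m1=0x11223344, m2=0x2da384b1, and one
# file that is not eCryptfs at all.
demo_dir=$(mktemp -d)
printf '\000\000\000\000\011\140\000\000\021\042\063\104\055\243\204\261' \
    > "$demo_dir/f1.eCryptfs"
printf 'not an ecryptfs header' > "$demo_dir/f2.eCryptfs"

# Same 100M-200M window as the find example above, in bytes.
list_by_plain_size "$demo_dir" 104857600 209715200
rm -rf "$demo_dir"
```

The encrypted file on disk is larger than the plaintext it holds because of the header and extent padding, so the recorded size is a tighter filter than `find -size` when the size of the original file is what is known.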
 
Old 09-20-2019, 11:56 AM   #26
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,784

Original Poster
Rep: Reputation: 49
yeah, looks like it just wanted to copy. manually ran fidentify on some and it just spit back out eCryptfs anyway.

so I think i'm back to just figuring out how to decrypt the ones in the size range at this point, right?
 
Old 09-20-2019, 12:52 PM   #27
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 2,320

Rep: Reputation: 635
yeah, I would stick them in /mnt/usb/copyofuser/.Private/


thinking about it
you could create a new partition somewhere

and copy the users home dir to that
copy the recovered files of interest to the /path/to/newhomepart/user/.Private/

unmount /home
and mount the new home in its place and login as user
if the files decrypt, copy them someplace, logout, unmount /home

confirm the files are still decrypted
then remount original home
and pretend nothing happened

the important thing is to avoid writes to the original home partition.
each write risks overwriting a deleted file.


if a new partition is a problem, you might get away with a bind mount

Code:
sudo mount --rbind /mnt/usb/copyofuser /home/user
see man mount
search for rbind
 
Old 09-20-2019, 01:15 PM   #28
rjo98
Senior Member
 
Registered: Jun 2009
Location: US
Distribution: RHEL, CentOS
Posts: 1,784

Original Poster
Rep: Reputation: 49
Boy would I love to pretend this never happened haha

I'll try to see where I can get with this. I'll leave it open in case anyone else wants to chime back in too. I'm not overly hopeful here, but at least I learned quite a bit!
 
  

