
jamendo10 08-06-2012 12:59 AM

photorec + .ecryptfs to restore files
I got myself in a bit of a situation. In a poorly meditated event, I was trying to make some room on my ssd and I was using disk usage analyzer to interpret my volume. I saw that the .ecryptfs folder was taking up "double" the space so I went ahead and deleted it. Later found out that disk usage analyzer is not a completely true indication of volume in regards to .ecryptfs. Turns out that everything in .ecryptfs is your actual stored data wrapped with encryption data to protect your data while you're not logged into your cpu. Ecryptfs continually decrypts the data while you read/write to files.

That being said, I learned all this after the fact that I permanently deleted my files. Devastated. lol. So I promise from here to invest in back-up technology.

I ended up using photorec to recover 20 gigs of my ssd. Within the 20 gigs I have f*.eCryptfs files that I would like to decrypt. I have my passphrase.

I was wondering if this has been done before? If so, how?

unSpawn 08-06-2012 12:33 PM

Maybe with ecryptfs-recover-private?

jamendo10 08-07-2012 02:25 AM

I went ahead and tried ecryptfs-recover-private. I was able to successfully mount the directory with my *.eCryptfs files; however, they were not decrypted but simply just duplicated onto the /tmp/ecryptfs.#######/ directory. ecryptfs-recover-private does require that all folders and symlinks be organized/set up as ecryptfs-setup-private would. I may have a folder/file configuration that does not allow ecryptfs-recover-private to decrypt. I need to read more about how ecryptfs-recover-private works. If I do not come up with anything else I will attempt to run ecryptfs-setup-private, add the *.ecryptfs files I recovered with photorec and then ecryptfs-recover-private.

Not sure how else to go about it. I am a bit afraid that I will lose necessary configuration if I go about using ecryptfs-setup-private because it may require overwriting the current seemingly half broken setup.

Also, looking at the second website:

See below @ <<<<<<<<<<

ubuntu@ubuntu:~$ sudo mount /dev/sda1 /mnt

ubuntu@ubuntu:~$ sudo ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/mnt/home/.ecryptfs/cryptotheslow/.Private].
Try to recover this directory? [Y/n]: Y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] Y
INFO: Enter your LOGIN passphrase...
Inserted auth tok with sig [fa0516369a9d60dd] into the user session keyring <<<<<< this line never appears for me
INFO: Success!  Private data mounted read-only at [/tmp/ecryptfs.yxyLYWVG].

ubuntu@ubuntu:~$ gksu nautilus /tmp/ecryptfs.yxyLYWVG

jamendo10 08-07-2012 06:45 AM

So I have found a solution to this problem! Hope this helps others!

Invest in backups. Enough said.

unSpawn 08-07-2012 07:24 AM

Thanks for posting your solution.


Originally Posted by jamendo10 (Post 4747967)
Invest in backups. Enough said.

Still a shame people need to find out the hard way though...
