54

I've done something a bit, well, strange. I installed Ubuntu 12.04 directly onto a USB thumb stick, encrypting the /home directory as given the option during the install. The filesystem is btrfs, I believe.

I've now stuck this into my computer running Ubuntu, and I'd like to copy a file onto the USB stick. How can I go about mounting the encrypted home directory so I can copy files to it?

BuZZ-dEE
  • 14,223
Naftuli Kay
  • 4,226

4 Answers4

71

You can use ecryptfs-recover-private.

ecryptfs-recover-private /media/<UUID>/home/.ecryptfs/<USERNAME>/.Private

It will promt for the mount password, unlock the wrapped-passphrase and mount the directory in read only mode under /tmp/ with just single command. Use the flag --rw to mount the encrypted filesystem as read and write.

Note that as mentioned in the comments, you may need to run and exit ecryptfs-manager first for this to work.

You can check the man page for more information.

Ketil Malde
  • 248
  • 2
  • 9
Seppo Erviälä
  • 5,645
  • 8
    Not sure why this is not accepted answer. It's A LOT faster. – Kai Feb 25 '17 at 07:56
  • 2
    @Kai Because this answer came three years later... – mook765 Apr 23 '17 at 11:42
  • 2
    Although this questions is tagged 12.04, it works for 17.04. – Seanny123 Sep 04 '17 at 17:58
  • 4
    However, when I run the command it insists that I run it as root – Seanny123 Sep 04 '17 at 18:27
  • how do i make it permanent? so after each login it automatically mounts the encrypted disk, considering both: 1. the login pass is the same as the pass used for the disk 2. the passes are different ? – ulkas Nov 17 '18 at 11:31
  • 6
    the flag is --rw with double dash. in case you get a mount(2) error, run the sudo ecryptfs-manager first and immediately exit (4). then repeat the above mount comand – ulkas Nov 17 '18 at 19:38
  • My experience was that the solution is to attempt the instructions in both answers -- this one didn't seem to work by itself. Maybe it is necessary to do the sudo ecryptfs-add-passphrase --fnek step from the other top answer. Only then did this work for me. – Brent Bradburn Nov 22 '18 at 02:17
  • 3
    Ha Ha. Never mind my previous suggestion. Better to do what ulkas said: run sudo ecryptfs-managerand select 4. Exit without doing anything else. This has the surprising side-effect of making things work. – Brent Bradburn Jan 16 '19 at 02:48
  • 1
    The sudo ecryptfs-manager saved my life! Kudos to @ulkas - this comment should be in the answer! – Angelos Pikoulas Feb 03 '19 at 01:41
  • For me, the secret to this working is that I MUST specify the /home/.ecryptfs/<USERNAME>/.Private directory manually. ie: use sudo ecryptfs-recover-private /home/.ecryptfs/<USERNAME>/.Private instead of just sudo ecryptfs-recover-private. If I just do the latter (which should also work, but doesn't), I get the following "Permission denied" error: find: ‘/run/user/1001/gvfs’: Permission denied. This seems to be a bug in the ecryptfs-recover-private bash script which uses the find command internally, and I don't understand why using sudo doesn't fix it. – Gabriel Staples Jul 11 '19 at 06:17
48

NB: This answer is correct, but another - newer and faster - way exists requiring only a single step with ecryptfs-recover-private. Make sure to check all answers below.

To get access to the data on your stick and to copy files onto it you need to mount the eCryptfs. This involves several steps:

First you should insert your stick. If Ubuntu doesn't mount it automatically (It usually does.), you should mount it.

Now you should find a directory called .Private. If you did a default installation, this directory should sit in /media/DISK/home/.ecryptfs/USERNAME/.Private. In this example DISK is the directory where your stick is mounted and USERNAME is the name of the user you entered at installation. If you can't find it yourself open a terminal and enter

sudo find /media -type d -name .Private

I assume in the following steps that the directory is in /media/DISK/home/.ecryptfs/USERNAME/.Private.

You need the mount password. This is different from your login pasword. Enter the following command into a terminal:

ecryptfs-unwrap-passphrase /media/DISK/home/.ecryptfs/USERNAME/.ecryptfs/wrapped-passphrase

You have to enter the login password from the installation of your USB-Ubuntu (not your usual password). The command outputs a passphrase. Write this down or copy it into a file.

The password enables you to unlock the directory. You need to do it in two steps:

> sudo ecryptfs-add-passphrase --fnek
Inserted auth tok with sig [123456789abcdef0] into the user session keyring
> sudo mount -t ecryptfs /media/DISK/home/.ecryptfs/USERNAME/.Private /media/myUSB

The first command adds your passphrase to the kernel keyring and the second tries to mount your .Private to the directory /media/myUSB. If the latte doesn't exist, you have to create it first:

sudo mkdir /media/myUSB

The mount command will ask again for the login password. Next it will ask for a bunch of stuff.

  • Accept the default cipher and key size values (aes and 16).
  • Type n for plaintext passthrough.
  • Type y for filename encryption.
  • The last thing is the FileName Encryption Key (FNEK). Look at the output of the ecryptfs-add-passphrase --fnek command you just typed. There are two lines starting with Inserted auth tok …. Insert the value in square brackets of the second output (123456789abcdef0).

Now you can access the files in /media/myUSB and can copy from and to the directory or subdirectories.

A large part of my description is from "Live CD method of opening a encrypted home directory".

0xC0000022L
  • 5,720
qbi
  • 19,125
  • 4
    Thanks. There were three things that caught me that might help others: 1) I needed sudo ecryptfs-add-passphrase --fnek, note the sudo 2) ecryptfs-add-passphrase wants the unwrapped hex phrase but the mount takes the "login" passphrase 3) I needed to redo ecryptfs-add-passphrase after an umount – bsb Jan 16 '14 at 06:32
  • Thanks - this is wonderful! Solved also my problem :)

    Is there way to modify the mount command so that it would also retain the original user (uid) and group?

     – Ossi Viljakainen Oct 25 '17 at 14:49
7

I had similar problem and ended here. I was migrating my system to another hard drive and have the same user with encrypted home on both old and new system.

I tried 

ecryptfs-recover-private /media/old_disk/home/my_name/.Private

but that directory was in fact symbolic link to 

/home/.ecryptfs/my_name/.Private/

The target directory existed, but pointed to .Private on my new disk.

Correct command should be:

ecryptfs-recover-private /media/old_disk/home/.ecryptfs/my_name/.Private

maybe ecryptfs-recover-private should display warning if it detects this pattern. It looks like common mistake.

Piotr
  • 231
  • Oh, man.. thanks! I've spent sooo much time on this. Then thought I had it, only to realize, that it was indeed mounting my new disk... Thanks, this worked flawlessly. – quapka Aug 19 '17 at 19:23
1

The passphrase unwrap did not work. I needed to execute:

ecryptfs-unwrap-passphrase /media/DISK/home/.ecryptfs/USERNAME/.ecryptfs/wrapped-passphrase
enedil
  • 982
  • 5
  • 15
  • 27
user307400
  • 11