54

I've done something a bit, well, strange. I installed Ubuntu 12.04 directly onto a USB thumb stick, encrypting the /home directory as given the option during the install. The filesystem is btrfs, I believe.

I've now stuck this into my computer running Ubuntu, and I'd like to copy a file onto the USB stick. How can I go about mounting the encrypted home directory so I can copy files to it?

BuZZ-dEE
  • 14,223
Naftuli Kay
  • 4,226

4 Answers

71

You can use ecryptfs-recover-private.

ecryptfs-recover-private /media/<UUID>/home/.ecryptfs/<USERNAME>/.Private

It will prompt for the mount password, unlock the wrapped-passphrase and mount the directory in read only mode under /tmp/ with just a single command. Use the flag --rw to mount the encrypted filesystem as read and write.

Note that as mentioned in the comments, you may need to run and exit ecryptfs-manager first for this to work.

You can check the man page for more information.

Ketil Malde
  • 248
  • 2
  • 9
  • 8
    Not sure why this is not accepted answer. It's A LOT faster. – Kai Feb 25 '17 at 07:56
  • 2
    @Kai Because this answer came three years later... – mook765 Apr 23 '17 at 11:42
  • 2
    Although this question is tagged 12.04, it works for 17.04. – Seanny123 Sep 04 '17 at 17:58
  • 4
    However, when I run the command it insists that I run it as root – Seanny123 Sep 04 '17 at 18:27
  • how do i make it permanent? so after each login it automatically mounts the encrypted disk, considering both: 1. the login pass is the same as the pass used for the disk 2. the passes are different ? – ulkas Nov 17 '18 at 11:31
  • 6
    the flag is --rw with double dash. in case you get a mount(2) error, run the sudo ecryptfs-manager first and immediately exit (4). then repeat the above mount command – ulkas Nov 17 '18 at 19:38
  • My experience was that the solution is to attempt the instructions in both answers -- this one didn't seem to work by itself. Maybe it is necessary to do the sudo ecryptfs-add-passphrase --fnek step from the other top answer. Only then did this work for me. – Brent Bradburn Nov 22 '18 at 02:17
  • 3
    Ha Ha. Never mind my previous suggestion. Better to do what ulkas said: run sudo ecryptfs-manager and select 4. Exit without doing anything else. This has the surprising side-effect of making things work. – Brent Bradburn Jan 16 '19 at 02:48
  • 1
    The sudo ecryptfs-manager saved my life! Kudos to @ulkas - this comment should be in the answer! – Angelos Pikoulas Feb 03 '19 at 01:41
  • For me, the secret to this working is that I MUST specify the /home/.ecryptfs/<USERNAME>/.Private directory manually. ie: use sudo ecryptfs-recover-private /home/.ecryptfs/<USERNAME>/.Private instead of just sudo ecryptfs-recover-private. If I just do the latter (which should also work, but doesn't), I get the following "Permission denied" error: find: ‘/run/user/1001/gvfs’: Permission denied. This seems to be a bug in the ecryptfs-recover-private bash script which uses the find command internally, and I don't understand why using sudo doesn't fix it. – Gabriel Staples Jul 11 '19 at 06:17
48

NB: This answer is correct, but another - newer and faster - way exists requiring only a single step with ecryptfs-recover-private. Make sure to check all answers below.


To get access to the data on your stick and to copy files onto it you need to mount the eCryptfs. This involves several steps:

First you should insert your stick. If Ubuntu doesn't mount it automatically (It usually does.), you should mount it.

Now you should find a directory called .Private. If you did a default installation, this directory should sit in /media/DISK/home/.ecryptfs/USERNAME/.Private. In this example DISK is the directory where your stick is mounted and USERNAME is the name of the user you entered at installation. If you can't find it yourself open a terminal and enter

sudo find /media -type d -name .Private

I assume in the following steps that the directory is in /media/DISK/home/.ecryptfs/USERNAME/.Private.

You need the mount password. This is different from your login password. Enter the following command into a terminal:

ecryptfs-unwrap-passphrase /media/DISK/home/.ecryptfs/USERNAME/.ecryptfs/wrapped-passphrase

You have to enter the login password from the installation of your USB-Ubuntu (not your usual password). The command outputs a passphrase. Write this down or copy it into a file.

The password enables you to unlock the directory. You need to do it in two steps:

> sudo ecryptfs-add-passphrase --fnek
Inserted auth tok with sig [123456789abcdef0] into the user session keyring
> sudo mount -t ecryptfs /media/DISK/home/.ecryptfs/USERNAME/.Private /media/myUSB

The first command adds your passphrase to the kernel keyring and the second tries to mount your .Private to the directory /media/myUSB. If the latter doesn't exist, you have to create it first:

sudo mkdir /media/myUSB

The mount command will ask again for the login password. Next it will ask for a bunch of stuff.

  • Accept the default cipher and key size values (aes and 16).
  • Type n for plaintext passthrough.
  • Type y for filename encryption.
  • The last thing is the FileName Encryption Key (FNEK). Look at the output of the ecryptfs-add-passphrase --fnek command you just typed. There are two lines starting with Inserted auth tok …. Insert the value in square brackets of the second output (123456789abcdef0).

Now you can access the files in /media/myUSB and can copy from and to the directory or subdirectories.

A large part of my description is from "Live CD method of opening a encrypted home directory".

0xC0000022L
  • 5,720
qbi
  • 19,125
  • 4
    Thanks. There were three things that caught me that might help others: 1) I needed sudo ecryptfs-add-passphrase --fnek, note the sudo 2) ecryptfs-add-passphrase wants the unwrapped hex phrase but the mount takes the "login" passphrase 3) I needed to redo ecryptfs-add-passphrase after an umount – bsb Jan 16 '14 at 06:32
  • Thanks - this is wonderful! Solved also my problem :) Is there a way to modify the mount command so that it would also retain the original user (uid) and group? – Ossi Viljakainen Oct 25 '17 at 14:49
7

I had a similar problem and ended here. I was migrating my system to another hard drive and have the same user with encrypted home on both old and new system.

I tried

ecryptfs-recover-private /media/old_disk/home/my_name/.Private

but that directory was in fact a symbolic link to

/home/.ecryptfs/my_name/.Private/

The target directory existed, but pointed to .Private on my new disk.

Correct command should be:

ecryptfs-recover-private /media/old_disk/home/.ecryptfs/my_name/.Private

Maybe ecryptfs-recover-private should display a warning if it detects this pattern. It looks like a common mistake.

Piotr
  • 231
  • Oh, man.. thanks! I've spent sooo much time on this. Then thought I had it, only to realize, that it was indeed mounting my new disk... Thanks, this worked flawlessly. – quapka Aug 19 '17 at 19:23
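The manual procedure in the second answer and the symlink trap in the answer above, put together as an added POSIX sh helper (this is not code from any answer on the page): it locates the real .Private directory on the mounted disk, refuses the home/USER/.Private symlink that points back at the running system, and prints the command sequence for that path. The mount point and user name are arguments you supply; the interactive prompts of ecryptfs-recover-private and mount are still answered by hand.

```shell
#!/bin/sh
# Added helper (not from any answer on this page): locate the real .Private
# directory of an eCryptfs-encrypted home on a mounted disk and print the
# commands from the answers above. Assumes the disk is mounted at $1 and the
# encrypted home belongs to user $2; the interactive prompts of
# ecryptfs-recover-private and mount are still answered by hand when you run them.

# Print the .Private path for USER on the disk mounted at MEDIA.
# Returns 1 if no such directory exists, and 2 if home/USER/.Private is a
# symlink with an absolute target: that target resolves on the running
# system's /home/.ecryptfs, not on the disk (the pitfall in the third answer).
ecryptfs_private_dir() {
    media="$1"; user="$2"
    real="$media/home/.ecryptfs/$user/.Private"
    if [ -d "$real" ] && [ ! -L "$real" ]; then
        printf '%s\n' "$real"
        return 0
    fi
    link="$media/home/$user/.Private"
    if [ -L "$link" ]; then
        case "$(readlink "$link")" in
            /*) return 2 ;;
        esac
    fi
    return 1
}

# Path of the wrapped passphrase that sits beside a .Private directory.
ecryptfs_wrapped_path() {
    printf '%s\n' "$(dirname "$1")/.ecryptfs/wrapped-passphrase"
}

# Print the one-step route and the manual route for a .Private path.
ecryptfs_plan() {
    private="$1"
    echo "# one step, read-write, as in the top answer:"
    echo "sudo ecryptfs-recover-private --rw '$private'"
    echo "# manual route, as in the second answer:"
    echo "ecryptfs-unwrap-passphrase '$(ecryptfs_wrapped_path "$private")'"
    echo "sudo ecryptfs-add-passphrase --fnek"
    echo "sudo mkdir -p /media/myUSB"
    echo "sudo mount -t ecryptfs '$private' /media/myUSB"
}

if [ "$#" -eq 2 ]; then
    if private=$(ecryptfs_private_dir "$1" "$2"); then ecryptfs_plan "$private"
    else rc=$?; echo "no usable .Private for $2 under $1 (status $rc)" >&2; exit 1
    fi
fi
```

Run it as `sh helper.sh /media/DISK USERNAME`; a status of 2 means you are looking at the host's own encrypted home through the symlink, not the disk's.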
1

The passphrase unwrap did not work. I needed to execute:

ecryptfs-unwrap-passphrase /media/DISK/home/.ecryptfs/USERNAME/.ecryptfs/wrapped-passphrase
enedil
  • 982
  • 5
  • 15
  • 27