Mount Encrypted Ubuntu Home/Guide

Introduction
Ubuntu allows users to encrypt their home directories upon installation. In case of hardware failure it is easy to decrypt and access these files with Gentoo so they can be recovered. The encrypted home directory and either the login password, or the decryption passphrase are all that's required.

eCryptfs setup
The files and filenames are individually encrypted and decrypted on the fly using eCryptfs. eCryptfs needs to be enabled in the kernel:

More information on eCryptfs can be found here.

Reboot!

Install the ecrypt file system utilitys:

Locating the Files
Locate the Ubuntu encrypted home directory for decryption. If the home directory is on an external hard drive Gentoo may have automagically mounted it at:



As an example we will use:



The decryption target would then be the users home directory:



That folder is, however, empty; except for some symbolic links. Ubuntu puts the encrypted home directory files in a different directory; which is then decrypted and mounted on the fly to the users home directory by ecryptfs. All of the encrypted files for our example are located here:



Decryption Passphrase
The passphrase is a 16-byte hexadecimal number that Ubuntu asks the user to record after installation is complete. The example passphrase is:

If the decryption passphrase is known move on to the next step.

If the decryption passphrase is unknown it can be discovered by using the logon password to decrypt the wrapped-passphrase file:



Unwrap the Passphrase:

Filename Encryption
The filename encryption key is needed before the files can be accessed. Also the decryption passphrase needs to be added to the user session keyring. Accomplish both of these things with the following command:

The filename encryption key is output as a hexadecimal number in the second set of brackets. The example filename encryption key is

Decrypt and Mount
Give the mount command with three options: type ecryptfs, the location of the encrypted files, and the location to mount the decrypted files at. The example command is:

At the interactive prompt make the following eight entries/choices:
 * Passphrase
 * Cipher: AES
 * Key bytes: 16
 * plaintext passthrough: n
 * filename encryption: n
 * Filename Encryption Key
 * proceed?: yes
 * append sig?: no

The decrypted files are now available for recovery or backup. In the example they are at: 

Troubleshooting
Mount Fails mount: mount(2) failed: No such file or directory Error mounting eCryptfs: [-1] Operation not permitted Check your system logs; visit 


 * That usually means the key wasn't added to the user session keyring. Try dmesg | tail for a more detailed error message:

[17955.991447] Could not find key with description: [91f6e7ae96b0047e] [17955.991449] process_request_key_err: No key [17955.991451] Could not find valid key in user session keyring for sig specified in mount option: [91f6e7ae96b0047e] [17955.991452] One or more global auth toks could not properly register; rc = [-2] [17955.991453] Error parsing options; rc = [-2]


 * To fix make sure that ecryptfs-add-passphrase --fnek is run by the same user that is mounting the filesystem.