User:Aries97/Scratch Pad/Mount Encrypted Ubuntu Home Directory

From Gentoo Wiki
Jump to: navigation, search

Introduction

Ubuntu allows users to encrypt their home directories upon installation. In case of hardware failure it is easy to decrypt and access these files with Gentoo so they can be recovered. The encrypted home directory and either the login password, or the decryption passphrase are all that's required.

eCryptfs setup

The files and filenames are individually encrypted and decrypted on the fly using eCryptfs. eCryptfs needs to be enabled in the kernel:

The wiki has an excellent set of instructions: https://wiki.gentoo.org/wiki/Ecryptfs

The short version:

Note
The short version listed here is the simplest possible example. It may not be appropriate for your system.
root #cd /usr/src/linux
root #make menuconfig
KERNEL
File systems  --->
   [*] Miscellaneous filesystems  --->
       <M>   eCrypt filesystem layer support
Security options  --->
   [*] Enable access key retention support
root #make && make modules_install
root #mount /boot
root #make install

Reboot!

Install the ecrypt file system utilitys:

root #emerge --ask sys-fs/ecryptfs-utils


Locating the Files

Locate the Ubuntu encrypted home directory for decryption. If the home directory is on an external hard drive Gentoo may have automagically mounted it at:

/run/media/{username}/{UUID}

As an example we will use:

/run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/

The decryption target would then be the users home directory:

/run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/user

That folder is, however, empty; except for some symbolic links. Ubuntu puts the encrypted home directory files in a different directory; which is then decrypted and mounted on the fly to the users home directory by ecryptfs. All of the encrypted files for our example are located here:

/run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/.ecryptfs/user/.Private

Decryption Passphrase

The passphrase is a 16-byte hexadecimal number that Ubuntu asks the user to record after installation is complete. As an example: 7069ca27397aa8ac9163fe7a703257f7

If the decryption passphrase is known move on to the next step.

If the decryption passphrase is unknown it can be discovered by using the logon password to decrypt the wrapped-passphrase file:

/run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/.ecryptfs/user/.ecryptfs/wrapped-passphrase

Unwrap the Passphrase:

user $ecryptfs-unwrap-passphrase /run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/.ecryptfs/user/.ecryptfs/wrapped-passphrase
Passphrase: 
7069ca27397aa8ac9163fe7a703257f7

Filename Encryption

The filename encryption key is needed before the files can be accessed. Also the decryption passphrase needs to be added to the user session keyring. Accomplish both of these things with the following command:

root #ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [fe4b983ff729814b] into the user session keyring
Inserted auth tok with sig [cd7b5893b93c0920] into the user session keyring

The filename encryption key is output as a hexadecimal number in the second set of brackets. The example filename encryption key is cd7b5893b93c0920

Decrypt and Mount

Give the mount command with type ecryptfs followed by the location of the encrypted files, followed by a location to mount the decrypted files at:

root #mount -t ecryptfs /run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/.ecryptfs/user/.Private /run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/user

At the interactive prompt make the following eight entries/choices:

  • Passphrase
  • Cipher: AES
  • Key bytes: 16
  • plaintext passthrough: n
  • filename encryption: n
  • Filename Encryption Key
  • proceed?: yes
  • append sig?: no
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: aes
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 16
Enable plaintext passthrough (y/n) [n]: n
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [fe4b983ff729814b]: cd7b5893b93c0920
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=cd7b5893b93c0920
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=fe4b983ff729814b
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key 
before. This could mean that you have typed your 
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [fe4b983ff729814b] to
[/root/.ecryptfs/sig-cache.txt] 
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.

The decrypted files are now available for recovery or backup. In the example they are at: /run/media/anon/27a70809-cb85-43eb-908f-ecb759dd4c99/home/user

Warning
eCryptfs decrypts and encrypts files and filenames on the fly.

The files are not permanently decrypted at this point.

They are simply available for copying or modification.

Troubleshooting

Mount Fails

mount: mount(2) failed: No such file or directory
Error mounting eCryptfs: [-1] Operation not permitted
Check your system logs; visit <http://ecryptfs.org/support.html>
That usually means the key wasn't added to the user session keyring. Try dmesg | tail for a more detailed error message:
[17955.991447] Could not find key with description: [91f6e7ae96b0047e]
[17955.991449] process_request_key_err: No key
[17955.991451] Could not find valid key in user session keyring for sig specified in mount option: [91f6e7ae96b0047e]
[17955.991452] One or more global auth toks could not properly register; rc = [-2]
[17955.991453] Error parsing options; rc = [-2]
To fix make sure that ecryptfs-add-passphrase --fnek is run by the same user that is mounting the filesystem.