Mounting your Encrypted Home from a Jaunty LiveCD

March 4, 2009

I have received a few questions lately about mounting Ubuntu Encrypted Private or Encrypted Home directories from a Jaunty LiveCD.

You can do this from a terminal with:

ubuntu@ubuntu$ sudo mount /dev/sda1 /mnt
ubuntu@ubuntu$ sudo mount -o bind /dev /mnt/dev
ubuntu@ubuntu$ sudo mount -o bind /proc /mnt/proc
ubuntu@ubuntu$ sudo mount -o bind /sys /mnt/sys
ubuntu@ubuntu$ sudo chroot /mnt
root@ubuntu$ su - kirkland
kirkland@ubuntu$ ecryptfs-mount-private
Enter your login passphrase:
Warning: Using default salt value (undefined in ~/.ecryptfsrc)
Inserted auth tok with sig [xxx] into the user session keyring
kirkland@ubuntu$ cd $HOME
kirkland@ubuntu$ ls -alF
...
kirkland@ubuntu$ cat .profile
...

The above process assumes that your ~/.ecryptfs/wrapped-passphrase file is available on this system. If you’re using 2-factor authentication and storing this elsewhere, you might need to perform an additional mount and symbolic link to make this file available.

Alternatively, if you’re trying to recover data, and you’ve recorded your mount passphrase properly, you would use

kirkland@ubuntu$ ecryptfs-add-passphrase --fnek

just before the ecryptfs-mount-private bit, to manually enter your passphrase (rather than pulling it from ~/.ecryptfs/wrapped-passphrase).

Notes:

  1. /dev/sda1 is the device serving my $HOME/.Private
  2. kirkland is my username, yours will likely be different 😉
  3. Bind mounting /sys and /proc is critical; ecryptfs needs access to kernel information shared there
  4. The dash in “su -” is important; don’t forget it!

:-Dustin
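
The prerequisites named above (the /dev, /proc and /sys bind mounts, the user's .Private directory and ~/.ecryptfs/wrapped-passphrase) can be checked from the LiveCD session before the chroot. The script below is an added example, not part of the original post; its function names are hypothetical, and it assumes the user's home directory is listed in /etc/passwd on the mounted disk and that it is run as root.

```shell
# Added example: pre-flight checks to run as root before "chroot /mnt".
# Usage: sh preflight.sh /mnt kirkland   (script name is hypothetical)

# Map PATH (as seen inside the chroot) to its location under ROOT, following
# one symlink level so that an absolute target such as
# ~/.ecryptfs -> /var/lib/ecryptfs/USER is not resolved against the LiveCD.
in_root() {
    r_path=$2
    if [ -L "$1$r_path" ]; then
        r_target=$(readlink "$1$r_path")
        case $r_target in
            /*) r_path=$r_target ;;
            *)  r_path=$(dirname "$r_path")/$r_target ;;
        esac
    fi
    printf '%s\n' "$1${r_path%/}"
}

# Print one line per missing prerequisite; return non-zero if any is missing.
check_ecryptfs_files() {
    c_root=$1; c_user=$2; c_bad=0
    c_home=$(awk -F: -v u="$c_user" '$1 == u { print $6 }' "$c_root/etc/passwd" 2>/dev/null)
    if [ -z "$c_home" ] || [ ! -d "$c_root$c_home" ]; then
        echo "MISSING home directory for $c_user"; return 1
    fi
    [ -d "$(in_root "$c_root" "$c_home/.Private")" ] ||
        { echo "MISSING $c_home/.Private"; c_bad=1; }
    [ -f "$(in_root "$c_root" "$c_home/.ecryptfs")/wrapped-passphrase" ] ||
        { echo "MISSING $c_home/.ecryptfs/wrapped-passphrase"; c_bad=1; }
    return "$c_bad"
}

# /dev, /proc and /sys must already be mounted under ROOT.
check_binds() {
    b_bad=0
    for b_dir in dev proc sys; do
        mountpoint -q "$1/$b_dir" || { echo "NOT MOUNTED $1/$b_dir"; b_bad=1; }
    done
    return "$b_bad"
}

preflight() {
    p_rc=0
    check_binds "$1" || p_rc=1
    check_ecryptfs_files "$1" "$2" || p_rc=1
    return "$p_rc"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A missing wrapped-passphrase line corresponds to the case described above where the file is stored elsewhere, or where the mount passphrase has to be entered with ecryptfs-add-passphrase --fnek.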


25 Responses to “Mounting your Encrypted Home from a Jaunty LiveCD”

  1. crashsystems Says:

    Thanks for the info. What I would like to know (and I’m sure it is simpler than I realize) is how to do an rsync backup of the encrypted files. When I’m logged into my Jaunty VM with encrypted home, I cannot see the .Private directory. When I boot into an ISO, I can only see the contents of .Private when I use sudo.

  2. Marius Gedminas Says:

    I love how these kinds of instructions (the ones that contain seventeen incomprehensible shell commands you wouldn’t want to dictate to your grandmother over the phone) inevitably contain the word “simple”.

    For the instructions themselves I thank you — they’ll certainly come in handy.

  3. young_einstein Says:

    Hi Dustin,

    I've just tried following your instructions, but I still can't seem to get access to the contents of my home folder?

    FWIW … I'm trying to recover files from an encrypted install which has just decided that it doesn't want to boot anymore.

    First off, I'm decrypting the drive using "sudo cryptsetup luksOpen /dev/sdc1 mybrokendrive", and then mounting it using "sudo mount /dev/ubuntu-server/root /mnt"

    That works fine, and I can see the contents of my drive *EXCEPT* for my /home folder, because that's obviously still encrypted by Ubuntu as well.

    I've tried following your instructions and everything SEEMS to be working like it should, I get all the same prompts/responses as your post, but I still CAN'T get access to my /home folder.

    When I try listing the folder contents, all I get is:

    david@ubuntu:~$ ls -alF
    total 24
    dr-x------ 3 david david 4096 2009-04-05 04:42 ./
    drwxr-xr-x 3 root root 4096 2009-03-15 10:52 ../
    lrwxrwxrwx 1 root root 56 2009-03-15 10:52 Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
    -rw------- 1 root root 300 2009-04-04 22:05 .bash_history
    lrwxrwxrwx 1 root root 23 2009-03-15 10:52 .ecryptfs -> /var/lib/ecryptfs/david/
    drwx------ 51 david david 12288 2009-03-25 18:44 .Private/
    lrwxrwxrwx 1 root root 52 2009-03-15 10:52 README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt

    Inside the .Private folder is all still encrypted.

  4. Matt Ballard Says:

    I’m running into possibly the same roadblock young_einstein is. I can see everything up to the encrypted home folder. Instead I see those two files:

    Access-Your-Private-Data.desktop
    readme.txt

    Additionally, I’m having trouble chrooting in, with this as a result:

    ubuntu@ubuntu:~$ sudo chroot /mnt
    /bin/bash: error while loading shared libraries: /lib/tls/i686/cmov/libdl.so.2: file too short

  5. romeo Says:

    Hi Dustin,

    I have followed all your instructions above and all function well. I can view the content of my encrypted home folder with the Ubuntu Live-CD Session.
    But now I have a problem: I don’t know how I can save my data outside the encrypted home, because I am not able to connect, for instance, an external USB disk and access this disk from the terminal. I have tried different ways, but every time the external disk is not readable, or I can’t write to it, and so on.
    An external disk can be used with the normal “ubuntu” live session user, but not with the “kirkland” user.
    Do you have any suggestions about this?

    Many thanks

  6. Martin Says:

    Hi Dustin!

    Thanks for the instructions, everything worked as it should. Now I want to move on to more advanced stuff.

    I want to do a live backup of my home directory in an unencrypted state. Therefore I put my home directory into an lvm volume, from which I create a snapshot.

    I then mount the snapshot and would like to do a “mount -t ecryptfs” to get to a snapshot of the decrypted data. Unfortunately I was not able to figure out how to do this. Maybe you could give me some hints?

    Thanks
    Martin

  7. schuga Says:

    Hi Dustin,
    I keep running into problems at the chroot command. I’m trying to get my encrypted home data off a harddrive I took out of a dead 64bit computer. I’m not sure if it is necessary to do this with a computer with the same architecture or if a 32bit computer is possible.
    I expected to be able to go into my encrypted file system like in a tar file – but that doesn’t seem to be the case…

  8. saran Says:

    Hi Dustin,
    I have a big problem. I have my encrypted home, but the partition that had the folders /proc and /sys was deleted by a new installation (Ubuntu 9.10).
    Is there any way to access my encrypted data?

    Thanks
    Saran

  9. Dustin Kirkland Says:

    Saran-

    Deleted? You can’t delete /proc or /sys. Those are virtual filesystems created by the kernel on boot. There’s no persistent data stored there. It’s recreated every time you boot. If you carefully follow the instructions above, you will have a working /proc and /sys.

    :-Dustin

  10. Dustin Kirkland Says:

    schuga-

    Architecture (32 v 64) doesn’t matter. Follow the instructions above very carefully.

    :-Dustin

  11. Dustin Kirkland Says:

    Martin-

    I’m afraid that the mount -t ecryptfs command might be slightly broken in Ubuntu 9.10. There were a number of changes to that code. There’s a bug open. I will be working on that shortly.

    :-Dustin

  12. Dustin Kirkland Says:

    Romeo-

    I usually use NFS. I’ll mount a remote filesystem over the network and then use rsync -aP to copy my decrypted data off of the system.

    You should be able to use a USB disk or USB key just fine, too.

    Once you have your data mounted and accessible decrypted, open a *new* terminal, running as the ubuntu (administrative) user. This user should be able to write to the USB disk, and see the decrypted data. Use the ‘mount’ command to find the correct path to the mounted ecryptfs data outside of the chroot.

    :-Dustin

  13. Dustin Kirkland Says:

    Matt-

    Looks like you have a faulty LiveCD. Check the md5sum of your ISO, and re-burn your disk (or key) at a slower speed.

    :-Dustin

  14. saran Says:

    Thanks for your earlier reply, I still can’t mount my home.
    The home folder has a broken symbolic link, pointing to the /var/lib/ecryptfs/saran folder. This folder does not exist. Is there any way to mount my home having only the .Private folder?
    Thanks again.

  15. Martin Says:

    Hi Dustin!

    Thanks 🙂
    I’ll try it again when you fixed the bug. So when the mount command works correctly, what should I use as fnek? Or will mount -t ecryptfs automatically calculate it from the passphrase?

    Martin

  16. saran Says:

    Dustin,
    I only have my .Private folder,
    This is the output of ecryptfs-mount-private

    ERROR: Encrypted private directory is not setup properly

    I tried everything and do not know what else to do.

    Saran.

  17. ck Says:

    For Saran, about ecryptfs not being setup properly … are you using your own account to run the command, or root, or the live ubuntu account? You need to run the command as yourself. I found that out last night.

    I’m not sure if this will work for me, since I have 9.10 & Dustin said there’s a bug for 9.10, but I’ll keep the information in hopes it will work, or at least hopes I won’t need it in the future.
    Two nights ago I had a problem in which Ubuntu stopped booting properly, but last night someone told me to run fsck to fix it, and it did fix it, so I don’t need these instructions at the moment.

    Dustin: has the fix been edited into the blog post for 9.10 already, or are you still working on that?

  18. Wildner Says:

    Hello Dustin, following your info, I could see and manipulate any files, but I cannot recover them. I tried to mount the files encrypted by my other Ubuntu partition.
    I tried to copy the files by this command:
    wildner@widner-desktop:~$ cp /home/wildner/Mariah\ Carey\ -\ I\ Wanna\ Know\ What\ Love\ Is.mp3 /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
    -su: cp: /home/wildner/Mariah Carey - I Wanna Know What Love Is.mp3: Not a directory
    wildner@widner-desktop:~$ cp /home/wildner/Linux /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
    -su: cp: /home/wildner/Linux: No such file or directory
    wildner@widner-desktop:~$ cp /home/wildner/Linux/*.* /dev/sdb6/media/fc549a2f-b218-452d-9041-ccf76734002d/wildner/Documentos
    -su: cp: /home/wildner/Linux/*.*: No such file or directory
    How do I copy the files to the other partition?

    Thanks in advance

  19. lc Says:

    hi,

    I followed your instructions with a 9.04 CD for a crashed 9.10 installation, and after ecryptfs-mount-private I get:
    ecryptfs-insert-wrapped-passphrase-into-keyring: error while loading shared libraries: libecryptfs.so.0: cannot open shared object file: No such file or directory
    what to do now?
    I also tried it with a 9.10 CD, but the result is the same. I have Ubuntu on one ext4 partition

  20. blarneyrabble Says:

    Worked for me on 9.10
    I recovered my data onto a usb drive by typing: sudo mkdir /mnt/usb && sudo mount /dev/sdd1 /mnt/usb

    After the chroot, when I did the su - username, it told me to run ecryptfs-mount-private, and that asked me for my passphrase, and then I entered my user password and everything worked out just fine

  21. Jason Says:

    Sweet, thanks Dustin.
    Note that this will not work with the Karmic 9.10 liveCD although you may be able to replace the ecryptfs package with that from the Jaunty repository (not tested). Also, I had a raid0 array with an lvm2 volume. I first had to enable raid and lvm in Jaunty and then mount my logical volume as follows:
    sudo -i
    apt-get update
    apt-get install dmraid mdadm lvm2
    modprobe dm-raid4-5
    vgchange -a y
    mount /dev/mapper/"volume name-root" /mnt
    then continue as above

  22. OmarG Says:

    It sorta’ worked for me. If I use the folder GUI browser (Nautilus, I think it’s called) my folder is still locked, but I can use the terminal to look at a list of what I’ve got, and am now trying to copy (cp) to my USB, but since I’m not having any success I’m guessing I have to mount my USB too. I have Ubuntu 9.10 Karmic Koala and am new to Linux, and my HD won’t boot. Ubuntu rocks though :p

  23. robMietto Says:

    Hi, Dustin.
    When I go to “su - User” it responds “No directory, logging in with HOME=/”. If I continue with ecryptfs-mount-private, then I receive a message: “ERROR: Encrypted private directory is not setup properly”. There is some trick here…

    Could you please illuminate it?

    rob

  24. robMietto Says:

    … To be more clearly?

    [ until this point all right ]
    ubuntu@ubuntu:~$ sudo chroot /mnt
    root@ubuntu:/# < -- answer
    root@ubuntu:/# su - rob
    No directory, logging in with HOME=/
    To run a command as administrator (user “root”), use “sudo “.
    See “man sudo_root” for details.

    rob@ubuntu:/$ < -- answer
    rob@ubuntu:/$ ecryptfs-add-passphrase --fnek
    Passphrase: < -- yes, i have my passphrase
    Inserted auth tok with sig [ee9a16399aeb0e85] into the user session keyring
    Inserted auth tok with sig [9a9c1f340c8ec93e] into the user session keyring
    rob@ubuntu:/$ ecryptfs-mount-private
    ERROR: Encrypted private directory is not setup properly
    rob@ubuntu:/$

    thanxs

    rob (with ubuntu 9.10)

  25. Dustin Kirkland Says:

    To reiterate what is stated just below “POST A COMMENT” …

    Please do not use blog comments for support requests! Blog comments do not scale well to this effect.

    Instead, please use Launchpad for Bugs and Questions.
    * bugs.launchpad.net
    * answers.launchpad.net

    Thanks,
    :-Dustin

