Bug #409
Recovering Files From A LUKS and eCryptfs Encrypted Filesystem
Description
I've encountered a problem where I have lost the USB bootloader used to boot into my primary OS, which consists of two LUKS encrypted partitions, one for / and one for /home. Not only were the partitions encrypted, but also the user folders via ecryptfs. Luckily, I was not ultra-paranoid and only used a passphrase with LUKS and not a passphrase/keyfile combination. To begin, I booted into a live Ubuntu environment and dropped into a root shell:
sudo su
Open and mount the LUKS containers
- First open up the LUKS encrypted partitions:
cryptsetup luksOpen /dev/sda5 root
cryptsetup luksOpen /dev/sda6 home
NOTE: This will prompt for a passphrase. Recovering the passphrase is beyond the scope of this guide.
- Next, mount the mapped partitions:
mount /dev/mapper/root /mnt
mount /dev/mapper/home /mnt/home
- Mount the device, process, and system mountpoints:
mount --bind /dev /mnt/dev
mount --bind /sys /mnt/sys
mount --bind /proc /mnt/proc
Mount the Read-Only eCryptfs
Now that I had access to both my root and home partitions, I needed to recover my personal files. These were encrypted using ecryptfs, and it just so happens there is a tool just for recovering an ecryptfs partition.
- From the root terminal, run the recovery command:
ecryptfs-recover-private
This will ask a few questions, including the login passphrase of the user whose directory is being recovered. Once the recovery is complete, a read-only version will be available.
Transfer the files to another machine
Now that I had access to my files, I used rsync to back up my files to another machine:
cd /tmp/ecrypt.63f8g4
rsync -avh --progress -n . -e ssh user@backup.example.com:/path/to/backup/folder
NOTE: The -n flag makes this a dry run. Remove it to actually transfer the files.
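The LUKS and eCryptfs steps above can also be run so that nothing writes to the source disk. The script below is an added example, not part of the original post; the DRY_RUN switch, the MNT variable, the user name argument and the default Ubuntu /home/.ecryptfs/<user>/.Private layout are assumptions.

```shell
#!/bin/sh
# Read-only variant of the recovery steps on this page (added example).
# DRY_RUN=1 (default) only prints each command; run as root with DRY_RUN=0 to execute.
DRY_RUN="${DRY_RUN:-1}"
MNT="${MNT:-/mnt}"        # mount point used on the page

run() {
    # Echo the command, and execute it only when DRY_RUN=0.
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

open_ro() {  # open_ro <device> <mapper-name> <mount-point>
    # Refuse anything without a LUKS header before prompting for a passphrase.
    if [ "$DRY_RUN" != "1" ] && ! cryptsetup isLuks "$1"; then
        echo "error: $1 is not a LUKS device" >&2
        return 1
    fi
    # --readonly maps the container read-only, so nothing can write to the source disk.
    run cryptsetup luksOpen --readonly "$1" "$2" || return 1
    # An ext4 filesystem with an unreplayed journal needs "-o ro,noload" here instead.
    run mount -o ro "/dev/mapper/$2" "$3"
}

recover() {  # recover <root-device> <home-device> <user>
    open_ro "$1" root "$MNT" || return 1
    open_ro "$2" home "$MNT/home" || return 1
    # Assumed layout: Ubuntu's default /home/.ecryptfs/<user>/.Private.
    # ecryptfs-recover-private mounts the decrypted view read-only unless --rw is given.
    run ecryptfs-recover-private "$MNT/home/.ecryptfs/$3/.Private"
}

close_all() {  # undo recover(); unmount the decrypted directory under /tmp first
    run umount "$MNT/home"
    run umount "$MNT"
    run cryptsetup luksClose home
    run cryptsetup luksClose root
}

# Example: DRY_RUN=0 sh recover.sh /dev/sda5 /dev/sda6 alice
if [ "$#" -eq 3 ]; then
    recover "$@"
fi
```

Review the dry-run output first, then rerun as root with DRY_RUN=0 and call close_all once the files have been copied off.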