securely restoring an ecryptfs encrypted backup

Question

I'm using ecryptfs to backup the entire contents of my Ubuntu box to an external hard drive enclosure. I've followed this guide and have things properly backing-up and encrypted as I want.

That's all well and good until I have to actually use the encrypted backup, and that's got me wondering. In the event that I lose my entire primary hard drive, what files/info should I readily have access to in order to de-crypt my backup? Besides the options used to setup the initial encryption, are these the only two things I need:?

• passphrase
• sig key

Answer 1

For a backup, you might just need to remember the passphrase and the options you used to set up the encrypted folder, so everything in the example page you linked:

To see the files again, just mount the directory with ecryptfs filesystem.

# mount -t ecryptfs /home/sk/unixmen/ /home/sk/unixmen/

Select key type to use for newly created files:
1) tspi
2) passphrase
Selection: 2 <---- Type 2 and press enter
Passphrase:  <---- Enter the passphrase
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: <---- Press Enter
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: <---- Press Enter
Enable plaintext passthrough (y/n) [n]: <---- Press Enter
Enable filename encryption (y/n) [n]: <---- Press Enter
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=5c116acdf1d0dd89
Mounted eCryptfs

The ecryptfs_sig is derived from the passphrase, so is really just to verify you've entered the right passphrase, not really essential to the mount command.

I can't say I like the "Add your passphrase in this file" part of the automatic mount section, detracts from the security by having the passphrase in plain text. Your system can use eCryptFS & PAM to automatically mount encrypted folders on login, using your login passphrase to "wrap"/encrypt the eCryptFS key. See man ecryptfs & the man pages for it's tools, like ecryptfs-setup-private

Answer 2

I found a much nicer solution, after struggling with the above for a couple of hours.

sudo ecryptfs-recover-private

It's super simple to use, just run it and it will find your old private directory, then mount it in /tmp for you.

From the man page:

ecryptfs-recover-private - find and mount any encrypted private directories

This utility is intended to help eCryptfs recover data from their encrypted home or encrypted private partitions. It is useful to run this from a LiveISO or a recovery image. It must run under sudo(8) or with root permission, in order to search the filesystem and perform the mounts.