Ubuntu
ecryptfs-utils package

Document recovery of Ubuntu-style encrypted home from external USB and get it to the top of Google

Bug #689969 reported by Paul Sladen
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ecryptfs-utils (Ubuntu)
Fix Released
High
Unassigned

Bug Description

The documentation covering Ubuntu's out-of-the-box encrypted partitions, and the recovery there-of, is dire. The common case is that a user has salvaged the hard-disk out of another laptop, connected it using an external USB<->SATA/IDE converter and just wants to get to the encrypted data.

Ubuntu provides out-of-the-box single tickbox support for setting up encypted home directories, and even encourages the user to save a backup recovery key. When the user comes to needing to use it, they have no idea how to. The top result on Google is completely irrelevant and demonstrates the lack of public knowledge:

  http://ubuntuforums.org/showthread.php?t=1182940

Then there is tonnes of information on LUKS and/or device-mapper. Neither of which is relevant:

  https://help.ubuntu.com/community/EncryptedFilesystemHowto

Eventually the user might happen upon:

  https://help.ubuntu.com/community/EncryptedPrivateDirectory

which has little nuggets (mount -t encyptfs) in the right direction, but talks about the generic case, rather than being optimised for the use-case that Ubuntu ships *out-of-the-box*. The particular documentation tells the user to ignore scary error messages, even though ignoring scary error messages doesn't help. It confuses login passwords and recovery passwords and uses different terminology to the original Ubuntu installer/setup utility. It suggests that the user entered a recovery key, when actually the setup-utility provided one.

Ideally there would be something with heuristics, that asked for the "passphrase from the original machine" and failing that asked for the back up key "this is a long sequence of numbers and letters and is NN characters long". Even better would be some documentation to say (in three lines or so) how to mount a home directory that was created with the out-of-the-box setup onto a recovery machine in such a way as the user was guided through the defaults and these were sanity checked. If the default is to use encrypted filenames, then that should be the default in the mount tool too.

It would appear that the two magic lines necessary are something along the lines of:

  1a. ecryptfs-unwrap-passphrase /media/...long.string.../home/.ecryptfs/username/.ecryptfs/wrapped-passphrase
  1b. enter login password from other machine
  1c. note down 32-digit hex key
  2a. sudo echo okay (to make sure your local sudo password is cached and reduce confusion)
  2b. sudo mount -t ecryptfs /media/...long.string.../home/.ecryptfs/username/.Private /somewhere/
  2c. past 32-digit hex key at "Password:" prompt
  2d. aes (default)
  2e. 16 (default)
  2f. no (default)
  2g. yes (yes to encrypted filenames)
  2h. [enter] (default, based on key entered in 2c(?) )
  2i. yes (just get on with it)
  2j. no (wouldn't help)
  2k. you may now see "Mounted eCryptfs"

if you're unlucky and happen to be me, you now also get the kernel stracktrace below.

See original description
Paul Sladen (sladen)
description: updated
Paul Sladen (sladen)
Changed in ecryptfs-utils (Ubuntu):
importance: Undecided → High
description: updated
Revision history for this message
Paul Sladen (sladen) wrote :

Then in a cunning last ditch poly to put the user off (if it looks like they're getting close), the system may hand them an OOPS:

[47397.716015] [<c02fbbdf>] ? ecryptfs_parse_tag_70_packet+0x2cf/0x5e0
[47397.716015] [<c02f9a9b>] ? ecryptfs_decode_and_decrypt_filename+0xdb/0x150
[47397.716015] [<c02f3063>] ? ecryptfs_filldir+0x33/0xb0
[47397.716015] [<c02a7a96>] ? call_filldir+0x96/0xd0
[47397.716015] [<c02f3030>] ? ecryptfs_filldir+0x0/0xb0
[47397.716015] [<c02a7c3f>] ? ext4_dx_readdir+0x16f/0x270
[47397.716015] [<c01e682d>] ? filemap_fault+0x11d/0x470
[47397.716015] [<c01ea72a>] ? __alloc_pages_nodemask+0xea/0x600
[47397.716015] [<c02f3030>] ? ecryptfs_filldir+0x0/0xb0
[47397.716015] [<c02a8266>] ? ext4_readdir+0x3e6/0x4c0
[47397.716015] [<c01e43a2>] ? unlock_page+0x42/0x50
[47397.716015] [<c01ff768>] ? __do_fault+0x3c8/0x4f0
[47397.716015] [<c01ee3aa>] ? lru_cache_add_lru+0x2a/0x50
[47397.716015] [<c02f3030>] ? ecryptfs_filldir+0x0/0xb0
[47397.716015] [<c031a7a0>] ? security_file_permission+0x90/0xb0
[47397.716015] [<c0235246>] ? vfs_readdir+0x96/0xb0
[47397.716015] [<c02f3030>] ? ecryptfs_filldir+0x0/0xb0
[47397.716015] [<c02f2fd9>] ? ecryptfs_readdir+0x59/0xb0
[47397.716015] [<c0234ef0>] ? filldir64+0x0/0xf0
[47397.716015] [<c0235246>] ? vfs_readdir+0x96/0xb0
[47397.716015] [<c0234ef0>] ? filldir64+0x0/0xf0
[47397.716015] [<c02353ea>] ? sys_getdents64+0x6a/0xc0
[47397.716015] [<c05fb494>] ? syscall_call+0x7/0xb

Paul Sladen (sladen)
description: updated
Revision history for this message
Dustin Kirkland  (kirkland) wrote :

I've used the instructions here hundreds of times:
 * http://blog.dustinkirkland.com/2009/03/mounting-your-encrypted-home-from.html

And that page has received many, many thousands of hits.

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

I've long considered putting together a little interactive command line script that runs the commands in that blog post, prompting for the user specific pieces, putting that tool in ecryptfs-utils, and making sure that its runable from a live cd. I can probably whip something together that's useful for the majority of use cases, ie recovering from an ubuntu live cd.

As for getting the documentation to the top hit in Google, that's hardly something that we can solve within this bug.

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

See ecryptfs-recover-private in the latest release.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 84-0ubuntu1

---------------
ecryptfs-utils (84-0ubuntu1) natty; urgency=low

  * src/desktop/ecryptfs-record-passphrase: fix typo, LP: #524139
  * debian/rules, debian/control:
    - disable the gpg key module, as it's not yet functional
    - clean up unneeded build-deps
    - also, not using opencryptoki either
  * doc/manpage/ecryptfs.7: fix minor documentation bug, reported by
    email by Jon 'maddog' Hall
  * doc/manpage/ecryptfs-recover-private.1, doc/manpage/Makefile.am,
    po/POTFILES.in, src/utils/ecryptfs-recover-private,
    src/utils/Makefile.am: add a utility to simplify data recovery
    of an encrypted private directory from a Live ISO, LP: #689969
 -- Dustin Kirkland <email address hidden> Fri, 17 Dec 2010 20:14:45 -0600

Changed in ecryptfs-utils (Ubuntu):
status: New → Fix Released
joopbraak (joopbraak)
summary: - Document recovery of Ubuntu-style encypted home from external USB and
+ Document recovery of Ubuntu-style encrypted home from external USB and
get it to the top of Google
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.