I'll answer this question, as the author of ecryptfs-setup-private, and one of the maintainers of eCryptfs.
eCryptfs provides very strong cryptographic protection of your data "at rest" -- ie, when your system is powered off or hibernated. However, you should beware that when your system is running, and your home directory is mounted, your data is protected exclusively by DAC (Discretionary Access Controls) -- ie, UNIX filesystem permissions. By default in Ubuntu, if you're using an Encrypted Home Directory, then your $HOME directory has 700 permissions -- so no other users on the system besides you (and root) will be able to see your data while it's mounted. Now when your data is mounted, then it is safely locked away in encryption.
As always, you should still have a very strong LOGIN passphrase, however. Your LOGIN passphrase is used to encrypt and decrypt a much longer and stronger randomly generated mount passphrase, which is stored in $HOME/.ecryptfs/wrapped-passphrase. If an attacker has access to $HOME/.ecryptfs/wrapped-passphrase, then they can try and decrypt that file by guessing your LOGIN passphrase. If they do decrypt that, then they will have access to your long/random MOUNT passphrase and your data is no longer safe. As a stronger measure of security, some paranoid users (such as myself) store their wrapped-passphrase file on secure removable media such as a USB key or an SD card, and use a symbolic link to link it into place at $HOME/.ecryptfs/wrapped-passphrase. This should only be attempted by expert users.
Cheers!
I figured out my problem. I was running the command and giving it my HOME directory, and for some reason it was saying it was successful in mounting it. However, it was lying. Turns out you need to run the command with the .Private folder that each user has; it's located in
sudo ecryptfs-mount-private /home/.ecryptfs/<username>/.Private
The command is supposed to recurse and find that folder for you, but I was impatient and gave it my home folder. I'm not sure why it said it was successful when it clearly wasn't, but if you give it that .Private folder, and then enter your login password, it should mount it to a folder inside /tmp/ and you can do whatever else you want to do with the data =)
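The two answers above make two practical points: the lower directory to hand to ecryptfs-mount-private lives under /home/.ecryptfs/<username>/.Private, not under the user's home, and once mounted the data is guarded only by the 700 mode on $HOME and the 600 mode on the wrapped-passphrase file. The POSIX sh script below is an added pre-flight check written for this page; it is not part of eCryptfs or of either answer. It assumes the Ubuntu layout where the wrapped passphrase sits in /home/.ecryptfs/<username>/.ecryptfs/wrapped-passphrase (an assumption; the answers only name the $HOME/.ecryptfs/wrapped-passphrase link and the .Private directory). It does not mount anything; it verifies the layout and permissions and prints the exact mount command to run.

```shell
#!/bin/sh
# Added example (not eCryptfs code): pre-flight checks before recovering an
# encrypted home with ecryptfs-mount-private.
# Assumed layout (Ubuntu default; the .ecryptfs/ sibling directory is an assumption):
#   $BASE/.ecryptfs/$USER/.Private                      encrypted lower directory
#   $BASE/.ecryptfs/$USER/.ecryptfs/wrapped-passphrase  mount passphrase, wrapped with the login passphrase

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Locate the lower (.Private) directory for a user under a base such as /home.
# Prints the path and returns 0 on success; returns 1 if it is not there.
find_private_dir() {
    dir="$1/.ecryptfs/$2/.Private"
    [ -d "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# The wrapped passphrase is the only thing standing between a stolen file and
# the mount passphrase; it must exist and be readable by its owner alone.
check_wrapped_passphrase() {
    f="$1/.ecryptfs/$2/.ecryptfs/wrapped-passphrase"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    m=$(mode_of "$f")
    case "$m" in
        600|400) return 0 ;;
        *) echo "$f is mode $m; expected 600" >&2; return 2 ;;
    esac
}

# While mounted, only DAC protects the data: the home directory should be 700.
check_home_private() {
    [ "$(mode_of "$1")" = "700" ]
}

# Run every check and print the command the recovery answer recommends.
# Usage: preflight BASE USERNAME HOMEDIR   e.g. preflight /home alice /home/alice
preflight() {
    base=$1; user=$2; home=$3
    private=$(find_private_dir "$base" "$user") || {
        echo "no .Private directory for $user under $base" >&2; return 1; }
    check_wrapped_passphrase "$base" "$user" || return 1
    check_home_private "$home" ||
        echo "warning: $home is not mode 700; other local users can read it once mounted" >&2
    printf 'sudo ecryptfs-mount-private %s\n' "$private"
}

# Invoked as a script with three arguments it runs the checks; sourced, it only defines them.
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

The permission warning is deliberately non-fatal: a lax home mode does not stop recovery, but it is the condition under which the first answer's "protected exclusively by DAC" caveat bites, so it is worth seeing before the mount rather than after.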
Best Answer
I had a similar issue. I was able to solve it using the instructions here:
http://deferred.io/posts/2013/01/06/recovering-ecryptfs-home-dir.html
The key for me was to first navigate to:
before I ran the command:
Before I just navigated to
/media
and ran
I entered my passphrase and I received a SUCCESS notification. Unfortunately, I was still unable to access
/tmp/ecryptfs.(randomcharacters)
It took me two days to finally find a solution that worked.