Linux – How to recover encrypted /home/ folder in Linux Mint 17.2

disk-encryptionlinux-mintpassword

The issue:
I changed my password earlier today, but I must've made a typo, because I couldn't log in afterwards. I booted into the Grub menu and started a passwordless root shell to reset my password. This was successful, as I could now enter the new new password and get past the login screen. However, as soon as I do that, I get an error that says:

Your session only lasted less than 10 seconds. If you have not logged out yourself, this could mean there is some installation problem, or that you may be out of diskspace. Try logging in with one of the failsafe sessions to see if you can fix this problem.

syndaemon: no process found
/etc/mdm/Xsession: Beginning session setup...
localuser:[username] being added to access control list
Can't create dir /home/[username]/Desktop
Can't create dir /home/[username]/Downloads
Can't create dir /home/[username]/Templates
Can't create dir /home/[username]/Public
Can't create dir /home/[username]/Documents
Can't create dir /home/[username]/Music
Can't create dir /home/[username]/Pictures
Can't create dir /home/[username]/Videos
Script for none started at run_im
Script for auto started at run_im
Script for default started at run_im
init: session.migration main process (2322)terminated with status 1
init: logrotate main process (2304) killed by TERM signal
init: Disconnected from notified D-Bus bus

I have the option to hit 'OK' which will take me back to the login screen. If I try to login again, I get the exact same message.

Note: where it says [username] in the above text, the actual error displayed my actual username. I am, however, paranoid when it comes to my online identity, hence I censored it in the error printed above.

I have tried:

rebooting the computer, both using a hard boot and using the shut down button on the login screen

booting in recovery mode and running 'fix broken packages' and 'check all files' (possibly 'all directories', I can't remember)

I have googled and searched every knowledge base I know off, but haven't found a fix

I asked at linuxquestions.org

Tried deleting and recreating my account with the same username

Also;
I've just tried to use the command line to access my encrypted files, but failed miserably

 mint@mint ~ $  ecryptfs-mount-private
 ERROR: Encrypted private directory is not setup properly

Also also

mint@mint ~ $ ecryptfs-unwrap-passphrase /media/34e5c4fa-0621-46cb-83b0-763c2a0dc49c/home/.private/[username]/.ecryptfs/wrapped-passphrase
Passphrase: 
Error: Unwrapping passphrase failed [-2]
Info: Check the system log for more information from libecryptfs

It's not related to Disk space (I'm trying to get into the largest drive, on the bottom):

mint@mint ~ $ df
df: ‘/root/.gvfs’: Permission denied
Filesystem                1K-blocks      Used Available Use% Mounted on
/cow                        2032928   1676256    250076  88% /
udev                        1979616         4   1979612   1% /dev
tmpfs                        404796      1552    403244   1% /run
/dev/sdb1                   3908100   3876388     31712 100% /cdrom
/dev/loop0                  1523456   1523456         0 100% /rofs
none                              4         0         4   0% /sys/fs/cgroup
tmpfs                       2023964        16   2023948   1% /tmp
none                           5120         0      5120   0% /run/lock
none                        2023964        84   2023880   1% /run/shm
none                         102400        28    102372   1% /run/user
/dev/mapper/mint--vg-root 956884652 103557812 804696876  12% /media/mint/34e5c4fa-0621-46cb-83b0-763c2a0dc49c

Also tried the below. It mounts the files, but doesn't decrypt

mint@mint ~ $ sudo ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/media/mint/34e5c4fa-0621-46cb-83b0-763c2a0dc49c/home/.ecryptfs/tijmen/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] y
INFO: Enter your LOGIN passphrase...
Passphrase: 
Error: Unwrapping passphrase and inserting into the user session keyring failed [-5]
Info: Check the system log for more information from libecryptfs
mint@mint ~ $ sudo ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/media/mint/34e5c4fa-0621-46cb-83b0-763c2a0dc49c/home/.ecryptfs/tijmen/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] n
INFO: To recover this directory, you MUST have your original MOUNT passphrase.
INFO: When you first setup your encrypted private directory, you were told to record
INFO: your MOUNT passphrase.
INFO: It should be 32 characters long, consisting of [0-9] and [a-f].

Enter your MOUNT passphrase: 
INFO: Success!  Private data mounted at [/tmp/ecryptfs.cQtlJNMc].
mint@mint ~ $

Other relevant info
I have Linux Mint 17.2 running on a 1TB external HDD, as my internal HD died months ago. So far, this worked like a charm. I am now using a live USB drive, as I hoped to be able to retrieve some essential files (such as my KeePass database file), but the install on the external HDD is encrypted through the use of the 'encrypt partition' option during install.

I have been using Linux Mint for about 6-8 months now, so I am somewhat proficient in the use of the terminal for day-to-day use, but I am fully ignorant on the underlying workings of Linux and the root command options at my disposal.

This is the Linux distro I'm using on the live USB, which is the same one as I've installed on the external HDD

mint@mint ~ $  cat /etc/*-release
DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=17.2
DISTRIB_CODENAME=rafaela
DISTRIB_DESCRIPTION="Linux Mint 17.2 Rafaela"
NAME="Ubuntu"
VERSION="14.04.2 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.2 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
cat: /etc/upstream-release: Is a directory

And this is the kernel
Linux 3.16.0-38-generic x86_64

I am able to see all of my folders and files using the live USB, but as they are encrypted, I can't actually access them.

—- update after first answer —-
GAD3R suggested I

Boot using Linux-mint LiveCD

Make sure that your target system's hard drive is mounted

Open a terminal

Install ecryptfs-utils documentation

sudo apt-get install -y ecryptfs-utils

And run

sudo ecryptfs-recover-private

Follow the prompts

Unfortunately, that didn't work.

mint@mint ~ $ sudo apt-get install -y ecryptfs-utils
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ecryptfs-utils is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 326 not upgraded.
mint@mint ~ $ sudo ecryptfs-recover-private
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Found [/media/mint/34e5c4fa-0621-46cb-83b0-763c2a0dc49c/home/.ecryptfs/tijmen/.Private].
Try to recover this directory? [Y/n]: y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] y
INFO: Enter your LOGIN passphrase...
Passphrase: 
Error: Unwrapping passphrase and inserting into the user session keyring failed [-5]
Info: Check the system log for more information from libecryptfs
mint@mint ~ $

Best Answer

Boot using Linux-mint LiveCD

Make sure that your target system's hard drive is mounted

Open a terminal

Install ecryptfs-utils documentation

sudo apt-get install -y ecryptfs-utils

And run

sudo ecryptfs-recover-private

Follow the prompts

Access your decrypted data and save somewhere else

you can also launch the graphical file browser with sudo nautilus and navigate to the temporary directory

TL;DR:

# ecryptfs-unwrap-passphrase /mnt/crypt/.ecryptfs/user/.ecryptfs/wrapped-passphrase - | ecryptfs-add-passphrase --fnek -
    < Type your login password here >
Inserted auth tok with sig [aaaaaaaaaaaaaaaa] into the user session keyring
Inserted auth tok with sig [bbbbbbbbbbbbbbbb] into the user session keyring

You will not see a prompt and must type your login password, blind, into the above command.

Replace the aaaaaaaaaaaaaaaa and bbbbbbbbbbbbbbbb below with the hex signatures between brackets from the output above, in order:

# mount -i -t ecryptfs -o ecryptfs_sig=aaaaaaaaaaaaaaaa,ecryptfs_fnek_sig=bbbbbbbbbbbbbbbb,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 /mnt/crypt/.ecryptfs/user/.Private /mnt/plain

Preliminaries

It turns out just running as root did not work reliably for me; sometimes it did, sometimes it didn't. Basically, ecryptfs seems buggy and quite user-unfriendly, often confusing login passwords and mount passphrases. After going down a deep, dark rabbit hole, I have some tips that should help. These notes are for Ubuntu 17.10, ecryptfs-utils 111-0, and you should become root before starting. I assume you want to mount your home directory from /mnt/crypt (which should already be mounted) to /mnt/plain, and you should replace user with the username.

Start Easy

The first thing to try is:

# ecryptfs-recover-private /mnt/crypt/.ecryptfs/user/.Private

If this works, well, you're lucky. If not, it may give an error message from mount about no such file or directory. This is extremely misleading: what it really means is your mount passphrase is wrong or missing.

Get The Signatures

Here is the important part: we need to verify ecryptfs is really trying the right mount passphrase(s). The passphrases must be loaded into the Linux kernel before ecryptfs can mount your filesystem. ecryptfs asks the kernel for them by their signature. The signature is a 16-byte hex value (and is not cryptographically sensitive). You can find the passphrase signatures ecryptfs is expecting:

# cat /mnt/crypt/.ecryptfs/user/.ecryptfs/Private.sig
aaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbb

Remember these. The goal is to get passphrases with these signatures loaded into the kernel and then tell ecryptfs to use them. The first signature (aaaaaaaaaaaaaaaa) is for the data, and the second (bbbbbbbbbbbbbbbb) is the FileName Encryption Key (FNEK).

Get the mount passphrase

This command will ask you for you login password (with a misleading prompt), and output your mount passphrase:

# ecryptfs-unwrap-passphrase /mnt/crypt/.ecryptfs/user/.ecryptfs/wrapped-passphrase

Copy this but be careful!!, as this is extremely cryptographically sensitive, the keys to the kingdom.

Try an interactive mount

The next thing to try is:

# mount -t ecryptfs /mnt/crypt/.ecryptfs/user/.Private /mnt/plain

The crucial thing here is that mount needs your (super-sensitive) mount passphrase that we just copied (not your login password).

This will ask you some questions, and you can accept the defaults except say yes to Enable filename encryption. It may give you a warning and ask to cache the signatures; you can say yes to both, but do double-check that you've got the right mount passphrase.

You will see the options that mount has decided to try for you:

Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=bbbbbbbbbbbbbbbb
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=aaaaaaaaaaaaaaaa
Mounted eCryptfs

If the signatures are wrong (don't match what you got from Private.sig), the mount won't work.

...but it will very unhelpfully report that it did. You will have to do an ls /mnt/plain and cat a file to make sure. At this point you can also look in /var/log/syslog and verify that ecryptfs is looking for the same signatures we are.

There are clearly two serious issues with ecryptfs here, and we have to work around them.

Load the keys into the kernel

If the interactive mount didn't help, we have to load the keys into the kernel ourselves and manually specify them in the mount options.

# ecryptfs-add-passphrase --fnek

And paste in your (super-senstive) mount passphrase copied from above. This should output:

Inserted auth tok with sig [aaaaaaaaaaaaaaaa] into the user session keyring
Inserted auth tok with sig [bbbbbbbbbbbbbbbb] into the user session keyring

Mount manually

Now the passphrases are loaded into the kernel, and we just need to tell mount to use them:

# umount /mnt/plain
# mount -i -t ecryptfs -o ecryptfs_sig=aaaaaaaaaaaaaaaa,ecryptfs_fnek_sig=bbbbbbbbbbbbbbbb,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 /mnt/crypt/.ecryptfs/user/.Private /mnt/plain

You'll notice the options are similar to what the interactive mount printed out, except we're manually telling ecryptfs what's up.

Hopefully this works. If not, you can check that the keys are loaded into the kernel with the correct signatures using keyctl list @u, which should print out at least the two signatures you're expecting.

Best Answer

Related Solutions

Linux – Mint – Can’t login “your home directory…” error

Linux Mint Encryption – Mount: No Such File or Directory with Encrypted Recovery