davison online

a home for things that had no better place to be.

© 2022. All rights reserved.

Encryption, Backups and Recovery

08 Apr 2019

Encryption is a good thing, especially in my country where the government’s desire to know and control every detail of private citizens’ lives would make the Chinese and the Russians blush :) But don’t lock yourself out of your own data as I thought I had yesterday.

I mostly use ubuntu/xubuntu based desktop machines and laptops at home, and always take the option to encrypt home directories (the entire disk on laptops), and always partition disks manually giving /home it’s own. Ubuntu uses ecryptfs to manage the encryption and the data is automatically unlocked/decrypted when logging in; transparently to the user. So although my /home/darren directory looks perfectly normal to me when logged in and using the machine, to someone stealing the PC or disks and trying to mount them as slave drives, both the file names and the contents are unreadable;

darren@hepburn ~ $ ls -al /home/.ecryptfs/darren/.Private/
total 63980
drwx------  145 darren darren    49152 Apr  8 11:03 .
drwxr-xr-x    4 darren darren     4096 Apr  7 19:39 ..
drwxr-xr-x   86 darren darren    20480 Mar  1 00:43 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI01Sp1Y7Mbni.Gv5IWwPXFk--
drwxr-xr-x   11 darren darren    16384 Dec 11 01:15 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI0hV3GgFcVCr4j.37GTijik--
drwxrwxr-x    4 darren darren     4096 Jan  9  2017 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI2qeaiy7FAxmZ-uOnjdTHfk--
lrwxrwxrwx    1 darren darren      124 Nov  1  2015 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI2qI8IxpUtKovbFZLOS3WYE-- -> ECRYPTFS_FNEK_ENCRYPTED.FYb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeIpAMZD0J4V8wTCy4V9qGATRNRu0athRyAOGmqRvz8TNZ9E5JC8OFeRU.GiqPEP4ff
drwxrwxr-x    4 darren darren     4096 Nov  2  2015 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI2TBPVOoQu-9B662Qkm0f4k--
drwx------    2 darren darren     4096 Mar 10 11:36 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI2UvGRHd5W373h3TUCMgIO---
-rw-r--r--    1 darren darren     8192 Nov 13  2014 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI36yx0OBfD4BloNJv1XuD7U--
drwxrwxr-x    3 darren darren     4096 Nov  2  2015 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI3BypztnWrbxdQCZeBVvkkU--
drwxr-xr-x    2 darren darren     4096 Oct 23 13:47 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI3W6lWb1Jj.WUEt67ELAvWU--
-rw-r--r--    1 darren darren    12288 Feb  1  2014 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI44fBeh9bFGMuzrmJCIons---
-rw-r--r--    1 darren darren 13201408 Dec 28 00:53 ECRYPTFS_FNEK_ENCRYPTED.FWb.0NYQdohL4-RW4UL0G74SruUD2-J3nPeI458.0ZUYSR3s54SSxkI3v---
...

When it comes to backing up the contents of these directories, you should only be backing up the encrypted version and not the plain text versions. Seems obvious, but when answering queries about backing up encrypted home directories, I’ve seen more than a few people suggesting that you do precisely the opposite; i.e. rsync the plain text version somewhere while logged in. Don’t do that.

Whatever backup method you choose - dedicated backup software, simple rsync, rsnapshot (the one I use) - specify the /home/.ecryptfs directory as the source. This is the relevant bit from my /etc/rsnapshot.conf file for the machine named hepburn which is my main desktop.

backup	/home/.ecryptfs			hepburn/
backup	/etc/				hepburn/
backup	/usr/local/			hepburn/
backup	/root/				hepburn/

All good. Your backed up copies of $HOME are as safe on disk as your master copy. If you have a problem and need to restore data, simply mount a temporary decrypted version of your backup directory and copy out the files you need before unmounting the temporary directory again. And this is where I nearly had a heart attack yesterday because I forgot how to do that. Since Ubuntu does it for me on my home dir at login, and I’d not needed to recover files for some years, I just got completely lost with the steps to perform what I outlined above. Pretty stupid of me, so here I’ll document the steps for my own benefit (maybe yours too if you’re here reading this).

When you first encrypt your partition or directory at install time, ubuntu (ecryptfs) will generate a recovery password and ask you to store it safely. It’s a 32-char hex key and is used as the passphrase for the private key to decrypt the data. If you do lose it, you can recover it with the ecryptfs-unwrap-passphrase utility, which is basically what ubuntu does on login in order to use it temporarily before re-wrapping it. I had kept mine safe in my key and password manager so I had it ready to use.

Transcript of the salient commands below then as a reference for what to do next time I’m careless enough to delete stuff I really need and dumb enough to forget how to recover.

darren@hepburn ~ $ sudo ecryptfs-add-passphrase --fnek
[sudo] password for darren: 
Passphrase: 
Inserted auth tok with sig [aaaaaaaaaaaaaaaa] into the user session keyring
Inserted auth tok with sig [bbbbbbbbbbbbbbbb] into the user session keyring

… use the 32-char passphrase at the Passphrase: prompt. It needs to be added as root because root is the user that will eventually have to mount the directory. This could be a problem if you have non-root-capable users on your machine. Take note of both of the auth tokens inserted that I’ve masked above as a’s and b’s.

darren@hepburn ~ $ mkdir -p /tmp/recovery

darren@hepburn ~ $ sudo mount -t ecryptfs /path/to/your/backed-up-encrypted/home/.ecryptfs/darren/.Private/ /tmp/recovery
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [aaaaaaaaaaaaaaaa]: bbbbbbbbbbbbbbbb
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=bbbbbbbbbbbbbbbb
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=aaaaaaaaaaaaaaaa
Mounted eCryptfs

… ensure you use the .Private directory of the backup location that you want to recover from in the first argument to the mount command. Again, input the 32-char hex key (unwrapped passphrase) if prompted. Accept defaults for the first 3 answers but say y for filename encryption. I also found that I had to use the 2nd of the auth tokens output earlier and not the first which it defaults to, but YMMV.

darren@hepburn ~ $ ls -al /tmp/recovery/
total 64012
drwx------  145 darren darren    45056 Apr  8 11:06 .
drwxrwxrwt   37 root   root      61440 Apr  8 13:22 ..
-rw-------   22 darren darren     1372 Apr 17  2018 1q
drwxrwxr-x    2 darren darren     4096 Nov  2  2015 .abook
-rw-r--r--   22 darren darren      524 Mar 22  2006 agp2.bin
drwxrwxr-x    2 darren darren     4096 Nov  2  2015 .android
-rw-rw-r--   22 darren darren       31 Sep 13  2017 .angular-cli.json
-rw-r--r--   22 darren darren      576 May 17  2011 .anyconnect
-rw-------   22 darren darren    64191 Jul 26  2007 appeal.tif
drwx------    3 darren darren     4096 Nov 15  2015 .arcv2
...

… et voila, your backed up files that you can now copy what you need from :)

darren@hepburn ~ $ sudo umount /tmp/recovery

… unmount it ASAP.

Related Posts

Discuss