Recovering .eCrytpts files from sbd1 drive

Question

When one of my RAID 1 drives went bad, after installing a replacement with one button in bios I ended up reformatting my drive. Linux then refused to recognize the new RAID formated drive, I managed to get windows to run testdisk to recover some files which I put on my new hardrive. (Although the file size seem low, I am hoping to recover something, I am hoping Linux mint encryption compresses the files.)

My problem is I am having difficulty getting ecryptfs to decrypt the files.

sudo ecryptfs-recover-private /dev/sdb1 

I get

INFO: Searching for encrypted private directories (this might take a while)...
find: ‘/run/user/1000/gvfs’: Permission denied

after I did sudo umount /run/user/1000/gvfs (I don’t really understand what this does but getting rid of it give me)

I get

sudo ecryptfs-recover-private /dev/sdb1
INFO: Searching for encrypted private directories (this might take a while)...
INFO: Hint: click 'Places' and select your hard disk, then run this again.
ERROR: No private directories found; make sure that your root filesystem is mounted.

/dev/sdb1 appears to be mounted I can interact with it with the GUI

I saw this this as a possible solution

mkdir crypted decrypted
mv recup_dir.*/*.eCryptfs crypted
sudo mount -t ecryptfs -o ecryptfs_passthrough=n,key=passphrase,ecryptfs_enable_filename_crypto=n,ecryptfs_key_bytes=16,ecryptfs_cipher=aes crypted decrypte
Note that you need to know the key size (here 16) and the algo (aes in this example).

Unfortunately I am not as familiar with terminal commands as I am with GUI, but I recognize the above example creates two dir in the home location. I need to make these two dir on sdb1 for the hard drive that I reinstalled linux on was an old HD with only 320GB, and I have 350gb of family pictures and movies I am trying to recover. So I am afraid the encrypted and decrypted files will not all fit on the drive with the home partition on it. I do have 1.6 TB free on sbd1 (the drive I recovered the files on). I can easily make the two dir crypted and decrypted on sbd1 with the GUI but I don’t really know how to interact with sbd1 using the terminal. How can I write the move command to move all the .eCryptfs into a newly created crypted folder on sdb1?

The second question I have is with the Note “that you need to know the key size (here 16) and the algo (aes in this example).” what is the key size? Is that the number of letters in the encryption password?

Answer 1

First, /dev/sdb1 is the partition "file", it's not browse-able by just going cd /dev/sdb1 or ls /dev/sdb1 but only by it's mountpoint (another directory).

You can check if & where it's mounted by checking mount itself, in a terminal this would work:

mount | grep "/dev/sdb1"

FYI, ecryptfs-recover-private is just a shell script, you could look through it yourself if you wanted, or even run the lines one at a time in a terminal & watch for different errors. It looks like it's not finding any directories named .Private, since it uses this command to search everywhere for them:

find / -type d -name ".Private"

So I'm guessing /dev/sdb1 isn't really mounted. Or if is, there's no folder named .Private which is a problem for finding your encrypted home.

I'd do this:

1. mount the partition with either of these ways:

   • in a terminal like this (I like mounting read-only / ro for recovery, just in case):

     mkdir -p /media/drive
     mount -v -o ro /dev/sdb1 /media/drive
     

   • Or most file managers can mount a drive with a click or two, but will probably mount to some other directory, maybe somewhere in /mnt or /media. Or I like using Disks / gnome-disk-utility.

2. After it's definitely mounted, just running sudo ecryptfs-recover-private should work ok, if there's a .Private folder somewhere.

   You shouldn't have to worry about the keysize or algo or any keys yourself (the script looks like it's got these as defaults: ecryptfs_cipher=aes,ecryptfs_key_bytes=16).

   • Browse the now mounted files (might need a root file browser) and look for a home folder and any .ecryptfs and .Private folders, maybe they're gone/damaged.