Restoring *.eCryptfs-files

ct82
Posts: 5
Joined: 22 Dec 2017, 19:40

Restoring *.eCryptfs-files

#1 Post by ct82 »

Hi,

could someone explain to me how restoring the *.eCryptfs files created by photorec on an ecryptfs-encrypted partition should work in theory?

There seems to be no documentation and the filetype eCryptfs seems to be unique to photorec.

There were a few questions like this in the forum but my impression was that none of the respective users was successful in restoring any files...

Any hints appreciated.

Cheers,
Chris

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Restoring *.eCryptfs-files

#2 Post by cgrenier »

eCryptfs files are encrypted files under Linux. Encryption is not at partition level, but at file level.
eCryptfs is frequently used on Ubuntu ( https://help.ubuntu.com/lts/serverguide/ecryptfs.html ) and on some Android phones.
PhotoRec can recover deleted eCryptfs encrypted files but as they are encrypted, you still have to unlock the directory holding the files with your password...

ct82
Posts: 5
Joined: 22 Dec 2017, 19:40

Re: Restoring *.eCryptfs-files

#3 Post by ct82 »

Thanks for your reply.
cgrenier wrote: 24 Dec 2017, 10:48 PhotoRec can recover deleted eCryptfs encrypted files but as they are encrypted, you still have to unlock the directory holding the files with your password...
Could you please provide more information on how exactly to accomplish this? What I did so far was putting all resulting files into a single/flat directory and performing an `ecryptfs-recover-private` on this directory. However, what then gets mounted under `/tmp` is exactly the same directory with everything still encrypted. This is similar to what another user reported in this thread:

viewtopic.php?f=7&t=2660&p=8809&hilit=ecryptfs#p8809

I have all passwords/passphrases and the system I am trying to recover files from is the same one I am trying to do the recovery on now. .ecryptfs and .Private are still in place. No reinstall or anything in between. So this should more or less be the simplest setup one could think of for recovering files on ecryptfs.

ct82
Posts: 5
Joined: 22 Dec 2017, 19:40

Re: Restoring *.eCryptfs-files

#4 Post by ct82 »

Should I create a bug report regarding this issue?

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Restoring *.eCryptfs-files

#5 Post by cgrenier »

Here is an example of decrypting files:

```
mkdir crypted decrypted
mv recup_dir.*/*.eCryptfs crypted
sudo mount -t ecryptfs -o ecryptfs_passthrough=n,key=passphrase,ecryptfs_enable_filename_crypto=n,ecryptfs_key_bytes=16,ecryptfs_cipher=aes crypted decrypted
```

Note that you need to know the key size (here 16) and the algo (aes in this example).

ct82
Posts: 5
Joined: 22 Dec 2017, 19:40

Re: Restoring *.eCryptfs-files

#6 Post by ct82 »

I appreciate your help.

Still, the mounted "decrypted" folder only contains the same encrypted file (for this test, I only took a single file out of the thousands of *.eCryptfs I actually have).

Yet, if I start creating new files in the "decrypted" folder I find their encrypted counterparts within the "crypted" folder. Unmounting the folder and mounting it again using the same command decrypts my newly created files, but not the one created using photorec.

So it seems like the *.eCryptfs-files are not really detected as being ecryptfs-encrypted files. If I copy arbitrary plaintext-files to the "crypted"-folder before performing the mount, these files just get copied over to the "decrypted" folder, just like the *.eCryptfs-file.

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Restoring *.eCryptfs-files

#7 Post by cgrenier »

Can you double check that you are using the option "ecryptfs_enable_filename_crypto=n" ?

ct82
Posts: 5
Joined: 22 Dec 2017, 19:40

Re: Restoring *.eCryptfs-files

#8 Post by ct82 »

I can't believe how god-damn-stupid I've been for the last two weeks... :cry:

After double-checking this option you mentioned, with the same result I always ended up with from the very beginning, namely an eCryptfs-file in the decrypted folder, I realized that the filesizes between the "encrypted" and "decrypted" folder were different. So for the first time, I actually opened one of these files in vi: Still looked binary, but then I found some plain SQL within the file! It was a decrypted SQLite database...

Even though I knew from the past that photorec does not recover filenames, I was still somehow expecting it to at least resolve the file extension or so... so far I was only using photorec on unencrypted drives, where at least the file extension is recovered (and since I always use exif-metadata to generate a filename and never really use the ones generated by my cameras, the scrambled rest of the filename was never an issue for me). But no, the extension remains "eCryptfs" even though everything's decrypted successfully. And based on what I already knew before, it somehow makes sense...

Right now I let a program scan my decrypted folder looking for jpg-"magic" and perform the required file-extension renaming myself...

So, I can't tell you how sorry I am for bothering you for so long with this total non-issue! Thanks for not giving up, because otherwise I probably would have given up already without ever seeing any of my files again.

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: Restoring *.eCryptfs-files

#9 Post by cgrenier »

You can use fidentify (or file) to identify the correct file extension.
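
An added example, not code from any post in this thread: a Python sketch of the check-and-rename step discussed in posts #6 to #9, using its own small magic table instead of fidentify or file. It first tests whether a file under the mount still carries the eCryptfs header marker (bytes 8-11 XOR bytes 12-15, big-endian, equal to 0x3c81b7f5 in the Linux eCryptfs on-disk header) and only then renames by content; the function names, the extension table and the sample files are assumptions made for illustration.

```python
import struct
import tempfile
from pathlib import Path

ECRYPTFS_MARKER = 0x3C81B7F5  # header bytes 8-11 XOR bytes 12-15 (big-endian)
# Leading bytes -> extension; a small constructed table, extend as needed.
MAGIC = [(b"\xff\xd8\xff", "jpg"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"SQLite format 3\x00", "sqlite"), (b"%PDF-", "pdf")]

def classify(path):
    """Return 'encrypted', 'unknown', or an extension for recognised content."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if len(head) == 16:
        m1, m2 = struct.unpack(">II", head[8:16])
        if m1 ^ m2 == ECRYPTFS_MARKER:
            return "encrypted"  # still ciphertext: the mount did not decrypt it
    for magic, ext in MAGIC:
        if head.startswith(magic):
            return ext
    return "unknown"

def rename_decrypted(directory, dry_run=True):
    """Map each *.eCryptfs name to its new name or a status; rename unless dry_run."""
    result = {}
    for src in sorted(Path(directory).glob("*.eCryptfs")):
        kind = classify(src)
        if kind in ("encrypted", "unknown"):
            result[src.name] = kind
            continue
        dst = src.with_suffix("." + kind)
        if dst.exists():
            result[src.name] = "skipped"  # never overwrite an existing file
            continue
        if not dry_run:
            src.rename(dst)
        result[src.name] = dst.name
    return result

def demo():
    """Dry run over constructed sample files (not real recovered data)."""
    d = Path(tempfile.mkdtemp())
    samples = {"f1.eCryptfs": b"\xff\xd8\xff\xe0" + bytes(32),
               "f2.eCryptfs": b"SQLite format 3\x00" + bytes(32),
               "f3.eCryptfs": struct.pack(">QII", 4096, 0x11223344, 0x11223344 ^ ECRYPTFS_MARKER)}
    for name, data in samples.items():
        (d / name).write_bytes(data)
    return rename_decrypted(d)
```

Run `rename_decrypted("decrypted")` as a dry run first; any file reported as `encrypted` there means the mount options (key, cipher, key size) did not match that file.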
