decrypting eCryptfs files recovered by photorec

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
pkfpvtkr
Posts: 4
Joined: 20 Sep 2019, 16:13

decrypting eCryptfs files recovered by photorec

#1 Post by pkfpvtkr »

photorec recovered a lot of eCryptfs files for me, and I'm trying post #5 from ...pic.php?t=7535
supplying it the passphrase from running a ecryptfs-unwrap-passphrase on the actual system, but then i get warnings like

WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

even though i've copied/pasted the key, then i get this

mount: /home/username/Desktop/decrypted: wrong fs type, bad option, bad superblock on /home/username/Desktop/crypted, missing codepage or helper program, or other error.
Error mounting eCryptfs: [-1] Operation not permitted

The default settings were used on the encrypted home folder so it should be AES and 16 as advised to be checked in that other post, any ideas on what else could be the issue here?

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: decrypting eCryptfs files recovered by photorec

#2 Post by cgrenier »

Please provide the exact command line you used.

pkfpvtkr
Posts: 4
Joined: 20 Sep 2019, 16:13

Re: decrypting eCryptfs files recovered by photorec

#3 Post by pkfpvtkr »

Sorry, bad link, it's actually viewtopic.php?f=7&t=7535

Here is the command
sudo mount -t ecryptfs -o ecryptfs_passthrough=n,key=passphrase,ecryptfs_enable_filename_crypto=n,ecryptfs_key_bytes=16,ecryptfs_cipher=aes crypted decrypted

then when it prompts for the passphrase, I take the passphrase I copied from a ecryptfs-unwrap-passphrase and paste it in. then I get the following (put X's in some spots for privacy)

WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [xxxxxxxxxxxxxxxx] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
Not adding sig to user sig cache file; continuing with mount.
mount: /home/xxx/Desktop/decrypted: wrong fs type, bad option, bad superblock on /home/xxx/Desktop/crypted, missing codepage or helper program, or other error.
Error mounting eCryptfs: [-1] Operation not permitted
Check your system logs; visit <http://ecryptfs.org/support.html>

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: decrypting eCryptfs files recovered by photorec

#4 Post by cgrenier »

The algo may be something other than aes and/or the ecryptfs_key_bytes may be different than 16.
Maybe it's possible to get the values use previously from log files...

pkfpvtkr
Posts: 4
Joined: 20 Sep 2019, 16:13

Re: decrypting eCryptfs files recovered by photorec

#5 Post by pkfpvtkr »

The home directory was originally encrypted when Linux Mint was loaded, which I believe uses /usr/bin/ecryptfs-setup-private which has this in it:

CIPHER="aes"
KEYBYTES="16"

I'm not sure if there's a more accurate way to tell.

pkfpvtkr
Posts: 4
Joined: 20 Sep 2019, 16:13

Re: decrypting eCryptfs files recovered by photorec

#6 Post by pkfpvtkr »

Anything else I can try, or do you think I'm out of luck?

Locked