Let's say you've been using a Linux machine for either a desktop or a server. During the installation you opted to have the home directory encrypted and, at some point (for whatever reason) the system will no longer boot. Is that encrypted data lost? With a little bit of work, no. I want to walk you through the process of recovering the data from your encrypted home directory. This process will require a working Linux machine with the drive containing the encrypted home directory attached and mounted. Your best bet is to handle this process on the likes of one of the more recent Ubuntu releases, as it will ensure your drive is automatically mounted when you attach it. You will also need the encryption password you created to protect your home directory.
Locating the drive
With your drive attached to your working Linux machine, open up a terminal window and issue the command ls /media. You should see the Universal Unique Identifier (UUID) for the drive in question. Chances are this will be a long string of characters. So the location of the drive will be /media/UUID (where UUID matches that of the drive in question). You will need this information in a bit.
You will also need to know the username associated with the data you need to recover. If this was a machine that housed data for multiple users, you will need all of those user names, as well as the passwords associated with their encrypted home directories.
Decrypting the home folder
The command line tool used to decrypt these home directories is ecryptfs-recover-private and is issued in the form of:
sudo ecryptfs-recover-private /media/UUID/home/.ecryptfs/USERNAME/.Private
Where UUID is the actual UUID associated with the drive and USERNAME is the username associated with the user whose encrypted home directory needs to be recovered. There is a chance you will not find that command on your system. If that is the case, issue the following to install the software:
sudo apt-get install ecryptfs-utils
When you run the ecryptfs-recover-private command, it will prompt you for the encryption password and then mount the encrypted directory with read-only access. If you need write access to the directory, issue the command as such:
sudo ecryptfs-recover-private -rw /media/UUID/home/.ecryptfs/USERNAME/.Private
You can now either open a file manager and navigate to /media/UUID/home/.ecryptfs/USERNAME/.Private or navigate to the directory within a terminal window with the command cd /media/UUID/home/.ecryptfs/USERNAME/.Private. At this point you can recover the data from the encrypted directory by copying it to another drive.
NOTE: If you get an error saying the passphrase unwrap did not succeed, you might need to issue the command:
sudo ecryptfs-unwrap-passphrase /media/UUID/home/.ecryptfs/USERNAME/.ecryptfs/wrapped-passphrase
The above command will certainly unwrap the encryption passphrase.
Flexing Linux muscles
Linux is not only flexible, it's powerful. When you find yourself in a jam, such as the inability to boot a machine, even if your user directories are encrypted, you can still gain access to that data. All you have to do is flex a little Linux muscle and you're good to go.
- Linux desktop operating system: A beginner's guide (TechRepublic)
- Phase 3 for System76 brings hardware design and construction in-house (TechRepublic)
- How to upgrade the Linux kernel with a handy GUI (TechRepublic)
- How to check your Linux servers for rootkits and malware (TechRepublic)
- 10 ways to use grep to search files in Linux (TechRepublic)
- Linux 2017: With great power comes great responsibility (ZDNet)
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.