File recovery from ecryptfs encrypted partition

jritts

New Member
Joined
Sep 9, 2021
Messages
3
Reaction score
0
Credits
30
I recently had a massive hardware failure on my primary SSD drive.

Using safecopy, I made an image of the /home partition, which was encrypted with ecryptfs. I get errors when attempting to mount the .ISO image, related to bad blocks which are present.

Currently running scalpel in an attempt to recover pdf, doc, and odt files, odt being the most important to me.

The trouble is with the encryption . . . I'm pretty sure scalpel won't be able to carve the files out given this.

I have my login phrase but not the "wrapper" file that was used, and I am not confident that file can be recovered. Even if it is, how could I go about carving files from an encrypted image?

Any help is greatly appreciated. I've learned a hard lesson and will be keeping regular backups, and won't buy off brand storage devices again.
 


I have not run safecopy on my system partition, but it is possible I could get the wrapped passphrase there if not corrupted . . .
 
If you have ecryptfs-utils installed you can use
Code:
ecryptfs-recover-private
This will find the location of your encrypted files and will mount them decrypted in a temporary location.
while ecryptfs-unwrap-passphrase is used to display your mount passphrase. If you want to see your mount passphrase, use the following command:
Code:
ecryptfs-unwrap-passphrase /home/yourusername/.ecryptfs/wrapped-passphrase
for more information use
Code:
man ecryptfs-recover-private
Hope this helps
 
Thanks. Any idea how that can be run on an ISO that will not mount due to corruption?

Interestingly, scalpel recovered a small number of PDFs and DOC files, which were not encrypted. Possibly they were deleted, not sure why they weren't encrypted all the same . . .
 
What command are you using to mount the ISO?
 

Members online

No members online now.

Top