eCryptfs - unable to decrypt filenames


I have encrypted data on an external hard disk mounted at /home/username/.Data. I am trying to decrypt it to /home/username/Data.

While I can read the file contents successfully, I cannot get the filenames decrypted.

This is what I am trying:

$ sudo ecryptfs-add-passphrase --fnek
Passphrase: 
Inserted auth tok with sig [aaaaaaaaaaaaaaaa] into the user session keyring
Inserted auth tok with sig [bbbbbbbbbbbbbbbb] into the user session keyring

$ sudo mount -t ecryptfs /home/username/.Data /home/username/Data        
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 2
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [aaaaaaaaaaaaaaaa]: bbbbbbbbbbbbbbbb
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=bbbbbbbbbbbbbbbb
  ecryptfs_key_bytes=32
  ecryptfs_cipher=aes
  ecryptfs_sig=aaaaaaaaaaaaaaaa
  Mounted eCryptfs

I am now on Ubuntu 14.04.1 LTS with ecryptfs-utils 104-0ubuntu1. The external hard disk was encrypted a few months ago using an older version of Ubuntu.

Any ideas on how to solve this?

Edit:

A few days later I tried something different. I ran ecryptfs-setup-private, which creates the ~/.Private and ~/Private directories.

Then I logged out, logged in, unmounted ~/.Private with ecryptfs-umount-private, copied the directories from the external HD into ~/.Private, and mounted it again with ecryptfs-mount-private.

This way the directory name is decrypted correctly. However, I cannot read it, nor can I change the current directory into it.

$ cd decrypted_dir_name
bash: cd: decrypted_dir_name: No such file or directory
$ ls -l
d????????? ? ?      ?         ?            ? decrypted_dir_name

Answer 1

Updated information:

Just noticed a possible problem there: you said "the external hard disk was encrypted a few months ago using an older version of Ubuntu."

Newer versions of eCryptfs cannot always handle data encrypted with older versions. It is not fully backward compatible. You should decrypt the data with the original version that encrypted it.

Alternatively, you may not be using the correct key for filename encryption (fnek); double-check the keys and look at the mount options ecryptfs_fnek_sig=(fnek_sig) and even ecryptfs_sig=(fekek_sig).

Here are some mount -t ecryptfs options that look useful (from man ecryptfs):

ecryptfs_sig=(fekek_sig)
       Specify the signature of the mount wide authentication token. The
       authentication token must be in the kernel keyring before the mount
       is performed. ecryptfs-manager or the eCryptfs mount helper can be
       used to construct the authentication token and add it to the keyring
       prior to mounting.

ecryptfs_fnek_sig=(fnek_sig)
       Specify the signature of the mount wide authentication token used
       for filename crypto. The authentication must be in the kernel keyring
       before mounting.

ecryptfs_enable_filename_crypto=(y/n)
       Specify whether filename encryption should be enabled. If not, the
       mount helper will not prompt the user for the filename encryption
       key signature (default).

verbosity=0/1
       If verbosity=1, the mount helper will ask you for missing values
       (default). Otherwise, if verbosity=0, it will not ask for missing
       values and will fail if required values are omitted.

I think you may find the ecryptfs-recover-private tool much easier than specifying the encryption and filename keys by hand... If you have a "regular" encrypted folder it should work just fine; pointing it at the ".Private" folder of the encrypted drive should work, and perhaps /home/username/.Data is exactly that.

Here is what is pasted from its man page:

NAME
       ecryptfs-recover-private - find and mount any encrypted private
       directories

SYNOPSIS
       ecryptfs-recover-private [--rw] [encrypted private dir]

DESCRIPTION
       This utility is intended to help eCryptfs recover data from their
       encrypted home or encrypted private partitions. It is useful to run
       this from a LiveISO or a recovery image. It must run under sudo(8)
       or with root permission, in order to search the filesystem and
       perform the mounts.

       The program can take a target encrypted directory on the command
       line. If unspecified, the utility will search the entire system
       looking for encrypted private directories, as configured by
       ecryptfs-setup-private(1).

       If an encrypted directory and a wrapped-passphrase file are found,
       the user is prompted for the login (wrapping) passphrase, the keys
       are inserted into the keyring, and the data is decrypted and mounted.

       If no wrapped-passphrase file is found, the user will be prompted for
       their mount passphrase. This passphrase is typically 32 characters of
       [0-9a-f]. All users are prompted to urgently record this randomly
       generated passphrase when they first setup their encrypted private
       directory.

       The destination mount of the decrypted data is a temporary directory,
       in the form of /tmp/ecryptfs.XXXXXXXX.

       By default, the mount will be read-only. To mount with read and write
       permission, add the --rw parameter.
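The answer above points at the two signatures as the thing to check. The question's transcript shows why: the mount helper defaulted the FNEK signature to the FEKEK signature (the prompt read `[aaaaaaaaaaaaaaaa]`), and the user had to type the second one by hand. The following is an added example, not code from the original question or answer: it takes the output of `ecryptfs-add-passphrase --fnek` (a constructed sample of the two "Inserted auth tok" lines), picks the FEKEK and FNEK signatures in the order the helper prints them, validates them, and builds a `mount -t ecryptfs` option string that names both signatures explicitly and uses `verbosity=0` so a missing or malformed value fails instead of being prompted for. It assumes the keys were already inserted into the keyring by the helper, that the cipher and key size match what the helper printed in the question (aes, 32 bytes), and that the helper honours `ecryptfs_sig`/`ecryptfs_fnek_sig` without re-prompting when those keys are present, as the man page excerpt says. The mount itself is only printed, since it needs root and a real lower directory.

```sh
#!/bin/sh
# Added example (not from the original post): derive a non-interactive
# eCryptfs mount command from the two signatures that
# `ecryptfs-add-passphrase --fnek` prints, and check afterwards whether
# the filename key actually matched.

# Constructed sample of the helper's output. With --fnek the first line is
# the FEKEK (file content key) signature and the second is the FNEK
# (filename key) signature, the same order as in the question.
SAMPLE_ADD_PASSPHRASE_OUTPUT='Inserted auth tok with sig [aaaaaaaaaaaaaaaa] into the user session keyring
Inserted auth tok with sig [bbbbbbbbbbbbbbbb] into the user session keyring'

# Print the N-th (1 or 2) signature found in the helper output read on stdin.
extract_sig() {
    sed -n 's/.*Inserted auth tok with sig \[\([0-9a-f]\{16\}\)\].*/\1/p' | sed -n "${1}p"
}

# eCryptfs signatures are 16 lowercase hex characters; reject anything else
# rather than passing a typo on to the mount helper.
is_valid_sig() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 16 ]
}

# Build the -o string for `mount -t ecryptfs`. Both signatures are named
# explicitly so the helper cannot fall back to the FEKEK signature for
# filenames, ecryptfs_enable_filename_crypto=y turns filename decryption on,
# and verbosity=0 makes the helper fail on any missing value instead of
# asking interactively.
build_mount_opts() {
    fekek_sig=$1
    fnek_sig=$2
    is_valid_sig "$fekek_sig" || { echo "bad FEKEK sig: $fekek_sig" >&2; return 1; }
    is_valid_sig "$fnek_sig" || { echo "bad FNEK sig: $fnek_sig" >&2; return 1; }
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_enable_filename_crypto=y,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_unlink_sigs,verbosity=0\n' \
        "$fekek_sig" "$fnek_sig"
}

# After mounting, any entry that still carries the FNEK name prefix means the
# filename key did not match the one the names were encrypted with.
# Argument: the mount point. Returns 0 when every name decrypted, 1 otherwise.
names_decrypted() {
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        case "$(basename "$entry")" in
            ECRYPTFS_FNEK_ENCRYPTED.*) return 1 ;;
        esac
    done
    return 0
}

FEKEK_SIG=$(printf '%s\n' "$SAMPLE_ADD_PASSPHRASE_OUTPUT" | extract_sig 1)
FNEK_SIG=$(printf '%s\n' "$SAMPLE_ADD_PASSPHRASE_OUTPUT" | extract_sig 2)
MOUNT_OPTS=$(build_mount_opts "$FEKEK_SIG" "$FNEK_SIG")
# Paths are the ones from the question; run this under sudo on a real system.
echo "sudo mount -t ecryptfs -o $MOUNT_OPTS /home/username/.Data /home/username/Data"
echo "then: names_decrypted /home/username/Data || echo 'FNEK signature did not match'"
```

`names_decrypted` only looks at names, so it is safe to run on a read-only mount; it does not tell you which of the two keys is wrong, only that the filename key did not match, which is exactly the case the answer above asks you to rule out.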

Answer 2

I had the same behaviour, and the problem was just that I had not chosen the right source directory.

This is my disk layout:

/mnt/usbdisk/Private/
          |-- Dir1
             |-- ECRYPTFS_FNEK_ENCRYPTED.FWa.AAAAAAAAAAAAAAAAA---
             |-- ECRYPTFS_FNEK_ENCRYPTED.FWa.BBBBBBBBBBBBBBBBB---
             |-- ECRYPTFS_FNEK_ENCRYPTED.FWa.CCCCCCCCCCCCCCCCC---
             ...
          |-- Dir2
             |-- ECRYPTFS_FNEK_ENCRYPTED.FWa.DDDDDDDDDDDDDDDDD---
             ...

I had created 2 plain, unencrypted directories (Dir1 and Dir2) inside the unmounted Private directory to organise my files better. They were supposed to show up in plaintext when Private was mounted.

But trying to mount /mnt/usbdisk/Private directly gave the same result as yours (lots of ???????). I got my files back by mounting /mnt/usbdisk/Private/Dir1 and /mnt/usbdisk/Private/Dir2 as the source.

I still have no answer; I hope you have found a solution by now, since this is a very old post ;-) Did I make a change I do not remember? Maybe something to do with the ecryptfs_passthrough option (I played with it, but it made no difference)? Maybe because it had been months since I last plugged in the disk?
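The point of the answer above is that the directory passed as the mount source has to be the one whose direct entries are the `ECRYPTFS_FNEK_ENCRYPTED.*` names, not a parent that merely contains plain directories with such names inside. The following is an added example, not code from the original answer: it builds a temporary copy of the `/mnt/usbdisk/Private` layout shown above (constructed, with empty files standing in for the encrypted ones), classifies a directory by looking at names only, and prints the directories that should be used as mount sources. The classification is an assumption of this example and works on names alone; it does not open or decrypt anything, so it can be run on a read-only disk.

```sh
#!/bin/sh
# Added example (not from the original post): find the directories under a
# lower directory that should be passed to `mount -t ecryptfs`, when plain
# subdirectories have been mixed in with eCryptfs data.

# Constructed stand-in for the /mnt/usbdisk/Private tree in the answer.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Dir1" "$root/Dir2"
    : > "$root/Dir1/ECRYPTFS_FNEK_ENCRYPTED.FWa.AAAAAAAAAAAAAAAAA---"
    : > "$root/Dir1/ECRYPTFS_FNEK_ENCRYPTED.FWa.BBBBBBBBBBBBBBBBB---"
    : > "$root/Dir2/ECRYPTFS_FNEK_ENCRYPTED.FWa.DDDDDDDDDDDDDDDDD---"
    printf '%s\n' "$root"
}

# Count the direct entries of a directory whose name carries the FNEK prefix.
# Names only; nothing is opened.
count_encrypted_names() {
    n=0
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        case "$(basename "$entry")" in
            ECRYPTFS_FNEK_ENCRYPTED.*) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Classify a directory (classification is this example's own convention):
#   lower  - its direct entries are encrypted names: mount this directory
#   mixed  - it holds plain directories that in turn hold encrypted names:
#            mount those children, not the directory itself
#   plain  - no eCryptfs names at this level or one level below
classify_dir() {
    if [ "$(count_encrypted_names "$1")" -gt 0 ]; then
        echo lower
        return
    fi
    for child in "$1"/*/; do
        [ -d "$child" ] || continue
        if [ "$(count_encrypted_names "${child%/}")" -gt 0 ]; then
            echo mixed
            return
        fi
    done
    echo plain
}

# Print the directories to pass as mount sources, one per line.
mount_sources() {
    case "$(classify_dir "$1")" in
        lower) printf '%s\n' "$1" ;;
        mixed)
            for child in "$1"/*/; do
                [ -d "$child" ] || continue
                child=${child%/}
                if [ "$(count_encrypted_names "$child")" -gt 0 ]; then
                    printf '%s\n' "$child"
                fi
            done ;;
        plain) ;;
    esac
}

SAMPLE=$(make_sample_tree)
echo "$SAMPLE is classified as: $(classify_dir "$SAMPLE")"
# One mount per source; target paths are illustrative.
mount_sources "$SAMPLE" | while read -r src; do
    echo "sudo mount -t ecryptfs $src /home/username/Data/$(basename "$src")"
done
rm -rf "$SAMPLE"
```

For the sample tree this reports `mixed` and lists `Dir1` and `Dir2`, which is the mount the answer above ended up doing by hand. A `lower` result means the directory itself is the source, as in the original question's `/home/username/.Data`.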
