I have encrypted data on an external hard drive mounted at /home/username/.Data. I am trying to decrypt it to /home/username/Data.
Although I can read the file contents successfully, I cannot decrypt the file names.
This is what I am trying:
$ sudo ecryptfs-add-passphrase --fnek
Passphrase:
Inserted auth tok with sig [aaaaaaaaaaaaaaaa] into the user session keyring
Inserted auth tok with sig [bbbbbbbbbbbbbbbb] into the user session keyring
$ sudo mount -t ecryptfs /home/username/.Data /home/username/Data
Passphrase:
Select cipher:
1) aes: blocksize = 16; min keysize = 16; max keysize = 32
2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]:
Select key bytes:
1) 16
2) 32
3) 24
Selection [16]: 2
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]: y
Filename Encryption Key (FNEK) Signature [aaaaaaaaaaaaaaaa]: bbbbbbbbbbbbbbbb
Attempting to mount with the following options:
ecryptfs_unlink_sigs
ecryptfs_fnek_sig=bbbbbbbbbbbbbbbb
ecryptfs_key_bytes=32
ecryptfs_cipher=aes
ecryptfs_sig=aaaaaaaaaaaaaaaa
Mounted eCryptfs
I am now using Ubuntu 14.04.1 LTS and ecryptfs-utils 104-0ubuntu1. The external hard drive was encrypted a few months ago using an older version of Ubuntu.
Any ideas on how to solve this?
Edit:
A few days later I tried something different. I ran ecryptfs-setup-private, which creates the ~/.Private and ~/Private directories.
Then I logged out, logged in, unmounted ~/.Private using ecryptfs-umount-private, copied the directories from the external HD to ~/.Private, and mounted it again using ecryptfs-mount-private.
This way the directory names are decrypted correctly. However, I cannot read the directory, nor change the current directory to it.
$ cd decrypted_dir_name
bash: cd: decrypted_dir_name: No such file or directory
$ ls -l
d????????? ? ? ? ? ? decrypted_dir_name
Answer 1
Update:
Just noticed a possible problem there: you said "a few months ago the external hard drive was encrypted using an older version of Ubuntu."
Newer versions of eCryptfs cannot always handle data encrypted with older versions. It is not fully backward compatible. You should decrypt the data with the original version that encrypted it.
Alternatively, you may not be using the correct key for filename encryption (fnek); double-check the keys and look at the mount options ecryptfs_fnek_sig=(fnek_sig) and even ecryptfs_sig=(fekek_sig).
Here are some options to mount -t ecryptfs that look useful (from man ecryptfs):
ecryptfs_sig=(fekek_sig)
Specify the signature of the mount wide authentication token.
The authentication token must be in the kernel keyring before
the mount is performed. ecryptfs-manager or the eCryptfs mount
helper can be used to construct the authentication token and add
it to the keyring prior to mounting.
ecryptfs_fnek_sig=(fnek_sig)
Specify the signature of the mount wide authentication token
used for filename crypto. The authentication must be in the kernel keyring before mounting.
ecryptfs_enable_filename_crypto=(y/n)
Specify whether filename encryption should be enabled. If not,
the mount helper will not prompt the user for the filename
encryption key signature (default).
verbosity=0/1
If verbosity=1, the mount helper will ask you for missing values
(default). Otherwise, if verbosity=0, it will not ask for missing values and will fail if required values are omitted.
I think you may find the ecryptfs-recover-private tool much easier than specifying the encryption and filename keys by hand... If you have a "regular" encrypted folder it should work well; pointing it at the ".Private" folder of the encrypted drive should work, and perhaps /home/username/.Data is exactly that.
Here is what is pasted from its man page:
NAME
ecryptfs-recover-private - find and mount any encrypted private directories
SYNOPSIS
ecryptfs-recover-private [--rw] [encrypted private dir]
DESCRIPTION
This utility is intended to help eCryptfs recover data from their
encrypted home or encrypted private partitions. It is useful to run
this from a LiveISO or a recovery image. It must run under sudo(8) or
with root permission, in order to search the filesystem and perform the
mounts.
The program can take a target encrypted directory on the command line.
If unspecified, the utility will search the entire system looking for
encrypted private directories, as configured by ecryptfs-setup-private(1).
If an encrypted directory and a wrapped-passphrase file are found, the
user is prompted for the login (wrapping) passphrase, the keys are
inserted into the keyring, and the data is decrypted and mounted.
If no wrapped-passphrase file is found, the user will be prompted for
their mount passphrase. This passphrase is typically 32 characters of
[0-9a-f]. All users are prompted to urgently record this randomly generated passphrase when they first setup their encrypted private directory.
The destination mount of the decrypted data is a temporary directory,
in the form of /tmp/ecryptfs.XXXXXXXX.
By default, the mount will be read-only. To mount with read and write
permission, add the --rw parameter.
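As an added example (not from this answer or from the ecryptfs project), here is a small POSIX shell helper that turns the two signature lines printed by ecryptfs-add-passphrase --fnek into an explicit, non-interactive option string for mount -t ecryptfs, using the option names quoted above. The first signature line is the FEKEK (ecryptfs_sig) and the second is the FNEK (ecryptfs_fnek_sig); passing both explicitly together with verbosity=0 means the mount helper fails on a missing or mismatched value instead of prompting, which is where the wrong FNEK signature in the question's transcript could have been accepted silently. The sample output lines, the placeholder signatures and the mount paths are constructed; the cipher and key size are the ones shown in the question's transcript and must match what the data was encrypted with.

```shell
#!/bin/sh
# Added example, not part of the original answer: assemble explicit eCryptfs
# mount options from the output of `ecryptfs-add-passphrase --fnek`.
# That command prints two "Inserted auth tok with sig [...]" lines:
# the first is the FEKEK signature (ecryptfs_sig), the second is the
# FNEK signature (ecryptfs_fnek_sig). Mixing them up gives readable
# contents but undecryptable names.

# nth_sig OUTPUT N: print the N-th signature found in OUTPUT.
nth_sig() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Inserted auth tok with sig \[\([0-9a-f]*\)\].*/\1/p' \
        | sed -n "${2}p"
}

# build_ecryptfs_opts OUTPUT KEY_BYTES: emit a comma-separated -o string.
# verbosity=0 (see man ecryptfs above) makes the mount helper fail on a
# missing value instead of asking for it interactively.
build_ecryptfs_opts() {
    fekek=$(nth_sig "$1" 1)
    fnek=$(nth_sig "$1" 2)
    if [ -z "$fekek" ] || [ -z "$fnek" ]; then
        echo "build_ecryptfs_opts: expected two signature lines (FEKEK, then FNEK)" >&2
        return 1
    fi
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=%s,ecryptfs_unlink_sigs,verbosity=0\n' \
        "$fekek" "$fnek" "$2"
}

# mount_ecryptfs_explicit LOWER UPPER KEY_BYTES: insert the passphrase
# (one prompt), then mount with explicit options. Needs root, like the
# sudo invocations in the question. Only run when ECRYPTFS_DO_MOUNT=1.
mount_ecryptfs_explicit() {
    out=$(ecryptfs-add-passphrase --fnek) || return 1
    opts=$(build_ecryptfs_opts "$out" "$3") || return 1
    mount -t ecryptfs "$1" "$2" -o "$opts"
}

# Constructed sample of what ecryptfs-add-passphrase --fnek prints
# (placeholder signatures, same shape as the question's transcript).
SAMPLE_ADD_PASSPHRASE_OUTPUT='Inserted auth tok with sig [aaaaaaaaaaaaaaaa] into the user session keyring
Inserted auth tok with sig [bbbbbbbbbbbbbbbb] into the user session keyring'

if [ "${ECRYPTFS_DO_MOUNT:-0}" = 1 ]; then
    # Constructed paths taken from the question.
    mount_ecryptfs_explicit /home/username/.Data /home/username/Data 32
else
    echo "Options that would be passed to mount -t ecryptfs:"
    build_ecryptfs_opts "$SAMPLE_ADD_PASSPHRASE_OUTPUT" 32
fi
```

Run as-is, the script only prints the option string for the constructed sample; with ECRYPTFS_DO_MOUNT=1 and root, it performs the mount. If the names still come out encrypted with the signatures passed explicitly, the remaining suspects are the ones the answer names: the data was written by an older eCryptfs, or the passphrase entered does not produce the FNEK the data was encrypted with.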
Answer 2
I had the same behaviour, and the problem was simply that I was not selecting the correct source directory.
Here is my disk layout:
/mnt/usbdisk/Private/
|-- Dir1
|-- ECRYPTFS_FNEK_ENCRYPTED.FWa.AAAAAAAAAAAAAAAAA---
|-- ECRYPTFS_FNEK_ENCRYPTED.FWa.BBBBBBBBBBBBBBBBB---
|-- ECRYPTFS_FNEK_ENCRYPTED.FWa.CCCCCCCCCCCCCCCCC---
...
|-- Dir2
|-- ECRYPTFS_FNEK_ENCRYPTED.FWa.DDDDDDDDDDDDDDDDD---
...
I had created 2 plain, unencrypted directories (Dir1 and Dir2) in the unmounted Private directory to organize my files better. They should appear in plaintext when Private is mounted.
But trying to mount /mnt/usbdisk/Private directly gave me the same result as you (lots of ???????).
I got my files back by mounting /mnt/usbdisk/Private/Dir1 and /mnt/usbdisk/Private/Dir2 as the source.
I still don't have an answer, and I hope you have found a solution since this is a very old post ;-) Did I make a change that I don't remember? Maybe it is related to the ecryptfs_passthrough option (although I played with it and it made no difference)? Maybe it is because it has been several months since I last plugged in the disk?
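As an added example (not from this answer or from the ecryptfs project), here is a POSIX shell helper that implements the check this answer did by hand: it scans a directory tree and lists only the directories that directly hold ECRYPTFS_FNEK_ENCRYPTED.* entries, since those are the directories that can be given to mount -t ecryptfs as the source, while a parent that holds only plain-named subdirectories (Private in this layout) produces the "?????????" listing from the question. The layout it builds in a temporary directory mirrors the tree shown above with constructed names, and the /mnt/decrypted/... mount targets it prints are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original answer: locate the directories that
# actually contain eCryptfs lower (encrypted) entries so they can be used as
# the mount source. With filename encryption every entry is named
# ECRYPTFS_FNEK_ENCRYPTED.<...>, so a plain-named directory such as Dir1 that
# holds such entries is a mount-source candidate; its parent Private is not.

# find_ecryptfs_lower_dirs ROOT: print each directory that directly contains
# ECRYPTFS_FNEK_ENCRYPTED.* entries. Matching entries are pruned so encrypted
# subdirectories (which also carry the prefix) are not descended into.
find_ecryptfs_lower_dirs() {
    find "$1" -name 'ECRYPTFS_FNEK_ENCRYPTED.*' -prune -exec dirname {} \; | sort -u
}

# is_ecryptfs_lower_dir DIR: succeed if DIR itself holds at least one encrypted
# entry, i.e. mounting it would show decrypted names rather than "?????????".
is_ecryptfs_lower_dir() {
    for f in "$1"/ECRYPTFS_FNEK_ENCRYPTED.*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# make_sample_layout: build a temporary copy of the layout from the answer
# (constructed entry names) and print its root path.
make_sample_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/Private/Dir1" "$root/Private/Dir2"
    for s in AAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBB CCCCCCCCCCCCCCCCC; do
        : > "$root/Private/Dir1/ECRYPTFS_FNEK_ENCRYPTED.FWa.$s---"
    done
    : > "$root/Private/Dir2/ECRYPTFS_FNEK_ENCRYPTED.FWa.DDDDDDDDDDDDDDDDD---"
    printf '%s\n' "$root"
}

# suggest_mounts ROOT: print (do not run) one mount command per candidate,
# with a placeholder target under /mnt/decrypted.
suggest_mounts() {
    find_ecryptfs_lower_dirs "$1" | while IFS= read -r lower; do
        printf 'sudo mount -t ecryptfs %s /mnt/decrypted/%s\n' "$lower" "$(basename "$lower")"
    done
}

sample=$(make_sample_layout)
echo "Scanning $sample/Private (constructed sample):"
suggest_mounts "$sample/Private"
rm -rf "$sample"
```

On the layout above the scan lists Dir1 and Dir2 and not Private, which matches what the answer found: the parent is only a container of plain-named directories, and each of those has to be mounted as its own eCryptfs source.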