how to decrypt ecryptfs file with private key instead of passphrase

Short answer: Use the passphrase $1$5YN01o9y to reveal your actual passphrase from the keyfile with ecryptfs-unwrap-passphrase (the backslashes escape the $ letters):

printf "%s" "\$1\$5YN01o9y" | ecryptfs-unwrap-passphrase keyfile.key -

Then use your passphrase with one of the instructions you probably already know, like AlexP's answer here or Robert Castle's article.

Or do it all in a single line:

mount -t ecryptfs -o "key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,passwd=$(printf "%s" "\$1\$5YN01o9y" | ecryptfs-unwrap-passphrase /path/to/keyfile.key -)" /path/to/encrypted/folder /path/to/mountpoint

I just tested the whole decryption process with a keyfile and can confirm it's working:

  • Created a new encrypted shared folder in DSM 6.2 and downloaded the keyfile.
  • Shut down the NAS, removed a drive, connected it to an Ubuntu x64 18.04.2 machine and mounted the RAID and volume group there.
  • Installed ecryptfs-utils and successfully got access to the decrypted data using the mount command mentioned above with the downloaded keyfile.

Credits: I found that $1$5YN01o9y-passphrase in a post in a German Synology forum. The user that probably actually found out the secret in 2014 is known there as Bastian (b666m).


See "How To Recover Synology encrypted folders in Linux" by Robert Castle. Summary:

MOUNTOPTIONS=""
for option in                           \
  "key=passphrase"                      \
  "ecryptfs_cipher=aes"                 \
  "ecryptfs_key_bytes=32"               \
  "ecryptfs_passthrough=no"             \
  "ecryptfs_enable_filename_crypto=yes" \
; do
  MOUNTOPTIONS="${MOUNTOPTIONS}${MOUNTOPTIONS:+,}$option"
done
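# PASSWORD, CRYPTDIR and TARGET must be set before this point; quoting keeps
# spaces in any of them from splitting the arguments.
sudo mount -t ecryptfs -o "$MOUNTOPTIONS,passwd=$PASSWORD" "$CRYPTDIR" "$TARGET"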
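
The unwrap-and-mount procedure from both answers, as an added example (not code from either answer or from Robert Castle's article): it stops when the unwrap step yields nothing and refuses a passphrase containing a comma, which would otherwise split the `-o` option list. The function names and exit codes are assumptions of this example; the wrapping passphrase and the mount options are the ones quoted on this page.

```shell
#!/bin/sh
# Added example, not from the original answers.
# WRAP_PASS is the keyfile-wrapping passphrase quoted on this page; single
# quotes keep the shell from expanding the $ characters.
WRAP_PASS='$1$5YN01o9y'

# Build the -o option string for mount (hypothetical helper name).
# Returns 1 on an empty passphrase, 2 if it contains a comma.
build_ecryptfs_opts() {
  pass=$1
  [ -n "$pass" ] || { echo "empty passphrase (unwrap failed?)" >&2; return 1; }
  case $pass in
    *,*) echo "passphrase contains ',' and would split the option list" >&2
         return 2 ;;
  esac
  opts=""
  for o in key=passphrase ecryptfs_cipher=aes ecryptfs_key_bytes=32 \
           ecryptfs_passthrough=no ecryptfs_enable_filename_crypto=yes; do
    opts="${opts}${opts:+,}$o"
  done
  printf '%s,passwd=%s' "$opts" "$pass"
}

# Unwrap the passphrase from the keyfile and mount the encrypted folder
# (hypothetical helper name). Arguments: keyfile, encrypted dir, mountpoint.
mount_synology_share() {
  keyfile=$1 cryptdir=$2 target=$3
  [ -r "$keyfile" ] || { echo "cannot read keyfile: $keyfile" >&2; return 3; }
  [ -d "$cryptdir" ] && [ -d "$target" ] || {
    echo "encrypted folder and mountpoint must be existing directories" >&2
    return 4
  }
  # Same pipeline as in the first answer; "-" makes the tool read stdin.
  pass=$(printf '%s' "$WRAP_PASS" | ecryptfs-unwrap-passphrase "$keyfile" -) \
    || { echo "ecryptfs-unwrap-passphrase failed" >&2; return 5; }
  opts=$(build_ecryptfs_opts "$pass") || return $?
  sudo mount -t ecryptfs -o "$opts" "$cryptdir" "$target"
}
```

Call it as `mount_synology_share keyfile.key /path/to/encrypted/folder /path/to/mountpoint`. While `mount` runs, the `passwd=` value is visible in the process list, so do the recovery on a machine no one else is logged in to.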