Unwrapping passphrase and inserting into the user session keyring failed

Updated: 19 June 2018

Summary

I was recently getting a similar error when trying to decrypt some data from an external drive. Every time, the error message was from an invalid password; I can duplicate this all day long. Instead of using ecryptfs-recover-private I was using ecryptfs-unwrap-passphrase, which I think is for specific data, though I don't feel like looking up the difference.

Note: This is not a copy/paste guide, it is more of a record of my success.

Unwrapping The Passphrase

You'll need to find your wrapped-passphrase file. If you're not sure where it is, you can use find. After you mount your volume you can do:

sudo find /media -name wrapped-passphrase

You'll want to substitute the path it returns for my paths listed below.

My steps after mounting the old drive:

cd /media/_UUID_/.ecryptfs/paulj/.ecryptfs
ecryptfs-unwrap-passphrase ./wrapped-passphrase
Passphrase:

It will always prompt for a passphrase; this is the password initially set up when you created the encrypted home directory when you installed Ubuntu. In the setup it highly recommends that you use a different password than your login password... if you've been trying your login password for the last hour and failing, try some different ones... try that one password which you rarely use.

I had forgotten what mine was; I tried all of my super awesome passwords, and I kept getting this error message:

Error: Unwrapping passphrase failed [-5]
Info: Check the system log for more information from libecryptfs

After searching Google for about an hour, I figured I'd try a password I knew was bad, so I put in password at the Passphrase prompt.

The following was spit out:

116b053e08564b53b2967e64e509bdc5

I reran ecryptfs-unwrap-passphrase and tried a different password and received the same -5 error message as listed above. It turns out that I had actually set the passphrase to password, probably due to my frustrations with decrypting data in Ubuntu in the past.

Add Passphrase to Keyring

Add the passphrase to the keyring with ecryptfs-add-passphrase, using the passphrase generated in the previous step.

sudo ecryptfs-add-passphrase --fnek
Passphrase: 116b053e08564b53b2967e64e509bdc5

Outputs:

Inserted auth tok with sig [b69fed2a22932ba4] into the user session keyring
Inserted auth tok with sig [8aad0fb4482edab3] into the user session keyring

Mount or Recover

At this point you have two options, I suggest attempting to mount, then if you can't mount, try recovering.

Mounting the Drive

It is easy to think of the .Private directory as an unmounted volume.

Again here you'll need to specify your own directories.

sudo mkdir -p /home/paulj/Private
sudo mount -t ecryptfs /media/_UUID_/.ecryptfs/paulj/.Private /home/paulj/Private

Passphrase: 116b053e08564b53b2967e64e509bdc5
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32 (loaded)
 2) blowfish: blocksize = 16; min keysize = 16; max keysize = 56 (not loaded)
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24 (not loaded)
 4) cast6: blocksize = 16; min keysize = 16; max keysize = 32 (not loaded)
 5) cast5: blocksize = 8; min keysize = 5; max keysize = 16 (not loaded)
Selection [aes]: aes

Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 16

Enable plaintext passthrough (y/n) [n]: n

Enable filename encryption (y/n) [n]: y <-- If your filenames display oddly, toggle this to y or n.

{this is the second value from Inserted auth tok...}
Filename Encryption Key (FNEK) Signature: 8aad0fb4482edab3

Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=8aad0fb4482edab3
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=b69fed2a22932ba4
Mounted eCryptfs

Hopefully when you initially created the encrypted drive you didn't mess around with the cipher or key bytes.

Shows all data in my old home directory.

cd /home/paulj/Private
ls -la

Note: At this point if you get invalid permission/owner/group sets, you're going to want to unmount the drive and skip down to the Recover section.

If you get a good permission set, copy that junk out of the encrypted drive, to the desktop for example.

mkdir ~/Desktop/Backup
cp -Rv ./* ~/Desktop/Backup

Recover

I discovered I couldn't successfully mount my ecryptfs. ls was displaying invalid permission/owner/group settings. It looked something like the following:

total ??
d????-??-?  ?? ??      ??      ??   ??            .
d????-??-?   6 root    root    4.0K Jun 19 11:42  ..
d???------  ?? ??      ??      ??   ??            .aptitude
d????-??-?  ?? ??      ??      ??   ??            .autoenv
-??-?--?--  ?? ??      ??      ??   ??            .autoenv_authorized
d????-??-?  ?? ??      ??      ??   ??            .aws
-??-?--?--  ?? ??      ??      ??   ??            .bash_aliases
-??-------  ?? ??      ??      ??   ??            .bash_history
-??-?--?--  ?? ??      ??      ??   ??            .bash_logout
-??-?--?--  ?? ??      ??      ??   ??            .bashrc
d????-??-?  ?? ??      ??      ??   ??            bin
d????-??-?  ?? ??      ??      ??   ??            .cache
d????-??-?  ?? ??      ??      ??   ??            code
d????-??-?  ?? ??      ??      ??   ??            .config

I am not sure why I wound up with problems using mount, so I started messing around with ecryptfs-recover-private and had some luck.

Again, you'll have to use your own generated passphrase from above. Note that I used the --rw switch here to make the mount read/write, if you omit the switch it will mount read-only.

sudo ecryptfs-recover-private --rw /media/_UUID_/.ecryptfs/paulj/.Private

INFO: Found [/media/_UUID_/.ecryptfs/paulj/.Private].
Try to recover this directory? [Y/n]: Y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] Y
INFO: Enter your LOGIN passphrase...
Passphrase: 116b053e08564b53b2967e64e509bdc5
Inserted auth tok with sig [b69fed2a22932ba4] into the user session keyring
INFO: Success!  Private data mounted at [/tmp/ecryptfs.idv9OohY].

The tmp path it outputs will contain your encrypted mount.

ls -la /tmp/ecryptfs.idv9OohY

This should show your full path with proper permission sets. Now copy it out somewhere.

mkdir ~/Desktop/Recovered
sudo cp -Rv /tmp/ecryptfs.idv9OohY ~/Desktop/Recovered

In Closing

GOOD LUCK!!

You should be able to use this for any variant of Ubuntu, I for instance have used it in and between Ubuntu and Mint and Lubuntu.

If you're just finding this thread, unless you specifically used password as your Passphrase, those hex values won't work.
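The steps in the answer above (unwrap, add the two keys, mount, check the listing before copying) as one script. This is an added example, not code from the answer or from the ecryptfs-utils project. It assumes ecryptfs-utils is installed, that ecryptfs-unwrap-passphrase and ecryptfs-add-passphrase accept a trailing "-" to read the passphrase from stdin, and that mount -t ecryptfs accepts the option names the interactive session printed above (ecryptfs_passthrough=n is added for the passthrough prompt). The signature values and the two listings are constructed from the answer's own output; the user name and paths are placeholders.

```shell
#!/bin/sh
# Added example: non-interactive version of the recovery procedure above.
# Helpers are pure shell so the parsing and the "broken listing" check can be
# exercised without a drive; recover_home is the part that needs root and
# the ecryptfs-utils tools (stdin "-" form assumed).

# Constructed sample output, copied from the ecryptfs-add-passphrase --fnek
# step in the answer: first line is the mount sig, second is the FNEK sig.
SAMPLE_ADD_OUTPUT='Inserted auth tok with sig [b69fed2a22932ba4] into the user session keyring
Inserted auth tok with sig [8aad0fb4482edab3] into the user session keyring'

# Constructed listings: the broken one mirrors the answer's "?" output, the
# good one is what a correct mount looks like.
SAMPLE_BROKEN_LS='total ??
d????-??-?  ?? ??      ??      ??   ??            .
-??-?--?--  ?? ??      ??      ??   ??            .bashrc'
SAMPLE_GOOD_LS='total 8
drwx------ 2 paulj paulj 4096 Jun 19 11:42 .
-rw-r--r-- 1 paulj paulj   12 Jun 19 11:42 .bashrc'

# extract_sig N: print the N-th 16-hex-digit signature found in
# ecryptfs-add-passphrase output read on stdin.
extract_sig() {
    sed -n 's/.*sig \[\([0-9a-f]\{16\}\)\].*/\1/p' | sed -n "${1}p"
}

# build_mount_opts SIG FNEK_SIG: the option string the interactive session
# derived (aes, 16 key bytes, filename encryption on, no passthrough).
build_mount_opts() {
    printf 'ecryptfs_sig=%s,ecryptfs_fnek_sig=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=n,ecryptfs_unlink_sigs' "$1" "$2"
}

# looks_broken: read an `ls -la` listing on stdin; exit 0 if any entry's mode
# field contains the "?" placeholders, i.e. the data was mounted with the
# wrong key or FNEK sig and must be unmounted rather than copied out.
looks_broken() {
    grep -q '^[-dl][-rwxsStT?]*[?]'
}

# mount_private LOWER UPPER SIG FNEK_SIG: mount .Private with keys already
# in the session keyring, so no prompts appear. Requires root.
mount_private() {
    mkdir -p "$2" &&
    mount -t ecryptfs -o "$(build_mount_opts "$3" "$4")" "$1" "$2"
}

# recover_home USERDIR MOUNTPOINT: full procedure. USERDIR is the per-user
# directory on the old drive, e.g. /media/_UUID_/.ecryptfs/paulj (placeholder).
recover_home() {
    userdir=$1; mnt=$2
    wrapped="$userdir/.ecryptfs/wrapped-passphrase"
    [ -f "$wrapped" ] || { echo "no wrapped-passphrase under $userdir" >&2; return 1; }
    printf 'Login passphrase chosen when the home was encrypted: '
    stty -echo; read -r login; stty echo; echo
    # Step 1: unwrap. A wrong login passphrase yields "Unwrapping passphrase failed [-5]".
    mount_pass=$(printf '%s\n' "$login" | ecryptfs-unwrap-passphrase "$wrapped" -) || return 1
    # Step 2: insert mount key and FNEK key, keep the two sig lines.
    sigs=$(printf '%s\n' "$mount_pass" | ecryptfs-add-passphrase --fnek -) || return 1
    sig=$(printf '%s\n' "$sigs" | extract_sig 1)
    fnek=$(printf '%s\n' "$sigs" | extract_sig 2)
    # Step 3: mount, then refuse to proceed on the "?" listing the answer describes.
    mount_private "$userdir/.Private" "$mnt" "$sig" "$fnek" || return 1
    if ls -la "$mnt" | looks_broken; then
        echo "listing shows ? placeholders: wrong key, unmounting $mnt" >&2
        umount "$mnt"; return 1
    fi
    echo "mounted at $mnt; copy out with: cp -Rv $mnt/. ~/Desktop/Backup"
}
# Usage (as root): recover_home /media/_UUID_/.ecryptfs/paulj /home/paulj/Private
```

The listing check is the useful part: the answer's failed mount still "succeeded" from mount's point of view, and the only symptom was the "?" mode fields, so the script treats that as a failure and unmounts instead of copying unreadable data.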


This is an attempt to fix it myself:

  1. Dustin Kirkland wrote in 2008:

    [...] you're trying to unwrap the mount passphrase with the wrong login password. You might try both your current, and your new password, or any other that you might have used. When you can unwrap your mount passphrase successfully, you should be able to perform the mount.

  2. The login username and login password for the new system are identical to the ones for the old system. I have written down the passphrase and I know it's correct (see proof in my question).

  3. This similar problem might be worth checking out: Trying to mount old encrypted home

  4. Also, something on the new system might not be working correctly. To rule this out, boot on a LiveCD and try from there.

...to be updated as I go along!

Tags:

Ecryptfs

11.04