Announcement

**NickStone** · Aug 31, 2012, 09:32 AM

There is a program called "magicrescue" should be in the repository. If you can create a live USB and install this program on to it then you might be able to recover your home partition using this program. File recovery utilities are not 100% accurate and may not be able to recover the undeleted files.

The best way of recovering deleted or damaged file system is to create regular backups and restore the file or files that you deleted by accident.

I created a live USB from the Lubuntu distro and installed both ClamAV and MagicRescue so that I can use it as a rescue disk should something drastic happen.

If you attempt to use something like MagicRescue don't write anything else to the disk.

**SecretCode** · Aug 31, 2012, 01:30 PM

Originally posted by avocado View Post

Even if I recover the files will they be irretrtievably encrypted?

The way I understand ecryptfs is that files (and directories, which are special files) are stored with encrypted contents and names, but otherwise use the regular file system structure, so recovery utilities may be able to piece together some of the files.

I also think that each file is encrypted on its own, so you should be able to decrypt whichever ones you recover using the original encryption password ... but you'll be very lucky if you can mount the encrypted data as a file system, so you would probably need to find a method of decrypting individual files rather than using the filesystem driver.

Recovery tools like testdisk may be of some help, but tools like photorec that identify magic strings within files won't be of any use.

This must have happened to somebody before! And there may be advice around the web.

**SecretCode** · Aug 31, 2012, 01:33 PM

This guy seems to have a similar problem to yours: [kubuntu] How to recover deleted .ecryptfs folder - Ubuntu Forums

More seriously - have you looked at From the Canyon Edge - : - Dustin Kirkland: Introducing ecryptfs-recover-private -- Recover your Encrypted Private Directory!

**avocado** · Sep 01, 2012, 02:05 AM

Thanks very much for your suggestions.

HI guys,

Thanks very much for your suggestions.

The 'Canyon Edge' link looks very promising.
I'll have a go at that later today.

I did keep a backup of my 'home' folder using rsync but discovered after making the error that it was only backing up the directory structure and not the files therein.
I wonder if this is also related to ecryptfs as the encrypted files are kept above the 'home' directory.
I chose the 'encrypt your home folder' option when I installed Kubuntu, but I didn't understand it worked in that way (obviously).
It was while making my backup again that I noticed the encrypted files and thought they were some kind of duplicate that I didn't need.
I thought I could safely try deleting as I had a back up anyway. Doh.
Hence my situation...

I'll post back my results.
Thanks again.

**avocado** · Sep 04, 2012, 03:16 AM

Hey,

It's not going so well.

I have been using a live ubuntu usb drive to try to recover the lost files.
Not having success so far.

Using testdisk, I can only see a single ecryptfs file which I can recover, but I cannot see the deleted home folder or related ecryptfs files.
I think this may be because I am on ext4?

Using extundelete, --restore-all on the root of the drive I get a list of ECRYPTFS_FNEK_ENCRYPTED.LotsofLettersandNumbersHer e files but it says 'unable to restore inode' and 'no data found'.

Can anyone guide me here, please?
I'm pretty linux competent but not familiar with file recovery.

Thanks.

**Guest** · Aug 04, 2013, 09:37 AM

Hi avocado,

I have a similar problem, could you find a way to read those encrypted files ?

Best regards

**SteveRiley** · Aug 05, 2013, 12:53 AM

Did you delete only the subdirectory ~/.ecryptfs, or did you also delete others?

**Guest** · Aug 05, 2013, 02:38 AM

Thank you for answering,

Actually, its a bit more difficult. The whole disk have been formatted and overwritten with Windows. I first tried with testdisk to recover the partition table but no luck with that. So i tried to recover individual files with Photorec, it still right now working but it could till now recover thousands of *.ecryptfs files. So I'm wondering if there is a way to read those files, to decrypt them knowing that i still have the login and password that were used.

**SteveRiley** · Aug 05, 2013, 12:57 PM

If you have lost your private keys and also overwritten a large part of your disk with new data, then I'm sorry but you've likely lost nearly everything.

Announcement

How to recover deleted .ecryptfs folder

How to recover deleted .ecryptfs folder

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment