How I fixed it:

I fired up the ubuntu installer and wiped my root partition. The new fresh install feels much healthier than the old one, so probably necessary anyway.

Upon first login I got a reminder to save my ecryptfs key in a safe place - I do not recall doing that from my previous install.

When I assembled my home-folder array I found what I thought was my encrypted data:

    root@computer:~/mnt/user# ls -la
    total 8
    dr-x------ 2 user user 4096 jul  2  2011 .
    drwxr-xr-x 8 root root 4096 feb 18  2015 ..
    lrwxrwxrwx 1 user user   56 jul  2  2011 Access-Your-Private-Data.desktop -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.desktop
    lrwxrwxrwx 1 user user   33 jul  2  2011 .ecryptfs -> /home/.ecryptfs/user/.ecryptfs
    lrwxrwxrwx 1 user user   32 jul  2  2011 .Private -> /home/.ecryptfs/user/.Private
    lrwxrwxrwx 1 user user   52 jul  2  2011 README.txt -> /usr/share/ecryptfs-utils/ecryptfs-mount-private.txt

But I was not able to unlock it.

    root@computer:~# ecryptfs-unwrap-passphrase /root/mnt/user/.ecryptfs/wrapped
    Passphrase:
    ffffffffffffffffffffffffffffffff
    root@computer:~# ecryptfs-recover-private /root/mnt/user
    INFO: Found [/root/mnt/user].
    Try to recover this directory? [Y/n]:
    INFO: Could not find your wrapped passphrase file.
    INFO: To recover this directory, you MUST have your original MOUNT passphras
    INFO: When you first setup your encrypted private directory, you were told t
    INFO: your MOUNT passphrase.
    INFO: It should be 32 characters long, consisting of [0-9] and [a-f].
    Enter your MOUNT passphrase:
    INFO: Success!  Private data mounted at [/tmp/ecryptfs.lls9FwPj].
    root@computer:~# ls -la /tmp/ecryptfs.lls9FwPj
    total 8
    dr-x------  2 user user 4096 Jul  2  2011 .
    drwxrwxrwt 11 root root 4096 Sep 11 11:08 ..
    lrwxrwxrwx  1 user user   32 Jul  2  2011 .Private -> /home/.ecryptfs/user/.
    lrwxrwxrwx  1 user user   33 Jul  2  2011 .ecryptfs -> /home/.ecryptfs/user/
    lrwxrwxrwx  1 user user   56 Jul  2  2011 Access-Your-Private-Data.desktop -
    lrwxrwxrwx  1 user user   52 Jul  2  2011 README.txt -> /usr/share/ecryptfs-

No errors, but the mount point only contains the same unencrypted data as the source folder.

Using ecryptfs-unwrap-passphrase /root/mnt/user/.ecryptfs/wrapped-passphrase I did get a key, but unfortunately it was the same one I got if I didn't supply the file as an argument, so I guess I only got my current key, not the one for the old data.

Seems both the old and new wrapped-passphrase files were the same:

    root@computer:~# mount | grep md0
    /dev/md0 on /root/mnt type ext4 (rw,relatime,data=ordered)
    root@computer:~# md5sum /home/user/.ecryptfs/wrapped-passphrase /root/mnt/user/.ecryptfs/wrapped-passphrase
    52da6f1ea1ffff114795c7613b5c560e  /home/user/.ecryptfs/wrapped-passphrase
    52da6f1ea1ffff114795c7613b5c560e  /root/mnt/user/.ecryptfs/wrapped-passphrase

I found that very odd, as the md0 was not even assembled during install.

That submystery was however solved by me reading properly:

    root@computer:~# ls -l /root/mnt/user/.Private
    lrwxrwxrwx 1 user user 32 Jul  2  2011 /root/mnt/user/.Private -> /home/.ecryptfs/user/.Private

Seems I'd been acting on a symlink to the new home folder instead of the old data.

Reading the right file gave another (correct) key!

    root@computer:~/mnt/.ecryptfs/user# ecryptfs-unwrap-passphrase /root/mnt/.ecryptfs/user/.ecryptfs/wrapped-passphrase
    Passphrase:
    eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

Which is really the answer to my initial question: the wrapped-passphrase file is encrypted using my login password, so as long as I have that file and know my password I should be able to access my data.

Using a saner path/key combination unfortunately did not make much of a difference:

    root@computer:~/mnt/.ecryptfs/user# ls -al
    total 52
    drwxr-xr-x   4 user user  4096 Jul  2  2011 .
    drwxr-xr-x   3 root root  4096 Jul  2  2011 ..
    drwxr-xr-x 121 user user 36864 Sep  8 14:58 .Private
    drwx------   2 user user  4096 Mar 15  2015 .ecryptfs
    root@computer:~/mnt/.ecryptfs/user# ecryptfs-recover-private /root/mnt/.ecryptfs/user
    INFO: Found [/root/mnt/.ecryptfs/user].
    Try to recover this directory? [Y/n]:
    INFO: Could not find your wrapped passphrase file.
    INFO: To recover this directory, you MUST have your original MOUNT passphrase.
    INFO: When you first setup your encrypted private directory, you were told to record
    INFO: your MOUNT passphrase.
    INFO: It should be 32 characters long, consisting of [0-9] and [a-f].
    Enter your MOUNT passphrase:
    INFO: Success!  Private data mounted at [/tmp/ecryptfs.dKQkSvjC].
    root@computer:~/mnt/.ecryptfs/user# ls -al /tmp/ecryptfs.dKQkSvjC
    total 52
    drwxr-xr-x   4 user user  4096 Jul  2  2011 .
    drwxrwxrwt  12 root root  4096 Sep 11 12:32 ..
    drwxr-xr-x 121 user user 36864 Sep  8 14:58 .Private
    drwx------   2 user user  4096 Mar 15  2015 .ecryptfs

Since some of the ecryptfs-tools have hardcoded paths I even tried:

    root@computer:~# mount /dev/md0 /home
    root@computer:~# su - user
    Signature not found in user keyring
    Perhaps try the interactive 'ecryptfs-mount-private'
    To run a command as administrator (user "root"), use "sudo <command>".
    See "man sudo_root" for details.

    user@computer:~$ ecryptfs-mount-private
    Enter your login passphrase:
    Inserted auth tok with sig [e403598bcfe01170] into the user session keyring
    mount: No such file or directory

But no cigar there either.

Doing the same thing without mounting md0 to /home does not work either, however.

    user@computer:~$ dash -e -x `which ecryptfs-mount-private`
    + PRIVATE_DIR=Private
    + WRAPPING_PASS=LOGIN
    + PW_ATTEMPTS=3
    + TEXTDOMAIN=ecryptfs-utils
    + gettext Enter your login passphrase:
    + MESSAGE=Enter your login passphrase:
    + [ -f /home/user/.ecryptfs/wrapping-independent ]
    + WRAPPED_PASSPHRASE_FILE=/home/user/.ecryptfs/wrapped-passphrase
    + MOUNT_PASSPHRASE_SIG_FILE=/home/user/.ecryptfs/Private.sig
    + /sbin/mount.ecryptfs_private
    + [ -f /home/user/.ecryptfs/wrapped-passphrase -a -f /home/user/.ecryptfs/Private.sig ]
    + tries=0
    + stty -g
    + stty_orig=2d00:5:bd:ca1b:3:1c:7f:1f:4:0:1:0:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
    + [ 0 -lt 3 ]
    + echo -n Enter your login passphrase:
    Enter your login passphrase:+ stty -echo
    + head -n1
    + LOGINPASS=MyLoginPassword
    + stty 2d00:5:bd:ca1b:3:1c:7f:1f:4:0:1:0:11:13:1a:ff:12:f:17:16:ff:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
    + echo
    + wc -l
    + [ 2 = 1 ]
    + printf %s\0 MyLoginPassword
    + ecryptfs-insert-wrapped-passphrase-into-keyring /home/user/.ecryptfs/wrapped-passphrase -
    Inserted auth tok with sig [93196f7a8af1fdfe] into the user session keyring
    + break
    + [ 0 -ge 3 ]
    + /sbin/mount.ecryptfs_private
    mount: No such file or directory
    user@computer:~$ ls -l /sbin/mount.ecryptfs*
    -rwxr-xr-x 1 root root 25944 jul 13 19:13 /sbin/mount.ecryptfs
    -rwsr-xr-x 1 root root 19024 jul 13 19:13 /sbin/mount.ecryptfs_private

So there is probably some magic happening (via PAM?) during normal login that's missing in my example.

Booting a live CD I was able to access the data!

    root@ubuntu:~# apt install mdadm
    Reading package lists... Done
    [...]
    root@ubuntu:~# mdadm --assemble /dev/md0 /dev/sd[bc]1
    mdadm: /dev/md0 has been started with 2 drives.
    root@ubuntu:~# mount /dev/md0 /home
    root@ubuntu:/home# ecryptfs-recover-private /home/.ecryptfs/user/.Private
    INFO: Found [/home/.ecryptfs/user/.Private].
    Try to recover this directory? [Y/n]:
    INFO: Found your wrapped-passphrase
    Do you know your LOGIN passphrase? [Y/n] Y
    INFO: Enter your LOGIN passphrase...
    Passphrase:
    Inserted auth tok with sig [f403498bcfd01070] into the user session keyring
    INFO: Success!  Private data mounted at [/tmp/ecryptfs.uHQ0z177].
    root@ubuntu:/home# ls /tmp/ecryptfs.uHQ0z177/ | grep Doc
    Documents

But even then the tools work less than perfectly:

    root@ubuntu:/home# ecryptfs-recover-private
    INFO: Searching for encrypted private directories (this might take a while)...
    find: ‘/run/user/999/gvfs’: Permission denied
    find: File system loop detected; ‘/sys/kernel/debug/pinctrl’ is part of the same file system loop as ‘/sys/kernel/debug’.

So I'm starting to think that most problems I've had with this are just that ecryptfs could probably be improved quite a bit on the usability side of things.

Rebooting into my real install I'm now able to access the data:

    root@computer:~# mount /dev/md0 mnt
    root@computer:~/mnt/.ecryptfs/user/.Private# cd /root/mnt/.ecryptfs/user/.Private/
    root@computer:~/mnt/.ecryptfs/user/.Private# ecryptfs-recover-private .
    INFO: Found [.].
    Try to recover this directory? [Y/n]:
    INFO: Found your wrapped-passphrase
    Do you know your LOGIN passphrase? [Y/n]
    INFO: Enter your LOGIN passphrase...
    Passphrase:
    Inserted auth tok with sig [f4f3498bcfd01070] into the user session keyring
    INFO: Success!  Private data mounted at [/tmp/ecryptfs.ZMqBVhRu].
    root@computer:~/mnt/.ecryptfs/user/.Private# ls /tmp/ecryptfs.ZMqBVhRu | grep Doc
    Documents

EDIT:

Seems the "search" tool ecryptfs-recover-private is not that good at locating .Private folders. Giving the right absolute path works as it should.

ecryptfs-recover-private only searches when not supplied with any argument. If a path is supplied it must be pointing to the .Private folder.

In this example:

    ecryptfs-recover-private /root/mnt/.ecryptfs/user/.Private

And, yes, wrapped-passphrase is obfuscated using your LOGIN password; if you know your password and have the file you do not need the actual KEY printout.

Sorry for the long post, but hopefully my "diary" here can save someone else a few hours.