Sorry, I was looking at some old notes. You should mount using the -i option to suppress the ecryptfs mount helper if you're using a passphrase stored in your keyring. -Damian On Tue, Jul 7, 2015 at 2:21 PM, Wiest, Damian <damian.wiest@xxxxxxxxxxxx> wrote: > If you've got a copy of the auth tok sig that was used, you can > repeatedly call ecryptfs-add-passphrase with your guess until you get > a match. This will add the passphrase to your keyring, so you may > want to clean up bad guesses with keyctl. > > To avoid this situation in the future I would suggest using either the > ecryptfs-manager or ecryptfs-insert-wrapped-passphrase commands to > load the passphrase to your keyring. ecryptfs-manager will ask you to > enter your passphrase twice to catch typos and the > ecryptfs-insert-wrapped-passphrase command will fail if you enter the > wrapping passphrase incorrectly. You can then use the auth tok sig in > your mount command instead of the actual passphrase. > > # ecryptfs-insert-wrapped-passphrase-into-keyring ./wrapped.passphrase > Passphrase: > Inserted auth tok with sig [2df13936c580ecff] into the user session keyring > > # mount -t ecryptfs ./.secret ./secret -o > ecryptfs_sig=2df13936c580ecff,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,key=passphrase,ecryptfs_enable_filename_crypto=n,ecryptfs_passthrough=n > Passphrase: > Attempting to mount with the following options: > ecryptfs_unlink_sigs > ecryptfs_fnek_sig=4e8a0ece5dbf48c8 > ecryptfs_key_bytes=16 > ecryptfs_cipher=aes > ecryptfs_sig=ff09227dc73d8090 > Mounted eCryptfs > > You will still be prompted for a passphrase when mounting, but you can > enter anything and ecryptfs will use the sig you provided to locate > the passphrase in your keyring. Be aware that the values for > ecryptfs_sig and ecryptfs_fnek_sig that will displayed after mounting > are bogus. Also, always test mounting your filesystem a few times to > ensure there are no surprises and backup your passphrase to a secure > location. > > -Damian > > > On Mon, Jul 6, 2015 at 5:58 PM, Marc Peña Segarra <segarrra@xxxxxxxxx> wrote: >> >> Hi all, >> >> I'm using Ubuntu 14.04 and I use ecryptfs to encrypt arbitrary >> directories; to mount the directories I use a command like this: >> >> sudo mount -t ecryptfs .secret/ secret/ -o >> key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n >> >> The thing is that, somehow, I messed it up when pasting the password >> on the first mount in one of the directories (yeah, I know that the >> message saying that I've never mounted with that key before should >> have been quite clarifying)...copied all the data and unmounted it. >> >> Now, when I mount it and try to read files I get errors and messages >> like this in dmesg: >> >> [ 4210.614158] ecryptfs_parse_options: eCryptfs: unrecognized option >> [ecryptfs_debug=5] >> [ 4215.347261] Could not find key with description: [306437480dxxxxxx] >> [ 4215.347269] process_request_key_err: No key >> [ 4215.347272] ecryptfs_parse_packet_set: Could not find a usable >> authentication token >> [ 4215.347277] Valid eCryptfs headers not found in file header region >> or xattr region, inode 919485 >> >> After downloading the code of the Ubuntu package I found out that in >> the directory tests/userspace there were the tests for verifying >> passphase signs, so I thought that I could use that to iterate through >> mutations of the pasted passphrase in the hope of reproducing the mess >> I provoked. >> >> The problem I'm having is that the test program expects four parameters: >> pass >> salt >> expected_sig >> expected_fekek >> >> But since in my configuration I don't have a "file encryption key, >> encryption key" I don't know how I could modify it in order to try to >> find my passphrase; or should I use any other executable from >> ecryptfs? >> >> Thanks a lot! >> -- >> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in >> the body of a message to majordomo@xxxxxxxxxxxxxxx >> More majordomo info at http://vger.kernel.org/majordomo-info.html -- Confidentiality Notice: This e-mail transmission may contain confidential or legally privileged information that is intended only for the individual or entity named in the e-mail address. If you have received this communication in error, please notify me by return e-mail, and destroy this communication and all copies thereof, including any attachments. Apervita ® is a registered trademark of Apervita Inc. -- To unsubscribe from this list: send the line "unsubscribe ecryptfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
