On 2019-11-04 18:29:54, Vinícius Ávila Eichenberg wrote:
> Hello, I've posted a question on Crypto Stack Exchange and someone
> suggested that I ask here. This is my first time using a mailing list so
> I don't know if this is the right way to do it.

Hello - Your email arrived just fine.

>
> I have about two years of ecryptfs backups and I need to find a
> specific deleted file that probably was on one of these backups. I made a
> list of all the filenames but don't know how to decrypt/decode them in any
> way. Found already the key using keyctl but don't know what is the next
> step but read something about parse tag 70 (?). As there are a lot of
> backups it would be very time consuming to extract, mount all of them and
> search for a file.

There is no existing utility, that I'm aware of, to decrypt/decode
eCryptfs file names.

The original eCryptfs design followed RFC 4880 (OpenPGP) for formatting
the crypto metadata that eCryptfs stores for each encrypted file. You'll
see some of the kernel code referencing various "tag N" packet formats
and most of those came from RFC 4880. The "tag 70" format used for
filename encryption is one-off, if I remember correctly, and doesn't
follow any pre-existing standards.

> I don't have a lot of programming skills besides the very basics but I'm
> willing to learn if it's necessary but thought that there must be some command
> like " openssl *** " that can help me.

Unfortunately, no command will be of any help. A utility will have to be
written or you'll have to script up the commands needed to mount and
search your backups.

Tyler

> English is not my primary language so if it needs more explaining I'll be
> glad to reformulate.
>
> Question on Crypto Stack Exchange (but I believe this email is a lot better
> on the explaining side):
> https://crypto.stackexchange.com/questions/75500/how-to-decode-decrypt-ecryptfs-filename
>
> Thanks in advance!
> Vinicius