• Duplicated encryption during install


    I was trying to install Antergos when I totally screwed up my encrypted /home folder. Here is what happened:

    My /home is sda6 and is default encrypted by Ubuntu, which is so far my main distro. During install with Cnchi I mistakenly told the script to mount sda6 as /home (with a different user as the one I use on Ubuntu), but added the option to encrypt with LUKS, because I thought that it was necessary in order to mount it. My fault. Now I can’t access my original /home, and I’m not even able to “see” the link to the encrypted home directory on Nautilus.

    Any help will be greatly appreciated. Thanks

  • Hi,

    Sorry to hear that. I’ll add an item in my TODO list to check if a partition is already encrypted to not encrypt it again!

    Well, back to your problem, I’ve NEVER tried to encrypt an already encrypted partition, so I can’t really help much here.

    Have you tried just to open it twice?

    sudo cryptsetup luksOpen /dev/sda6 AntergosHome
    and then:
    sudo cryptsetup luksOpen /dev/mapper/AntergosHome my_volume_name_in_ubuntu

    I’m positive about the first one, but I don’t know if the second one is even possible.

    I hope somebody with more experience with LUKS can shred some light here.

    Cheers!

  • @karasu Thanks for your reply.

    I’ve managed to mount the sda6 Antergos /home within the live USB easily: it only required gnome-disks to be run as root. The “upstart” session provided by the Ubuntu grub allows me as well to mount on tty1 the Antergos /home after the luksOpen first piece of code you wrote. However, I can’t find the way to access the original directory. It simply looks as if there is no more data other than the default folders. On the other hand, even if I succeed to mount it on the “upstart” session, it doesn’t let me login within a GUI environment. Only Ubuntu let me make use of the Guest session.

  • @ludenticus
    Let’s see…

    I’ve managed to mount the sda6 Antergos /home within the live USB easily: it only required gnome-disks to be run as root.

    But you still see an encrypted volume, isn’t it? Have you tried after this to open the device as I wrote in the second command?

    The “upstart” session provided by the Ubuntu grub allows me as well to mount on tty1 the Antergos /home after the luksOpen first piece of code you wrote.

    Same here, did you try, after the first command, run the second one?

    The idea is to try to mount TWICE the device. One for the antergos luks encryption and the other one for the ubuntu luks encryption you already had performed.

    Cheers!

  • @karasu

    So far, I have a working Antergos. First, I changed the fstab not to mount any /home partition; after that, I created a dir in /home/myname and chown’ed it.

    Now, the bad news is that I don’t see any second encrypted folder/file.

    In gnome-disks, I have the following:

    Screenshot from 2015-05-19 08-21-25.png

    It means that I can open/manage the encrypted partition. It asks twice for a password.

    After unlocking, however, it states that the device is 1.6% full, which I’m quite sure that is not the case. Before this huge mess, I was actually beginning a process of cleaning old/unused stuff.

    Screenshot from 2015-05-19 08-29-22.png

    At the mount point, I can only find the folder the install script automatically created and an empty lost+found folder.

    Screenshot from 2015-05-19 08-47-24.png

    I have tried the ecryptfs-recover-private command once this partition is mounted, but the output is simply: ERROR: No private directories found; make sure that your root filesystem is mounted.

    I have tried as well your suggestion of a second luksOpen. However, the answer is always the same: this is not a valid LUKS device.

    Screenshot from 2015-05-19 09-03-27.png

    Thanks a lot for your help!

  • @ludenticus Oh, I think I misunderstood you.

    You encrypted ONLY your home directory with the Ubuntu installer? Ubuntu encrypts the user directory using ecryptfs (if I recall correclty), and that’s not the same as LUKS. You SHOULD see your encrypted files after opening your partition with LUKS.

    It looks like your home partition is about 900GB and you have 20GB used. Do you think this can be right?

    Please, use CTRL+H in nautilus to see all hidden files. I’m not sure, but I think that what ecryptfs does is create another hidden directory inside /home (starts with a dot) and there stores all the encrypted files). I might be wrong because I’ve never used ecryptfs.

  • @karasu

    You are right. Ubuntu uses ecryptfs and it had encrypted my /home folder and not the whole partition, as far as I can tell.

    I had already tried to discover any hidden file/folder. No luck so far. After mounting the LUKS partition, there are only two folders inside it: the output of sudo ls -la -R /run/media/evillegas/4a9784dc-6816-48f4-9264-ce7078b4673a, which is the mounting point of /dev/sda6, shows nothing but the /evillegas (intended as home folder) and the default associated folders recently created, and the .lost+found. That’s why gnome-disk-utility reported only 1.6% used, when I’m sure that it is almost full. Same story with baobab as root:

    Screenshot from 2015-05-20 19-13-41.png

    lsblk gives the following output

    Screenshot from 2015-05-20 18-40-21.png

    ls -la /dev/disk/by-uuid/ results in:

    Screenshot from 2015-05-20 18-44-12.png

    /dev/disk/by-id/

    Screenshot from 2015-05-20 18-56-59.png
    My «original» /home partition, however, had a different UUID, not listed above. In the Ubuntu /etc/fstab there was this line (no longer working as such if I copy it to the Antergos /etc/fstab/ or if I leave it within Ubuntu boot):

    Screenshot from 2015-05-20 18-53-31.png

  • @ludenticus

    I’m terribly sorry but I think you lost your files. I’ve checked the code and to be able to create a LUKS encrypted partition it needs to wipe out the first 2MB of the partition (so if it’s already encrypted it won’t fail), so it deleted your filesystem information.

    I do not know if there’s some tool that would be able to restore those files (as the data is there).

    I will add a warning in Cnchi for the user when it selects using LUKS on a partition.

  • @karasu

    I will try to recover the ext4 lost partition via testdisk. Before doing any change in a copy of the 900Gb original, I’m going to create a «dummy» partition, so to speak, and see if there is any chance. Please, indicate me the commands of the cnchi python installer, provided that my options were:

    1. mount /dev/sda6 as home
    2. use LUKS encryption
    3. not to format the partition

    I guess something went wrong (apart from my data loss), because not even the Antergos system recognized the partition after the install. Maybe my indication not to format left an incomplete encryption?

    Anyway, thanks for the follow-up.

  • @ludenticus
    I’ve been using an encrypted home in Ubuntu for many years and I never lost my data. Ubuntu encrypts only your personal folder, not a whole partition, and it’s easy to recover your data in case of problem. Just type:
    sudo ecryptfs-recover-private
    (Of course, after you mount your LUKS partition). It should look for encrypted folders and ask for your password if it finds any. Then it will show your files and you can copy them to a safe place.
    I run this from another Ubuntu, or from a live Ubuntu cd. I think it may be run also from Antergos, since you can install the package “ecryptfs-utils” from arch, but I never tried it.

    Intel NUC D54250WYK, 16 Gb RAM, 1 Tb SSD
    Multi -boot (no MS-Win &no UEFI) Legacy MBR with GPT

  • @ant77 It won’t work. The problem is that when creating the LUKS partition, Cnchi deletes the first 2MB, to be able to create the LUKS encryption (if Cnchi does not do this and the partition was encrypted before, this new encryption would fail).

    I’ve added a warning message that will be displayed in Cnchi 0.10, so this never happens again.

    I never thought somebody would try to encrypt a partition with LUKS with preexisting data on it, my bad.

    So @ludenticus , of your list, before encrypting the partition with LUKS (point 2), Cnchi wipes out the first 2MB of the partition (but never formats the entire partition). Even there’s hope, I would not be very optimistic about recovering your data, sorry.

  • @karasu
    Thanks for explaining …and sorry for @ludenticus 's data.
    Is there any hope that Antergos will go the “debian way” for encrypting home (with ecryptfs). LUKS is great for empty partitions or external HD or USB sticks, but NOT for home folders.
    I tried many times to use ecryptfs on Arch (I followed step by step their wiki guide), but always failed:
    lsof: WARNING: can’t stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs

    Intel NUC D54250WYK, 16 Gb RAM, 1 Tb SSD
    Multi -boot (no MS-Win &no UEFI) Legacy MBR with GPT

  • @ant77 In fact, some work is already done in Cnchi to use it, but I’ve never got the time to finnish it. Oh, but I went to use encFS instead of encryptFS. To tell you the truth, I can’t decide which one is better.

    https://wiki.archlinux.org/index.php/EncFS#Comparison_to_eCryptFS

    Cheers!

luks14 encryption11 install78 home3 cnchi113 Posts 13Views 3576
Log in to reply