6

I have an encrypted share folder on my Synology NAS DS413 (which uses ecryptfs). I can manually mount the encrypted folder and read the decrypted files without issue, using Synology's GUI. For some reason, I have never been able to mount the encrypted folder using my passphrase. But I can always do it by using the private key generated during ecryptfs setup.

So I have since been doing some research on decrypting the encrypted files without a Synology (for example if this thing catches fire or is stolen and I need to restore from backup). I've read several threads and howtos on decrypting Synology/ecryptfs encrypted shares using Linux and ecryptfs-utils. But the howtos always tell you to provide the passphrase and never mention the use of the key for decryption. So my question is: how do I decrypt using the key (which works to mount and decrypt with Synology's software)? The key I have is 80 bytes and is binary. The first 16 bytes are integers only and the remaining bytes appear to be random hex.

Thanks for any tips!

kevincw01
  • 1
    I'd be far more concerned about disk failure & power surges, or accidental overwrite, than I would be about fire & theft. And what's synologies & just wondering what system are you running, Ubuntu, Arch, Debian, etc? – Xen2050 Jan 14 '15 at 01:52
  • raid 5 and ecryptfs backup to amazon glacier – kevincw01 Jan 14 '15 at 14:23

2 Answers

8

Short answer: Use the passphrase $1$5YN01o9y to reveal your actual passphrase from the keyfile with ecryptfs-unwrap-passphrase (the backslashes escape the $ letters):

printf "%s" "\$1\$5YN01o9y" | ecryptfs-unwrap-passphrase keyfile.key -

Then use your passphrase with one of the instructions you probably already know, like AlexP's answer here or Robert Castle's article.

Or do it all in a single line:

mount -t ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,passwd="$(printf "%s" "\$1\$5YN01o9y" | ecryptfs-unwrap-passphrase /path/to/keyfile.key -)" /path/to/encrypted/folder /path/to/mountpoint

I just tested the whole decryption process with a keyfile and can confirm it's working:

  • Created a new encrypted shared folder in DSM 6.2 and downloaded the keyfile.
  • Shut down the NAS, removed a drive, connected it to an Ubuntu x64 18.04.2 machine and mounted the raid and volume group there.
  • Installed ecryptfs-utils and successfully got access to the decrypted data using the mount command mentioned above with the downloaded keyfile.

Credits: I found that $1$5YN01o9y-passphrase in a post in a German Synology forum. The user that probably actually found out the secret in 2014 is known there as Bastian (b666m).

x-ray
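A pre-flight wrapper around the two commands in the answer above, added here as an example and not part of the original post: it checks that the key file has the layout the question describes (80 bytes, starting with 16 hex digits) before unwrapping and mounting. The function names, the return codes, and treating that layout as the v1 eCryptfs wrapped-passphrase format are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer). Assumption: the Synology key file is a
# v1 eCryptfs wrapped-passphrase file, matching the layout in the question:
# 80 bytes = 16 hex-digit signature + 64 bytes of encrypted passphrase.

WRAP_PASS='$1$5YN01o9y'   # wrapping passphrase quoted in the answer above

# Return 0 if FILE has the expected structure, 1 otherwise.
keyfile_is_wrapped_v1() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    size=$(wc -c < "$1")
    [ "$size" -eq 80 ] || return 1
    # Count bytes among the first 16 that are NOT hex digits; must be zero.
    bad=$(dd if="$1" bs=16 count=1 2>/dev/null | LC_ALL=C tr -d '0-9a-fA-F' | wc -c)
    [ "$bad" -eq 0 ]
}

# Usage: unwrap_and_mount KEYFILE CRYPTDIR TARGET  (hypothetical helper name)
# Returns 2 on a malformed key file, 3 if unwrapping fails, else mount's status.
unwrap_and_mount() {
    keyfile=$1 cryptdir=$2 target=$3
    if ! keyfile_is_wrapped_v1 "$keyfile"; then
        echo "refusing: $keyfile is not an 80-byte wrapped-passphrase file" >&2
        return 2
    fi
    # Same unwrap command as the answer; the wrapping passphrase goes in on stdin.
    pass=$(printf '%s' "$WRAP_PASS" | ecryptfs-unwrap-passphrase "$keyfile" -) || return 3
    [ -n "$pass" ] || return 3
    opts="key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32"
    opts="$opts,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes"
    # Note: passwd= on the command line is visible in process listings while
    # mount runs, so do this on a single-user recovery machine.
    mount -t ecryptfs -o "$opts,passwd=$pass" "$cryptdir" "$target"
}
```

Running the structural check against the key file stored with your backups catches a truncated or re-encoded copy before the day you need it.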
2

See "How To Recover Synology encrypted folders in Linux" by Robert Castle. Summary:

MOUNTOPTIONS=""
for option in                           \
  "key=passphrase"                      \
  "ecryptfs_cipher=aes"                 \
  "ecryptfs_key_bytes=32"               \
  "ecryptfs_passthrough=no"             \
  "ecryptfs_enable_filename_crypto=yes" \
; do
  MOUNTOPTIONS="${MOUNTOPTIONS}${MOUNTOPTIONS:+,}$option"
done
sudo mount -t ecryptfs -o "$MOUNTOPTIONS,passwd=$PASSWORD" "$CRYPTDIR" "$TARGET"
AlexP
  • Sorry, you're using the passphrase and not the key. – kevincw01 Dec 08 '16 at 14:09
  • @kevincw01: Read the linked article, not just my summary. You can mount the filesystem by first adding the key to the keyring. – AlexP Dec 08 '16 at 15:24
  • 3
    I did read it. In fact that's the article I originally read before I posted this question. I reread it just now to make sure and I don't see anything that talks about how to use the key file instead of the passphrase. – kevincw01 Dec 08 '16 at 19:09
  • 1
    @kevincw01: What exactly is "the private key generated during ecryptfs setup"? Is it something other than the eCryptfs wrapped passphrase? – AlexP Dec 08 '16 at 21:38