Restoring Encrypted Drive to different mount point

Recently, we had an outage which prevented our monolith server from coming back up. Realizing we were around a month away from having to do a fresh install anyway (due to Changelog 71), we decided to install a new Ubuntu Server 22.04 and mount the old drive to the new server, allowing us to copy the data across once set up.

Unfortunately, when we mounted the old drive, we noticed all the /opt/data folders were encrypted, as shown below in Listing 1.

Is there any way to decrypt these drives easily onto another mount point? How would we go about decrypting the data?

root@ip-172-31-26-146:/mnt/previous/opt/data# ls -l
total 1173296
-rwxrwx---  1 root                 root        12288 Jul  3  2021 ECRYPTFS_FNEK_ENCRYPTED.FWbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xO7HHU5sGVWryVJ7zzf0iCp---
drwxr-xr-x  3 lxd                  root         4096 Jun  4 09:20 ECRYPTFS_FNEK_ENCRYPTED.FWbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xO9SZi3Z2tlfXaXSB2uqJ-4---
drwxr-xr-x  3                  998    999       4096 Jul  3  2021 ECRYPTFS_FNEK_ENCRYPTED.FWbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xOHpYnSFYy4R19RfAFET.uSU--
drwx------  6 ec2-instance-connect netdev       4096 May 23 06:11 ECRYPTFS_FNEK_ENCRYPTED.FWbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xOJw6bOqzY1olHbkpEme7icE--
drwx-----x  5 root                 root         4096 Jul  3  2021 ECRYPTFS_FNEK_ENCRYPTED.FWbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xOKnrZVjktv2oT7CR0abubh---
drwx------  7                 1003   1004       4096 Jul  3  2021 ECRYPTFS_FNEK_ENCRYPTED.FWbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xOPz0U.peKKrAxzRyIGBc7VE--
-rw-r--r--  1 root                 root      2768896 May  6 23:56 ECRYPTFS_FNEK_ENCRYPTED.FWbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xOQ95NDHMe8Ov5UUgcrCZMhk--
drwxr-xr-x 11                 1001   3002       4096 Apr 29 13:33 ECRYPTFS_FNEK_ENCRYPTED.FWbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xORryTjDJAh9--kFzRYrxivE--
drwxrwxr-x  3 nobody                 1500  124723200 Jun  4 06:00 ECRYPTFS_FNEK_ENCRYPTED.FWbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xOhzjuXhWo55sHZelE8sMjQU--
-rw-r--r--  1 root                 root   1073750016 Jul  3  2021 ECRYPTFS_FNEK_ENCRYPTED.FXbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xOFdTdE2q5Hxj9afOD4YGOKkOQcRxC2720caFsFyCKDkk-
drwxr-xr-x  4                 1004   1006       4096 Jul  3  2021 ECRYPTFS_FNEK_ENCRYPTED.FXbjk.JOrFq1fUZihm2kxwz1yOIL6yxXr5xOjvFB1YA7P.EOZUBP7HT-dmkOMPVL7RsZuzJDqD30nKk-


Listing 1. /opt/data is encrypted

You should be able to use commcare-cloud to decrypt it:

cchq monolith ap deploy_db.yml --tags ecryptfs

Alternately, you could follow the steps that this playbook would run.

You can retrieve your ecryptfs password from your vault file:

cchq monolith secrets view ECRYPTFS_PASSWORD

Then you can run ecryptfs commands manually:

# Add the password to the keyring. This should prompt for the password and output a hash.
ecryptfs-add-passphrase

# mount the directory
mount -t ecryptfs -o key=passphrase:passphrase_passwd={{ ECRYPTFS_PASSWORD }},user,noauto,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig={{ PASSWORD_HASH }},verbosity=0 /opt/data/ /opt/data/
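The steps above (fetch the passphrase, insert it into the keyring to learn its signature, then mount with that signature) can be scripted so the old drive's /opt/data is mounted decrypted at a different mount point, which is what the question asks for. The script below is an added example, not commcare-cloud's playbook and not code from anyone in this thread; the function names (write_passfile, extract_sig, build_mount_opts, looks_encrypted, restore_mount) are its own, and it assumes ecryptfs-utils is installed, it runs as root, and the passphrase was obtained as described (cchq ... secrets view ECRYPTFS_PASSWORD or ansible-vault view). It differs from the one-liner above in one deliberate way: it passes the passphrase through mount.ecryptfs's passphrase_passwd_file= option instead of passphrase_passwd=, so the secret does not appear in `ps` output or in root's shell history.

```shell
#!/bin/sh
# Added example (not commcare-cloud's playbook, not Simon's or Dirk's code):
# mount an eCryptfs lower directory at a DIFFERENT mount point, keeping the
# passphrase off the mount command line. Assumes ecryptfs-utils, root, and a
# passphrase retrieved as the thread describes. Function names are this
# example's own.

# Write the passphrase (read from stdin) into a 0600 file in the form
# mount.ecryptfs expects for passphrase_passwd_file=.
# Usage: printf '%s' "$PASS" | write_passfile /root/ecryptfs.pass
write_passfile() {
    (
        umask 077
        printf 'passphrase_passwd=%s\n' "$(cat)" > "$1"
    )
}

# Parse the key signature out of ecryptfs-add-passphrase output, e.g.
#   Inserted auth tok with sig [efc0155XXXXXX3ae] into the user session keyring
extract_sig() {
    sed -n 's/.*with sig \[\([^]]*\)\].*/\1/p' | head -n 1
}

# Build the mount option string. $1 = key signature, $2 = passphrase file.
# passphrase_passwd_file= makes mount.ecryptfs read the secret from the file;
# passphrase_passwd= on the command line would expose it to `ps`. The same
# signature serves as ecryptfs_sig and ecryptfs_fnek_sig, as in the thread.
build_mount_opts() {
    printf '%s' "key=passphrase:passphrase_passwd_file=$2,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_sig=$1,ecryptfs_fnek_sig=$1,ecryptfs_enable_filename_crypto=y,ecryptfs_unlink_sigs,verbosity=0"
}

# Return 0 if a directory listing still shows eCryptfs-encrypted names,
# i.e. we are looking at the lower directory without the key.
looks_encrypted() {
    ls -A "$1" 2>/dev/null | grep -q '^ECRYPTFS_FNEK_ENCRYPTED\.'
}

# Mount encrypted lower dir $1 at mount point $2 using passphrase file $3.
restore_mount() {
    lower=$1; upper=$2; passfile=$3
    pass=$(sed -n 's/^passphrase_passwd=//p' "$passfile")
    if [ -z "$pass" ]; then
        echo "no passphrase_passwd= line in $passfile" >&2; return 1
    fi
    if ! looks_encrypted "$lower"; then
        echo "$lower has no ECRYPTFS_FNEK_ENCRYPTED.* entries" >&2; return 1
    fi
    # Insert the passphrase into the user keyring ('-' reads it from stdin)
    # and capture the signature the kernel will look the key up by.
    sig=$(printf '%s' "$pass" | ecryptfs-add-passphrase - | extract_sig)
    if [ -z "$sig" ]; then
        echo "ecryptfs-add-passphrase did not return a signature" >&2; return 1
    fi
    mkdir -p "$upper"
    mount -t ecryptfs -o "$(build_mount_opts "$sig" "$passfile")" "$lower" "$upper" || return 1
    # Sanity check: decrypted names must now be visible at the mount point.
    if looks_encrypted "$upper"; then
        echo "mounted, but names at $upper are still encrypted (wrong passphrase or fnek sig?)" >&2
        umount "$upper"
        return 1
    fi
    echo "decrypted view of $lower available at $upper"
}

# Only act when invoked with arguments, e.g.:
#   sh restore_ecryptfs.sh /mnt/previous/opt/data /mnt/restored/opt/data /root/ecryptfs.pass
if [ $# -eq 3 ]; then
    restore_mount "$1" "$2" "$3"
fi
```

Mounting at a separate, empty mount point (rather than over the lower directory itself, as the playbook does) works because eCryptfs stores the per-file keys, wrapped with the passphrase, in each file's header; the mount point is irrelevant to decryption. Remove the passphrase file (for example with shred -u) once the copy is done, and note that ecryptfs_unlink_sigs drops the key from the keyring again at unmount.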

Brilliant! Thank you Simon!

I didn't have the cchq tools installed and working yet, so I used ansible-vault decrypt to decrypt the vault.yml, and retrieved the ECRYPTFS_PASSWORD password from there. Once I had that, I ran the following, which successfully decrypted my /opt/data folder.

Thanks again,

Dirk

root@ip-172-31-26-146:/mnt/previous/home/ubuntu/.virtualenvs/cchq-3.10/bin# ecryptfs-add-passphrase
Passphrase:
Inserted auth tok with sig [efc0155XXXXXX3ae] into the user session keyring
root@ip-172-31-26-146:/mnt/previous/home/ubuntu/.virtualenvs/cchq-3.10/bin# mount -t ecryptfs -o key=passphrase:passphrase_passwd=c8d56cXX-XXXX-XXXX-XXXX-XX56cd006f68,user,noauto,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs,ecryptfs_enable_filename_crypto=y,ecryptfs_fnek_sig=efc0155XXXXXX3ae,verbosity=0 /mnt/previous/opt/data/ /mnt/previous/opt/data/
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_fnek_sig=efc0155XXXXXX3ae
  ecryptfs_key_bytes=32
  ecryptfs_cipher=aes
  ecryptfs_sig=efc0155XXXXXX3ae
Mounted eCryptfs
root@ip-172-31-26-146:/mnt/previous/home/ubuntu/.virtualenvs/cchq-3.10/bin# cd /mnt/previous/opt/data
root@ip-172-31-26-146:/mnt/previous/opt/data# ls -l
total 1173296
-rwxrwx---  1 root                 root           55 Jul  3  2021 README
drwx-----x  5 root                 root         4096 Jul  3  2021 backups
drwxrwxr-x  3 nobody                 1500  124723200 Jun  4 06:00 blobdb
drwx------  7                 1003   1004       4096 Jul  3  2021 couchdb2
drwxr-xr-x  4                 1004   1006       4096 Jul  3  2021 elasticsearch-2.4.6
-rw-r--r--  1 root                 root   1073741824 Jul  3  2021 emerg_delete.dummy
drwxr-xr-x 11                 1001   3002       4096 Apr 29 13:33 formplayer
drwxr-xr-x  3                  998    999       4096 Jul  3  2021 kafka
drwx------  6 ec2-instance-connect netdev       4096 May 23 06:11 postgresql
drwxr-xr-x  3 lxd                  root         4096 Jun  4 09:20 redis
-rw-r--r--  1 root                 root      2757452 May  6 23:56 redis.bak.tgz
root@ip-172-31-26-146:/mnt/previous/opt/data

