Credit where credit is due: this guide is taken mostly from the Ubuntu wiki page. Also, this is not an easy “one-click” process. You should proceed carefully, especially if you don’t have much experience with the command line.

1. Start Ubuntu (from a separate install, from the LiveCD, etc) and mount the source filesystem (this is usually as simple as going to the Places menu and selecting the partition)
2. Start a terminal (Alt+F2 -> gnome-terminal) and navigate to the partitions home directory. Usually this will look like the following:

   cd /media/9e6325c9-1140-44b7-9d8e-614599b27e05/home/

3. Now navigate to the users ecryptfs directory (things to note: it is ecryptfs not encryptfs and your username does not coincide with your full name – the one you click on when you log in)

   cd .ecryptfs/username

4. The next step is to recovery your “mount password” which is different from the password you use to log in (when it asks you, type in the login password used for this account – for which you are trying to recover the data). Take note of the returned password (you can copy it by selecting it and pressing Shift+Ctrl+C if you are using the Gnome Terminal)

   ecryptfs-unwrap-passphrase .ecryptfs/wrapped-passphrase

5. Now create a directory where you would like to mount the decrypted home directory:

   sudo mkdir /media/decrypted

6. Execute the following and type in (or better – copy-paste) the mount password you’ve recovered earlier

   sudo ecryptfs-add-passphrase --fnek

   It will return something like the following. Take note of the second key (auth tok):

   Inserted auth tok with sig [9986ad986f986af7] into the user session keyring 
   Inserted auth tok with sig [76a9f69af69a86fa] into the user session keyring

7. Now you are ready to mount the directry:

   
   sudo mount -t ecryptfs /media/9e6325c9-1140-44b7-9d8e-614599b27e05/home/.ecryptfs/username/.Private /media/decrypted
    Passphrase:  # mount passphrase
    Selection: aes
    Selection: 16
    Enable plaintext passthrough: n 
    Enable filename encryption: y # this is not the default!
    Filename Encryption Key (FNEK) Signature: # the second key (auth tok) noted
   

   You will probably get a warning about this key not being seen before (you can type yes) and asking if it should be added to your key cache (you should type no, since you won’t be using it again probably).

That’s it, now (assuming everything went right) you can access your decrypted folder in /media/decrypted. The biggest gotcha is that home/username/.Private is in fact a symlink, which – if you have an other partition mounted – will point you to the wrong directory, so you should use the home/.ecryptfs/username directory directly.

HTH

The lesson of the day: you shouldn’t let your AV vendor provide general security. The lesson comes to us via Graham Cluley’s Sophos blog, which informs us that Sophos released a free encryption tool. So, what’s wrong with it?

• It uses symmetric crypto! Let me repeat that for you: it uses symmetric cryptography and recommends that you communicate the encryption password to the counterparty via an other communication channel. So much for ease of use and the asynchronous nature of email!
• The feature sheet starts out by declaring that PKI has failed us, and then it touts a proprietary centralized solution for managing passwords.

In conclusion: this is a software which shouldn’t have been made. It is simplistic, cumbersome to use and provides no added benefit over using something like 7-zip with encryption (which also uses AES, also does compression – most probably better compression – and it to can create SFX password protected archives).

Go and install Thunderbird with Enigmail.

For added fun: the brochure says “Protects against “brute force” attacks by increasing response times each time the user enters the wrong password”, and they then proceed to give you a CLI and COM interface to the program which can be used directly to bruteforce the archives and without these timeouts. Nice!