search

vgough / encfs

EncFS: an Encrypted Filesystem for FUSE.
https://vgough.github.io/encfs/
Other
2.08k stars 276 forks source link

encrypted files missing on mounted encfs volume on mac os x #266

Closed ghost closed 7 years ago

ghost commented 7 years ago

Hi,

I am having the following issue with a previously created encfs volume. I lost my laptop and now I am trying to recover my encrypted files out of a Box synced folder. I see the encrypted files on the synced folder.. i.e:

$ ls -li
total 952
30435134 drwx------  21 erick  staff     714 19 Jan 03:14 ,tyYfayr2VxRbcD
30435132 drwx------  14 erick  staff     476 19 Jan 03:14 7Bm8F0Ox
30452353 -rw-r--r--   1 erick  staff       0  7 Jun  2016 CDeDbdfPGplEg,
30620464 drwx------   3 erick  staff     102 19 Jun  2016 RMtuMW3NjJyasamo6qVAy64
30435133 drwx------  11 erick  staff     374 19 Jan 03:14 W,tziNsEM12hJOad
33225424 -rw-------   1 erick  staff   10244 30 Nov 17:10 Y2FsrHbLigfS88-
30435139 -rw-------   1 erick  staff    8196  7 Jun  2016 f5nUo8h7Tiy2Io1
30435135 drwx------   7 erick  staff     238 19 Jun  2016 p9VanxZc0-
30435131 drwx------   6 erick  staff     204  7 Jun  2016 qjZ6XALwzs5
33225423 -rw-------   1 erick  staff  460192 14 Nov 20:00 uiMysiQpfAO38xHlKlZJJ-

on the mounted volume, I see however:

$ ls -li
total 0
30452353 -rw-r--r--  1 erick  staff  0  7 Jun  2016 test.txt

just one file.. looking at the inode number, one can see the corresponding file in the encrypted folder.. namely: 30452353 -rw-r--r-- 1 erick staff 0 7 Jun 2016 CDeDbdfPGplEg, but all other files are nowhere to be seen.

I mounted the volume enabling debug and so on and I don't see anything "suspicious".. other than that "Attribute not found" error which my instinct tells me it might just be noise.. either way pls take a look at the following logs (somewhat edited for brevity)

$ encfs -v -f  ~/Box\ Sync/Secured ~/Secured
2017-01-20 07:12:59,314 VER [main.cpp:548] Root directory: /Users/erick/Box Sync/Secured/
2017-01-20 07:12:59,315 VER [main.cpp:549] Fuse arguments: (fg) (threaded) (keyCheck) encfs /Users/erick/Secured/ -f -o use_ino -o default_permissions -o local 
2017-01-20 07:12:59,317 VER [FileUtils.cpp:294] found new serialization format
2017-01-20 07:12:59,317 VER [FileUtils.cpp:308] subVersion = 20100713
2017-01-20 07:12:59,317 VER [Interface.cpp:110] checking if ssl/aes(3:0:2) implements ssl/aes(3:0)
2017-01-20 07:12:59,317 VER [SSL_Cipher.cpp:328] allocated cipher ssl/aes, keySize 32, ivlength 16
2017-01-20 07:12:59,317 VER [FileUtils.cpp:1575] useStdin: 0
EncFS-Passwort: 
2017-01-20 07:13:05,858 VER [Interface.cpp:110] checking if ssl/aes(3:0:2) implements ssl/aes(3:0)
2017-01-20 07:13:05,858 VER [SSL_Cipher.cpp:328] allocated cipher ssl/aes, keySize 32, ivlength 16
2017-01-20 07:13:06,453 VER [FileUtils.cpp:1583] cipher key size = 52
2017-01-20 07:13:06,453 VER [Interface.cpp:110] checking if nameio/block(4:0:2) implements nameio/stream(2:1)
2017-01-20 07:13:06,453 VER [Interface.cpp:110] checking if nameio/block32(4:0:2) implements nameio/stream(2:1)
2017-01-20 07:13:06,453 VER [Interface.cpp:110] checking if nameio/null(1:0:0) implements nameio/stream(2:1)
2017-01-20 07:13:06,453 VER [Interface.cpp:110] checking if nameio/stream(2:1:2) implements nameio/stream(2:1)
2017-01-20 07:13:06,476 VER [encfs.cpp:645] doing statfs of /Users/erick/Box Sync/Secured

... last message repeated several times ... 

2017-01-20 07:13:06,479 VER [DirNode.cpp:644] created FileNode for /Users/erick/Box Sync/Secured/
2017-01-20 07:13:06,479 VER [encfs.cpp:128] op: getattr : /Users/erick/Box Sync/Secured/
2017-01-20 07:13:06,479 VER [encfs.cpp:645] doing statfs of /Users/erick/Box Sync/Secured
2017-01-20 07:13:06,479 VER [encfs.cpp:645] doing statfs of /Users/erick/Box Sync/Secured
2017-01-20 07:13:06,480 VER [encfs.cpp:96] op: getxattr : /Users/erick/Box Sync/Secured/

2017-01-20 07:13:06,480 VER [encfs.cpp:102] op: getxattr error: Attribute not found
                                                                                                         ... only error I can find.. relevant?)

2017-01-20 07:13:06,480 VER [encfs.cpp:645] doing statfs of /Users/erick/Box Sync/Secured

... last message repeated several times ... 

2017-01-20 07:13:06,482 VER [DirNode.cpp:644] created FileNode for /Users/erick/Box Sync/Secured/G7NxoleXq75Z8DUjHY9Igg,WdrGud1
2017-01-20 07:13:06,482 VER [encfs.cpp:128] op: getattr : /Users/erick/Box Sync/Secured/G7NxoleXq75Z8DUjHY9Igg,WdrGud1
2017-01-20 07:13:06,482 VER [encfs.cpp:645] doing statfs of /Users/erick/Box Sync/Secured

... last message repeated several times ... 

2017-01-20 07:13:06,511 VER [encfs.cpp:96] op: getxattr : /Users/erick/Box Sync/Secured/
2017-01-20 07:13:06,511 VER [encfs.cpp:102] op: getxattr error: Attribute not found
2017-01-20 07:13:06,534 VER [encfs.cpp:96] op: getxattr : /Users/erick/Box Sync/Secured/
2017-01-20 07:13:06,535 VER [encfs.cpp:102] op: getxattr error: Attribute not found
2017-01-20 07:13:06,535 VER [DirNode.cpp:644] created FileNode for /Users/erick/Box Sync/Secured/-zs7hYNUeI0sFS1
2017-01-20 07:13:06,535 VER [encfs.cpp:128] op: getattr : /Users/erick/Box Sync/Secured/-zs7hYNUeI0sFS1
2017-01-20 07:13:06,536 VER [DirNode.cpp:644] created FileNode for /Users/erick/Box Sync/Secured/-zs7hYNUeI0sFS1
2017-01-20 07:13:06,536 VER [encfs.cpp:128] op: getattr : /Users/erick/Box Sync/Secured/-zs7hYNUeI0sFS1
2017-01-20 07:13:06,540 VER [encfs.cpp:645] doing statfs of /Users/erick/Box Sync/Secured
2017-01-20 07:13:06,541 VER [encfs.cpp:645] doing statfs of /Users/erick/Box Sync/Secured
2017-01-20 07:13:06,542 VER [encfs.cpp:645] doing statfs of /Users/erick/Box Sync/Secured

... these messages get repeated several times for the different files in the encrypted folder..

Some details about the creation of this volume one or two years ago, I can't remember.. I followed a guide online to create a Boxcryptor compatible volume with the following settings:

AES 256 encryption with 1024 byte block size, stream filename encoding, no filename initialization vector chaining, no per-file initialization vectors, no external chained IV, no random bytes to each block header. file-hole pass-through is enabled.

I highlighted the stream encoding cause I know there are some issues related to case insensitive filesystems and what not.. at the time there was no base32 encoding I believe. Anyway, just mentioning in case it is relevant.

The version I am using right now is 1.9.1 on Mac OS X Sierra btw.

Your help in recovering these files would be greatly appreciated! Thanks in advance.

ghost commented 7 years ago

One more thing.. this is the .encfs6.xml file associated with this volume:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="14">
<cfg class_id="0" tracking_level="0" version="20">
    <version>20100713</version>
    <creator>EncFS 1.8.1</creator>
    <cipherAlg class_id="1" tracking_level="0" version="0">
        <name>ssl/aes</name>
        <major>3</major>
        <minor>0</minor>
    </cipherAlg>
    <nameAlg>
        <name>nameio/stream</name>
        <major>2</major>
        <minor>1</minor>
    </nameAlg>
    <keySize>256</keySize>
    <blockSize>1024</blockSize>
    <uniqueIV>0</uniqueIV>
    <chainedNameIV>0</chainedNameIV>
    <externalIVChaining>0</externalIVChaining>
    <blockMACBytes>0</blockMACBytes>
    <blockMACRandBytes>0</blockMACRandBytes>
    <allowHoles>1</allowHoles>
    <encodedKeySize>52</encodedKeySize>
    <encodedKeyData>
ie68ekS+YLtwmhM39r/pd0GrbAJLcG2aB9p5ERspLl0XKE84jiu5z6fffa8KRRfKYy0oXg==
    </encodedKeyData>
    <saltLen>20</saltLen>
    <saltData>
dme+3C36j51pZUEAO8rtuWXPiHk=
    </saltData>
    <kdfIterations>219920</kdfIterations>
    <desiredKDFDuration>500</desiredKDFDuration>
</cfg>
</boost_serialization>
ghost commented 7 years ago

update: I just tried to mount the volume on Ubuntu, which comes packaged with the same version of encfs I used originally to encrypt the files (1.8.1) and the same thing happens.. so this is not version nor mac specific it would seem .. :-/

ghost commented 7 years ago

ok.. I do have a theory what might be happening.. if the key in .encfs6.xml changed somehow .. that would cause this problem, correct?. But I haven't touched this file and this had been working the whole time on my previous laptop.. I just lost the laptop, re synced the box folder and now it is different?.. I am going nuts here :-(

ghost commented 7 years ago

ok.. after a lot of investigation it seems that the problem was indeed that I managed to create an alternative .encfs6.xml on an old machine a while ago, but this folder was never synced with the cloud service (box). So this was "a time bomb". I used this folder for years then on a newer computer, and it always worked fine, until this newer computer got stolen and I turned on the old computer.. which then caused the "poisoned" .enc6xml to be synced with the cloud and overwrote the keys, with which all the files in the directory were encrypted.

Thru sheer luck I was able to dig the old .enc6xml out of a hard backup lying in some basement in another country .. so i got my data back. But yeah.. users beware of this "gotcha".. or is that a feature?.. one can rig a "data bomb" which makes all data inaccessible should a "trap" computer be activated :-)