79288749

Date: 2024-12-17 17:00:24
Score: 0.5

Reconstructing a deleted encrypted home directory after mistakenly removing .ecryptfs and .Private directories is a challenging process. The successful recovery depends heavily on the availability of critical metadata files like the wrapped-passphrase and Private.sig.

I’ll break this down step by step to address your questions.


1. Understanding the Ecryptfs Directory Structure

The essential directory structure for an encrypted home directory looks like this:

/home/.ecryptfs/username/
├── .ecryptfs
│   ├── Private.mnt    # Mount point metadata
│   ├── Private.sig    # Signature of the wrapped passphrase
│   ├── wrapped-passphrase  # Encrypted version of your mount passphrase
│   └── ... other metadata files
└── .Private
    ├── (Encrypted files with random names)
    └── ... other files

What files go where?

If you recovered files with .ecryptfs extensions and random filenames, they likely belong to both .ecryptfs and .Private. We need to separate these files correctly.


2. Identifying and Reconstructing Critical Files

Here are the critical files and how to identify/reconstruct them:

  1. wrapped-passphrase:

    • This file contains your mount passphrase (encrypted using your login password).
    • If you do not have a backup of this file, recovery becomes very difficult. It is essential for decryption.

    What to do:

    • Search through the recovered files for the filename wrapped-passphrase. It is typically found in the /home/.ecryptfs/username/.ecryptfs/ directory.
    • If you cannot find it, you cannot use your login password to recover the mount passphrase.
  2. Private.sig:

    • This file contains a hash signature of the passphrase used to unlock the encrypted directory.

    What to do:

    • Search for files with the name Private.sig. If found, place it in /home/.ecryptfs/username/.ecryptfs/.
  3. Private.mnt:

    • This defines the mount point for the encrypted directory.

    What to do:

    • Search for a file named Private.mnt. If found, place it in /home/.ecryptfs/username/.ecryptfs/.

3. Sorting Recovered Files

Since you recovered a mix of files, including ones with random names, you need to manually sort and identify the critical metadata files.

Steps to Locate Files:


4. Restoring the Directory Structure

If you’ve found the critical files:

  1. Place the files in the correct directories:

    /home/.ecryptfs/username/.ecryptfs/wrapped-passphrase
    /home/.ecryptfs/username/.ecryptfs/Private.sig
    /home/.ecryptfs/username/.ecryptfs/Private.mnt
    
  2. Place the encrypted files (random names) in:

    /home/.ecryptfs/username/.Private/
    

5. Mounting the Encrypted Directory

Once the directory structure is restored, try the following steps to mount the directory:

Step 1: Unwrap the Passphrase

If you have the wrapped-passphrase file, you can unwrap it using your login password:

    ecryptfs-unwrap-passphrase /home/.ecryptfs/username/.ecryptfs/wrapped-passphrase

You’ll need to provide your login password. The output will be your mount passphrase (a 32-character hexadecimal string).


Step 2: Manually Mount the Encrypted Directory

Once you have the mount passphrase:

    sudo mount -t ecryptfs /home/.ecryptfs/username/.Private /home/username \
      -o ecryptfs_sig=<signature>,ecryptfs_fnek_sig=<signature>,ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes

If Wrapped-Passphrase Is Missing

If you do not have the wrapped-passphrase file, recovery becomes very difficult because the encrypted files cannot be decrypted without the mount passphrase.

The options are:

  1. Try to locate the wrapped-passphrase using file recovery tools like PhotoRec or testdisk.
  2. If you have an older backup of your encrypted home directory or passphrase, restore from that.

6. Exiting the Process Gracefully

If you need to stop and retry, always ensure the following directories have the correct permissions:

    sudo chown -R username:username /home/.ecryptfs/username

Summary

  1. Locate critical metadata files: wrapped-passphrase, Private.sig, and Private.mnt.
  2. Restore the directory structure:
    • Metadata files to /home/.ecryptfs/username/.ecryptfs/
    • Encrypted files to /home/.ecryptfs/username/.Private/
  3. Unwrap the passphrase (if wrapped-passphrase is available) and mount the directory manually.
  4. If the wrapped-passphrase is missing, recovery is unlikely without an external backup.

If you face issues at any step, please share the output of the relevant commands, and I’ll assist further.

Reasons:
  • Whitelisted phrase (-1): try the following
  • RegEx Blacklisted phrase (2.5): please share
  • Long answer (-1):
  • Has code block (-0.5):
  • Contains question mark (0.5):
Posted by: Boaventura
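
The sorting step in section 3 of the answer above lists no commands, so here is an added example (not part of the original answer, and not ecryptfs-utils code) that labels recovered files by content rather than by name. The on-disk layouts it checks are assumptions drawn from ecryptfs-utils and the kernel module, summarized in the script's comments; `hex_at`, `classify_recovered` and `RECOVERED_DIR` are hypothetical names, and only the v2 wrapped-passphrase layout is detected.

```shell
#!/bin/sh
# Added example: sort carved files by content, since recovery tools drop names.
# Format details are assumptions taken from ecryptfs-utils and the kernel
# module, not from the original answer:
#   Private.sig            1-2 text lines, each a 16-hex-digit key signature
#   wrapped-passphrase v2  ':' 0x02, 8-byte salt, 16 hex digits, ciphertext
#   encrypted data file    8-byte size, then m1,m2 with m1^m2 = 0x3c81b7f5

hex_at() {  # hex_at FILE OFFSET COUNT -> bytes as lowercase hex, no spaces
    od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

classify_recovered() {  # prints one label for one file
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    # Every line must be exactly 16 lowercase hex digits.
    if [ "$size" -ge 16 ] && [ "$size" -le 34 ] &&
       ! LC_ALL=C grep -qvE '^[0-9a-f]{16}$' "$f"; then
        echo private-sig; return 0
    fi
    # Magic bytes 3a 02, then bytes 10..25 must be ASCII hex digits.
    if [ "$size" -ge 26 ] && [ "$size" -le 256 ] &&
       [ "$(hex_at "$f" 0 2)" = 3a02 ] &&
       hex_at "$f" 10 16 | grep -qE '^(3[0-9]|6[1-6]){16}$'; then
        echo wrapped-passphrase-v2; return 0
    fi
    # Header marker: two 32-bit words at offset 8 that XOR to the magic value.
    if [ "$size" -ge 16 ]; then
        m1=$(hex_at "$f" 8 4); m2=$(hex_at "$f" 12 4)
        if [ $(( 0x$m1 ^ 0x$m2 )) -eq $(( 0x3c81b7f5 )) ]; then
            echo ecryptfs-data; return 0
        fi
    fi
    echo unknown
}

# Report only; nothing is moved or modified. RECOVERED_DIR is a hypothetical
# variable naming the directory that holds the recovered files.
if [ -n "${RECOVERED_DIR:-}" ]; then
    find "$RECOVERED_DIR" -type f | while IFS= read -r p; do
        printf '%s\t%s\n' "$(classify_recovered "$p")" "$p"
    done
fi
```

The labels are heuristic: treat a `wrapped-passphrase-v2` hit as a candidate and confirm it with `ecryptfs-unwrap-passphrase` on a copy, leaving the recovered originals untouched.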