How To Recover Synology encrypted folders in Linux

My shiny new Synology DS413 can encrypt shared folders, and has hardware based encryption, making it speedy and low CPU usage when using encryption. Yay.
Now I can secure my data fully with FileVault 2 on my Mac and AES encrypted folders (inc TimeMachine backups) on the NAS. This guide at Synology shows you how to do this.

But, what if the NAS drives or the synology fails/is stolen/destroyed/otherwise unusable, and I am left with my encrypted backup disks. Well, as long as you have that encryption key you should be fine, expect that Synology are not too clear on how you use it if you don’t have your NAS.

Can I buy a new one and restore the back up to that using that key? Maybe. Hopefully. That is not a good enough plan.

Can you recover the encrypted data off the backups? Yes.

You need:

  • A linux machine (a virtual machine will do fine)
  • Your backup disks
  • Your passwords that you used to encrypt the folders

Here I am using Ubuntu 11 on VirtualBox on OSX Mountain Lion

  1. Plug in your USB drive
  2. Go to VirtualBox > Settings > Ports > USB.
  3. Add a device filter and select the USB disk from the list
  4. Unmount the drive and unplug
  5. Start Ubuntu
  6. Install ecryptfs from the Ubuntu Software Center
  7. Plug in the drive
  8. Open the terminal
  9. Your USB drive will be mounted under /media with a path to the encrypted filesystem such as
  10. /media/1.41.12-2647/backup/@MyFolder@
  11. Create a mount point for the filesystem
  12. sudo mkdir /mnt/MyFolder
  13. Mount the encrypted folder
  14. sudo mount -t ecryptfs /media/1.41.12-2647/backup/@MyFolder@ /mnt/MyFolder
  15. Enter the passphrase you used to to encrypt the drive when prompted
  16. Choose the AES cipher
  17. Choose 32 bytes as the key size
  18. Choose n for Enable plaintext passthrough
  19. Choose y for Enable filename encryption
  20. Press return to accept the default for the Filename Encryption Key (FNEK) Signature
  21. The first time you do this you may get the following warning
  22. WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
    it looks like you have never mounted with this key 
    before. This could mean that you have typed your 
    passphrase wrong.
  23. Choose yes to proceed with the mount and yes to append the sig to the cache file
  24. Done. Go to /mnt/MyFolder and retrieve your data.

Or you can create a shell script and paste in the following code to simplify the task

stty -echo
read -p "Enter passphrase: " PASS; echo
stty echo

sudo mount -t ecryptfs -o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,passwd=$PASS $1 $2

and use it like this:

sh /media/1.41.12-2647/backup/@MyFolder@ /mnt/MyFolder

Tags: , , ,


Feel free to join the discussion by leaving your own comment
  1. Jafet
    October 13, 2012 at 15:52 #

    Nice guide Robert! Thanks!
    I didn’t quite follow how you came up with the keysize and the other options. But, it worked for me so that’s fine.

    • robert
      October 13, 2012 at 20:37 #

      Guesswork. The cipher had to be AES as it is optimised for AES encryption. The key file that you download is 32 bytes, so I took that as a first try. The file names are encrypted so that option had to be yes, and plain text passthrough just seemed unlikely.

This site uses Cookies - By using this site or closing this you agree to our Cookies policy.