LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (http://www.linuxquestions.org/questions/linux-general-1/)
-   -   recover from deleted luks encryption partition (http://www.linuxquestions.org/questions/linux-general-1/recover-from-deleted-luks-encryption-partition-4175435883/)

unixedway 11-06-2012 07:56 AM

recover from deleted luks encryption partition
 
I had four partitions one of them was encrypted with DM-Crypt with LUKS, i was trying to upgrade the OS but by mistake i deleted all the partitions including the encrypted one , is there anyway to recover the encrypted partition coz it had all the important data ?

unSpawn 11-06-2012 09:34 AM

Quote:

Originally Posted by unixedway (Post 4823324)
is there anyway to recover the encrypted partition (..)?

If you previously saved the disk layout with 'sfdisk' (as in 'sfdisk -d /dev/devicename' > /path/somefile') then you can restore it ('cat /path/somefile | sfdisk /dev/devicename'), else boot a Live CD containing Testdisk and do a quick search to see if it can find the partitions. Note while this may restore the partition table you will only be able to access your LUKS partition if nothing was overwritten because by default the LUKS header resides in the first 2 MB of that partition AFAIK.
I should say something about making backups but I guess by now you already know its value.

unixedway 11-07-2012 03:00 PM

i used test disk to search for my partitions i could recover my home and root partitions but for the luks one, it found a luks partition with only 2 MB !!! it seems that its the header , do you know what can i do else ?

unSpawn 11-07-2012 04:47 PM

Substitute "devicename", run testdisk like explained before (quick search) then attach /tmp/sfdisk.log and testdisk.log:
Code:

sfdisk -d /dev/devicename | tee /tmp/sfdisk.log
testdisk /debug /log /dev/devicename


unixedway 11-08-2012 02:11 AM

Thank you for your response ,
Here is the output of the sfdisk and testdisk commands

sfdisk.log:

# partition table of /dev/sda

unit: sectors


/dev/sda1 : start= 20965376, size= 41943040, Id=83, bootable
/dev/sda2 : start= 62910464, size=125837312, Id=83
/dev/sda3 : start=188747776, size= 4096, Id=83
/dev/sda4 : start=188763750, size=788020380, Id= f
/dev/sda5 : start=964380672, size= 12390384, Id=82

#####################3

testdisk.log :

Hard disk list

Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63, sector size=512 - ATA ST9500325AS
Partition table type (auto): Intel
Disk /dev/sda - 500 GB / 465 GiB - ATA ST9500325AS
Partition table type: Intel


Analyse Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63

Geometry from i386 MBR: head=255 sector=63
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=255 nbr=2

Current partition structure:

1 * Linux 1305 8 48 3915 221 18 41943040
2 P Linux 3915 253 51 11749 1 28 125837312
3 P Linux 11749 1 29 11749 66 29 4096
4 E extended LBA 11750 0 1 60801 254 63 788020380
5 L Linux Swap 60029 234 46 60801 47 30 12390384

unSpawn 11-08-2012 08:29 PM

Maybe it's because you actually went ahead and recovered your root and home partitions (I only said "do a quick search" not "write the partition table") but your partition table looks skewed. If you don't have an extended partition (there's nothing in it) but you do have the swap partition at the end of the disk then sda3 should start at 188747776 like it does and end near the start of sda5 964380672. Changing the partition table on its own shouldn't hurt (plus I already showed you how to back it up and restore it) as long as you don't mount partitions and write to file systems. Best save the sfdisk output to USB key for easy access then boot a Live CD, preferably one that has the LUKS tools so you can see if it can read the partitions LUKS header.

unixedway 11-09-2012 01:57 AM

i did boot from live usb and found the 2MB luks partition when i click on it to mount it asked for the password then it accepted the password but gave me that error "Requested offset is beyond real size of device /dev/sda3"
and you are right about the file system problem i think i didnt have extended partition . do you think i can change the lucks partition size ?

unSpawn 11-09-2012 07:21 AM

I don't know if it sunk in yet but saying LUKS partition "had all the important data" and then just going ahead modifying the partition table to restore root and home partitions contradict each other. Your previous post shows partition boundaries now don't start where they should. Testing things I forcefully re-partition a blank disk and I get this:
Code:

]# cat sfdisk.txt | sfdisk -C60801 -H255 -S63 -f /dev/sda
Checking that no-one is using this disk right now ...
OK

Disk /dev/sda: 60801 cylinders, 255 heads, 63 sectors/track
Old situation:
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

  Device Boot Start    End  #cyls    #blocks  Id  System
/dev/sda1          0+  65269  65270- 524281243+  83  Linux
/dev/sda2          0      -      0          0    0  Empty
/dev/sda3          0      -      0          0    0  Empty
/dev/sda4          0      -      0          0    0  Empty
Warning: given size (236542) exceeds max allowable size (0)
Warning: given size (183118) exceeds max allowable size (0)
Warning: given size (4096) exceeds max allowable size (0)
Warning: given size (141848) exceeds max allowable size (45692)
Warning: given size (92314) exceeds max allowable size (31797)

New situation:
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

  Device Boot Start    End  #cyls    #blocks  Id  System
/dev/sda1  * 112126  81318- 236542  1900023615  83  Linux
/dev/sda2      83366  266483  183118  1470895335  83  Linux
/dev/sda3    266484    3230-  4096  32901120  83  Linux
/dev/sda4      15109  156956  141848  1139394060    f  W95 Ext'd (LBA)
/dev/sda5      51569  143882  92314  741512205  82  Linux swap / Solaris
Warning: partitions 1 and 2 overlap

Successfully wrote the new partition table

Re-reading the partition table ...

and verifying with fdisk I get:
Code:

]# fdisk /dev/sda
Partition table entries are not in disk order
Warning: setting sector offset for DOS compatiblity

Expert command (m for help): v
Warning: partition 1 overlaps partition 2.
Warning: partition 1 overlaps partition 3.
Warning: partition 1 overlaps partition 5.
Warning: partition 2 overlaps partition 5.
Total allocated sectors -32248060 greater than the maximum 1048576000


Quote:

Originally Posted by unixedway (Post 4825522)
do you think i can change the lucks partition size ?

So, in theory yes but practically speaking I would have resorted to Testdisk deep searching for partition boundaries first, then apply common sense to what it returns and then make a logical, informed choice (after all you don't have to apply all it suggests), you modifying the partition table made recovery way more difficult than it should have been in the first place.

unixedway 11-15-2012 02:44 AM

First i am sorry for this late reply .
Second I could finally recovered all data and here is what i did ,
i used sfdisk log file so i removed the extended partition and increased sda3 partition size to end before last partition which will be sda4 after i deleted the extended one . then i exported this log file to my hard disk layout. then with live usb i tried to mount the encrypted partition but i couldn't because the file system is broken but i could only opened the LUCK as it accepted my password then i used photorec to recover my files , it could recover everything but without any structure just files only and all file names are changed !! you can imagine around 360 GB of files this way it was a complete miss up, so i tried to use dd from my encrypted partition to another usb disk and it was big surprise when i opened the usb disk and found everything as it is with complete folder structure . :)))

thanks a lot for you support

ehsdav 07-07-2013 02:49 PM

hi
can you help me on this please
http://www.linuxquestions.org/questi...on-4175468395/


All times are GMT -5. The time now is 09:20 PM.