[SOLVED] recover from deleted luks encryption partition
I had four partitions; one of them was encrypted with DM-Crypt with LUKS. I was trying to upgrade the OS, but by mistake I deleted all the partitions, including the encrypted one. Is there any way to recover the encrypted partition, because it had all the important data?
Quote:
Is there any way to recover the encrypted partition (..)?
If you previously saved the disk layout with 'sfdisk' (as in 'sfdisk -d /dev/devicename > /path/somefile') then you can restore it ('cat /path/somefile | sfdisk /dev/devicename'), else boot a Live CD containing Testdisk and do a quick search to see if it can find the partitions. Note that while this may restore the partition table, you will only be able to access your LUKS partition if nothing was overwritten, because by default the LUKS header resides in the first 2 MB of that partition AFAIK.
I should say something about making backups but I guess by now you already know its value.
I used TestDisk to search for my partitions. I could recover my home and root partitions, but for the LUKS one it found a LUKS partition of only 2 MB! It seems that it's the header. Do you know what else I can do?
Maybe it's because you actually went ahead and recovered your root and home partitions (I only said "do a quick search" not "write the partition table") but your partition table looks skewed. If you don't have an extended partition (there's nothing in it) but you do have the swap partition at the end of the disk then sda3 should start at 188747776 like it does and end near the start of sda5 964380672. Changing the partition table on its own shouldn't hurt (plus I already showed you how to back it up and restore it) as long as you don't mount partitions and write to file systems. Best save the sfdisk output to a USB key for easy access, then boot a Live CD, preferably one that has the LUKS tools so you can see if it can read the partition's LUKS header.
Last edited by unSpawn; 11-09-2012 at 05:11 AM.
Reason: /f/v/
I did boot from a live USB and found the 2 MB LUKS partition. When I clicked on it to mount, it asked for the password, then it accepted the password but gave me this error: "Requested offset is beyond real size of device /dev/sda3"
And you are right about the file system problem; I think I didn't have an extended partition. Do you think I can change the LUKS partition size?
I don't know if it sunk in yet but saying LUKS partition "had all the important data" and then just going ahead modifying the partition table to restore root and home partitions contradict each other. Your previous post shows partition boundaries now don't start where they should. Testing things I forcefully re-partition a blank disk and I get this:
Code:
]# cat sfdisk.txt | sfdisk -C60801 -H255 -S63 -f /dev/sda
Checking that no-one is using this disk right now ...
OK
Disk /dev/sda: 60801 cylinders, 255 heads, 63 sectors/track
Old situation:
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0
Device Boot Start End #cyls #blocks Id System
/dev/sda1 0+ 65269 65270- 524281243+ 83 Linux
/dev/sda2 0 - 0 0 0 Empty
/dev/sda3 0 - 0 0 0 Empty
/dev/sda4 0 - 0 0 0 Empty
Warning: given size (236542) exceeds max allowable size (0)
Warning: given size (183118) exceeds max allowable size (0)
Warning: given size (4096) exceeds max allowable size (0)
Warning: given size (141848) exceeds max allowable size (45692)
Warning: given size (92314) exceeds max allowable size (31797)
New situation:
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0
Device Boot Start End #cyls #blocks Id System
/dev/sda1 * 112126 81318- 236542 1900023615 83 Linux
/dev/sda2 83366 266483 183118 1470895335 83 Linux
/dev/sda3 266484 3230- 4096 32901120 83 Linux
/dev/sda4 15109 156956 141848 1139394060 f W95 Ext'd (LBA)
/dev/sda5 51569 143882 92314 741512205 82 Linux swap / Solaris
Warning: partitions 1 and 2 overlap
Successfully wrote the new partition table
Re-reading the partition table ...
and verifying with fdisk I get:
Code:
]# fdisk /dev/sda
Partition table entries are not in disk order
Warning: setting sector offset for DOS compatiblity
Expert command (m for help): v
Warning: partition 1 overlaps partition 2.
Warning: partition 1 overlaps partition 3.
Warning: partition 1 overlaps partition 5.
Warning: partition 2 overlaps partition 5.
Total allocated sectors -32248060 greater than the maximum 1048576000
Quote:
Originally Posted by unixedway
Do you think I can change the LUKS partition size?
So, in theory yes, but practically speaking I would have resorted to Testdisk deep searching for partition boundaries first, then applied common sense to what it returns and then made a logical, informed choice (after all you don't have to apply all it suggests). You modifying the partition table made recovery way more difficult than it should have been in the first place.
First, I am sorry for this late reply.
Second, I could finally recover all the data, and here is what I did.
I used the sfdisk log file: I removed the extended partition and increased the sda3 partition size to end before the last partition, which will be sda4 after I deleted the extended one. Then I exported this log file to my hard disk layout. Then with a live USB I tried to mount the encrypted partition, but I couldn't because the file system is broken; I could only open the LUKS volume, as it accepted my password. Then I used photorec to recover my files. It could recover everything, but without any structure, just files only, and all file names were changed! You can imagine around 360 GB of files this way; it was a complete mess. So I tried to use dd from my encrypted partition to another USB disk, and it was a big surprise when I opened the USB disk and found everything as it is, with the complete folder structure. ))
Quote:
it was a big surprise when I opened the USB disk and found everything as it is, with the complete folder structure. ))
Hello,
As if I just followed your footsteps -- the whole story is the same including the message of "Requested offset is beyond real size of device /dev/sdb2"
I am just trying to decipher the steps you followed until the solution:
1. You removed your extended partition. I don't have to, as I have no extended partition here, just unallocated space.
2. You increased the 2MB LUKS partition size so that it reached your last partition (former sda5, now sda4). I will have to look for a tool that can extend the partition size, as GParted refused.
3. You exported the log file to your hard disk layout. Er... I couldn't catch this one.
4. Live USB (you booted a Linux): you tried to mount the encrypted partition (that is now extended to a few hundred gigs).
5. LUKS accepted your password but did not show the filesystem, and the file recovery tool helped only a little.
6. Then you dumped your encrypted partition to a USB disk. That sounds foggy to me: "dd from encrypted partition to another USB disk" == the encrypted partition was successfully mounted (password accepted), the deciphering algorithm was active and, using dd, you created an unencrypted copy of the original filesystem. Is that interpretation correct?
Precondition:
- LUKS partition (2MB size) visible.
- when asked for the password, it is accepted
- partition is not mounted because of its wrong size
1. I looked for an empty HDD the same size as (or larger than) the encrypted disk
2. Cloned the whole encrypted HDD. Safety measure, to keep the original data intact
# sudo dd if=/dev/sdb of=/dev/sdc bs=4096
- the operation was surprisingly fast via USB3 (240GB in 40 minutes)
From now on the repair was done on the copy, not on the original
3. fdisk
# sudo fdisk -l /dev/sdc
Disk /dev/sdc: 465,8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0003a46d
Device Boot Start End Sectors Size Id Type
/dev/sdc1 * 2048 2000895 1998848 976M 83 Linux
/dev/sdc2 2002944 2007039 4096 2M 83 Linux -- here is the incorrect partition size
4. enter fdisk interactive mode
# sudo fdisk /dev/sdc
Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
5. delete partition with wrong size
Command (m for help): d
Partition number (1,2, default 2): 2
Partition 2 has been deleted.
6. create a new partition at the same starting sector, with the original partition size.
Note that the offered default first sector is not the one we need.
Command (m for help): n
Partition type
p primary (1 primary, 0 extended, 3 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 2
First sector (2000896-998233439, default 2000896): 2002944 -- avoid the default value
Last sector, +sectors or +size{K,M,G,T,P} (2002944-998233439, default 998233439): 500118191 -- original partition size
Created a new partition 2 of type 'Linux' and of size 237,5 GiB.
7. Write changes to disk
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
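Added example, not part of any post in this thread: a LUKS1 header parser that shows why a 2 MB partition entry still accepts the passphrase yet has no data to map, which is consistent with the "Requested offset is beyond real size of device" error quoted above. The header bytes are constructed for illustration, and the payload offset of 4096 sectors is an assumption chosen to match the 2M entry in the fdisk listing; the function names are hypothetical.

```python
import struct

# LUKS1 on-disk header up to the UUID (big-endian, 208 bytes): magic, version,
# cipher name, cipher mode, hash spec, payload offset (512-byte sectors),
# key bytes, MK digest, MK digest salt, MK digest iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
LUKS_MAGIC = b"LUKS\xba\xbe"

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(blob):
    """Parse the first 208 bytes of a partition as a LUKS1 header."""
    if len(blob) < PHDR.size:
        raise ValueError("need at least %d bytes" % PHDR.size)
    (magic, version, cipher, mode, hash_spec, payload_offset,
     key_bytes, _digest, _salt, _iters, uuid) = PHDR.unpack_from(blob)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic at the start of this partition")
    if version != 1:
        raise ValueError("only LUKS1 is parsed here, found version %d" % version)
    return {"cipher": _text(cipher) + "-" + _text(mode), "hash": _text(hash_spec),
            "payload_offset": payload_offset, "key_bytes": key_bytes,
            "uuid": _text(uuid)}

def assess_partition(header, partition_sectors):
    """Return (status, data_sectors) for a partition-table entry of this size."""
    data_sectors = partition_sectors - header["payload_offset"]
    if data_sectors <= 0:
        # Key slots live below payload_offset, so the passphrase still verifies,
        # but there is no room left for the encrypted data area.
        return ("header-only", 0)
    return ("has-data-area", data_sectors)

def constructed_header(payload_offset=4096):
    """Constructed sample header (not from a real disk); 4096 sectors = 2 MiB."""
    return PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                     payload_offset, 32, bytes(20), bytes(32), 1000,
                     b"00000000-0000-0000-0000-000000000000")

if __name__ == "__main__":
    hdr = parse_luks1_header(constructed_header())
    print(hdr)
    # Sizes from the fdisk listing in the thread: the 2M entry, then the
    # recreated entry spanning sectors 2002944..500118191.
    for sectors in (4096, 500118191 - 2002944 + 1):
        print(sectors, assess_partition(hdr, sectors))
```

The LUKS1 header does not record the original partition size, so the end sector still has to come from a saved sfdisk dump or from the start of the next partition. To check a real candidate entry, read the first 208 bytes of the partition read-only and pass the sector count that fdisk -l reports.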