LinuxQuestions.org
Old 06-19-2014, 06:17 AM   #1
kentronix
LQ Newbie
 
Registered: Jun 2014
Posts: 5

Rep: Reputation: Disabled
File recovery from encrypted filesystem (known password)


I have an MRT NAS unit running some form of embedded Linux. The data partition was encrypted (I know the password), but there was a filesystem failure of some sort which ended up with the partition getting reformatted (same size and same encryption/password). Later on I discovered our backup had also failed for another reason, so I am trying to get what I can off this reformatted drive.

I am quite used to file recovery using live CDs, but because the drive is encrypted I am a bit lost. I can mount the new volume, but what I really need to do is unencrypt from the raw device, somehow. Presumably the mounted new filesystem will not contain any traces of what was there pre-format? Or have I got that wrong?

I want to stress I set this up in the first place so I do know the password.

I am pretty sure I am fighting a losing battle here but wanted to check with you chaps before giving up. My understanding of what level the encryption actually happens is a bit lacking and I am not sure how to find out. In case it helps the encryption password was asked for by the device at the point of formatting so I am assuming it is at the partition level, but that is just a guess really.


Any advice or places to look for more info?
 
Old 06-19-2014, 08:13 AM   #2
mreff555
Member
 
Registered: Sep 2011
Location: Philly
Distribution: Gentoo
Posts: 470

Rep: Reputation: Disabled
It doesn't sound like you are going to be able to recover anything. You should be able to mount the partition if it's valid. A boot CD may not have the required software installed. You could try this link to mount it manually:

http://askubuntu.com/questions/63594...m-command-line
 
Old 06-19-2014, 08:43 AM   #3
kentronix
LQ Newbie
 
Registered: Jun 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
Thanks for your quick response. I made a little progress. It seems that, as well as the standard encrypted device /dev/hdc2, there is also a device called /dev/loop0, which when I mount it shows the new unencrypted files post format. Presumably there is some kind of decryption between the two. I am not sure of the method, but it all seems to be set up at boot time, and as it seems to be a non-standard Linux version I gave up hunting. Finding a non-encrypted version of the device is probably the best hope for me anyway.

I will have a go at a block-level copy of /dev/loop0 in the vain attempt that it may have file remnants.

If I have any luck I will of course report back. Thanks for the link I am reading up now.....

Last edited by kentronix; 06-19-2014 at 09:09 AM.
 
Old 06-19-2014, 09:58 AM   #4
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 2,959

Rep: Reputation: 1268
If you could post the output from "blkid /dev/hdc2" or "file -ks /dev/hdc2" it might help determine what type of encryption was used and whether any recovery is possible.
 
Old 06-19-2014, 10:10 AM   #5
kentronix
LQ Newbie
 
Registered: Jun 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
Unfortunately the Linux version doesn't seem to have either blkid or file; it is a really cut-down embedded version, I think.

However when I use mount I get the info :-

/dev/hdc2 on /mnt/ide3 type ext2 (rw,loop=/dev/loop1,encryption=AES128)

Guessing here, but I assumed that meant the device /dev/loop1 is an unencrypted version of /dev/hdc2.

My hope is that a dd of loop1 to a spare drive (which I am currently running now) will result in an unencrypted unmounted version of the raw partition.

I am admittedly way out of my depth here.
 
Old 06-19-2014, 10:41 AM   #6
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 2,959

Rep: Reputation: 1268
What would be even more helpful would be a dd of the first megabyte of /dev/hdc2. You could run "file -ks" on the output from that and see what you are dealing with.
 
Old 06-19-2014, 10:57 AM   #7
kentronix
LQ Newbie
 
Registered: Jun 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
I will let my existing dd process finish and then give it a go tomorrow, fingers crossed, and thanks for your help.
 
Old 06-19-2014, 02:28 PM   #8
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 2,959

Rep: Reputation: 1268
Just to let you know in advance, if "file -sk" simply reports "data", that is a good thing in your case as it means that the encryption key probably was derived from the password. Your problem is then the same as recovering old data from a formatted, but unencrypted, filesystem.

However, if "file -sk" reports "LUKS encrypted" you are out of luck. Your data was encrypted with a random master key that is unrelated to the password, and the password simply allows extracting that master key from the LUKS header. Since the original master key was lost when the new LUKS header was written, there is no way to decrypt your old data.
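
The check described in the post above, written out as an added example (not part of the original thread) for analysing a dd image on a machine where "file" and "blkid" are unavailable: it classifies the start of a partition as a LUKS header, a plaintext ext filesystem, or headerless ciphertext. The 7.9 bits-per-byte entropy threshold and the sample buffers are assumptions constructed for illustration.

```python
import hashlib
import math
import struct
import sys
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"       # first 6 bytes of a LUKS header, version follows
EXT_MAGIC_OFFSET = 1024 + 56       # s_magic field inside the ext2/3/4 superblock


def entropy_bits_per_byte(buf: bytes) -> float:
    """Shannon entropy: close to 8.0 for ciphertext, far lower for structured data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_header(buf: bytes) -> str:
    """Rough stand-in for what 'file -ks' would say about the start of a partition."""
    if len(buf) >= 8 and buf[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", buf[6:8])[0]
        return f"LUKS v{version}: random master key wrapped in the header"
    if len(buf) >= EXT_MAGIC_OFFSET + 2:
        magic = struct.unpack("<H", buf[EXT_MAGIC_OFFSET:EXT_MAGIC_OFFSET + 2])[0]
        if magic == 0xEF53:
            return "ext2/3/4 superblock: plaintext filesystem, not the encrypted layer"
    if entropy_bits_per_byte(buf) > 7.9:   # assumed threshold
        return "data: headerless ciphertext, key probably derived from the password"
    return "unknown: low entropy, possibly blank or another format"


def constructed_samples() -> dict:
    """Constructed inputs (not taken from the thread) covering the three outcomes."""
    luks = LUKS_MAGIC + struct.pack(">H", 1) + bytes(4088)
    ext2 = bytearray(4096)
    ext2[EXT_MAGIC_OFFSET:EXT_MAGIC_OFFSET + 2] = struct.pack("<H", 0xEF53)
    # SHA-256 over a counter stands in for ciphertext: deterministic, high entropy
    raw = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    return {"luks": luks, "ext2": bytes(ext2), "raw": raw}


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # path to an image of the first 1 MiB
        with open(sys.argv[1], "rb") as f:
            print(classify_header(f.read(1 << 20)))
    else:
        for name, buf in constructed_samples().items():
            print(name, "->", classify_header(buf))
```

Run against an image of the encrypted device itself, a "data" result corresponds to the recoverable case in the post; run against the loop device, the ext superblock result confirms you are looking at the decrypted side.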
 
Old 06-20-2014, 11:39 AM   #9
kentronix
LQ Newbie
 
Registered: Jun 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
Wow, well I had a fair amount of success. After using dd to copy the loop device off to another zero'd device, I then mounted that device in a PC running a live Linux boot CD and used PhotoRec to scan for files.

I now have close to 17,000 files to sift through. Enough are definitely proven to be from the encrypted drive before it was formatted so now it is just a case of finding the important ones (obviously the directory structure, filenames and extensions have all been lost).

Thanks for your help, I have learnt lots here. Part of which is that at no point during this was I required to input the encryption password, so in this case encryption has only served the purpose of making recovery harder, NOT of making anything actually any more secure. As the device boots it automounts the encrypted partition (via a loop), so if anybody steals the hardware (it is a portable NAS) then encryption is pointless, because as long as you can boot, you can copy off the unencrypted partition for file recovery elsewhere.

Thanks again
Kentronix
 
  


All times are GMT -5.