LinuxQuestions.org


skippy36g 08-21-2020 09:13 PM

Recovery of encrypted data drive
 
I am not able to recover a data drive (not a boot drive). I found that the drive was no longer encrypted and empty. I do not remember formatting it, but that is what it looks like. The drive had been formatted with ext4 encryption (LUKS). Is there a way to recover the drive? I have not attempted to write any data to the drive.

syg00 08-21-2020 11:49 PM

Do you have a backup of the LUKS header? Else the prognosis is not good - from the cryptsetup FAQ ...
Quote:

For example, if you create a new filesystem on a non-mapped LUKS container, chances are good that all data is lost permanently.

There is one user here that seems to have more expertise than most and will no doubt offer a better opinion.

rknichols 08-22-2020 09:01 AM

Likelihood of recovery depends on how the drive was formatted and what was overwritten. If the drive had been partitioned and just the partition table was lost, then successful recovery is likely. testdisk should be able to locate the encrypted partition. It will not be able to determine the correct size for the partition (there is nothing in the LUKS header that tells the size), so you will have to use a partitioning tool to extend the size manually.

If the entire, unpartitioned drive was encrypted and the LUKS header is now missing, no recovery is possible.

One fairly quick test you can do to see if there is a LUKS header present somewhere on the drive is to run a hex editor tool like hexedit and search for the hexadecimal sequence "4C 55 4B 53 BA BE" (that's the ASCII characters "LUKS" followed by the hex bytes 0xBA and 0xBE). If that is found, then recovery might be possible. If it is not found, chances for recovery are nil. (It should be at the start of the disk or partition, so waiting several hours for the whole disk to be searched is probably pointless.)

skippy36g 08-22-2020 12:06 PM

I tried typing the above letters and numbers into the hexedit program and received a file not found message. As for a LUKS header I had not even heard of such a thing until now. I certainly did not make a backup of it. How do you make such a backup?

syg00 08-22-2020 09:24 PM

A good start would be to spend some time on the FAQ I mentioned - here.

rknichols 08-22-2020 10:46 PM

Quote:

Originally Posted by skippy36g (Post 6158414)
I tried typing the above letters and numbers into the hexedit program and received a file not found message.

Literally, "file not found"?? If so, you are doing something wrong. The message from hexedit should be just "not found" in the middle of the screen (after some time, quite a long time on a large disk, spent searching).

syg00 08-23-2020 04:06 AM

I wonder if we have a terminology clash here - (ex-)Windows users use the term "drive" differently to *nix users. Personally I'd just scrape the first couple of meg of the pertinent partition/drive and look for the string LUKS. Then you can mess with hex editors to confirm if need be.
Code:

dd if=/dev/sdd1 bs=2M count=1 | strings | grep LUKS

Note the /dev/sdd1 is example only - plucked from the ether.
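Added example (not part of any post in this thread): a read-only Python scan that combines the two checks suggested above, the hex search for "4C 55 4B 53 BA BE" and the scrape of the start of the device, and decodes the version, cipher and UUID fields of any header it finds. The function names, the 64 MiB scan limit and the 512-byte alignment are assumptions of this sketch; the field offsets follow the LUKS1 and LUKS2 on-disk header layouts.

```python
#!/usr/bin/env python3
"""Read-only scan of a disk or image file for LUKS header signatures."""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"   # 4C 55 4B 53 BA BE, the sequence quoted in the thread
SECTOR = 512                   # assumption: headers start on 512-byte sector boundaries
CHUNK = 4 * 1024 * 1024        # read size; must be a multiple of SECTOR


def describe(header):
    """Decode the fields that follow the magic in a candidate header sector."""
    header = header.ljust(SECTOR, b"\0")           # tolerate a short read at end of device
    version = struct.unpack(">H", header[6:8])[0]  # big-endian uint16 after the magic
    info = {"version": version}
    if version == 1:
        # LUKS1: cipher name at byte 8, cipher mode at byte 40 (32 bytes each)
        info["cipher"] = header[8:40].split(b"\0")[0].decode("ascii", "replace")
        info["mode"] = header[40:72].split(b"\0")[0].decode("ascii", "replace")
    if version in (1, 2):
        # Both on-disk formats keep the UUID string at byte 168 (40 bytes)
        info["uuid"] = header[168:208].split(b"\0")[0].decode("ascii", "replace")
    return info


def scan(path, limit=64 * 1024 * 1024):
    """Return [(byte_offset, info)] for sector-aligned hits in the first `limit` bytes."""
    hits = []
    with open(path, "rb") as dev:   # opened read-only; nothing is written to the device
        base = 0
        while base < limit:
            chunk = dev.read(min(CHUNK, limit - base))
            if not chunk:
                break
            for off in range(0, len(chunk), SECTOR):
                if chunk[off:off + 6] == LUKS_MAGIC:
                    dev.seek(base + off)
                    hits.append((base + off, describe(dev.read(SECTOR))))
                    dev.seek(base + len(chunk))   # resume where the chunk ended
            base += len(chunk)
    return hits


if __name__ == "__main__":
    # Pass the whole-disk device or an image file as the only argument.
    for offset, info in scan(sys.argv[1]):
        print(f"offset {offset} (sector {offset // SECTOR}): {info}")
```

A hit's sector number is where the encrypted partition would start; as noted in the thread, the header does not record the partition's size. An empty result over the start of the disk matches the "not found" outcome of the hex editor search.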


All times are GMT -5.