LinuxQuestions.org


unixedway 11-06-2012 07:56 AM

recover from deleted luks encryption partition
 
I had four partitions, one of them encrypted with dm-crypt with LUKS. I was trying to upgrade the OS but by mistake I deleted all the partitions, including the encrypted one. Is there any way to recover the encrypted partition, because it had all the important data?

unSpawn 11-06-2012 09:34 AM

Quote:

Originally Posted by unixedway (Post 4823324)
is there any way to recover the encrypted partition (..)?

If you previously saved the disk layout with 'sfdisk' (as in 'sfdisk -d /dev/devicename > /path/somefile') then you can restore it ('cat /path/somefile | sfdisk /dev/devicename'), else boot a Live CD containing Testdisk and do a quick search to see if it can find the partitions. Note that while this may restore the partition table, you will only be able to access your LUKS partition if nothing was overwritten, because by default the LUKS header resides in the first 2 MB of that partition AFAIK.
I should say something about making backups but I guess by now you already know its value.

unixedway 11-07-2012 03:00 PM

I used TestDisk to search for my partitions. I could recover my home and root partitions, but for the LUKS one it found a LUKS partition with only 2 MB! It seems that it's the header. Do you know what else I can do?

unSpawn 11-07-2012 04:47 PM

Substitute "devicename", run testdisk like explained before (quick search) then attach /tmp/sfdisk.log and testdisk.log:
Code:

sfdisk -d /dev/devicename | tee /tmp/sfdisk.log
testdisk /debug /log /dev/devicename


unixedway 11-08-2012 02:11 AM

Thank you for your response ,
Here is the output of the sfdisk and testdisk commands

sfdisk.log:

# partition table of /dev/sda

unit: sectors


/dev/sda1 : start= 20965376, size= 41943040, Id=83, bootable
/dev/sda2 : start= 62910464, size=125837312, Id=83
/dev/sda3 : start=188747776, size= 4096, Id=83
/dev/sda4 : start=188763750, size=788020380, Id= f
/dev/sda5 : start=964380672, size= 12390384, Id=82

#####################3

testdisk.log :

Hard disk list

Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63, sector size=512 - ATA ST9500325AS
Partition table type (auto): Intel
Disk /dev/sda - 500 GB / 465 GiB - ATA ST9500325AS
Partition table type: Intel


Analyse Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63

Geometry from i386 MBR: head=255 sector=63
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=255 nbr=2

Current partition structure:

1 * Linux 1305 8 48 3915 221 18 41943040
2 P Linux 3915 253 51 11749 1 28 125837312
3 P Linux 11749 1 29 11749 66 29 4096
4 E extended LBA 11750 0 1 60801 254 63 788020380
5 L Linux Swap 60029 234 46 60801 47 30 12390384

unSpawn 11-08-2012 08:29 PM

Maybe it's because you actually went ahead and recovered your root and home partitions (I only said "do a quick search" not "write the partition table") but your partition table looks skewed. If you don't have an extended partition (there's nothing in it) but you do have the swap partition at the end of the disk then sda3 should start at 188747776 like it does and end near the start of sda5 964380672. Changing the partition table on its own shouldn't hurt (plus I already showed you how to back it up and restore it) as long as you don't mount partitions and write to file systems. Best save the sfdisk output to USB key for easy access then boot a Live CD, preferably one that has the LUKS tools so you can see if it can read the partition's LUKS header.

unixedway 11-09-2012 01:57 AM

I did boot from a live USB and found the 2 MB LUKS partition. When I clicked on it to mount, it asked for the password, then it accepted the password but gave me this error: "Requested offset is beyond real size of device /dev/sda3".
And you are right about the file system problem, I think I didn't have an extended partition. Do you think I can change the LUKS partition size?
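
The condition behind that error, as an added example that is not part of the original thread: the LUKS header records the sector at which the encrypted payload starts, and a partition no larger than that offset leaves no room for any data. It assumes the LUKS1 on-disk header layout (the format in use in 2012); the sample header is constructed, with a payload offset of 4096 sectors to match the 2 MB figure in the thread, and the function names are illustrative.

```python
import struct

SECTOR = 512
# LUKS1 header, big-endian: magic, version, cipher name, cipher mode, hash spec,
# payload offset (sectors), key bytes, MK digest, digest salt, iterations, UUID.
LUKS1_PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
LUKS_MAGIC = b"LUKS\xba\xbe"


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(buf):
    """Return the fields needed for a size check, or raise ValueError."""
    if len(buf) < LUKS1_PHDR.size:
        raise ValueError("short read: need %d bytes" % LUKS1_PHDR.size)
    (magic, version, cipher, mode, _hash, payload_offset,
     key_bytes, _digest, _salt, _iters, uuid) = LUKS1_PHDR.unpack_from(buf)
    if magic != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0")
    if version != 1:
        raise ValueError("not a LUKS1 header (version %d)" % version)
    return {"cipher": _text(cipher) + "-" + _text(mode), "uuid": _text(uuid),
            "payload_offset": payload_offset, "key_bytes": key_bytes}


def check_partition(header, partition_sectors):
    """Compare the header's payload offset with the partition size in sectors."""
    off = header["payload_offset"]
    if off >= partition_sectors:
        return ("header-only", "payload starts at sector %d but the partition "
                "has only %d sectors" % (off, partition_sectors))
    data = partition_sectors - off
    return ("ok", "%d data sectors (%.1f GiB) after the header"
            % (data, data * SECTOR / 2**30))


def sample_header(payload_offset=4096):
    """Constructed header for the demo; digest, salt and UUID are dummy values."""
    return LUKS1_PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                           payload_offset, 32, b"\0" * 20, b"\0" * 32, 1000,
                           b"00000000-0000-0000-0000-000000000000")


if __name__ == "__main__":
    # On a real disk, read LUKS1_PHDR.size bytes from the partition (read-only).
    hdr = parse_luks1_header(sample_header())
    for size in (4096, 775632896):   # sda3 as found, and sda3 up to sda5's start
        print(size, *check_partition(hdr, size))
```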

unSpawn 11-09-2012 07:21 AM

I don't know if it sunk in yet but saying LUKS partition "had all the important data" and then just going ahead modifying the partition table to restore root and home partitions contradict each other. Your previous post shows partition boundaries now don't start where they should. Testing things I forcefully re-partition a blank disk and I get this:
Code:

]# cat sfdisk.txt | sfdisk -C60801 -H255 -S63 -f /dev/sda
Checking that no-one is using this disk right now ...
OK

Disk /dev/sda: 60801 cylinders, 255 heads, 63 sectors/track
Old situation:
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

  Device Boot Start    End  #cyls    #blocks  Id  System
/dev/sda1          0+  65269  65270- 524281243+  83  Linux
/dev/sda2          0      -      0          0    0  Empty
/dev/sda3          0      -      0          0    0  Empty
/dev/sda4          0      -      0          0    0  Empty
Warning: given size (236542) exceeds max allowable size (0)
Warning: given size (183118) exceeds max allowable size (0)
Warning: given size (4096) exceeds max allowable size (0)
Warning: given size (141848) exceeds max allowable size (45692)
Warning: given size (92314) exceeds max allowable size (31797)

New situation:
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

  Device Boot Start    End  #cyls    #blocks  Id  System
/dev/sda1  * 112126  81318- 236542  1900023615  83  Linux
/dev/sda2      83366  266483  183118  1470895335  83  Linux
/dev/sda3    266484    3230-  4096  32901120  83  Linux
/dev/sda4      15109  156956  141848  1139394060    f  W95 Ext'd (LBA)
/dev/sda5      51569  143882  92314  741512205  82  Linux swap / Solaris
Warning: partitions 1 and 2 overlap

Successfully wrote the new partition table

Re-reading the partition table ...

and verifying with fdisk I get:
Code:

]# fdisk /dev/sda
Partition table entries are not in disk order
Warning: setting sector offset for DOS compatiblity

Expert command (m for help): v
Warning: partition 1 overlaps partition 2.
Warning: partition 1 overlaps partition 3.
Warning: partition 1 overlaps partition 5.
Warning: partition 2 overlaps partition 5.
Total allocated sectors -32248060 greater than the maximum 1048576000


Quote:

Originally Posted by unixedway (Post 4825522)
Do you think I can change the LUKS partition size?

So, in theory yes, but practically speaking I would have resorted to Testdisk deep searching for partition boundaries first, then apply common sense to what it returns and then make a logical, informed choice (after all you don't have to apply all it suggests). You modifying the partition table made recovery way more difficult than it should have been in the first place.

unixedway 11-15-2012 02:44 AM

First, I am sorry for this late reply.
Second, I could finally recover all data and here is what I did.
I used the sfdisk log file: I removed the extended partition and increased the sda3 partition size to end before the last partition, which will be sda4 after I deleted the extended one. Then I exported this log file to my hard disk layout. Then with a live USB I tried to mount the encrypted partition but I couldn't because the file system is broken, but I could only open the LUKS as it accepted my password. Then I used photorec to recover my files. It could recover everything but without any structure, just files only, and all file names are changed! You can imagine around 360 GB of files this way, it was a complete mess, so I tried to use dd from my encrypted partition to another USB disk and it was a big surprise when I opened the USB disk and found everything as it is with complete folder structure. :)))

Thanks a lot for your support
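
The dump edit described in this post, as an added example rather than the poster's own commands: it parses the sfdisk dump posted earlier in the thread, drops the extended container, and grows the 4096-sector partition up to the start of the next one. It assumes, as the thread does, that the LUKS partition originally ran up to the swap partition; the function names are illustrative.

```python
import re

# sfdisk -d output posted in the thread (old dump format, unit: sectors).
DUMP = """\
/dev/sda1 : start= 20965376, size= 41943040, Id=83, bootable
/dev/sda2 : start= 62910464, size=125837312, Id=83
/dev/sda3 : start=188747776, size= 4096, Id=83
/dev/sda4 : start=188763750, size=788020380, Id= f
/dev/sda5 : start=964380672, size= 12390384, Id=82
"""
LINE = re.compile(r"^(\S+?)\d+\s*:\s*start=\s*(\d+),\s*size=\s*(\d+),"
                  r"\s*Id=\s*(\w+)(,\s*bootable)?")
EXTENDED_IDS = {"5", "f", "85"}   # MBR container types, they hold no data themselves


def parse_dump(text):
    """Parse the partition lines of an old-format sfdisk dump into dicts."""
    parts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            parts.append({"disk": m.group(1), "start": int(m.group(2)),
                          "size": int(m.group(3)), "id": m.group(4).lower(),
                          "boot": bool(m.group(5))})
    return parts


def grow_into_gap(parts, start):
    """Drop extended containers and grow the partition at `start` to the next one."""
    kept = sorted((dict(p) for p in parts if p["id"] not in EXTENDED_IDS),
                  key=lambda p: p["start"])
    idx = next((i for i, p in enumerate(kept) if p["start"] == start), None)
    if idx is None or idx + 1 == len(kept):
        raise ValueError("need a partition at %d with another one after it" % start)
    kept[idx]["size"] = kept[idx + 1]["start"] - start
    for a, b in zip(kept, kept[1:]):          # refuse to emit an overlapping table
        if a["start"] + a["size"] > b["start"]:
            raise ValueError("partitions at %d and %d overlap" % (a["start"], b["start"]))
    return kept


def format_dump(parts):
    """Render the partitions as primary entries 1..n in the posted dump's format."""
    return "\n".join("%s%d : start=%9d, size=%9d, Id=%2s%s" % (
        p["disk"], n, p["start"], p["size"], p["id"], ", bootable" if p["boot"] else "")
        for n, p in enumerate(parts, 1)) + "\n"

if __name__ == "__main__":
    print(format_dump(grow_into_gap(parse_dump(DUMP), 188747776)), end="")
```

The output keeps the format of the posted dump, so the sfdisk restore command given earlier in the thread can write it back once it has been reviewed.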

ehsdav 07-07-2013 02:49 PM

hi
can you help me on this please
http://www.linuxquestions.org/questi...on-4175468395/

elemes 01-15-2017 10:08 AM

how resize
 
Quote:

Originally Posted by unixedway (Post 4829806)
it was a big surprise when I opened the USB disk and found everything as it is with complete folder structure. :)))


Hello,

As if I just followed your footsteps -- the whole story is the same, including the message of "Requested offset is beyond real size of device /dev/sdb2".
I am just trying to decipher the steps you followed until the solution.

1. you removed your extended partition. I don't have to as I have no extended partition here just unallocated space.

2. you have increased the 2MB LUKS partition size so that it reached your last partition (former sda5, now sda4). I will have to look for a tool that can extend the partition size as GParted refused.

3. you have exported the log file to your hard disk layout. Er... I couldn't catch this one.

4. live USB (you booted a linux) you have tried to mount the encrypted partition (that is now extended to few hundred gigs).

5. LUKS accepted your password but did not show the filesystem and the file recovery tool helped only a little.

6. then you dumped your encrypted partition to a USB disk. That sounds foggy to me: "dd from encrypted partition to another USB disk" == the encrypted partition was successfully mounted (password accepted), deciphering algorithm was active and, using DD, you have created an un-encrypted copy of the original filesystem. Is that interpretation correct?

Thanks for recalling any bit after four years.

elemes 01-15-2017 10:03 PM

SOLVED.

Precondition:
- LUKS partition (2MB size) visible.
- when asked for password, it is accepted
- partition is not mounted because of its wrong size

1. I have looked for an empty HDD the same size as (or larger than) the encrypted disk

2. Cloned the whole encrypted HDD. Safety measure, to keep original data intact
# sudo dd if=/dev/sdb of=/dev/sdc bs=4096
- the operation was surprisingly fast via USB3 (240GB in 40 minutes)
from now on the repair was done on the copy not on the original

3. fdisk

# sudo fdisk -l /dev/sdc

Disk /dev/sdc: 465,8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0003a46d

Device Boot Start End Sectors Size Id Type
/dev/sdc1 * 2048 2000895 1998848 976M 83 Linux
/dev/sdc2 2002944 2007039 4096 2M 83 Linux
-- here is the incorrect partition size

4. enter fdisk interactive mode

# sudo fdisk /dev/sdc

Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


5. delete partition with wrong size

Command (m for help): d
Partition number (1,2, default 2): 2

Partition 2 has been deleted.


6. create new partition at the same starting sector, with original partition size.
Note that the offered default first sector is not the one we need.

Command (m for help): n
Partition type
p primary (1 primary, 0 extended, 3 free)
e extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 2
First sector (2000896-998233439, default 2000896): 2002944 -- avoid the default value
Last sector, +sectors or +size{K,M,G,T,P} (2002944-998233439, default 998233439): 500118191 -- original partition size

Created a new partition 2 of type 'Linux' and of size 237,5 GiB.


7. Write changes to disk

Command (m for help): w

The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.

onebuck 01-16-2017 07:33 AM

Moderator response
 
@elemes

Please do not resurrect necro threads. OP last Activity: 03-07-14 04:09 for this thread so no reply likely.

You would be better off creating a new thread with your information & query in the proper forum.

Please consider looking at; http://www.linuxquestions.org/questi...#faq_lqwelcome to help you to create a new thread.


All times are GMT -5.