Then I have corrupted the filesystem with e2fsck.
I ran e2fsck on my partition and cleaned up to 30 inodes, then I canceled the operation. Now the password does not match anymore.
So first I made a backup of the damaged filesystem using ddrescue...
Then I tried to rewrite the LUKS header using the same password as before.
Code:
cryptsetup luksFormat data.img
Then I tried to mount the partition, but the filesystem type could not be found:
Code:
$ cryptsetup luksOpen data.img cryptdisk
password entered
$ mount -o ro /dev/mapper/cryptdisk /mnt
mount: wrong fs type, bad option, bad superblock on /dev/mapper/cryptdisk
I already tried to convert the filesystem back to ext4 using anyfs-tools, but there is a missing program called build_e2fs which I can't find in the Arch user repositories.
Where do I find the package which includes build_e2fs?
Is there alternatively any other tool for converting a LUKS filesystem back to ext4?
Otherwise, is there any recovery tool for recovering data from a LUKS encrypted device?
Was the partition encrypted prior to that first "cryptsetup luksFormat" command you mentioned? Apparently not, since e2fsck managed to find remnants of a filesystem there.
Stop doing that "luksFormat" operation. All you are doing is repeatedly overwriting the first ~2 megabytes of the partition. Running "luksFormat" repeatedly with the "same password" is especially pointless. "luksFormat" generates a new random master key each time. Your password just unlocks that master key.
Rule 1 for cases like this is to immediately make an image of the affected drive or partition and then work only on the copy. If the data is really important, make at least 2 copies. The best course at this point is to let e2fsck run on one of the copies and see what you are left with. With luck, most of your data will be in subdirectories in lost+found. The subdirectory names will be lost (replaced by numbers), but the filenames within them will be intact.
But there is nothing in the /lost+found directory
There is also no other lost+found directory on my filesystem.
/dev/mapper/cryptdisk is still not mountable.
The lost+found directory will be in that mounted image, /mnt/tmp/lost+found.
You will not be able to mount /dev/mapper/cryptdisk. If there ever was an encrypted filesystem on that partition, you destroyed any possibility of recovering that when you ran luksFormat.
You said you ran e2fsck on that image. Did it claim to have repaired the filesystem? It should have found one of the backup super blocks and repaired the filesystem from that. What are the first few messages from "e2fsck data.img" when you run it now? (You can interrupt it with ctrl-c when it first asks for a y/n confirmation.)
Here are the first few messages when I run e2fsck:
Code:
$ sudo e2fsck data.img
[sudo] entering password
e2fsck 1.42.13 (17-May-2015)
data.img was not cleanly unmounted, check forced.
Resize inode not valid. Recreate<y>? yes
Pass 1: Checking inodes, blocks, and sizes
Root inode is not a directory. Clear<y>? yes
Inode 56 is in use, but has dtime set. Fix<y>? yes
Inode 56 has imagic flag set. Clear<y>? yes
Inode 56 has a extra size (2177) which is invalid
Fix<y>? yes
Inode 56 has INDEX_FL flag set but is not a directory.
Clear HTree index<y>? yes
Inode 56, i_size is 18027495076643673406, should be 0. Fix<y>? yes
Inode 56, i_blocks is 129899552004926, should be 0. Fix<y>? yes
Inode 57 is in use, but has dtime set. Fix<y>? yes
Inode 57 has imagic flag set. Clear<y>? yes
Inode 57 has a extra size (23411) which is invalid
Fix<y>? yes
Inode 58 is in use, but has dtime set. Fix<y>? yes
Inode 58 has imagic flag set. Clear<y>? yes
Inode 58 has a extra size (54115) which is invalid
Fix<y>? yes
Inode 58, i_size is 8135082117735499286, should be 0. Fix<y>? yes
Inode 58, i_blocks is 226681310199729, should be 0. Fix<y>? yes
Inode 59 is in use, but has dtime set. Fix<y>? yes
Inode 59 has a extra size (19182) which is invalid
Fix<y>? yes
Inode 60 is in use, but has dtime set. Fix<y>? yes
Inode 60 has imagic flag set. Clear<y>? yes
Inode 60 has a extra size (37703) which is invalid
Fix<y>? yes
Inode 60 has compression flag set on filesystem without compression support. Clear<y>? yes
Inode 60 has INDEX_FL flag set but is not a directory.
Clear HTree index<y>? yes
Inode 60, i_size is 11814005135297009439, should be 0. Fix<y>? yes
Inode 60, i_blocks is 36916921760685, should be 0. Fix<y>? yes
data.img: e2fsck canceled.
data.img: ***** FILE SYSTEM WAS MODIFIED *****
I don't understand the message
Code:
data.img was not cleanly unmounted, check forced.
because data.img is not mounted
When the command finishes it claims that the filesystem was modified.
Originally Posted by spiri13
I don't understand the message
Code:
data.img was not cleanly unmounted, check forced.
A cleanly unmounted filesystem would have a valid primary super block with a "0" in the needs_recovery bit. Since you overwrote the primary super block, it's no surprise that e2fsck did not find that.
The first time you ran it with "-y" it would have repaired the filesystem. Thereafter, you have a valid primary super block with no needs_recovery bit set, so e2fsck just reports it "clean" and exits. You would need to override that with the "-f" flag to force a check (which should not turn up any problems).
You should be able to mount that image now with the "-o loop" option.
Wait! I know what might be happening. The ext2/3/4 super block is the second 1K block in the partition. There is still a piece of the LUKS header in the first 1K block. The automatic filesystem type detection can be confused by that. Try using
Code:
mount -o loop -t ext4 data.img /mnt/tmp
Last edited by rknichols; 06-20-2016 at 04:12 PM.
Reason: Wait! ...
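Added example, not part of any post in this thread: a read-only check for the situation described in the last reply, where an image carries both a LUKS signature in its first 1K block and an ext2/3/4 super block in the second. The function names and the constructed sample image are assumptions; the offsets (LUKS magic at byte 0, ext `s_magic` at 1024+56, `s_feature_incompat` at 1024+96) come from the on-disk formats, not from the thread.

```shell
#!/bin/sh
# Read-only signature check for a disk image (added example, hypothetical names).

# hex_at FILE OFFSET COUNT: COUNT bytes at OFFSET as lowercase hex, no spaces.
hex_at() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# True if the 6-byte LUKS magic "LUKS\xba\xbe" sits at offset 0.
has_luks_magic() {
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]
}

# True if the ext2/3/4 magic 0xEF53 (stored little-endian) sits at 1024+56.
has_ext_magic() {
    [ "$(hex_at "$1" 1080 2)" = "53ef" ]
}

# True if the needs_recovery flag (0x0004 in s_feature_incompat) is set.
needs_recovery() {
    low=$(hex_at "$1" 1120 1)
    [ -n "$low" ] && [ $(( 0x$low & 4 )) -ne 0 ]
}

# Print one of: luks-remnant+ext, luks, ext, unknown.
classify_image() {
    if has_luks_magic "$1" && has_ext_magic "$1"; then
        echo "luks-remnant+ext"   # two signatures: type auto-detection is ambiguous
    elif has_luks_magic "$1"; then
        echo "luks"
    elif has_ext_magic "$1"; then
        echo "ext"
    else
        echo "unknown"
    fi
}

# Build a constructed 4 KiB sample image (not real data) carrying both signatures.
make_sample() {
    dd if=/dev/zero of="$1" bs=1024 count=4 2>/dev/null
    printf 'LUKS\272\276' | dd of="$1" conv=notrunc 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null
}

img=$(mktemp)
make_sample "$img"
classify_image "$img"
rm -f "$img"
```

Run `classify_image` against a copy of the image, never the original device; a result of `luks-remnant+ext` is the case where naming the type explicitly with `-t ext4` matters.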