LinuxQuestions.org

Linux - Newbie > File recovery from encrypted filesystem (known password)
https://www.linuxquestions.org/questions/linux-newbie-8/file-recovery-from-encrypted-filesystem-known-password-4175508468/

kentronix 06-19-2014 05:17 AM

File recovery from encrypted filesystem (known password)
 
I have an MRT NAS unit running some form of embedded Linux. The data partition was encrypted (I know the password), but there was a filesystem failure of some sort which ended up with the partition getting reformatted (same size and same encryption/password). Later on I discovered our backup had also failed for another reason, so I am trying to get what I can off this reformatted drive.

I am quite used to file recovery using live CDs, but because the drive is encrypted I am a bit lost. I can mount the new volume, but what I really need to do is decrypt from the raw device, somehow. Presumably the mounted new filesystem will not contain any traces of what was there pre-format? Or have I got that wrong?

I want to stress I set this up in the first place so I do know the password.

I am pretty sure I am fighting a losing battle here, but wanted to check with you chaps before giving up. My understanding of what level the encryption actually happens at is a bit lacking, and I am not sure how to find out. In case it helps, the encryption password was asked for by the device at the point of formatting, so I am assuming it is at the partition level, but that is just a guess really.


Any advice or places to look for more info?

mreff555 06-19-2014 07:13 AM

It doesn't sound like you are going to be able to recover anything. You should be able to mount the partition if it's valid. A boot CD may not have the required software installed. You could try this link to mount it manually

http://askubuntu.com/questions/63594...m-command-line

kentronix 06-19-2014 07:43 AM

Thanks for your quick response. I made a little progress. It seems that as well as the standard encrypted device /dev/hdc2, there is also a device called /dev/loop0, which when I mount it shows the new unencrypted files post-format. Presumably there is some kind of decryption between the two; I am not sure of the method, but it all seems to be set up at boot time, and as it seems to be a non-standard Linux version I gave up hunting. Finding an unencrypted version of the device is probably the best hope for me anyway.

I will have a go at a block-level copy of /dev/loop0 in the vain attempt that it may have file remnants.

If I have any luck I will of course report back. Thanks for the link, I am reading up now...

rknichols 06-19-2014 08:58 AM

If you could post the output from "blkid /dev/hdc2" or "file -ks /dev/hdc2" it might help determine what type of encryption was used and whether any recovery is possible.

kentronix 06-19-2014 09:10 AM

Unfortunately the Linux version doesn't seem to have either blkid or file; it is a really cut-down embedded version, I think.

However, when I use mount I get the info:

/dev/hdc2 on /mnt/ide3 type ext2 (rw,loop=/dev/loop1,encryption=AES128)

Guessing here, but I assumed that meant the device /dev/loop1 is an unencrypted version of /dev/hdc2.

My hope is that a dd of loop1 to a spare drive (which I am currently running now) will result in an unencrypted, unmounted version of the raw partition.

I am admittedly way out of my depth here :)

rknichols 06-19-2014 09:41 AM

What would be even more helpful would be a dd of the first megabyte of /dev/hdc2. You could run "file -ks" on the output from that and see what you are dealing with.

kentronix 06-19-2014 09:57 AM

I will let my existing dd process finish and then give it a go tomorrow, fingers crossed, and thanks for your help.

rknichols 06-19-2014 01:28 PM

Just to let you know in advance, if "file -sk" simply reports "data", that is a good thing in your case as it means that the encryption key probably was derived from the password. Your problem is then the same as recovering old data from a formatted, but unencrypted, filesystem.

However, if "file -sk" reports "LUKS encrypted" you are out of luck. Your data was encrypted with a random master key that is unrelated to the password, and the password simply allows extracting that master key from the LUKS header. Since the original master key was lost when the new LUKS header was written, there is no way to decrypt your old data.
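
The check rknichols describes, done by hand: the script below is an added example (not code from the thread) that reads a dump of the first MiB of the raw partition and reports what `file -ks` would, telling apart a LUKS header (whose random master key dies with the header) from a headerless, password-derived cipher that `file` only calls "data", and from a plaintext ext2 superblock, which is what a dump of the loop device should show. The device name /dev/hdc2 is the thread's; the dump filename, the constructed sample buffers and the 7.9 bits-per-byte entropy threshold are assumptions of the example.

```python
"""Classify a dump of the first MiB of a raw partition without `file`,
which this NAS lacks. Added example, not from the thread. The dump file
name is an assumption:
    dd if=/dev/hdc2 of=hdc2-head.bin bs=1M count=1
    python3 classify_head.py hdc2-head.bin
"""
import math
import os
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"   # primary header magic for LUKS1 and LUKS2
LUKS1_HEADER_LEN = 592
LUKS1_SLOT_ACTIVE = 0x00AC71F3
EXT_SB_OFFSET = 1024           # ext2/3/4 superblock lives at byte 1024
EXT_MAGIC = 0xEF53             # s_magic, little-endian, at superblock + 0x38


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(buf: bytes):
    """LUKS1: return the fixed header fields. Other LUKS versions: only
    {'version': n}. No LUKS magic at offset 0: None."""
    if len(buf) < 8 or buf[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", buf[6:8])[0]
    if version != 1 or len(buf) < LUKS1_HEADER_LEN:
        return {"version": version}
    hdr = {
        "version": 1,
        "cipher": _cstr(buf[8:40]),
        "mode": _cstr(buf[40:72]),
        "hash": _cstr(buf[72:104]),
        "payload_offset_sectors": struct.unpack(">I", buf[104:108])[0],
        "key_bytes": struct.unpack(">I", buf[108:112])[0],
        "uuid": _cstr(buf[168:208]),
        "active_slots": [],    # (slot index, PBKDF2 iteration count)
    }
    for i in range(8):         # eight 48-byte key slots start at offset 208
        off = 208 + 48 * i
        active, iterations = struct.unpack(">II", buf[off:off + 8])
        if active == LUKS1_SLOT_ACTIVE:
            hdr["active_slots"].append((i, iterations))
    return hdr


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for ciphertext."""
    n = len(buf)
    counts = (buf.count(v) for v in range(256))
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_head(buf: bytes) -> str:
    """'luks' : a LUKS header; its random master key is gone once overwritten.
    'ext'  : an ext2/3/4 superblock, i.e. this is already the plaintext side.
    'data' : no signature and near-random bytes, what `file` prints for a
             headerless cipher whose key comes straight from the password.
    'other': no signature and low entropy (zeros, or some other format)."""
    if parse_luks_header(buf) is not None:
        return "luks"
    if len(buf) >= EXT_SB_OFFSET + 0x3A:
        magic = struct.unpack_from("<H", buf, EXT_SB_OFFSET + 0x38)[0]
        log_block_size = struct.unpack_from("<I", buf, EXT_SB_OFFSET + 0x18)[0]
        if magic == EXT_MAGIC and log_block_size <= 6:   # 1 KiB .. 64 KiB blocks
            return "ext"
    return "data" if shannon_entropy(buf[:65536]) > 7.9 else "other"


# Constructed sample inputs, not dumps of any real device.
def sample_luks1() -> bytes:
    h = bytearray(4096)
    h[0:6] = LUKS_MAGIC
    struct.pack_into(">H", h, 6, 1)
    h[8:11], h[40:51], h[72:78] = b"aes", b"xts-plain64", b"sha256"
    struct.pack_into(">II", h, 104, 4096, 64)     # payload offset, key bytes
    h[168:204] = b"12345678-1234-5678-1234-567812345678"
    struct.pack_into(">II", h, 208, LUKS1_SLOT_ACTIVE, 250000)   # slot 0 only
    return bytes(h)


def sample_ext2() -> bytes:
    h = bytearray(4096)
    struct.pack_into("<H", h, EXT_SB_OFFSET + 0x38, EXT_MAGIC)
    return bytes(h)


def sample_ciphertext() -> bytes:
    return os.urandom(65536)     # stand-in for headerless loop-AES output


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        head = f.read(1024 * 1024)
    print(classify_head(head))
    if classify_head(head) == "luks":
        print(parse_luks_header(head))
```

Run the same script on a dump of /dev/loop1 and it should answer "ext". For the raw partition, "data" is the good answer in this thread's situation: with a headerless, password-keyed loop cipher the same password gives the same key, so the old ciphertext still decrypts sector by sector behind the newly set-up loop device, and a carver run over that device can find pre-format files; "luks" means the old master key was overwritten when the partition was re-created and the password is no help.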

kentronix 06-20-2014 10:39 AM

Wow, well I had a fair amount of success. After using dd to copy the loop device off to another zeroed device, I then mounted that device in a PC running a live Linux boot CD and used photorec to scan for files.

I now have close to 17,000 files to sift through. Enough are definitely proven to be from the encrypted drive before it was formatted so now it is just a case of finding the important ones (obviously the directory structure, filenames and extensions have all been lost).

Thanks for your help, I have learnt lots here. Part of which is that at no point during this was I required to input the encryption password, so in this case encryption has only served the purpose of making recovery harder, NOT of making anything actually any more secure. As the device boots it automounts the encrypted partition (via a loop), so if anybody steals the hardware (it is a portable NAS) then encryption is pointless, because as long as you can boot, you can copy off the unencrypted partition for file recovery elsewhere.

Thanks again
Kentronix
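
A minimal signature-based carver of the kind photorec is, as an added example rather than photorec's code or anything from the thread: it walks an image of the decrypted loop device at 512-byte boundaries, looks for PNG and JPEG headers, cuts each file at its trailer, and names the output by offset, which is all a carver knows, hence the lost paths, names and extensions reported above. The image path, the output directory and the sample image are assumptions; the 1x1 PNG is built in the block so the example runs offline, and the JPEG is only signature-correct, not a decodable picture.

```python
"""Signature-based carving over an image of the decrypted loop device.
Added example, not photorec's code nor anything from the thread. The image
path and output directory are assumptions:
    dd if=/dev/loop1 of=loop1.img bs=1M
    python3 carve.py loop1.img carved/
"""
import mmap
import os
import struct
import sys
import zlib

BLOCK = 512                    # files start on sector boundaries, so only
                               # those offsets are checked for a header
MAX_FILE = 16 * 1024 * 1024    # stop looking for a trailer beyond this
SIGNATURES = {                 # type: (header, trailer)
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # empty IEND chunk + CRC
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),             # SOI .. EOI
}


def carve(image):
    """image: bytes or a read-only mmap. Returns [(type, offset, data)] for
    every file with both header and trailer present; a header whose trailer
    was overwritten (as by the reformat) is skipped."""
    found, off = [], 0
    while off < len(image):
        hit = None
        for kind, (head, tail) in SIGNATURES.items():
            if image[off:off + len(head)] == head:
                end = image.find(tail, off + len(head), off + MAX_FILE)
                if end != -1:
                    hit = (kind, off, bytes(image[off:end + len(tail)]))
                break
        if hit is None:
            off += BLOCK
        else:
            found.append(hit)
            off += len(hit[2])
            off += (-off) % BLOCK          # resume at the next boundary
    return found


def make_png_1x1() -> bytes:
    """A valid 1x1 red PNG, constructed here so the example runs offline."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data)
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")               # filter byte + red
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


# Signature-correct JPEG stand-in (JFIF APP0 header, padding, EOI); not decodable.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\0" * 100 + b"\xff\xd9")


def build_sample_image() -> bytes:
    """Constructed 16 KiB image: a PNG at sector 3, a JPEG at sector 10, and
    at sector 20 the first 16 bytes of a PNG whose rest was overwritten."""
    img = bytearray(32 * BLOCK)
    png = make_png_1x1()
    img[3 * BLOCK:3 * BLOCK + len(png)] = png
    img[10 * BLOCK:10 * BLOCK + len(SAMPLE_JPEG)] = SAMPLE_JPEG
    img[20 * BLOCK:20 * BLOCK + 16] = png[:16]
    return bytes(img)


if __name__ == "__main__":
    os.makedirs(sys.argv[2], exist_ok=True)
    with open(sys.argv[1], "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as image:
        for kind, off, data in carve(image):
            # The offset is the only identity a carver has; the original path
            # and filename live in directory metadata it never sees.
            name = os.path.join(sys.argv[2], f"{off:012x}.{kind}")
            with open(name, "wb") as out:
                out.write(data)
            print(name, len(data))
```

Two limits worth knowing before sifting through thousands of results: a file stored non-contiguously on disk comes out with a foreign middle, because the carver assumes header and trailer bracket one run of sectors, and a JPEG with an embedded EXIF thumbnail is cut at the thumbnail's own EOI marker rather than the picture's, so it arrives truncated. photorec handles both better than this example, but the reason names and directories never come back is the same for either tool.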

