Quote:
Originally Posted by Kallys
Since encrypted file size is not stored in LUKS header and encryption is only based on block position on disk, is there not a way to decrypt a whole raw device, and then try to rebuild deleted inodes based on raw content or rescue files by reading apparently free space?
|
The problem is that what matters is not the block position on the
disk but the block offset in the LUKS
container. When that container is a raw disk or a partition, then it's easy to determine where any given offset apears on the underlying media. An LVM logical volume would be somewhat harder, but still doable. But, your container is a
file in an ext4 filesystem. You have found where that file
begins on the disk, so some number of blocks immediately follow. However, at some point, call it block
N, you run into a group descriptor in that outer filesystem, and then your file's blocks resume with block
N+1 after that group descriptor. You don't know where that group descriptor begins or what its size is. You can go searching/calculating, but you will have to do that 400+ times to find all of your file's segments. That's just not practical unless your data is extremely valuable (e.g., your PhD thesis, or perhaps a large Bitcoin wallet).