[dm-crypt] Formated Device

[dm-crypt] Formated Device

[tesla1]

Hi,

you probably receive often such mails: How can I rescue my data?

Here is what happened:

I have (had) an encrypted harddisk (1TB). I can't remember whether I encrypted the whole block device or the partition on it. Now I accidently formatted the disk as msdos filesystem. Again I don't know whether it was the block device or just the partition. The ouput of fdisk -l looks like this:
root@arpa:~# fdisk -l /dev/sdb

Platte /dev/sdb: 1000.2 GByte, 1000204886016 Byte
255 Köpfe, 63 Sektoren/Spuren, 121601 Zylinder
Einheiten = Zylinder von 16065 × 512 = 8225280 Bytes
Disk identifier: 0x0006044c

   Gerät  boot.     Anfang        Ende     Blöcke   Id  System
/dev/sdb1   *           1      121601   976760001    c  W95 FAT32 (LBA)

A long time ago when I destroyed the partition table of an unencrypted block device I just created a new one with the same parameters and then had access to the complete filesystem again with no data loss.

What will happen if I recreate the encrypted harddisk with 

cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sdb

which is the same command I used to encrypt the disk before? Can I rescue the data that way?
Are there any other possibilities under these circumstances?
The fact that the 1TB disk is the largest one I own doesn't make it easy to do experiments.
Thank you in advance!

-- 
GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT!
Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01

Re: [dm-crypt] Formated Device

[Christoph Anton Mitterer]

[-- Attachment #1: Type: text/plain, Size: 709 bytes --]

On Tue, 2010-06-01 at 22:58 +0200, tesla1@gmx.net wrote:
> What will happen if I recreate the encrypted harddisk with 
> 
> cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sdb
It won't help you, as a new volume key is generated...


> which is the same command I used to encrypt the disk before? Can I rescue the data that way?
No... it could even harm, in case the old LUKS header should be still
there (which I doubt)


> Are there any other possibilities under these circumstances?
You can try to do some forensics, and see whether you find a valid LUKS
header (with keyslots and so on)...

Or simply grab your backups of either your data, or the LUKS header ;-)



Cheers,
Chris.

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 3387 bytes --]

Re: [dm-crypt] Formated Device

[Arno Wagner]

On Tue, Jun 01, 2010 at 10:58:36PM +0200, tesla1@gmx.net wrote:
> Hi,
> 
> you probably receive often such mails: How can I rescue my data?

Indeed. Short answer if the LUKS header is damaged, you typically 
cannot (in the cryptographically strong sense).
 
> Here is what happened:
> 
> I have (had) an encrypted harddisk (1TB). I can't remember whether I
> encrypted the whole block device or the partition on it. Now I accidently
> formatted the disk as msdos filesystem. Again I don't know whether it was
> the block device or just the partition. The ouput of fdisk -l looks like
> this:
>
> root@arpa:~# fdisk -l /dev/sdb
> 
> Platte /dev/sdb: 1000.2 GByte, 1000204886016 Byte
> 255 K??pfe, 63 Sektoren/Spuren, 121601 Zylinder
> Einheiten = Zylinder von 16065 ?? 512 = 8225280 Bytes
> Disk identifier: 0x0006044c
> 
>    Ger??t  boot.     Anfang        Ende     Bl??cke   Id  System
> /dev/sdb1   *           1      121601   976760001    c  W95 FAT32 (LBA)
> 
> A long time ago when I destroyed the partition table of an unencrypted 
> block device I just created a new one with the same parameters and then 
> had access to the complete filesystem again with no data loss.
> 
> What will happen if I recreate the encrypted harddisk with 
> 
> cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sdb

You will loose all recovery ability for sure.

> which is the same command I used to encrypt the disk before? Can I 
> rescue the data that way?

No.

> Are there any other possibilities under these circumstances?

If the partition was not at the beginning of the disk (where there
is not a nive new FAT allocation table), then you can recreate the
partition and access afterwards. If you get the position wrong,
you could overwrite the LUKS header. So any work you do, make a full
sectorlevel backup before.

Finding the LUKS header is not that hard, I described it some time
ago on this list. Just browse tha archives, or look at the header
fedinition, there is a magic number in there suitable for searching.

If the LUKS header was, however, at the beginning of that disk,
then congratulations, you just performed a very secure erase on
your data. 

> The fact that the 1TB disk is the largest one I own doesn't make 
> it easy to do experiments.

If you care for that data, get an 1.5TB or 2 TB disk before messing
with this any further and use that disk to make a full, sector-level
backup.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

Re: [dm-crypt] Formated Device

[tesla1]

> > you probably receive often such mails: How can I rescue my data?
> 
> Indeed. Short answer if the LUKS header is damaged, you typically 
> cannot (in the cryptographically strong sense).

Thank you for your helpful answer you gave anyway.

> Finding the LUKS header is not that hard, I described it some time
> ago on this list. 

Good point.

Just browse tha archives, or look at the header
> fedinition, there is a magic number in there suitable for searching.

I couldn't find the archives, that's why I wrote a new mail. Now I found it after clicking a link that I got after the subscription[1], after that clicking on "Overview of all saout.de mailing lists" in the lower left corner, after that on "dm-crypt". Sorry, that's too obvious, I should have found that earlier.

> If you care for that data, get an 1.5TB or 2 TB disk before messing
> with this any further and use that disk to make a full, sector-level
> backup.

I could do some foo with the first few sectors. My sector size is usually 512 Bytes. Here is how they look like:

root@arpa:~# dd if=/dev/sdb of=block.img bs=512 count=260
260+0 Datensätze ein
260+0 Datensätze aus
133120 Bytes (133 kB) kopiert, 0,0174116 s, 7,6 MB/s
root@arpa:~# hexdump block.img 
0000000 b8fa 1000 d08e 00bc b8b0 0000 d88e c08e
0000010 befb 7c00 00bf b906 0200 a4f3 21ea 0006
0000020 be00 07be 0438 0b75 c683 8110 fefe 7507
0000030 ebf3 b416 b002 bb01 7c00 80b2 748a 8b01
0000040 024c 13cd 00ea 007c eb00 00fe 0000 0000
0000050 0000 0000 0000 0000 0000 0000 0000 0000
*
00001b0 0000 0000 0000 0000 044c 0006 0000 0180
00001c0 0001 fe0c ffff 003f 0000 5982 7470 0000
00001d0 0000 0000 0000 0000 0000 0000 0000 0000
*
00001f0 0000 0000 0000 0000 0000 0000 0000 aa55
0000200 0000 0000 0000 0000 0000 0000 0000 0000
*
0020000 d29d 5309 832c e806 74d8 c9e4 95f3 9521
0020010 914c 01bd 2fb1 0fd8 cdb8 dacd 84d1 c210
0020020 9c4a a1ce 4784 a4d1 8f5c ce60 3d59 cb62
...
[* STAR stands for repeat last line]

and 
root@arpa:~# dd if=/dev/sdb1 of=partition.img bs=512 count=100
100+0 Datensätze ein
100+0 Datensätze aus
51200 Bytes (51 kB) kopiert, 0,0112693 s, 4,5 MB/s
root@arpa:~# hexdump partition.img 
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
0018200 d29d 5309 832c e806 74d8 c9e4 95f3 9521
...
=>1581056 Bytes are empty.
 
Something tells me there is no LUKS header any more (no LUKS MAGIC L). So I am the happy owner of an empty 1024GByte backup medium now! 

Again, thanks for your help.

[1] http://www.saout.de/mailman/options/dm-crypt/
-- 
GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT!
Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01