DM-Crypt Archive on lore.kernel.org
* [dm-crypt] Recover a LUKS partition
@ 2010-05-24 15:45 fred smith
  2010-05-27 12:46 ` [dm-crypt] Fwd: " fred smith
  0 siblings, 1 reply; 7+ messages in thread
From: fred smith @ 2010-05-24 15:45 UTC (permalink / raw)
  To: dm-crypt

Hi,

I rebooted my server for the first time in ages, and now I can not
mount a LUKS partition :-(

The 'cryptsetup isLuks /dev/sdc1' returns that the partition is not
encrypted, so it is not recognising /dev/sdc2 as a LUKS partition.
Nothing has changed except a reboot and the standard CentOS updates.

While I wait for 'testdisk' to finish (the drive is 1TB):

strace cryptsetup luksDump /dev/sdc1
execve("/sbin/cryptsetup", ["cryptsetup", "luksDump", "/dev/sdc1"],
[/* 21 vars */]) = 0
uname({sys="Linux", node="bob", ...})   = 0
brk(0)                                  = 0x1ea36000
brk(0x1ea36fa0)                         = 0x1ea36fa0
arch_prctl(ARCH_SET_FS, 0x1ea368d0)     = 0
brk(0x1ea57fa0)                         = 0x1ea57fa0
brk(0x1ea58000)                         = 0x1ea58000
access("/etc/selinux/", F_OK)           = 0
open("/etc/selinux/config", O_RDONLY)   = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=511, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x2b3b7c08f000
read(3, "# This file controls the state o"..., 4096) = 511
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x2b3b7c08f000, 4096)            = 0
open("/proc/mounts", O_RDONLY)          = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x2b3b7c090000
read(3, "rootfs / rootfs rw 0 0\n/dev/root"..., 4096) = 319
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x2b3b7c090000, 4096)            = 0
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=56467200, ...}) = 0
mmap(NULL, 56467200, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2b3b7c091000
close(3)                                = 0
open("/dev/sdc1", O_RDONLY|O_SYNC|O_DIRECT) = 3
ioctl(3, BLKSSZGET, 0x7fffcb0480c4)     = 0
read(3, "\353X\220BSD  4.4\0\2\1 \0\2\0\0\0\0\360\0\0
\0\20\0\0\0\0\0"..., 512) = 512
read(3, "RRaA\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
512) = 512
write(2, "/dev/sdc1 is not a LUKS partitio"..., 34/dev/sdc1 is not a
LUKS partition
) = 34
close(3)                                = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2528, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x2b3b7f66b000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2528
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x2b3b7f66b000, 4096)            = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/cryptsetup-luks.mo",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/cryptsetup-luks.mo",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/cryptsetup-luks.mo",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/cryptsetup-luks.mo",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/cryptsetup-luks.mo",
O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/cryptsetup-luks.mo", O_RDONLY)
= -1 ENOENT (No such file or directory)
write(2, "Command failed", 14Command failed)          = 14
write(2, ".", 1.)                        = 1
exit_group(-22)                         = ?

Any help or suggestions gratefully received!
Thanks


* [dm-crypt] Fwd: Recover a LUKS partition
  2010-05-24 15:45 [dm-crypt] Recover a LUKS partition fred smith
@ 2010-05-27 12:46 ` fred smith
  2010-05-27 17:13   ` Uwe Menges
  2010-05-27 17:53   ` orinoco
  0 siblings, 2 replies; 7+ messages in thread
From: fred smith @ 2010-05-27 12:46 UTC (permalink / raw)
  To: dm-crypt

Hi Guys,

I am desperate to try to recover this disk - it has important stuff on
it. Any suggestions or pointers?

I know the passphrase, but is there any way of recovering the first part
of the partition? I have attached the drive via an external interface
and 'gparted' shows:

/dev/sdb1  fat32  200MiB      first sector 40          last sector 409689
/dev/sdb2  hfs+   931.19GiB  first sector 409640

Anything I can do or try?
Thanks




---------- Forwarded message ----------
From: fred smith <dopey483@gmail.com>
Date: 24 May 2010 16:45
Subject: Recover a LUKS partition
To: dm-crypt@saout.de


Hi,

I rebooted my server for the first time in ages, and now I can not
mount a LUKS partition :-(

The 'cryptsetup isLuks /dev/sdc1' returns that the partition is not
encrypted, so it is not recognising /dev/sdc2 as a LUKS partition.
Nothing has changed except a reboot and the standard Centos updates.

While I wait for 'testdisk' to finish (the drive is 1TB):


* Re: [dm-crypt] Fwd: Recover a LUKS partition
  2010-05-27 12:46 ` [dm-crypt] Fwd: " fred smith
@ 2010-05-27 17:13   ` Uwe Menges
  2010-05-27 17:54     ` fred smith
  2010-05-27 19:13     ` fred smith
  2010-05-27 17:53   ` orinoco
  1 sibling, 2 replies; 7+ messages in thread
From: Uwe Menges @ 2010-05-27 17:13 UTC (permalink / raw)
  To: dm-crypt

On 05/27/2010 02:46 PM, fred smith wrote:
> I am desperate to try to recover this disk - it has important stuff on
> it. Any suggestions or pointers?

A good start would be to get some things straight. In your first email
you e.g. left open if /dev/sdc1 or /dev/sdc2 is the partition supposed to
be encrypted. A bit of history would probably also help (initial
partition layout, what you did that it's different now, etc.).

> I know the passphrase, but is there any way of recovering the first part
> of the partition? I have attached the drive via an external interface
> and 'gparted' shows:
> 
> /dev/sdb1  fat32  200MiB      first sector 40          last sector 409689
> /dev/sdb2  hfs+   931.19GiB  first sector 409640

Does not look good to me, because (sdb2 first sector) < (sdb1 last sector).

You could scan the disk for a LUKS header (e.g. here "hexdump -C /dev/sda2
| less" shows that the first bytes are "LUKS" (4c 55 4b 53)).

"testdisk" may also help. Good practice is to always work on a copy of
the disk to recover, not the original.

If you have lost the LUKS header, recovery is impossible, because that's
exactly what crypto stuff is for. Reconsider your backup strategy.

Yours, Uwe
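
The header scan suggested above, as an added example that is not part of the thread or of cryptsetup's code: it walks a disk image (a copy, as advised) sector by sector, looks for the LUKS1 magic, and checks the version and key-size fields so that a stray "LUKS" string in file data is not reported. The sample image and its UUID are constructed, and the key-size bound is an assumption of this example.

```python
import io
import struct

SECTOR = 512
LUKS1_MAGIC = b"LUKS\xba\xbe"  # 4c 55 4b 53 ba be
# LUKS1 header prefix, big-endian: magic, version, cipher name, cipher mode,
# hash spec, payload offset (sectors), master key length (bytes).
PHDR = struct.Struct(">6sH32s32s32sII")
UUID_OFF, UUID_LEN = 168, 40

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1(sector):
    """Return header fields if `sector` starts a plausible LUKS1 header, else None."""
    if len(sector) < UUID_OFF + UUID_LEN or not sector.startswith(LUKS1_MAGIC):
        return None
    _, version, cipher, mode, hash_spec, payload, key_bytes = PHDR.unpack_from(sector)
    # Assumed sanity bound: LUKS version 1 and a key length of 1..64 bytes.
    if version != 1 or not 0 < key_bytes <= 64:
        return None
    return {"cipher": _cstr(cipher) + "-" + _cstr(mode), "hash": _cstr(hash_spec),
            "payload_offset": payload, "key_bytes": key_bytes,
            "uuid": _cstr(sector[UUID_OFF:UUID_OFF + UUID_LEN])}

def scan_image(stream, chunk_sectors=2048):
    """Yield (start_sector, fields) for each LUKS1 header on a sector boundary."""
    base = 0
    while True:
        chunk = stream.read(chunk_sectors * SECTOR)
        if not chunk:
            return
        for off in range(0, len(chunk), SECTOR):
            fields = parse_luks1(chunk[off:off + SECTOR])
            if fields:
                yield base + off // SECTOR, fields
        base += len(chunk) // SECTOR

def constructed_image():
    """Constructed sample: FAT-style sector 0, LUKS1 header at sector 40, one decoy."""
    hdr = PHDR.pack(LUKS1_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 4040, 32)
    hdr = hdr.ljust(UUID_OFF, b"\0") + b"00000000-0000-4000-8000-000000000000"
    img = bytearray(64 * SECTOR)
    img[0:11] = b"\xebX\x90BSD  4.4"                  # same leading bytes as the strace read
    img[40 * SECTOR:40 * SECTOR + len(hdr)] = hdr
    img[50 * SECTOR:50 * SECTOR + 6] = LUKS1_MAGIC    # decoy: magic but version 0
    return bytes(img)

if __name__ == "__main__":
    for start, fields in scan_image(io.BytesIO(constructed_image())):
        print(start, fields)
```

To scan a real copy, pass `open("disk-copy.img", "rb")` (a hypothetical file name) to `scan_image`; the start sector of a hit is where the LUKS partition began.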


* Re: [dm-crypt] Fwd: Recover a LUKS partition
  2010-05-27 12:46 ` [dm-crypt] Fwd: " fred smith
  2010-05-27 17:13   ` Uwe Menges
@ 2010-05-27 17:53   ` orinoco
  2010-05-27 22:08     ` Arno Wagner
  1 sibling, 1 reply; 7+ messages in thread
From: orinoco @ 2010-05-27 17:53 UTC (permalink / raw)
  To: dm-crypt

Hi fred,

On Thu, 27 May 2010 13:46:03 +0100
fred smith <dopey483@gmail.com> wrote:
> I am desperate to try to recover this disk - it has important stuff on
> it. Any suggestions or pointers?
> I know the passphrase, but is there any way of recovering the first part
> of the partition? I have attached the drive via an external interface
> and 'gparted' shows:
> /dev/sdb1  fat32  200MiB      first sector 40          last sector 409689
> /dev/sdb2  hfs+   931.19GiB  first sector 409640
> Anything I can do or try?

I have a LUKS encrypted hard disk with a destroyed 1st part
(accidentally overwritten with encrypted cache)
myself.
From what I learned on this list about LUKS there is no way to recover
it because there is no backup of it at the end or anywhere else in the
partition. The key passphrase is AFAIK no help because it is only used
to encrypt the real key used for encryption of the partition itself.
So the only way to recover it would be to "guess" this key, but this is
as safe as strong encryption can be.

So, at this point I would consider your data as lost, 
but hope dies last. You could keep the disk and maybe future generations
can recover the data.

regards

orinoco



* Re: [dm-crypt] Fwd: Recover a LUKS partition
  2010-05-27 17:13   ` Uwe Menges
@ 2010-05-27 17:54     ` fred smith
  2010-05-27 19:13     ` fred smith
  1 sibling, 0 replies; 7+ messages in thread
From: fred smith @ 2010-05-27 17:54 UTC (permalink / raw)
  To: Uwe Menges; +Cc: dm-crypt

Hi Uwe,

Point taken on backup - but we all hate hearing that afterwards :-)
I accept that point 100% though.

This disk is only meant to have one partition :-( I think that is part
of the problem. There was only one partition which I presume to be
sdb1.

I will do the hexdump on both partitions and come back to you.
Cheers




* Re: [dm-crypt] Fwd: Recover a LUKS partition
  2010-05-27 17:13   ` Uwe Menges
  2010-05-27 17:54     ` fred smith
@ 2010-05-27 19:13     ` fred smith
  1 sibling, 0 replies; 7+ messages in thread
From: fred smith @ 2010-05-27 19:13 UTC (permalink / raw)
  To: Uwe Menges; +Cc: dm-crypt

I have done a dump on both partitions. No sign of LUKS :-( Nothing there.

It's all gone. I must have had finger trouble or something and
wiped/partitioned the wrong drive.

Oh well that will teach me to concentrate when using fdisk!!

Thanks for your help.
Cheers




* Re: [dm-crypt] Fwd: Recover a LUKS partition
  2010-05-27 17:53   ` orinoco
@ 2010-05-27 22:08     ` Arno Wagner
  0 siblings, 0 replies; 7+ messages in thread
From: Arno Wagner @ 2010-05-27 22:08 UTC (permalink / raw)
  To: dm-crypt

On Thu, May 27, 2010 at 07:53:29PM +0200, orinoco wrote:
> Hi fred,
> 
> On Thu, 27 May 2010 13:46:03 +0100
> fred smith <dopey483@gmail.com> wrote:
> > I am desperate to try to recover this disk - it has important stuff on
> > it. Any suggestions or pointers?
> > I know the passphrase, but is there any way of recovering the first part
> > of the partition? I have attached the drive via an external interface
> > and 'gparted' shows:
> > /dev/sdb1  fat32  200MiB      first sector 40          last sector 409689
> > /dev/sdb2  hfs+   931.19GiB  first sector 409640
> > Anything I can do or try?
> 
> I have a LUKS encrypted hard disk with a destroyed 1st part
> (accidentally overwritten with encrypted cache)
> myself.
> From what I learned on this list about LUKS there is no way to recover
> it because there is no backup of it at the end or anywhere else in the
> partition. 

That is correct. Overwrite the start of a LUKS partition/disk
and your data is toast, unless you did a manual backup of the
LUKS header.

> The key passphrase is AFAIK no help because it is only used
> to encrypt the real key used for encryption of the partition itself.
> So the only way to recover it would be to "guess" this key, but this is
> as safe as strong encryption can be.
> 
> So, at this point I would consider your data as lost, 
> but hope dies last. You could keep the disk and maybe future generations
> can recover the data.

I rather doubt that, at least for the next 30 or so years.

Arno

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 

