[RESOLVED] LUKS partition entry removed by mistake, not formatted

asked 2016-11-19 09:10:36 -0600

Fabash gravatar image

updated 2016-11-20 11:14:38 -0600

Hello

I have a 8GB memory stick whose only partition is (was...) a LUKS encrypted one. Unfortunately, I had removed this partition from Windows by mistake, not formatted the device.

So, instead of a similar entry (from my old 4GB stick)

sdb                                             8:16   1   3,8G  0 disk  
└─sdb1                                          8:17   1   3,8G  0 part  
  └─luks-<xxxxxxxxx> 253:3    0   3,8G  0 crypt /run/media/<me>/<mount_point>

I have now only the first line.

Is there a mean to recreate correctly to entry to this LUKS partition, and be able to retrieve my data ? Could I use a dd command, and by trying to determine first sector of it, dump it in a file and then try to mount this file ?

I don't want to try to create any partition to avoid modifying any data.

Thanks for any advice.

Edit: I have found the solution since then. In order to help anyone, here is a quick command lists I used:

# Find the start sector (offset) of the LUKS header
$ sudo hexdump -C /dev/<device> | grep 'LUKS' 
00100000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|

# Save (dump) in a file from this offext: 0x00100000 bytes / bs(512bytes) = 2048
sudo dd if=/dev/<device> of=LUKS_part.bin bs=512 skip=2048
15726592+0 records in
15726592+0 records out
8052015104 bytes (8,1 GB, 7,5 GiB) copied, 396,029 s, 20,3 MB/s

# Quick verification that it's done correctly by checking firsts 16 bytes
$ sudo hexdump -C LUKS_part.bin | head -1
00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|

# Create a loopback device from this file
$ sudo losetup -f LUKS_part.bin
$ losetup -a
/dev/loop0: []: (/home/user/LUKS_part.bin)

# Open the crypted device and mount it
$ sudo cryptsetup luksOpen /home/user/LUKS_part.bin recovery
Enter passphrase for /home/user/LUKS_part.bin:

$ sudo mkdir -p /mnt/recovery
$ sudo mount /dev/mapper/recovery /mnt/recovery

$ ls /mnt/recovery
total 1,5G
<...data recovered...>

Of course, it worked for me as I didn't change any byte since my mistake.

edit retag flag offensive close merge delete

Comments

All credits go to the user on this forum's thread: https://ubuntuforums.org/showthread.p...

Fabash gravatar imageFabash ( 2016-11-20 11:13:09 -0600 )edit
add a comment