LinuxQuestions.org


Josomeister 06-05-2019 06:47 AM

fail: deleted crypt-luks /dev/sda5 > how to regain access to (encrypted) data?
 
Hello everyone. Yes a very stupid mistake.

Story behind
I wanted to format a USB stick while I was stressed in time during a conference. sudo gparted and then - don't ask me which horse was riding me - I deleted all the partitions on /dev/sda (and not /dev/sdb) and pressed okay and okay again. After I got a kernel error message I was like "fuuuk" but the computer was still running so I thought "uf lucky me the harddrive was not unmounted so it was protected from writing" and finished my thing and shut down my computer before e.g. backing up my password-vault :). After I rebooted, the shock:

Error messages
Code:

WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Reading all physical volumes. This may take a while...

After a heap of such messages the output looks as follows

Code:

ALERT! /dev/disk/by-uuid/[long-number] does not exist
Check cryptopts=source= bootarg: cat /proc/cmdline
or missing modules, devices: cat /proc/modules;
ls /dev -r Dropping to a shell.
Will skip /dev/disk/by-uuid/[long-number] if you can't fix

Code:

BusyBox v1.22.1 (Debian 1:1.22.0-19+b3) built-in shell (ash)
Enter 'help' for a list of built-in commands.
(initramfs)

Further Infos
When I boot from a live-system I can still
see and access /dev/sda1 ext2 (bootloader)
and see but not access /dev/sda2 extended
/dev/sda5 crypt-luks is not there anymore, this is probably the thing I deleted


Similar issues
Those two threads are somehow related I think, but I don't really understand it
https://www.linuxquestions.org/quest...on-4175435883/
https://www.linuxquestions.org/quest...on-4175468395/


Hope you can help me

P.s.: Backups yes, are a good thing. Sadly my last backup is quite old. So regular backups are even better, yes.

rknichols 06-05-2019 09:25 AM

The tool of choice for recovering partitions is testdisk, which can be found on System Rescue CD, GParted Live CD, and many other rescue CDs. It should be able to locate your missing LUKS partition easily.

The remaining problem is that there is no size information in the LUKS header, so testdisk cannot determine the partition size and always assumes the minimum possible size (just enough for the LUKS header). You will have to adjust the size of that partition manually. Just be sure to use a tool that simply resizes the partition and does not attempt to adjust or format the content. I suggest the "resizepart" command in the parted command.
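The point above, that the LUKS header carries no size information, can be seen in the LUKS1 on-disk layout. The following is an added example, not part of the original post: it parses a LUKS1 header and probes a candidate start sector read-only. The function names are hypothetical and the sample header is constructed, not taken from the poster's disk.

```python
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 header, big-endian: magic[6] version cipher[32] mode[32] hash[32]
# payload_offset key_bytes mk_digest[20] mk_salt[32] mk_iterations uuid[40]
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")   # 208 bytes
SLOT = struct.Struct(">II32sII")                     # 8 key slots of 48 bytes follow
SLOT_ACTIVE = 0x00AC71F3
HEADER_LEN = PHDR.size + 8 * SLOT.size               # 592 bytes

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1(buf):
    """Return the header fields, or None if buf does not start with a LUKS1 header."""
    if len(buf) < HEADER_LEN or buf[:6] != LUKS_MAGIC:
        return None
    _, ver, cipher, mode, hsh, payload, key_bytes, _, _, _, uuid = PHDR.unpack_from(buf)
    if ver != 1:
        return None
    slots = [SLOT.unpack_from(buf, PHDR.size + i * SLOT.size) for i in range(8)]
    # Note what is absent: no field records the total size of the container.
    return {
        "cipher": f"{_text(cipher)}-{_text(mode)}",
        "hash": _text(hsh),
        "key_bits": key_bytes * 8,
        "payload_offset": payload,   # sectors from partition start to ciphertext
        "uuid": _text(uuid),
        "active_slots": [i for i, s in enumerate(slots) if s[0] == SLOT_ACTIVE],
    }

def probe(path, start_sector):
    """Read-only check of a candidate partition start on a disk or image file."""
    with open(path, "rb") as dev:
        dev.seek(start_sector * SECTOR)
        return parse_luks1(dev.read(HEADER_LEN))

def constructed_header(payload=4096):
    """Constructed sample header; every value here is made up for the example."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", payload, 64,
                    bytes(20), bytes(32), 1000, b"00000000-0000-0000-0000-000000000000")
    live = SLOT.pack(SLOT_ACTIVE, 1000, bytes(32), 8, 4000)
    dead = SLOT.pack(0x0000DEAD, 0, bytes(32), 0, 4000)
    return hdr + live + dead * 7
```

Because `probe` opens the device for reading only, it can be pointed at a candidate start sector before any partition table is written.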

Josomeister 06-12-2019 09:10 AM

Quote:

Originally Posted by rknichols (Post 6002392)
The tool of choice for recovering partitions is testdisk, which can be found on System Rescue CD, GParted Live CD, and many other rescue CDs. It should be able to locate your missing LUKS partition easily.

The remaining problem is that there is no size information in the LUKS header, so testdisk cannot determine the partition size and always assumes the minimum possible size (just enough for the LUKS header). You will have to adjust the size of that partition manually. Just be sure to use a tool that simply resizes the partition and does not attempt to adjust or format the content. I suggest the "resizepart" command in the parted command.

Thanks already for pointing me in the right direction. Testdisk gave me that output. Now I don't know where to start and end resizing. But I will read into it as soon as I have time.

Code:

Testdisk       
Linux        0        32        31        31        26        57        497664        Ext2 blocksize=1024 Large file Sparse supberblock 254MB/243MiB        Can‘t open filesystem. Filesystem seems damaged
Linux        0        32        31        31        26        59        497664        Ext2 blocksize=1024 Large file Sparse supberblock 254MB/243MiB        GRUB Data
Linux*        31        59        29        31        124        29        4096        LUKS1 (Data size unkown), 2097 KB / 2048 KiB        Can‘t open filesystem. Filesystem seems damaged

For all three: Structure okay


rknichols 06-12-2019 03:08 PM

Quote:

Originally Posted by Josomeister (Post 6004473)
Code:

Testdisk        Start        Start        Start        End        End        End        Size in Sectors        Sentence below        Filetable
Linux        0        32        31        31        26        57        497664        Ext2 blocksize=1024 Large file Sparse supberblock 254MB/243MiB        Can‘t open filesystem. Filesystem seems damaged
Linux        0        32        31        31        26        59        497664        Ext2 blocksize=1024 Large file Sparse supberblock 254MB/243MiB        GRUB Data
Linux*        31        59        29        31        124        29        4096        LUKS1 (Data size unkown), 2097 KB / 2048 KiB        Can‘t open filesystem. Filesystem seems damaged

For all three: Structure okay


What version of testdisk is this? Is that actual cut and pasted testdisk output?

That first partition entry, the one marked "seems damaged", looks correct, though with an unusual starting sector (CHS 0:32:31 works out to sector 2046).

That LUKS partition has a reasonable starting location aligned on the next MiB boundary after the end of partition 1. Creating that as a primary partition starting at sector 501760 and extending to the end of the disk would be easiest. If you really want that to continue to be logical partition 5, then you would have to create an extended partition starting at least 2 sectors before that and extending to the end of the disk. Many partitioning tools will refuse to let you do that. The only one I know of that will unconditionally let you do whatever you want is sfdisk. The output from "fdisk -l" for that disk would give me the information I would need to tell you what to give to sfdisk.

Josomeister 06-16-2019 07:00 AM

Thanks for your response. I will give you the infos as soon as I have access again. It is not the actual cut and pasted testdisk output, though; I wrote it down manually.
Version of testdisk: Don't know yet but I used the newest version of SystemRescue.


In the meantime I was reading a bit on cgsecurity.org and watching some YouTube videos on hard disks, CHS... e.g.: https://www.youtube.com/watch?v=Cj8-WNjaGuM

Now I have a theoretical question: CHS represents the logical (and not the physical) position of data represented with the three "address"-values Cylinder, Head and Sectors.
However I don't get the difference between Cylinder and Head. As I understood it: Cylinders are the amount of disks in a hard disk and the heads are the amount of read/write devices and the heads can only move all together.
Aren't therefore the cylinder value and the head value always the same as they correlate?
Why is the head value given in CHS when all the heads are moving together?

I have a lot of noob questions like that, so I would be glad if someone could point me to a good tutorial on CHS etc.

Josomeister 06-16-2019 12:44 PM

Hey there
I have now the direct log after conducting a quick and a deep search. The file can be downloaded here https://workupload.com/file/fRJ6JPm5 I copy pasted it below as well.

fdisk -l log below
sfdisk -d /dev/sda* log below as well


Code:



Sun Jun 16 17:18:46 2019
Command line: TestDisk

TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 3.14.35-std452-amd64 (#2 SMP Thu Mar 12 08:04:53 UTC 2015) x86_64
Compiler: GCC 4.8
Compilation date: 2015-03-26T18:15:26
ext2fs lib: 1.42.12, ntfs lib: libntfs-3g, reiserfs lib: 0.3.1-rc8, ewf lib: none
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size      500118192 sectors
/dev/sda: user_max  500118192 sectors
/dev/sda: native_max 500118192 sectors
/dev/sda: dco        500118192 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - 1 sectors, sector size=512
Warning: can't get size for Disk /dev/md0 - 0 B - CHS 1 2 4, sector size=512
Hard disk list
Disk /dev/sda - 256 GB / 238 GiB - CHS 31130 255 63, sector size=512 - Crucial_CT256MX100SSD1, S/N:14350D102C76, FW:MU01
Disk /dev/sdb - 16 GB / 14 GiB - CHS 15287 64 32, sector size=512 - Kingston DataTraveler G2, FW:1.00

Partition table type (auto): Intel
Disk /dev/sda - 256 GB / 238 GiB - Crucial_CT256MX100SSD1
Partition table type: Intel

Analyse Disk /dev/sda - 256 GB / 238 GiB - CHS 31130 255 63
Geometry from i386 MBR: head=255 sector=63
Current partition structure:
 1 * Linux                    0  32 33    31  26 59    497664
 2 E extended                31  59 27 31130 223  5  499615746

search_part()
Disk /dev/sda - 256 GB / 238 GiB - CHS 31130 255 63

recover_EXT2: s_block_group_nr=0/30, s_mnt_count=14/4294967295, s_blocks_per_group=8192, s_inodes_per_group=2008
recover_EXT2: s_blocksize=1024
recover_EXT2: s_blocks_count 248832
recover_EXT2: part_size 497664
    Linux                    0  32 33    31  26 59    497664
    ext2 blocksize=1024 Large file Sparse superblock, 254 MB / 243 MiB

    Linux                  31  59 29    31 124 29      4096
    LUKS 1 (Data size unknown), 2097 KB / 2048 KiB

Results
  * Linux                    0  32 33    31  26 59    497664
    ext2 blocksize=1024 Large file Sparse superblock, 254 MB / 243 MiB
  P Linux                  31  59 29    31 124 29      4096
    LUKS 1 (Data size unknown), 2097 KB / 2048 KiB

interface_write()
 1 * Linux                    0  32 33    31  26 59    497664
 2 P Linux                  31  59 29    31 124 29      4096

search_part()
Disk /dev/sda - 256 GB / 238 GiB - CHS 31130 255 63

recover_EXT2: s_block_group_nr=0/30, s_mnt_count=14/4294967295, s_blocks_per_group=8192, s_inodes_per_group=2008
recover_EXT2: s_blocksize=1024
recover_EXT2: s_blocks_count 248832
recover_EXT2: part_size 497664
    Linux                    0  32 33    31  26 59    497664
    ext2 blocksize=1024 Large file Sparse superblock, 254 MB / 243 MiB

block_group_nr 1

recover_EXT2: "e2fsck -b 8193 -B 1024 device" may be needed
recover_EXT2: s_block_group_nr=1/30, s_mnt_count=0/4294967295, s_blocks_per_group=8192, s_inodes_per_group=2008
recover_EXT2: s_blocksize=1024
recover_EXT2: s_blocks_count 248832
recover_EXT2: part_size 497664
    Linux                    0  32 31    31  26 57    497664
    ext2 blocksize=1024 Large file Sparse superblock Backup superblock, 254 MB / 243 MiB

block_group_nr 3

recover_EXT2: "e2fsck -b 24577 -B 1024 device" may be needed
recover_EXT2: s_block_group_nr=3/30, s_mnt_count=0/4294967295, s_blocks_per_group=8192, s_inodes_per_group=2008
recover_EXT2: s_blocksize=1024
recover_EXT2: s_blocks_count 248832
recover_EXT2: part_size 497664
    Linux                    0  32 31    31  26 57    497664
    ext2 blocksize=1024 Large file Sparse superblock Backup superblock, 254 MB / 243 MiB

block_group_nr 5

recover_EXT2: "e2fsck -b 40961 -B 1024 device" may be needed
recover_EXT2: s_block_group_nr=5/30, s_mnt_count=0/4294967295, s_blocks_per_group=8192, s_inodes_per_group=2008
recover_EXT2: s_blocksize=1024
recover_EXT2: s_blocks_count 248832
recover_EXT2: part_size 497664
    Linux                    0  32 31    31  26 57    497664
    ext2 blocksize=1024 Large file Sparse superblock Backup superblock, 254 MB / 243 MiB

block_group_nr 7

recover_EXT2: "e2fsck -b 57345 -B 1024 device" may be needed
recover_EXT2: s_block_group_nr=7/30, s_mnt_count=0/4294967295, s_blocks_per_group=8192, s_inodes_per_group=2008
recover_EXT2: s_blocksize=1024
recover_EXT2: s_blocks_count 248832
recover_EXT2: part_size 497664
    Linux                    0  32 31    31  26 57    497664
    ext2 blocksize=1024 Large file Sparse superblock Backup superblock, 254 MB / 243 MiB

block_group_nr 9

recover_EXT2: "e2fsck -b 73729 -B 1024 device" may be needed
recover_EXT2: s_block_group_nr=9/30, s_mnt_count=0/4294967295, s_blocks_per_group=8192, s_inodes_per_group=2008
recover_EXT2: s_blocksize=1024
recover_EXT2: s_blocks_count 248832
recover_EXT2: part_size 497664
    Linux                    0  32 31    31  26 57    497664
    ext2 blocksize=1024 Large file Sparse superblock Backup superblock, 254 MB / 243 MiB

block_group_nr 25

recover_EXT2: "e2fsck -b 204801 -B 1024 device" may be needed
recover_EXT2: s_block_group_nr=25/30, s_mnt_count=0/4294967295, s_blocks_per_group=8192, s_inodes_per_group=2008
recover_EXT2: s_blocksize=1024
recover_EXT2: s_blocks_count 248832
recover_EXT2: part_size 497664
    Linux                    0  32 31    31  26 57    497664
    ext2 blocksize=1024 Large file Sparse superblock Backup superblock, 254 MB / 243 MiB

block_group_nr 27

recover_EXT2: "e2fsck -b 221185 -B 1024 device" may be needed
recover_EXT2: s_block_group_nr=27/30, s_mnt_count=0/4294967295, s_blocks_per_group=8192, s_inodes_per_group=2008
recover_EXT2: s_blocksize=1024
recover_EXT2: s_blocks_count 248832
recover_EXT2: part_size 497664
    Linux                    0  32 31    31  26 57    497664
    ext2 blocksize=1024 Large file Sparse superblock Backup superblock, 254 MB / 243 MiB

    Linux                  31  59 29    31 124 29      4096
    LUKS 1 (Data size unknown), 2097 KB / 2048 KiB

Results
    Linux                    0  32 31    31  26 57    497664
    ext2 blocksize=1024 Large file Sparse superblock Backup superblock, 254 MB / 243 MiB
    Linux                    0  32 33    31  26 59    497664
    ext2 blocksize=1024 Large file Sparse superblock, 254 MB / 243 MiB
  * Linux                  31  59 29    31 124 29      4096
    LUKS 1 (Data size unknown), 2097 KB / 2048 KiB

interface_write()
 1 * Linux                  31  59 29    31 124 29      4096
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

TestDisk exited normally.


fdisk -l log
Link to logfile
Code:

Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x73ea9efc
Partition 2 does not start on physical sector boundary.

Device    Boot    Start      End    Blocks  Id System
/dev/sda1 *        2048    499711    248832  83 Linux
/dev/sda2        501758 500117503 249807873  5 Extended


Disk /dev/sdb: 15 GiB, 16030597120 bytes, 31309760 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x2d357b37

Device    Boot Start      End  Blocks  Id System
/dev/sdb1 *    2048  31309759 15653856  c W95 FAT32 (LBA)



sfdisk -d /dev/sda* log
link to the logfile

Code:

# partition table of /dev/sda
unit: sectors

/dev/sda1 : start=    2048, size=  497664, Id=83, bootable
/dev/sda2 : start=  501758, size=499615746, Id= 5
/dev/sda3 : start=        0, size=        0, Id= 0
/dev/sda4 : start=        0, size=        0, Id= 0


rknichols 06-16-2019 03:06 PM

Please don't use QUOTE tags except for quoting from another post. It changes formatting and makes it hard to include your text in a reply. Use CODE tags to preserve formatting.

All you should need to do is put the following text in a file and use this file as input to sfdisk.
Code:

unit: sectors

/dev/sda1 : start=  2048, size=    497664, Id=83, bootable
/dev/sda2 : start= 501758, size= 499615746, Id=5
/dev/sda5 : start= 501760, size= 499615744, Id=83

Then,
Code:

sfdisk /dev/sda </path/to/the/file

That will leave partition 1 and the extended partition as they are now, and create partition 5 starting where testdisk found the LUKS container and extending to the end of the disk.
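The arithmetic behind the sfdisk input above, as an added example that is not part of the original posts: it converts TestDisk's CHS start for the LUKS container to a sector number and sizes a logical partition to the end of the existing extended partition. The function names are hypothetical; the numbers come from the TestDisk and `sfdisk -d` output posted in the thread.

```python
HEADS, SPT = 255, 63     # geometry from the TestDisk log: "CHS 31130 255 63"
MIB_SECTORS = 2048       # 1 MiB in 512-byte sectors
MIN_EBR_GAP = 2          # per the thread: extended starts >= 2 sectors before the logical

def chs_to_lba(c, h, s):
    """Convert a TestDisk C/H/S triple to a 0-based sector number."""
    if not (0 <= h < HEADS and 1 <= s <= SPT):
        raise ValueError(f"CHS {c}/{h}/{s} outside geometry {HEADS}x{SPT}")
    return (c * HEADS + h) * SPT + (s - 1)

def logical_to_end(ext_start, ext_size, luks_start):
    """Start and size of a logical partition from luks_start to the end of the extended one."""
    ext_end = ext_start + ext_size - 1
    if luks_start - ext_start < MIN_EBR_GAP:
        raise ValueError("no room for the EBR before the logical partition")
    if luks_start > ext_end:
        raise ValueError("LUKS start lies outside the extended partition")
    return luks_start, ext_end - luks_start + 1

def sfdisk_input(disk, table):
    """Render (number, start, size, id, bootable) rows in the dump syntax used in the thread."""
    lines = ["unit: sectors", ""]
    for num, start, size, pid, boot in table:
        flag = ", bootable" if boot else ""
        lines.append(f"{disk}{num} : start={start:>9}, size={size:>10}, Id={pid}{flag}")
    return "\n".join(lines) + "\n"

def build_thread_table():
    luks = chs_to_lba(31, 59, 29)                    # TestDisk: "Linux 31 59 29 ... LUKS 1"
    start, size = logical_to_end(501758, 499615746, luks)   # sda2 row from `sfdisk -d`
    return [(1, 2048, 497664, "83", True),
            (2, 501758, 499615746, "5", False),
            (5, start, size, "83", False)]

if __name__ == "__main__":
    print(sfdisk_input("/dev/sda", build_thread_table()), end="")
```

The result has the same start and size values as the file given in the post; only the column spacing differs.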

Josomeister 06-17-2019 04:52 AM

it worked. thank you very much!

thanks for the feedback as well. I changed from quote to code.

best

syg00 06-17-2019 04:55 AM

Lucky fella - especially with luks header. If anything had written to that ... ugh.

Nice one (again) rknichols.

