1

I just accidentally overwrote the LUKS metadata of my volume with a new LVM header. I have a copy of the original LUKS header but can't find it. Just in case, I made a dd image of the first 10MB of the now corrupt volume on a thumb drive.

My question is: is it still possible to recover the LUKS header? In particular, if I run 'cryptsetup luksFormat' with the same passphrase, key length, etc., will I see the old data? Is there any salting involved and can I specify the salt, too?

I guess if sizeof(lvm2 header) < position_of_salt_in_LUKS_header, I might be able to fix things. Could someone please point me to the relevant headers?

Did I totally bite it, or is there any slim chance...?

zonko

2 Answers

3

LUKS2 has a backup header, but LUKS1 (which you are probably using, as LUKS2 is quite new and few distros support it yet) does not.

If you didn't back up the header yourself, you are screwed. Go to your backups.

If you did back up the header, then restore the first 2MB of the block device, as this is the LUKS1 header length, and you might have a chance.

dd bs=2M count=1 if=/home/zonko/backup_luks_header.bin of=/dev/block_device

As Sven noted in a comment, you can also use cryptsetup luksHeaderRestore, which effectively does the same thing.

Michael Hampton
0

For future panic-stricken folks funneled here by a search engine: You are neither the first nor last person to own-goal. Be kind to yourself.

Also, if something similar happens to you and you have no backup, and no header-backup, first make sure you've actually overwritten the LUKS header instead of just thinking you have.

In particular, if you use an encrypted partition, the LUKS header is (as you would guess) located at the start of the partition, not the start of the device. So if you just overwrote the start of your block device and erased your partition table (perhaps with a dd mishap? ask me how I know...), your partition may not show up, but it's still there, just as long as you haven't written into the partition (first partition is usually located at 1MB=1024KB). If that's the case, recreating the partition table is all that's needed.

As always, when disaster strikes - first make an image of your disk and experiment on it, so you don't end up making a bad situation worse.

To check if the header is still there, open the block device in a hex-editor and look for the primary and/or secondary LUKS headers:

#define MAGIC_1ST "LUKS\xba\xbe"
#define MAGIC_2ND "SKUL\xba\xbe"

If either is there you just got very lucky.

To restore the partition table some people suggest testdisk, but in my case cfdisk was enough to recreate the partition table, and undo the damage. Luckily, I overwrote only the first 30k of the drive, and LUKS was installed on the first (and only) partition. Which also made it easy to recreate the partition table.

Also, if you're reading this - back up your LUKS header now with

sudo cryptsetup luksHeaderBackup --header-backup-file BACKUP_FILENAME DEVICE
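
The hex-editor check described in the answer above can be automated. The following is an added example, not code from either answer: it scans a disk image read-only, sector by sector, for the two magic values quoted above and reports the byte offset of each hit. The function names, the 512-byte sector size, the version check after the magic, and the sample image built in `demo()` are assumptions made for this illustration.

```python
import os
import struct
import tempfile

MAGIC_1ST = b"LUKS\xba\xbe"  # primary header, LUKS1 and LUKS2
MAGIC_2ND = b"SKUL\xba\xbe"  # secondary header, LUKS2 only
SECTOR = 512                 # assumed sector size
MIB = 1024 * 1024


def scan_for_luks(path, chunk_sectors=2048):
    """Return (byte_offset, kind, version) for each sector that starts with a LUKS magic."""
    hits = []
    base = 0
    with open(path, "rb") as f:  # read-only: never write to the damaged device
        while chunk := f.read(SECTOR * chunk_sectors):
            for pos in range(0, len(chunk) - 7, SECTOR):
                magic = chunk[pos:pos + 6]
                if magic not in (MAGIC_1ST, MAGIC_2ND):
                    continue
                # The 16-bit big-endian version follows the magic; anything
                # other than 1 or 2 is treated as a chance match.
                (version,) = struct.unpack_from(">H", chunk, pos + 6)
                if version in (1, 2):
                    kind = "primary" if magic == MAGIC_1ST else "secondary"
                    hits.append((base + pos, kind, version))
            base += len(chunk)
    return hits


def demo():
    """Scan a constructed 3 MiB image: zeroed start, LUKS2 magics at 1 MiB."""
    image = bytearray(3 * MIB)  # first MiB stays zero, like a wiped partition table
    image[MIB:MIB + 8] = MAGIC_1ST + struct.pack(">H", 2)
    image[MIB + 16384:MIB + 16392] = MAGIC_2ND + struct.pack(">H", 2)
    image[2 * MIB:2 * MIB + 8] = MAGIC_1ST + b"\xff\xff"  # decoy, bad version
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(image)
    try:
        return scan_for_luks(tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for offset, kind, version in demo():
        print(f"{kind} LUKS{version} header at byte {offset} (sector {offset // SECTOR})")
```

Run `scan_for_luks()` against an image of the disk rather than the disk itself; a primary hit's offset divided by the sector size is the start sector to use when recreating the partition.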