Restore (partially?) formatted LUKS drive

1

I just accidentally formatted my 2TB hard drive and may have lost all my files.

On this hard drive were:

  • ~1.7TB encrypted LVM-LUKS Container
  • ~250GB Partition NTFS

I don't care about the data in the unencrypted NTFS partition but the other one is really really important to me.

I used the Gnome "Disks" utility and formatted it with the options "GPT partition table" and "overwrite existing data" (complete wipe). I noticed that I selected the wrong disk just a few seconds after starting it and immediately unplugged it.

Testdisk produced the following output:

The following partition can't be recovered:
MS Data 3906963422 4395241404 488277983
NTFS, blocksize=4096, 249 GB / 232 GiB


Results
MS Data 2046 3906963413 3906961368
ext4 blocksize=4096 Large_file Sparse_SB Backup_SB, 2000 GB / 1862 GiB
MS Data 2048 6143 4096
LUKS 1 (Data size unknown), 2097 KB / 2048 KiB
MS Data 3418685440 3906963422 488277983
NTFS found using backup sector, blocksize=4096, 249 GB / 232 GiB


Hint for advanced users. dmsetup may be used if you prefer to avoid to rewrite the partition table for the moment:
echo "0 3906961368 linear /dev/sda 2046" | dmsetup create test0
echo "0 4096 linear /dev/sda 2048" | dmsetup create test1
echo "0 488277983 linear /dev/sda 3418685440" | dmsetup create test2


interface_write()

No partition found or selected for recovery

Apparently there still exists a LUKS header. This thread says that I should create a new partition starting from the start of the LUKS partition but I'm not sure where that is and how I should do this?

EDIT: Apparently the LUKS header still exists:

$ sudo dd if=/dev/sda skip=8 count=2500 | hexdump -C | less

00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000ff000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
000ff010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000ff020  00 00 00 00 00 00 00 00  78 74 73 2d 70 6c 61 69  |........xts-plai|
000ff030  6e 36 34 00 00 00 00 00  00 00 00 00 00 00 00 00  |n64.............|
000ff040  00 00 00 00 00 00 00 00  73 68 61 32 35 36 00 00  |........sha256..|
000ff050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000ff060  00 00 00 00 00 00 00 00  00 00 10 00 00 00 00 20  |............... |
000ff070  d8 70 6f 0c 41 d7 4c 84  42 8d 5f 9c fd 80 67 6d  |.po.A.L.B._...gm|
000ff080  dd d0 b8 8c 91 90 08 01  27 21 05 6f 4e 54 97 70  |........'!.oNT.p|
000ff090  68 02 57 c5 68 55 de 02  87 0e e3 74 b1 c7 81 90  |h.W.hU.....t....|
000ff0a0  b0 5d 3e 78 00 05 98 9e  39 36 38 66 63 64 65 32  |.]>x....968fcde2|
000ff0b0  2d 31 32 66 32 2d 34 65  31 35 2d 61 64 62 32 2d  |-12f2-4e15-adb2-|
000ff0c0  63 35 38 65 34 38 36 32  63 64 66 35 00 00 00 00  |c58e4862cdf5....|
000ff0d0  00 ac 71 f3 00 2d 7c d4  a6 04 45 07 34 26 ac 52  |..q..-|...E.4&.R|
000ff0e0  13 2b 26 99 4a 6d 54 88  e4 20 47 33 89 62 83 12  |.+&.JmT.. G3.b..|
000ff0f0  94 ed 22 ef 26 38 9c 63  00 00 00 08 00 00 0f a0  |..".&8.c........|
000ff100  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000ff110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000ff120  00 00 00 00 00 00 00 00  00 00 01 08 00 00 0f a0  |................|
000ff130  00 00 de ad 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000ff140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Dominik Schmidt

Posted 2019-03-09T22:10:42.267

Reputation: 123

The answer to this question depends on when you aborted the formatting of the disk. It should be possible to retrieve the data of the LUKS disk if you haven't overwritten it (if it's the second partition on the drive). But to prevent an unnecessary question: I'm sure that it's possible, but I don't know how. – zx485 – 2019-03-09T22:30:20.917

@zx485 Thanks, yeah I'm not sure exactly. Testdisk seems to find a "LUKS 1" partition but I have no idea how I would go about restoring it. – Dominik Schmidt – 2019-03-09T22:38:21.027

What, exactly, did you do? “Formatting” is quite ambiguous. – Daniel B – 2019-03-09T23:21:42.890

It might be possible to recover some data, but not if you continue to write to that disk or attempt to create a new partition. – DrMoishe Pippik – 2019-03-10T00:11:22.403

Answers

2

Assuming 512b sectors, you have the LUKS partition starting at sector 2048 (which is the default start location) and the NTFS partition starting at sector 3418685440.

testdisk cannot recover the partitions automatically because LUKS does not store a fixed "data size" – it always uses the rest of the partition as the encrypted data. But since you know where the 2nd partition starts, that tells you where the 1st partition ends anyway. So that gives you these partitions:

         START          SIZE          END
1         2048   +3418683391   3418685439   LUKS partition
2   3418685440    +488277983   3906963423   NTFS partition

If you want, first use the previously suggested commands to set up temporary block devices and take a look at whether the offsets are right:

  • Using device-mapper:

    echo "0 <size> linear /dev/sda <start>" | dmsetup create test1
    file -s /dev/mapper/test1
    dmsetup remove test1
    
  • Using addpart:

    addpart /dev/sda 1 <start> <size>
    file -s /dev/sda1
    delpart /dev/sda 1
    

If the start offset was right, file -s ... will recognize the LUKS or NTFS header.

To rebuild the real partition table:

  1. Run fdisk /dev/sda. Press g to create a GPT partition table.
  2. Press n to create the first partition.
  3. Input 2048 as first sector.
  4. Input 3418685439 as the last sector.
  5. If asked about erasing the found header/signature, be sure to answer n.
  6. Again press n to create the second partition.
  7. Input 3418685440 as the first sector.
  8. Accept the default last sector.
  9. Again reply "No" (n) to the prompt about the found signature.
  10. Input w to write the partition table.

user1686

Posted 2019-03-09T22:10:42.267

Reputation: 283 655
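
Added example, not part of the answer above: a read-only Python check of the two facts the answer relies on, that a LUKS1 header sits at sector 2048 and that the LUKS partition ends just before the NTFS start at 3418685440. The function names and the in-memory image are constructed for illustration; the header fields mirror the hexdump in the question.

```python
import io
import struct

SECTOR = 512
LUKS1_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk header, big-endian: magic, version, cipher name, cipher mode,
# hash spec, payload offset (sectors), key bytes, MK digest, salt, iterations, UUID
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")

def _text(raw):
    """Strip NUL padding from a fixed-width header string."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1(buf):
    """Decode the fixed part of a LUKS1 header; return None if it is not one."""
    if len(buf) < PHDR.size:
        return None
    magic, ver, cipher, mode, hsh, payload, keybytes, _, _, _, uuid = PHDR.unpack_from(buf)
    if magic != LUKS1_MAGIC or ver != 1:
        return None
    return {"cipher": _text(cipher), "mode": _text(mode), "hash": _text(hsh),
            "payload_offset": payload, "key_bytes": keybytes, "uuid": _text(uuid)}

def find_luks1(dev, first=0, last=4096):
    """Read-only scan of sectors first..last; return (sector, header) or None."""
    for sector in range(first, last + 1):
        dev.seek(sector * SECTOR)
        hdr = parse_luks1(dev.read(PHDR.size))
        if hdr:
            return sector, hdr
    return None

def luks_partition(luks_start, next_start):
    """LUKS1 stores no data size, so the partition runs up to the next one."""
    return luks_start, next_start - 1  # first and last sector, both inclusive

def constructed_image():
    """Constructed sample: zeros, then a header at sector 2048 (digest and salt zeroed)."""
    hdr = PHDR.pack(LUKS1_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 32,
                    bytes(20), bytes(32), 0x0005989E,
                    b"968fcde2-12f2-4e15-adb2-c58e4862cdf5")
    return io.BytesIO(bytes(2048 * SECTOR) + hdr + bytes(SECTOR))

if __name__ == "__main__":
    # On the real disk, pass open("/dev/sda", "rb") instead (as root); nothing is written.
    sector, hdr = find_luks1(constructed_image())
    print(sector, hdr)
    print(luks_partition(sector, 3418685440))
```

The decoded payload offset of 4096 sectors equals the size testdisk printed for its "LUKS 1" entry, which covers only the header area and not the encrypted data.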