Recover removed luks partition before reboot

Message

spaceham · #1 Post by **spaceham** » 21 Dec 2020, 13:35

I've done some mistake, but my system is still running and runs properly and I've still access to everything needed.
I have deleted boot partition, tried to recover it with testdisk however in the process I deleted my two other partition.
My inital setup was pretty simple:

one EFI system partition

one encrypted ext4 partition making most of the disk

one encrypted swap partition.

I've tried a deeper searc(simple search just wasn't seing so much) with testdisk here's what I found:

Code: Select all

Disk /dev/nvme0n1 - 512 GB / 476 GiB - CHS 488386 64 32
   Partition               Start        End    Size in sectors
 P EFI System                  2048    1619967    1617920 [EFI System Partition] [ESP]
 D MS Data                     2054    1619973    1617920 [NO NAME]
 D EFI System                  4096     618495     614400 [EFI System Partition]
 D MS Data                     4102     618501     614400
 D MS Data                    37699      43872       6174
 D MS Data                    43872      50045       6174 [Boot]
 D Linux filesys. data       618494 1000206893  999588400
 P Linux filesys. data       618496     622591       4096
 D Linux filesys. data       618496 1000206895  999588400
 D MS Data                374180459  374183338       2880 [NO NAME]
 D MS Data                374180483  374183362       2880 [NO NAME]
 D MS Data                374181379  374184258       2880 [NO NAME]
>P Linux filesys. data    965039160  965043255       4096

The two partition with block size of 4096 are marked as luks with bad structure. How should I identify the one to restore ?
I've been able to backup Luks header maybe they come useful ?
My partitions look like this from /sys/class/block

Code: Select all

 
#main partition
/sys/class/block/nvme0n1p2/start                                                                                                                                                                      
618496
/sys/class/block/nvme0n1p2/size                                                                                                                                                                       
964420664
#Swap partition
/sys/class/block/nvme0n1p3/start                                                                                                                                                                      
965039160
/sys/class/block/nvme0n1p3/size                                                                                                                                                                       
35167740

My current partition table looks like this:

Code: Select all

Disk /dev/nvme0n1: 1000215216 sectors, 476.9 GiB
Model: BC511 NVMe SK hynix 512GB               
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 56029EED-7ABF-414D-9D67-7ECF15B53AAC
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 1000215182
Partitions will be aligned on 2048-sector boundaries
Total free space is 998597229 sectors (476.2 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1619967   790.0 MiB   EF00  EFI System Partition

I hope someone will be able to drive me in such a mess.
Thank you

#2 Post by **recuperation** » 21 Dec 2020, 20:04

spaceham wrote: ↑21 Dec 2020, 13:35 I've done some mistake, but my system is still running and runs properly and I've still access to everything needed.
I have deleted boot partition, tried to recover it with testdisk however in the process I deleted my two other partition.
My inital setup was pretty simple:

one EFI system partition

one encrypted ext4 partition making most of the disk

one encrypted swap partition.

Size, please, if not known exactly then roughly!

I've tried a deeper searc(simple search just wasn't seing so much) with testdisk here's what I found:

Code: Select all

Disk /dev/nvme0n1 - 512 GB / 476 GiB - CHS 488386 64 32
   Partition               Start        End    Size in sectors
 P EFI System                  2048    1619967    1617920 [EFI System Partition] [ESP]
 D MS Data                     2054    1619973    1617920 [NO NAME]
 D EFI System                  4096     618495     614400 [EFI System Partition]
 D MS Data                     4102     618501     614400
 D MS Data                    37699      43872       6174
 D MS Data                    43872      50045       6174 [Boot]
 D Linux filesys. data       618494 1000206893  999588400
 P Linux filesys. data       618496     622591       4096
 D Linux filesys. data       618496 1000206895  999588400
 D MS Data                374180459  374183338       2880 [NO NAME]
 D MS Data                374180483  374183362       2880 [NO NAME]
 D MS Data                374181379  374184258       2880 [NO NAME]
>P Linux filesys. data    965039160  965043255       4096

The two partition with block size of 4096 are marked as luks with bad structure. How should I identify the one to restore ?
I've been able to backup Luks header maybe they come useful ?
My partitions look like this from /sys/class/block

Code: Select all

 
#main partition
/sys/class/block/nvme0n1p2/start                                                                                                                                                                      
618496
/sys/class/block/nvme0n1p2/size                                                                                                                                                                       
964420664
#Swap partition
/sys/class/block/nvme0n1p3/start                                                                                                                                                                      
965039160
/sys/class/block/nvme0n1p3/size                                                                                                                                                                       
35167740

My current partition table looks like this:

Code: Select all

Disk /dev/nvme0n1: 1000215216 sectors, 476.9 GiB
Model: BC511 NVMe SK hynix 512GB               
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 56029EED-7ABF-414D-9D67-7ECF15B53AAC
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 1000215182
Partitions will be aligned on 2048-sector boundaries
Total free space is 998597229 sectors (476.2 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1619967   790.0 MiB   EF00  EFI System Partition

I hope someone will be able to drive me in such a mess.
Thank you

Please post your complete log file.
You might disconnect unnecessary other drives.

#3 Post by **recuperation** » 21 Dec 2020, 20:05

spaceham wrote: ↑21 Dec 2020, 13:35 I've done some mistake, but my system is still running and runs properly and I've still access to everything needed.
I have deleted boot partition, tried to recover it with testdisk however in the process I deleted my two other partition.
My inital setup was pretty simple:

one EFI system partition

one encrypted ext4 partition making most of the disk

one encrypted swap partition.

Size, please, if not known exactly then roughly!

I've tried a deeper searc(simple search just wasn't seing so much) with testdisk here's what I found:

Code: Select all

Disk /dev/nvme0n1 - 512 GB / 476 GiB - CHS 488386 64 32
   Partition               Start        End    Size in sectors
 P EFI System                  2048    1619967    1617920 [EFI System Partition] [ESP]
 D MS Data                     2054    1619973    1617920 [NO NAME]
 D EFI System                  4096     618495     614400 [EFI System Partition]
 D MS Data                     4102     618501     614400
 D MS Data                    37699      43872       6174
 D MS Data                    43872      50045       6174 [Boot]
 D Linux filesys. data       618494 1000206893  999588400
 P Linux filesys. data       618496     622591       4096
 D Linux filesys. data       618496 1000206895  999588400
 D MS Data                374180459  374183338       2880 [NO NAME]
 D MS Data                374180483  374183362       2880 [NO NAME]
 D MS Data                374181379  374184258       2880 [NO NAME]
>P Linux filesys. data    965039160  965043255       4096

The two partition with block size of 4096 are marked as luks with bad structure. How should I identify the one to restore ?
I've been able to backup Luks header maybe they come useful ?
My partitions look like this from /sys/class/block

Code: Select all

 
#main partition
/sys/class/block/nvme0n1p2/start                                                                                                                                                                      
618496
/sys/class/block/nvme0n1p2/size                                                                                                                                                                       
964420664
#Swap partition
/sys/class/block/nvme0n1p3/start                                                                                                                                                                      
965039160
/sys/class/block/nvme0n1p3/size                                                                                                                                                                       
35167740

My current partition table looks like this:

Code: Select all

Disk /dev/nvme0n1: 1000215216 sectors, 476.9 GiB
Model: BC511 NVMe SK hynix 512GB               
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 56029EED-7ABF-414D-9D67-7ECF15B53AAC
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 1000215182
Partitions will be aligned on 2048-sector boundaries
Total free space is 998597229 sectors (476.2 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1619967   790.0 MiB   EF00  EFI System Partition

I hope someone will be able to drive me in such a mess.
Thank you

Please post your complete log file.
You might disconnect unnecessary other drives.

spaceham · #4 Post by **spaceham** » 22 Dec 2020, 09:42

GPT partition is less than 316 669 952 bytes
luks / partition is 493 783 379 968 bytes
luks swap is 18 005 882 880 bytes

I already know that the restored GTP/EFI partition is bigger than it should at the moment.

I've attached the log from deep search.

testdisk.log.bz2: compressed testdisk.log; (11.3 KiB) Downloaded 176 times

Thank you for your answer

spaceham · #5 Post by **spaceham** » 23 Dec 2020, 10:38

Whouhou this is solved
After analyzing all those data more precisely,
I've done another testdisk run , and finally understood that my GPT partition shouldn't be that big and is in fact not the one I though.

So to conclude I've marked this partition to be added:

Code: Select all

A EFI System                  4096     618495     614400

I then added 2 other partitions with those informations:
Partition Data:
Sector
begin: 964420644
end: 965039159
type: Linux sys - Luks
Partition SWAP:
Sector
start: 965039160
end: 1000206899
type: Linux sys - Luks
I've rebooted et voilà, it simply works.

Have a nice day and thanks for the great tool.

cgsecurity.org

Recover removed luks partition before reboot Topic is solved

Recover removed luks partition before reboot

Re: Recover removed luks partition before reboot

Re: Recover removed luks partition before reboot

Re: Recover removed luks partition before reboot

Re: Recover removed luks partition before reboot