lost luks partition using testdisk. how to recover?

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
lemongrab
Posts: 3
Joined: 11 Dec 2017, 08:04

lost luks partition using testdisk. how to recover?

#1 Post by lemongrab »

I ran testdisk to recover the System Reserved partition for my Windows 10 installation. I toggled what I thought to be the deleted partition and from D to P, but didn't do so for any of the other partitions, which I reckon I should have? In the process, I lost access to my LUKS partition and tried to toggle it. I then only Can I fix this by simply changing the partition type from "MS Data"

Code: Select all

Partition			Start	End	Size in sectors
>P MS Data			2048  804863	802816
D MS Data			526337 804864	278528
>P MS Data			804864 1083391	278528
>P MS Data			1083392 245972990	244889599
D MS Data		        1083393 245972991	244889599 (backup sector)
>P MS Data 		245972291	490862589	244889599
This is the structure that yields the most recovered partitions and the last one is my LUKS partition. I'm quite new to testdisk and did not realize just how...powerful it is. I just also discovered that I can hit "T" to change the type for any of the partitions selected and was wondering if the recovery process is simply a matter of changing the partition from MS Data to the one most compatible with my LUKS partition. It's also curious that LUKS partition as well as the other partitions defaulted to MS Data, but that's another story. thanks!

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: lost luks partition using testdisk. how to recover?

#2 Post by cgrenier »

TestDisk should detect the beginning of LUKS partition.
Identify the LUKS partition found by TestDisk.
As the LUKS unencrypted header doesn't contain the LUKS container size, TestDisk has no way to set the correct end for the partition.
Use 'a' to manually add a partition beginning at the same location than the LUKS partition found by TestDisk and ending at the end of the disk or just before the next partition.
Set this partition as MS Data, LUKS, P(rimary).
Once all partitions are listed, on next screen, choose Write, confirm, Quit.

lemongrab
Posts: 3
Joined: 11 Dec 2017, 08:04

Re: lost luks partition using testdisk. how to recover?

#3 Post by lemongrab »

thanks for the response. I realized that I didn't mention which partition the luks container resides in: sda5, which doesn't exist anymore but shows up as, I believe, sda4. That said, I was wondering what you meant by
Use 'a' to manually add a partition beginning at the same location than the LUKS partition found by TestDisk and ending at the end of the disk or just before the next partition.
Set this partition as MS Data, LUKS, P(rimary).
Would I need to know the beginning and end of the luks container to use this? I didn't record any information about the partition table prior to using testdisk as the interface had me believe that it would detect everything just fine.

On another note, I ran testdisk on a backup that I made of the partition 6 months ago and the luks container is showing up as "Unknown". the backup is detected just fine by my bootloader and behaves as expected and I would like the version that got messed up to behave in the same way that my backup is. Does that mean that I would have to change the partition type to "unknown"? I had also checked gparted and the partition is showing up as an NTFS partition, instead of a LUKS on LVM partition. Thanks.

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: lost luks partition using testdisk. how to recover?

#4 Post by cgrenier »

TestDisk will find the beginning of the LUKS partition but not its end.
As you know this partition was using the remaining of the disk, you can use 'a' to manually add a partition starting at the location found by testdisk and ending just before the end of the disk.

lemongrab
Posts: 3
Joined: 11 Dec 2017, 08:04

Re: lost luks partition using testdisk. how to recover?

#5 Post by lemongrab »

using the help here: https://ubuntuforums.org/showthread.php?t=1643334 and here https://www.youtube.com/watch?v=35n_1ISkQnM, I just ran hexdump -C -n 512 /dev/sdb4 and this is what I see below:

Code: Select all

00000000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 01 00 00  |.R.NTFS    .....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 88 10 00  |........?.......|
00000020  00 00 00 00 80 00 80 00  fe b7 98 0e 00 00 00 00  |................|
00000030  18 a6 7c 00 00 00 00 00  30 00 00 00 00 00 00 00  |..|.....0.......|
00000040  02 00 00 00 08 00 00 00  50 cb ab c1 d9 b4 d2 01  |........P.......|
00000050  00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb 68 c0 07  |.....3.....|.h..|
00000060  1f 1e 68 66 00 cb 88 16  0e 00 66 81 3e 03 00 4e  |..hf......f.>..N|
00000070  54 46 53 75 15 b4 41 bb  aa 55 cd 13 72 0c 81 fb  |TFSu..A..U..r...|
00000080  55 aa 75 06 f7 c1 01 00  75 03 e9 dd 00 1e 83 ec  |U.u.....u.......|
00000090  18 68 1a 00 b4 48 8a 16  0e 00 8b f4 16 1f cd 13  |.h...H..........|
000000a0  9f 83 c4 18 9e 58 1f 72  e1 3b 06 0b 00 75 db a3  |.....X.r.;...u..|
000000b0  0f 00 c1 2e 0f 00 04 1e  5a 33 db b9 00 20 2b c8  |........Z3... +.|
000000c0  66 ff 06 11 00 03 16 0f  00 8e c2 ff 06 16 00 e8  |f...............|
000000d0  4b 00 2b c8 77 ef b8 00  bb cd 1a 66 23 c0 75 2d  |K.+.w......f#.u-|
000000e0  66 81 fb 54 43 50 41 75  24 81 f9 02 01 72 1e 16  |f..TCPAu$....r..|
000000f0  68 07 bb 16 68 52 11 16  68 09 00 66 53 66 53 66  |h...hR..h..fSfSf|
00000100  55 16 16 16 68 b8 01 66  61 0e 07 cd 1a 33 c0 bf  |U...h..fa....3..|
00000110  0a 13 b9 f6 0c fc f3 aa  e9 fe 01 90 90 66 60 1e  |.............f`.|
00000120  06 66 a1 11 00 66 03 06  1c 00 1e 66 68 00 00 00  |.f...f.....fh...|
00000130  00 66 50 06 53 68 01 00  68 10 00 b4 42 8a 16 0e  |.fP.Sh..h...B...|
00000140  00 16 1f 8b f4 cd 13 66  59 5b 5a 66 59 66 59 1f  |.......fY[ZfYfY.|
00000150  0f 82 16 00 66 ff 06 11  00 03 16 0f 00 8e c2 ff  |....f...........|
00000160  0e 16 00 75 bc 07 1f 66  61 c3 a1 f6 01 e8 09 00  |...u...fa.......|
00000170  a1 fa 01 e8 03 00 f4 eb  fd 8b f0 ac 3c 00 74 09  |............<.t.|
00000180  b4 0e bb 07 00 cd 10 eb  f2 c3 0d 0a 41 20 64 69  |............A di|
00000190  73 6b 20 72 65 61 64 20  65 72 72 6f 72 20 6f 63  |sk read error oc|
000001a0  63 75 72 72 65 64 00 0d  0a 42 4f 4f 54 4d 47 52  |curred...BOOTMGR|
000001b0  20 69 73 20 63 6f 6d 70  72 65 73 73 65 64 00 0d  | is compressed..|
000001c0  0a 50 72 65 73 73 20 43  74 72 6c 2b 41 6c 74 2b  |.Press Ctrl+Alt+|
000001d0  44 65 6c 20 74 6f 20 72  65 73 74 61 72 74 0d 0a  |Del to restart..|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 00 8a 01  a7 01 bf 01 00 00 55 aa  |..............U.|
00000200
But then running sudo hexdump -C /dev/sdb4 | grep LUKS shows this:

Code: Select all

7d000200  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
I was wondering how I can use this information with testdisk to recover my LUKS container. Thanks again.

Locked