Page 1 of 1

Lost LUKS partition

Posted: 10 Sep 2019, 05:14
by pseudoconsistency
Hi All,

Trying to recover an external drive's partitions that were accidentally messed up by a boot drive creator program (WinToFlash) and would like advice on how to proceed. Details as follows.
- Western Digital 3TB My Passport
- 2 Partitions: (1) NTFS, (1) EXT4 (LUKS)

In the process of attempting to reformat the drive to turn it into a boot drive, a stupid mistake on my part, WinToFlash halted the process with an error. I can't remember the error message unfortunately, but the error occurred before the actual writing began.

This resulted in the partitions showing up as RAW/unallocated in the Disk Management. The NTFS partition is now RAW while the LUKS partition is "unallocated". For some reason Disk Management shows 3 partitions, and unless it's actually storage space I just never allocated, I'm not sure why that is.
Image

However in TestDisk, 2 partitions are discovered:
Image

The LUKS partition is currently unrecognized by Linux. Yet TestDisk indicates: LUKS 1 (Data size unknown), 2097 KB / 2048 KiB.

I believe the first step would be to image the drive? The only way I see to get an image of the entire drive is to set the partition table type to None. If I select EFI GPT as TestDisk recommends I see the partitions and can image them individually. I would like to image the entire drive in case the recovery process goes wrong, but is imaging the individual partitions sufficient?

Out of curiosity, I used TestDisk on the MS Data partition and it was able to recover all files/folder structure on that partition. I ran PhotoRec on the LUKS Partition for a bit: it found 10/10 headers and began recovering.. something.
Image

For the time being I've disconnected the drive to prevent any further complications. In my online investigation into how to restore a LUKS partition, people said the partition cannot be recovered without a backup of the LUKS header, which I unfortunately don't have as I created it before I knew to backup the header. Still, I'm hoping that the partition can be recovered as TestDisk is able to list it.

TestDisk/PhotoRec are being used on a Windows machine, and I have the necessary space to save an image of the drive.

I'm not too saavy with these programs, so any help will be greatly appreciated.

Re: Lost LUKS partition

Posted: 10 Sep 2019, 06:08
by cgrenier
Run TestDisk, select /dev/sdd, EFI GPT, Analyze, Quick Search, using the arrow keys, switch the small Linux partition to D(eleted).
Use 'a' to manually add a Linux partition starting at the same location (2929690624) and using the remaining of the disk.
Set this partition to P(rimary).
On next screen, choose Write, confirm, Quit
Restart your computer
At this stage, you should be able to access your NTFS partition and unlock/mount your LUKS partition.
Good luck

Re: Lost LUKS partition

Posted: 10 Sep 2019, 18:20
by pseudoconsistency
Thank you! Will report back when I'm able.

Re: Lost LUKS partition

Posted: 12 Sep 2019, 00:42
by pseudoconsistency
Hi C, I'd like to confirm I've followed the steps correctly before I continue.

Image

Image


For type, I selected Linux filesys. data, then Linux LUKS.
Image

Image

Image


The value for end sector was auto-populated as 5860466687.
Image

Image

Image

Re: Lost LUKS partition - Success!

Posted: 13 Sep 2019, 23:51
by pseudoconsistency
I decided to backup the partition table before I wrote the changes, and I noticed it recorded two unknown partitions that were not shown in the first partition listing - AND they started at the same sectors as the "broken" partitions:

Image

I followed the instructions as described in the previous posts, but for the Linux Partition I set the end sector to 5860466654 instead. I wrote the changes, restarted, and everything was restored!

I was lucky that WinToFlash didn't get further than it did. I tested the process of writing a new partition table using a flashdrive a few times before performing it on the drive. I created multiple partitions, deleted them, restored them. Out of curiosity I put a few 8GB files to see if they would be restored with TestDisk. And to my surprise they were restored each time. Every other data recovery software I've used prior has had zero success restoring files larger than 4GB. I don't know if TestDisk is able to properly create an image of a drive with a broken table and deleted partitions - still have to test that.

Anyway, thank you so much for the help; saved me a TON of work and embarassment.