Page 1 of 1

How to Recover Deleted Files on a LUKS Encrypted System Drive?

Posted: 12 Jan 2019, 16:26
by hachiroku
Hello everyone,

I am trying to recover some photos and videos that I accidentally deleted, which were in /home/user/downloads and /home/user/ locations on my encrypted Linux system SSD.

As illustrated in the linked picture below there are a number of different media options to choose for the same drive in PhotoRec.

Image

I have tried every one of those media options, and I tried recovering from all of their presented partition options as well (including Unknown ... [Whole disk]). I also tried both [ ext2/ext3 ] and [ Other ] filesystem options for each. All of the attempted file recoveries were saved to /dev/sda HDD, with separate folders for each.

For all of the above I tried [Options ] set to "Keep corrupted files : Yes" with all else left at default, and for [File Opt] I chose various image and video file types for the first series of recovery attempts and then all file types for the second. None of these recovery attempts have returned any of the files I'm after, despite them only being deleted a few days ago (10+GB worth and very little has written to the SSD since AFAIK).

I should mention that I've also tried TestDisk as well with no luck, and I've tried Google'ing for hours in search of a solution. I'm at wit's end now. :(

Any help at all would be immensely appreciated. Thanks guys!

Re: How to Recover Deleted Files on a LUKS Encrypted System Drive?

Posted: 13 Jan 2019, 15:34
by cgrenier
There should be a /dev/mapper/XXX device corresponding to your unlocked LUKS volume. Run PhotoRec, select it, Search, Free...

Re: How to Recover Deleted Files on a LUKS Encrypted System Drive?

Posted: 14 Jan 2019, 10:56
by hachiroku
cgrenier wrote:
13 Jan 2019, 15:34
There should be a /dev/mapper/XXX device corresponding to your unlocked LUKS volume. Run PhotoRec, select it, Search, Free...

Hi cgrenier, thank you very much for the response! Impressive website too. :)

My apologies for messing up the image file post in the OP. Just to reiterate what I said in the OP more clearly, here's a link to that image showing all the media options I tired: https://imgur.com/DuZh3ug

Here's what I get in testdisk when I try to do: media "/dev/mapper/mint--vg-root" -> partition table type "None" -> "Avanced" filesystem utils -> "List" list & copy files: https://imgur.com/nPOvsmn (I tried copying a few of these files and saving them to folder on another drive but nothing seemed to appear on the drive).

A couple more screenshots of other folders in same scan results: https://imgur.com/XAYQac5 , https://imgur.com/qWBJrAg

And here are some screenshots from a data recovery program called "UFS Explorer": https://imgur.com/EXZASJP , https://imgur.com/ZIZitXG , https://imgur.com/aWj6fp4

After searching google for solutions and asking for help on freenode's ##linux, it seems that because I unwittingly opted for extra file-level ecryptfs encryption during Linux Mint install, I'm unable to access and recover files in the normal way using TestDisk, PhotoRec or similar software. Could you please advise how a clumsy linux noob like myself should go about accessing and recovering this data? :P Any help is very much appreciated! Cheers! ^_^

Re: How to Recover Deleted Files on a LUKS Encrypted System Drive?

Posted: 17 Jan 2019, 07:30
by cgrenier
Run PhotoRec, select /dev/mapper/sda5_crypt, Search.
Be careful to store the recovered files on another disk (not /home) to avoid overwritting your lost data.