Recover damaged & luks-encrypted BTRFS partition

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Post Reply
Message
Author
LinuxUser576249
Posts: 1
Joined: 22 May 2024, 22:41

Recover damaged & luks-encrypted BTRFS partition

#1 Post by LinuxUser576249 »

Hello,

Here's my problem:

I have a Virtual Machine that I had to reset because the UI became very buggy after I tried to mount a hot-pluggable virtual disk image to copy some files.
Well that was actually premature, should not have done that - but shit sometimes happens.

The Virtual Disk is encrypted with luks1 and the file system used is btrfs.
I also have backed up the virtual disk in working state.
I made some changes to the certain files [a password db and my firefox profile &
some other documents] that are not in my last backup.
Therefore I would like to restore my btrfs partition

When I enter the password the following error appears (when I start up the vm):

--------------------------------------------------------------------------------

Enter passphrase for hd0,gpt2 (91188ec2-c31a-4812-a8c8-654cf5c793fb):
Attempting to decrypt master key...
Slot 0 opened
error: unknown filesystem
grub rescue>

================================================================================

I tried to restore the partition using a live-system
but the partition is not mountable

Since I backed up the corrupted virtual disk to a safe location.
I am capable to start over if something goes sideways.
Just need to copy the corrupted virtual disk from backup location to
working directory of the VM. So creating an image of my vm partition won't be necessary

GParted shows the follwing errors
when I open the information window for my btrfs partition.
So it does not recognize the filesystem.

--------------------------------------------------------------------------------

Encryption: luks
Path: /dev/mapper/sda2_crypt
UUID: 91188ec2-c31a-4812-a8c8-654cf5c793fb
Status: Open

Partition
Path /dev/sda2
1st Sector: 618496
Last Sector: 188731619
Total Sectors: 188113124

Warning:
Unable to detect file system! Possible reasons are:
- The file system is damaged
- The file system is unknown to GParted
- There is no file system available [unformatted]
- The device entry /dev/mapper/sda_crypt2 is missing

Screenshot:
https://i.sstatic.net/0kRE6LsC.png

--------------------------------------------------------------------------------

I used btrfs-tools and testdisk:

Command: btrfs rescue super-recover /dev/mapper/sda2_crypt
Output: No valid btrfs found on /dev/mapper/sda2_crypt

================================================================================

Additional Info's:

The ssd's of my host system and it's partitions are in healthy state - so no issues here!
The vm is an efi system & uses gpt as partition table!

The screenshots from GParted show the disk before the Data Corruption occurred:

Screenshot:
https://i.sstatic.net/oT3cvQlA.png

--------------------------------------------------------------------------------

dmesg shows an this error message when I attempt to mount the my btrfs partition
with this command: mount /dev/mapper/sda2_crypt or /dev/sda1

/dev/mapper/sda2_crypt: Can't open blockdev
/dev/sda1: Can't open blockdev

--------------------------------------------------------------------------------

Command:dmesg | tail

Output: systemd-gpt-auto-generator[3165]: (the boot loader did not set EFI variable LoaderDevicePartUUID.)
systemd-gpt-auto-generator[4398]: EFI loader partition unknown, exiting.

This output shows a few time with diffrent numbers between the [].

--------------------------------------------------------------------------------

Command: hexdump /dev/sda2 | grep LUKS

Output: 00000000 4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00 |LUKS....aes.....|

So I guess the luks header is still there!

--------------------------------------------------------------------------------

The testdisk results: see attached Code (testdisk log!)

I would like to restore the partition to working state.


Help would be appreciated


testdisk log:

https://pastebin.com/YcPNEcm9

recuperation
Posts: 2794
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Recover damaged & luks-encrypted BTRFS partition

#2 Post by recuperation »

You have three additional levels of complexity:

1. BTRFS
2. Virtualization
3. Encryption

You are starting backwards to remove them:

ad 3.
Remove the encryption layer. If on or more sectors of the partition are unreadable you might need to have to use a luks header backup.

ad 2.
Save the partition in an uncompressed form into a file.
That means that a 128 GB should partition should have a on-disk (file) representation of 128 GB not some say 5 GB in case of hardly used partition.

ad 1.
Run TestDisk hoping that your poblems are caused just by a broken BTFS bootsector.
TestDisk won't show the internals of your TestDisk partition nor repair anything within the BTRFS partition.

If that does not help, search third party software for BTRFS recovery or use the built-in BTRFS. Such software won't "repair" anything by writing on the oiginal source disk. Data recovery is mostlx data extraction and not "in situ repair".

The worst case would be using PhotoRec trying to recover data from your BTRFS partition.

Post Reply