deleted wrong partition (LUKS)

How to use TestDisk to recover lost partition
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Message
Author
User avatar
karenmcd
Posts: 19
Joined: 03 Aug 2022, 01:15

deleted wrong partition (LUKS)

#1 Post by karenmcd »

I was installing various OSs on my nvme drive, and I got too clicky and accidentally deleted the backup partition that has all my backups on it. It's too large for me to backup again (my next largest disk is 4tb, this one is 10), and I'm wondering if I can get help to recover the partition. Specifically I was at the "select partition" part of installing an OS, and I accidentally deleted the one that was automatically highlighted (for all the other OSs it was the nvme drive, this one selected my spinning backup drive). Once I realized what I had done, I stopped and rebooted into the last OS I had installed (this one Manjaro) and have been looking for pages and guidance to undo deleting a partition.

So yeah, I'm currently on Manjaro...

Code: Select all

sudo lsblk                                                                                                                                                                                          ✔ 

NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda           8:0    0   9.1T  0 disk 
nvme0n1     259:0    0 465.8G  0 disk 
├─nvme0n1p1 259:1    0   300M  0 part /boot/efi
└─nvme0n1p2 259:2    0 465.5G  0 part /
nvme is the OS i'm on, and sda is the partition with the backups that I've used over many years across various OSs.

It's a LUKs encrypted drive.

Code: Select all

sudo hexdump -C /dev/sda | grep LUKS
00100000  4c 55 4b 53 ba be 00 02  00 00 00 00 00 00 40 00  |LUKS..........@.|
^C
I'm looking for step by step instructions on how to recover this but all the instructions I've been finding instruct how to recover boot partitions, windows, ntfs, fat, fat32 but not really on how to do just a stand alone LUKS drive and I'm confused. If it's possible to get copy paste guidance I'd appreciate that lots. I will do my due diligence, and read the documentation while I follow along the help I get to try and understand what I'm doing, but I'm pretty new at the whole recovery and manually mounting encrypted partitions stuff.

When I attempted to mount it as a loopback, I'm unable to find a "luks volume". I assume that's because the partition isn't there. Guessing I need to run testdisk to attempt recovery and write the table, then I should be able to mount the encrypted device and decrypt it and all should be well?

The original partition was approx. 90% full and was set to 6Tb of the 10 Tb disk

thanks in advance

User avatar
karenmcd
Posts: 19
Joined: 03 Aug 2022, 01:15

Re: deleted wrong partition (LUKS)

#2 Post by karenmcd »

Code: Select all

TestDisk 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk /dev/sda - 10000 GB / 9314 GiB - CHS 1215865 255 63
     Partition               Start        End    Size in sectors
>* Linux                    0  32 33 15066 217 63  242046976
 P FAT16 <32M           126625  72 24 345462 129 17 3515619990
 P FAT32 LBA            776411 133 61 1025559 190 25 4002566176

Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
Keys A: add partition, L: load backup, T: change type,
     Enter: to continue
LUKS 2 (Data size unknown), 123 GB / 115 GiB
This took SEVERAL hours to complete on a 10 TB HDD - sorry I didn't include it in the original post.

My understanding is that I press "a"dd, and put the LUKS logical volume end point to wherever it's supposed to end as this utility is able to find the start location but unable to find the end location. I just don't remember my hardware rules about cyl, heads etc... I haven't had to do that kind of thing since our IDE drives had jumpers, 386 DLC w/o a math-co-processor, and our CMOS-SETUPS demanded it, haha.

So this looks good comparing it to other Ubuntu, Arch and Manjaro users? This person said they had success, but they didn't detail that very well --> viewtopic.php?p=26149#p26149 I found that forum post linked from https://forum.manjaro.org/t/i-messed-up ... on/35362/4 here...

User avatar
karenmcd
Posts: 19
Joined: 03 Aug 2022, 01:15

Re: deleted wrong partition (LUKS)

#3 Post by karenmcd »

I've ordered a 10 TB backup.... backup drive. I'm going to dd this disk when it arrives to the backup drive that arrives in the mail and attempt to restore the partition and data.

viewtopic.php?t=8403 This thread seems to agree with what I said above and has a more detailed answer. I am posting this both for my own future reference and hopefully to give the post more visibility when other folks might run into this problem.

Thanks very much for this tool and forum/resource!

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: deleted wrong partition (LUKS)

#4 Post by recuperation »

Please post a complete Testdisk logfile using the most recent version 7.2-WIP.

User avatar
karenmcd
Posts: 19
Joined: 03 Aug 2022, 01:15

Re: deleted wrong partition (LUKS)

#5 Post by karenmcd »

recuperation wrote: 04 Aug 2022, 09:40 Please post a complete Testdisk logfile using the most recent version 7.2-WIP.
Thanks for the reply. I am re-running testdisk now (7.2-WIP) beta as requested and will follow up when it's done in 6-13 hours... I didn't see this reply until today when I was about to follow up with the copy that i'd like to attempt the recovery on.

The new backup drive finally arrived. I've made a dd copy of the device, and am ready to attempt recovery on the copy.

First of all I've noticed that the startpoint was detected differently on this dd copy as:

Code: Select all

     Partition               Start        End    Size in sectors
>P Linux                    1   0  1 118187  63 32  242046976
The original disk as seen above was detected at:

Code: Select all

     Partition               Start        End    Size in sectors
>* Linux                    0  32 33 15066 217 63  242046976
I know that the new disk is a slightly different size and looks different aswell:

Code: Select all

Disk /dev/sda - 10000 GB / 9313 GiB - CHS 9537535 64 32
compared to the old disk

Code: Select all

Disk /dev/sda - 10000 GB / 9314 GiB - CHS 1215865 255 63
The 6 TB LUKS partition was the only thing on the original 10TB drive and the only data that matters to me. The 4TB that followed it on the original drive was not used, had no partition and was not formatted. I also don't know what exactly to do with the hexdump information located below this paragraph. I think I'm supposed to convert the information I'm seeing to CHS format for testdisk or fdisk.

I assume that I cannot just add or fdisk the Start 0 32 33 and the End 9537535 64 32?

I assume not because the geometry of the new disk seems different than the old one and as I understand it the hexdump information that is found below is supposed to tell me the "offset". I don't know what offset means. I think it means to say this is where the actual start location of the partition is, but unsure.

Anyway, perhaps not relevant, but here's the information that I get so far with the new dd backup i'm working with instead of the original. I've included everything I've seen in other links and posts that looked relevant.

Code: Select all

sudo sfdisk -d /dev/sda | tee ~/sfdisk.log

label: gpt
label-id: 01000000-0000-0000-4E41-433635323448
device: /dev/sda
unit: sectors
first-lba: 34
last-lba: 19532873694
sector-size: 512
I ran the HEX dump again, because I had lost the original information (forgot that I posted it here), but this time (accidentally) left it running for a while while I was re-running testdisk. It came up with a lot more LUKS enteries than the first one I had found originally probably because I left it running for over two hours when I forgot it was running. As stated above, I don't know which of these to use and what exactly I'm supposed to do with this information.

Code: Select all

sudo hexdump -C /dev/sda | grep LUKS                                          255 ✘  6s  
[sudo] password for karen: 
00100000  4c 55 4b 53 ba be 00 02  00 00 00 00 00 00 40 00  |LUKS..........@.|
200034b70  4c 55 4b 53 99 e5 dd 4c  75 60 62 36 19 64 0a d6  |LUKS...Lu`b6.d..|
2428ad030  b0 2c 7b 31 fa b6 b8 54  4c 55 4b 53 9e 10 2c 03  |.,{1...TLUKS..,.|
47367c9c0  ed 6a a9 2a 01 28 81 cd  4c 55 4b 53 a1 73 0e be  |.j.*.(..LUKS.s..|
6e1bd3820  4c 55 4b 53 ad 68 6b e2  f2 e1 1e 68 f2 df d7 e1  |LUKS.hk....h....|
814778750  c0 09 d0 76 aa 96 72 40  ce 4c 55 4b 53 78 0c c9  |...v..r@.LUKSx..|
82096a040  df 4c 55 4b 53 f7 9f 8f  46 1a 55 3b 70 e7 de 97  |.LUKS...F.U;p...|
b8a6749d0  de ad 5c 4c 55 4b 53 28  bc 46 7a 15 3c 51 73 38  |..\LUKS(.Fz.<Qs8|
cf6638cf0  4c 55 4b 53 76 85 9a c5  cd 5a 7b 57 99 9a 06 ed  |LUKSv....Z{W....|
d682a3730  35 3b 8e ac 45 b2 4c 55  4b 53 8e 8b c4 b0 d6 77  |5;..E.LUKS.....w|
f190ee230  df 32 e7 74 9f f4 9f 20  2f 3c 1e 05 4c 55 4b 53  |.2.t... /<..LUKS|
ff62ca3e0  6d 23 fc 2f da 76 7a 3e  9c 8d f2 7f 4c 55 4b 53  |m#./.vz>....LUKS|
1047d9a8e0  e5 e9 e2 90 b2 6d 4c 55  4b 53 09 9d d1 0a d3 8f  |.....mLUKS......|
^C
I also re-ran testdisk and it comes up with different information which I assume is related to the partition tables and format the new disk was in before I did the "dd" copy. As I said above, I'm re-running the beta software now and will post a follow-up when that's done.

Code: Select all

testdisk 7.1
https://www.cgsecurity.org

Disk /dev/sda - 10000 GB / 9313 GiB - CHS 9537535 64 32
     Partition               Start        End    Size in sectors
>P Linux                    1   0  1 118187  63 32  242046976
 D FAT16 <32M           993278  57 17 2709890  14  6 3515619990
 D FAT12                1542052  25 27 1740857  22  6  407152524
 D FAT32                3670250  48 31 3973571  18 20  621200438
 D HPFS - NTFS          3892833  32 11 4179465  32 24  587022350
 D FAT12                4196104  46 18 5542526  10 14 2757471101
 D FAT32 LBA            6090357   0 19 8044735   1 18 4002566176
 D FAT16 <32M           6185189  60 13 7012027  10  8 1693362620

Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
Keys A: add partition, L: load backup, T: change type,
     Enter: to continue
LUKS 2 (Data size unkno%
Thanks again.
Last edited by karenmcd on 11 Sep 2022, 04:13, edited 1 time in total.

User avatar
karenmcd
Posts: 19
Joined: 03 Aug 2022, 01:15

Re: deleted wrong partition (LUKS)

#6 Post by karenmcd »

recuperation wrote: 04 Aug 2022, 09:40 Please post a complete Testdisk logfile using the most recent version 7.2-WIP.
Okay, and here's the 7.2-WIP version.

Code: Select all

TestDisk 7.2-WIP, Data Recovery Utility, Novembre 2020
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk /dev/sda - 10000 GB / 9313 GiB - CHS 9537535 64 32
     Partition               Start        End    Size in sectors
>* Linux                    1   0  1 118187  63 32  242046976
 P FAT12                1542052  25 27 1740857  22  6  407152524
 P HPFS - NTFS          3892833  32 11 4179465  32 24  587022350
 L FAT32 LBA            6090357   0 19 8044735   1 18 4002566176

Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
Keys A: add partition, L: load backup, T: change type,
     Enter: to continue
LUKS 2 (Data size unknown), 123 GB / 115 GiB

User avatar
karenmcd
Posts: 19
Joined: 03 Aug 2022, 01:15

Re: deleted wrong partition (LUKS)

#7 Post by karenmcd »

Using the arrow keys, I changed it to look like the code below and am now running a deep scan on the P Linux partition.

Code: Select all

Disk /dev/sda - 10000 GB / 9313 GiB - CHS 9537535 64 32
     Partition               Start        End    Size in sectors
>P Linux                    1   0  1 118187  63 32  242046976
 D FAT12                1542052  25 27 1740857  22  6  407152524
 D HPFS - NTFS          3892833  32 11 4179465  32 24  587022350
 D FAT32 LBA            6090357   0 19 8044735   1 18 4002566176

User avatar
karenmcd
Posts: 19
Joined: 03 Aug 2022, 01:15

Re: deleted wrong partition (LUKS)

#8 Post by karenmcd »

Upon further reading here https://superuser.com/questions/861574/ ... n-recovery I found that someone ran this command to get more information to figure out their LUKS header information. Also, it seems it might have different sector size of 4096 instead of the 512 that I assumed it might be based on the return of the results of sudo sfdisk earlier.

Despite the garbage formatting there seems to be a lot more relevant information in this. For instance, "offest:32768", "offest:16777216" and "sector_size 4096". All this looks a lot more helpful (but not understandable to me) so I figured I'd include it with a more specific request:

What I am supposed to type to recover my LUKS partition given all this information? I'm just not understanding what to type in fdisk or how I would add a partition in TestDisk to recover my LUKS encrypted data.

Code: Select all

sudo LC_ALL=C grep -a -b -P 'LUKS\xba\xbe' /dev/sda                                    30 s ✘ 
[sudo] password for karen: 
23725:U�RRaArrAaA'U����������LUKS��@sha256mW����=ߴ%RlOBx�k�wd���@�����
                                                                      �p��u"K����#�\K�H;�v^�e5ab7af58-ffaf-408d-b97f-34039eeec2e4�iS���'*�:��
                                                                                                                                             ���HP>��?f-{"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offset":"32768","size":"258048","encryption":"aes-xts-plain64","key_size":64},"kdf":{"type":"argon2id","time":6,"memory":1048576,"cpus":4,"salt":"ll4EHehBIn/g4mIaC+1BYTownXlZREGMZv9Bezh3Ph0="}}},"tokens":{},"segments":{"0":{"type":"crypt","offset":"16777216","size":"dynamic","iv_tweak":"0","encryption":"aes-xts-plain64","sector_size":4096}},"digests":{"0":{"type":"pbkdf2","keyslots":["0"],"segments":["0"],"hash":"sha256","iterations":179550,"salt":"xShUJBPIvoeiG3LBKEhS8xFVCnvEYVUqBFkhnU2RTDg=","digest":"idsBN92QTEVT38EuX2BhWiYUWZUrl4XnCbs707J5cqE="}},"config":{"json_size":"12288","keyslots_size":"16744448"}}SKUL��@sha256V��� ϙ3�سV�6Q-]����*����oa���d���P�C�I�r���vH���0y��5ab7af58-ffaf-408d-b97f-34039eeec2e4@J���1��n=S*I�{A
                                                                                                ��k�����\�&�{"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offset":"32768","size":"258048","encryption":"aes-xts-plain64","key_size":64},"kdf":{"type":"argon2id","time":6,"memory":1048576,"cpus":4,"salt":"ll4EHehBIn/g4mIaC+1BYTownXlZREGMZv9Bezh3Ph0="}}},"tokens":{},"segments":{"0":{"type":"crypt","offset":"16777216","size":"dynamic","iv_tweak":"0","encryption":"aes-xts-plain64","sector_size":4096}},"digests":{"0":{"type":"pbkdf2","keyslots":["0"],"segments":["0"],"hash":"sha256","iterations":179550,"salt":"xShUJBPIvoeiG3LBKEhS8xFVCnvEYVUqBFkhnU2RTDg=","digest":"idsBN92QTEVT38EuX2BhWiYUWZUrl4XnCbs707J5cqE="}},"config":{"json_size":"12288","keyslots_size":"16744448"}}d{a�G�������يp����TPOul�.�o�*訞��u!@;xw��S��bq���ÝR������7�v�+�"f���7ӺV��<*o3_�E�W�Y�o�5�n��	�j�Co���
                                        M'���ZU��"����
^C

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: deleted wrong partition (LUKS)

#9 Post by recuperation »


User avatar
karenmcd
Posts: 19
Joined: 03 Aug 2022, 01:15

Re: deleted wrong partition (LUKS)

#10 Post by karenmcd »

Here's the log finally. Sorry it took so long. I'm re-reading the step by step to see if I missed something about LUKS and offset. I didn't see anything about that the first read though.

Sat Sep 10 14:28:09 2022
Command line: TestDisk

TestDisk 7.2-WIP, Data Recovery Utility, Novembre 2020
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
OS: Linux, kernel 5.15.60-1-MANJARO (#1 SMP PREEMPT Thu Aug 11 13:14:05 UTC 2022) x86_64
Compiler: GCC 4.4
ext2fs lib: 1.42.8, ntfs lib: libntfs-3g, reiserfs lib: 0.3.1-rc8, ewf lib: 20120504, curses lib: ncurses 5.7
Warning: can't get size for Disk /dev/mapper/control - 0 B - 0 sectors, sector size=512
Warning: can't get size for Disk /dev/loop2 - 0 B - 0 sectors, sector size=512
Warning: can't get size for Disk /dev/loop3 - 0 B - 0 sectors, sector size=512
Warning: can't get size for Disk /dev/loop4 - 0 B - 0 sectors, sector size=512
Warning: can't get size for Disk /dev/loop5 - 0 B - 0 sectors, sector size=512
Warning: can't get size for Disk /dev/loop6 - 0 B - 0 sectors, sector size=512
Warning: can't get size for Disk /dev/loop7 - 0 B - 0 sectors, sector size=512
Hard disk list
Disk /dev/sda - 10000 GB / 9313 GiB - CHS 9537535 64 32, sector size=512 - Seagate Expansion HDD, FW:1801
Disk /dev/loop0 - 119 MB / 113 MiB - 233240 sectors (RO), sector size=512
Disk /dev/loop1 - 119 MB / 113 MiB - 233448 sectors (RO), sector size=512
Disk /dev/nvme0n1 - 1000 GB / 931 GiB - CHS 953869 64 32, sector size=512

Partition table type (auto): Intel
Disk /dev/sda - 10000 GB / 9313 GiB - Seagate Expansion HDD
Partition table type: Intel

Analyse Disk /dev/sda - 10000 GB / 9313 GiB - CHS 9537535 64 32
Geometry from i386 MBR: head=255 sector=63
check_part_i386 1 type EE: no test
Current partition structure:
1 P EFI GPT 0 0 2 2097151 63 32 4294967295

Warning: Bad ending sector (CHS and LBA don't match)
No partition is bootable

search_part()
Disk /dev/sda - 10000 GB / 9313 GiB - CHS 9537535 64 32

Linux 1 0 1 118187 60 22 242046870
LUKS 2 (Data size unknown), 123 GB / 115 GiB
BAD_RS LBA=3158123322 2056013
check_part_i386 failed for partition type 01
FAT12 1542052 25 27 1740857 22 6 407152524
BAD_RS LBA=3677555722 1184239
check_part_i386 failed for partition type 07
HPFS - NTFS 3892833 32 11 4179465 32 24 587022350
BAD_RS LBA=3883116562 835297
check_part_i386 failed for partition type 0C
FAT32 LBA 6090357 0 19 8044735 1 18 4002566176
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1

Results
* Linux 1 0 1 118187 63 32 242046976
LUKS 2 (Data size unknown), 123 GB / 115 GiB
P FAT12 1542052 25 27 1740857 22 6 407152524
P HPFS - NTFS 3892833 32 11 4179465 32 24 587022350
L FAT32 LBA 6090357 0 19 8044735 1 18 4002566176

Hint for advanced users: dmsetup may be used if you prefer to avoid rewriting the partition table for the moment:
echo "0 242046976 linear /dev/sda 2048" | dmsetup create test0
echo "0 407152524 linear /dev/sda 3158123322" | dmsetup create test1
echo "0 587022350 linear /dev/sda 7972523018" | dmsetup create test2
echo "0 4002566176 linear /dev/sda 12473051154" | dmsetup create test3

interface_write()
1 P Linux 1 0 1 118187 63 32 242046976

search_part()
Disk /dev/sda - 10000 GB / 9313 GiB - CHS 9537535 64 32

Linux 1 0 1 118187 60 22 242046870
LUKS 2 (Data size unknown), 123 GB / 115 GiB
BAD_RS LBA=3158123322 2056013
check_part_i386 failed for partition type 01
FAT12 1542052 25 27 1740857 22 6 407152524
BAD_RS LBA=2034235184 311705
check_part_i386 failed for partition type 04
FAT16 <32M 993278 57 17 2709890 14 6 3515619990
BAD_RS LBA=3221706270 1244471
check_part_i386 failed for partition type 0B
FAT32 3670250 48 31 3973571 18 20 621200438
BAD_RS LBA=3687889 817867
check_part_i386 failed for partition type 01
FAT12 4196104 46 18 5542526 10 14 2757471101
BAD_RS LBA=3677555722 1184239
check_part_i386 failed for partition type 07
HPFS - NTFS 3892833 32 11 4179465 32 24 587022350
BAD_RS LBA=3883116562 835297
check_part_i386 failed for partition type 0C
FAT32 LBA 6090357 0 19 8044735 1 18 4002566176
BAD_RS LBA=4077334412 70118
check_part_i386 failed for partition type 04
FAT16 <32M 6185189 60 13 7012027 10 8 1693362620
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1

Results
* Linux 1 0 1 118187 63 32 242046976
LUKS 2 (Data size unknown), 123 GB / 115 GiB
FAT16 <32M 993278 57 17 2709890 14 6 3515619990
FAT12 1542052 25 27 1740857 22 6 407152524
FAT32 3670250 48 31 3973571 18 20 621200438
HPFS - NTFS 3892833 32 11 4179465 32 24 587022350
P FAT12 4196104 46 18 5542526 10 14 2757471101
FAT32 LBA 6090357 0 19 8044735 1 18 4002566176
FAT16 <32M 6185189 60 13 7012027 10 8 1693362620

Hint for advanced users: dmsetup may be used if you prefer to avoid rewriting the partition table for the moment:
echo "0 242046976 linear /dev/sda 2048" | dmsetup create test0
echo "0 3515619990 linear /dev/sda 2034235184" | dmsetup create test1
echo "0 407152524 linear /dev/sda 3158123322" | dmsetup create test2
echo "0 621200438 linear /dev/sda 7516673566" | dmsetup create test3
echo "0 587022350 linear /dev/sda 7972523018" | dmsetup create test4
echo "0 2757471101 linear /dev/sda 8593622481" | dmsetup create test5
echo "0 4002566176 linear /dev/sda 12473051154" | dmsetup create test6
echo "0 1693362620 linear /dev/sda 12667269004" | dmsetup create test7

Locked