Decrypting Lost LUKS Partitions

Posted Monday 29 October 2018 by Urs Riggenbach.

Linux allows for block level filesystem encryption, via LUKS and the cryptsetup utility. When installing Linux, disk encryption is a recommended option as it ups your data security and protection. When encrypting external drives, the drives are unreadable on Mac and Windows computers, which will then ask you if you want to format the drives. If you’ve formatted a drive by accident, do not panic, just make sure you don’t write any new data to the drive and use below steps to get your data back.

 
1. Search hard-drive for LUKS (missing) partition.
Substitute sdc with your hard-drive, use for example gnome-disks to identify the hard-drive path):

hexdump -C /dev/{sdc} | grep LUKS

This will output something like:

hexdump -C /dev/{sdc} | grep LUKS
2e3b5040  65 73 73 20 64 65 6e 69  65 64 00 4c 55 4b 53 ba  |ess denied.LUKS.|
{{2f500000}}  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|

→ If you have multiple encrypted partitions on the drive, you will get more outputs. If you just have 1 partition, you can cancel the command once you have reached the first outputs.

 
2. Loopmount the found partition.
Add "0x" to the location descriptor (for example: 2f500000) outputted by GREP in previous step.

losetup -o 0x{{2f500000}} -r -f /dev/{sdc}

 
3. Decrypt the found partition.
With the following command, it will be mounted at /dev/mapper/decrypted_partition. You will be asked for your password.

cryptsetup luksOpen /dev/loop0 decrypted_partition

 
4. Access the decrypted partition
For regular partitions, such as ext4, btrfs, etc, you should now see the partition in your favorite file browser, or using gnome-disks software.

If the partition contains an LVM, run:

vgchange -ay

 

And then check your file browser or gnome-disks software for your hard-drive. De-panic and backup your data to another disk.


Previous Post →
Article (58) visits: 0; popularity: 0 Re-process this page *