Recover data from formatted LVM (Luks, Ext3) after Ubuntu installed over it

partitioning encryption data-recovery lvm
5,577

Solution 1

Unfortunately, per man cryptsetup

LUKS header: If the header of a LUKS volume gets damaged, all data is permanently lost unless you have a header-backup. If a key-slot is damaged, it can only be restored from a header-backup or if another active key-slot with known passphrase is undamaged. Damaging the LUKS header is something people manage to do with surprising frequency. This risk is the result of a trade-off between security and safety, as LUKS is designed for fast and secure wiping by just overwriting header and key-slot area.”

And per your comment (11 hours ago),

Thanks for your answer! Unfortunatly no, I haven't. I don't have a back-up of the key nor the one of the LUKS header.

I think your disks have been (effectively) securely erased; that is the sectors are (at least in theory) indistinguishable from random data.

Solution 2

You are not guaranteed that you will recover all your files. If you have anything precious in deleted files then the next worth giving it a try.

You are recommended to unmount this partiton frist. Yoo are not recommended to write on partition any more in order to keep data chains at the drive as they are. In other words avoid overwriting. Stop using this drive immediately!

Boot from Live CD or even better from the different drive with installed OS.

Then you should run the software which find and recovers files/data from your physical storage. It is possible still although Operating Systems can not see deleted files due to their references were deleted from File Table, or File Table was corrupted.

Scalpel

This is a filesystem-independent recovery tool for Linux. The latest version is 2.0. Install it in Ubuntu with

sudo apt-get install scalpel

Next is some text editing — the configuration file is /etc/scalpel/scalpel.conf. You will find that everything has been commented out — uncomment the specific file format that you want to recover. For example, if I want to recover a deleted zip file, I will uncomment the .zip file section in scalpel.conf

Next, in a terminal, run:

sudo scalpel  [device/directory/file name] -o [output directory]

The output directory, in which you want to store recovered files, should be empty before running Scalpel; otherwise, you will get an error.

Photorec

This is the fastest utility of the three. It’s installed by the testdisk utility package. If you don’t want to mess with the command-line, this is the best utility for you. Just run photorecas the root user in a terminal, and you will see a nice ncurses-based UI.

Select the device to search, and it will ask you for the partition table type. Select yours; in my case, it’s Intel. Next, you have to select the filesystem or partition of the device disk. Next, it prompts you to choose the file system.

Last, it will ask for an output folder in which to store recovered files. After making a selection, press y to proceed.

Note: The above utilities will not recover replaced files, because in the case of replacement you are replacing the inode itself, so it’s not possible to recover it.

Share:
5,577

Related videos on Youtube

Denys Vitali
Author by

Denys Vitali

DevOps Engineer at Swisscom. I like to be fascinated everyday by the technology and its power. I develop by keeping in mind that what I'm writing would be a start point for a new experience. I'm a Linux fan, I work on a daily basis with the popular Arch Linux distro. My favorite programming languages are Go and Rust.

Updated on September 18, 2022

Comments

  • Denys Vitali
    Denys Vitali over 1 year

    I have a 1TB HDD and some days ago I did a mess

    That disk had:

    • One EXT3 partition ( / )
    • One EXT3 partition ( /boot )
    • One LUKS LVM which had a EXT3 partition of about 200 GB

    I wanted to replace Linux Mint 14 with Ubuntu 14.04, so I booted Ubuntu 14.04 from USB and did the installation wizard. The wizard asked me "Replace Linux Mint 14 with Ubuntu 14.04", so I did, I also checked to add LVM and to crypt user directory. I set up a password and I installed it.

    The installation blocked itself almost at end, and by rebooting via USB i noticed that the HDD was formatted and there was just the /boot and the / (my LUKS LVM was formatted and replaced with those two partitions)

    I have

    • The disk itself
    • The dd image of the disk after the disaster (a 1TB img)
    • The passphrase to unlock both the LVM: the oldest one (which I want to recover) and the newest one (to unlock the root partition)

    Question
    How can I recover my precious data?

    • Ruslan Gerasimov
      Ruslan Gerasimov almost 10 years
      continue: Recover data from inaccessible partition, hard drive, USB drive, floppy disk, etc. Recover data from FAT/NTFS/EXT2/EXT3 partition Restrive data from reformatted volumes or devices Recover data from RAW partition or when no files can be read from RAW disk, RAW USB drive, RAW SD card, etc. Recover data after an MBR corruption Recover data from improper or other partition errors
    • Denys Vitali
      Denys Vitali almost 10 years
      @RuslanGerasimov The promises are really good, the problem is that they don't mention "LUKS" , "LVM" nor disk encryption. That's the problem
    • Elliott Frisch
      Elliott Frisch almost 10 years
      When you encrypted it, did you make a back-up copy of the key and LUKS header? Or after?
    • Denys Vitali
      Denys Vitali almost 10 years
      @ElliottFrisch Thanks for your answer! Unfortunatly no, I haven't. I don't have a back-up of the key nor the one of the LUKS header.
  • Denys Vitali
    Denys Vitali almost 10 years
    Thanks for the good answer, I already stopped writing on it (and I made a dd image to not touch the HDD). The actual problem is that the data won't be recoverable without the master key (the key to unlock the LVM drive which was deleted) even if I have the master password (the one to "unlock the master key" and to have access to the ext3 partition) How can scalpel find my files if they were encrypted and I lost the key on the HDD? I'm a bit skeptic about it. Any idea?
  • Denys Vitali
    Denys Vitali almost 10 years
    I mounted the image with sudo kpartx -l /media/user/drive/backup/sdd.img but sudo gpart /dev/loop0 gives me *** Fatal error: ioctl(HDIO_GETGEO) failed: Inappropriate ioctl for device. Anyway the disk is recognized by gparted and system as normal (with the new partition table, the one that was written over the one i lost)
  • Denys Vitali
    Denys Vitali almost 10 years
    Thank you for your answer! Next time I'll think twice before formatting a LUKS disk.
  • Xen2050
    Xen2050 over 8 years
    True, you won't recover files with photorec unless the partition is decrypted. But testdisk or photorec might be able to find the LUKS header, allowing you to decrypt & attempt further recovery

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Install Ubuntu 15.04 with full disk encryption, but without swap partition
How to expand an encrypted ubuntu partition with LVM
How does LUKS work?
How to migrate an encrypted LVM install to a new disk
Increase Swap in Ubuntu 18.04 Under Lvm and Encrypted File System
Encrypted LVM in Debian Install - Is whole disk encrypted?
Recovering overwritten LVM metadata
Mount LVM encrypted partition on external HDD - Device /dev/sdc5 is not a valid LUKS device
Unable to free up space on vg-root
"insufficient free space" error when trying to create new logical volume?