7

I have(had) the following setup: Full disk encryption with LUKS and a separately encrypted /home partition. Made the mistake to delete my /root but caught early enough so only changes to the partition table where made. Now I'm left with the following:

sudo hexdump -C /dev/nvme0n1 |grep LUKS
3e900000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|

That means that LUKS header is still intact (phew)

Then I create a loop device on that offset

 sudo losetup -o 0x3e900000 -r -f /dev/nvme0n1

and mount it with 

 sudo cryptsetup luksOpen /dev/loop1 luksrecover

so far it works great, things get mounted properly I can see my files and with a few more commands I can get my separate /home back.

However, since I do have an operating system intact I'd like it back. Only problem as it seems, there is no grub to call the initial Xubuntu LUKS decrypter.

Now, since I see that there is a significant offset in my partitioning, I guess that's where grub used to live

So, what can I do about getting my OS back? As far as I understand I must somehow mark bytes 0 - $offset as grub and install grub there and the rest as something else. So I tried grub-install /dev/nvme0n1 and it complained about aufs 

grub-install: error: failed to get canonical path of `aufs'.

then tried the same in a chroot in the LUKS system that was mounted but it that filesystem is read-only and of course it never had grub to begin with.

So what can I do to get grub to sit in the empty space before LUKS and decrypt LUKS on start?

ndp
  • 211
  • 2
  • 9
  • 1
    The very first thing you do is take a backup of your important files before attempting any further recovery. You can currently access them, and a single mistake (accidentally destroying the LUKS header) means they're gone forever. – derobert May 10 '17 at 16:53
  • I've done that. Now Im trying to skip having to reinstall everything – ndp May 10 '17 at 17:01
  • 2
    Glad to hear you've already made the backup. You'd be surprised how often folks don't! Anyway, the steps are to restore/recreate the partition table, then worry about installing a bootloader. How exactly grub is marked in the partition table depends on if it was using a legacy DOS partition table or an EFI one—any idea? Also, depending on what you were doing, there may be an existing backup partition table located near the end of the disk... – derobert May 10 '17 at 17:07
  • It's an EFI system. It was pretty much a default xubuntu install with encryption. In case I find a table how do I put it back and where should it go? More important now that I know offsets how do I go about rewriting the table? – ndp May 10 '17 at 17:19
  • What were you doing that destroyed the partition table? – derobert May 10 '17 at 17:29
  • 1
    gparted->delete_partition->it was the wrong drive->reboot – ndp May 10 '17 at 17:49

2 Answers2

4

WARNING:

Make an image (backup) of the drive BEFORE you do all this.

Read the documentation (e.g., "man pages") for all commands, and make sure you understand what they do, before using them.

YOU HAVE BEEN WARNED

For future reference, here's the solution:

  1. Find where the LUKS partition starts.  All LUKS partitions have a plaintext header containing the word LUKS. So

    sudo hexdump -C /dev/<the disk>  | grep LUKS

  2. Note where LUKS was.  hexdump should list an offset where it found the start of this header.  Mount the partition as a loopback device starting where the offset you found the LUKS header is

    sudo losetup -o <offset> -r -f /dev/nvme0n1

    For reference, my offset, in Xubuntu with an Intel SSD and GRUB2, was 0x3e900000.

  3. Find out which device it got losetup'd as

    losetup -a

  4. Decrypt & mount

    sudo cryptsetup luksOpen /dev/loop1 luksrecover

    At this point the disk should have been mounted under /media/.  However: your /home should still be encrypted.  It's time to decrypt

  5.  cd /home/<yourusername>

 sudo ecryptfs-recover-private .Private/

    This should produce the following

    INFO: Found [.Private/].
Try to recover this directory? [Y/n]: Y
INFO: Found your wrapped-passphrase
Do you know your LOGIN passphrase? [Y/n] Y
INFO: Enter your LOGIN passphrase...
Passphrase: 
Inserted auth tok with sig [8c5d84b9d7f0cc5b] into the user session keyring
INFO: Success!  Private data mounted at [/tmp/ecryptfs.mxsowbiD].

    Plug in an external storage device (e.g., an HDD), save your /home, /opt and whatever else you need. Re-install and replace the /home with your own. Or just move the existing filesystem to a proper partition.

Crisis averted, and it took only a few hours.

G-Man Says 'Reinstate Monica'
  • 22,130
  • 27
  • 68
  • 117
ndp
  • 211
  • 2
  • 9
1

I would use the Linux Testdisk utility to recover the partition table. The last time I needed it, compiling it from source made a difference in what was recoverable.

bootbeast
  • 89
  • 3