Recover your data from a LUKS encrypted disk

cbertram
  9 years ago

The other day I messed up my system and needed to find a way to recover my data on the drive. I had encrypted the drive during install, as well as encrypted my Home drive. This tutorial will show you how to recover from both using a live CD. This is only to recover your data; in the end I reinstalled the OS after I got the data I needed.

To recover the whole disk

Linux Mint (LM) uses LUKS for the disk encryption as of the writing of this tutorial.

Step 1, boot up the machine you want to recover data from with a live CD or USB. This of course assumes that the physical hardware is still working.

Step 2, open System Settings, then Users and Groups, and create a user that has admin privileges, preferably with the same user name as was on the system before it went down.

Step 3, log off, then log on as your new user. DO NOT SHUT DOWN. You will have to start over if you do.

Step 4, open a terminal and type:

sudo su

Enter your password when prompted.

WARNING: This will put you in super user mode and allow you to run all the following commands. It will also allow you to do bad things to your system, so use it carefully. If you do not want to do this, put sudo in front of each command.

Step 5, in the same terminal type:

cat /proc/partitions

This will give you output similar to this:

# cat /proc/partitions
major minor  #blocks  name

   1        0      65536 ram0
   1        1      65536 ram1
   1        2      65536 ram2
   1        3      65536 ram3
   1        4      65536 ram4
   1        5      65536 ram5
   1        6      65536 ram6
   1        7      65536 ram7
   1        8      65536 ram8
   1        9      65536 ram9
   1       10      65536 ram10
   1       11      65536 ram11
   1       12      65536 ram12
   1       13      65536 ram13
   1       14      65536 ram14
   1       15      65536 ram15
  
8        0  244198584 sda
   8        1     248832 sda1
   8        2          1 sda2
   8        5  243947520 sda5
  11        0    1048575 sr0
 252        0  239894528 dm-0
 252        1    4046848 dm-1
  11        1    1048575 sr1

What you are looking for is the name of the disk (highlighted in the original post). In my case I only had one disk, so mine was sda.

Step 6, in the terminal again type:

fdisk -l /dev/sda

Your output should be like this:

Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000bfee0

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        2048      499711      248832   83  Linux
/dev/sda2          501758   488396799   243947521    5  Extended
/dev/sda5          501760   488396799   243947520   8e  Linux LVM

Step 7, determine which partition is encrypted. I have three partitions on this disk, so I will run the command three times; you may not have as many partitions. In the terminal type:

cryptsetup -v luksDump /dev/sda#  -- # is the number of each partition, in my case 1, 2, 5

If the partition is not encrypted your output will look like this:

Device /dev/sda# is not a valid LUKS device.  --# is the number of the partition you used
Command failed with code 22: Device /dev/sda1 is not a valid LUKS device.

If the partition is encrypted the output should look like this:

LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
MK digest:      21 84 3e c0 3e 9e 23 1e 34 9b 39 05 8f b9 47 61 89 a6 2a 81
MK salt:        fc ac 3d 4f 1e 3d d4 ce 66 6b d3 90 ba f4 79 a8
                d9 c9 38 a0 c2 79 bc 47 71 c6 8f 49 23 46 f1 6b
MK iterations:  22500
UUID:           2c8d56ec-749f-4d95-ab39-4ea17edb4c01

Key Slot 0: ENABLED
    Iterations:             90067
    Salt:                   e4 25 ae 7c 5d 62 81 5e ea 37 95 0f 59 7b c8 7f
                            13 4f bc 15 70 4e 82 e1 41 db 1d 4b 65 7a de 5c
    Key material offset:    8
    AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
Command successful.

Step 8, now that you know which partition to work with, you can unlock (decrypt) it.

WARNING - you need to know the pass-phrase that was used when the disk was encrypted. If you do not know it, then you are out of luck. That is of course why it was encrypted in the first place.

In the terminal type:

cryptsetup -v luksOpen /dev/sda# sda#_crypt  -- # is the number of the partition

You will need to enter the pass-phrase, and if successful it will output this:

Key slot 0 unlocked.

Command successful

Step 9, LVM (Logical Volume Management). You will need to see if your data is on a logical volume so you know which one to mount. In the terminal type:

lvdisplay

If this is being used you will see something like this:

--- Logical volume ---
  LV Path                /dev/mint-vg/root
  LV Name                root
  VG Name                mint-vg
  LV UUID                C4po3E-t1oZ-cAD4-I8WM-ZbWA-mbPC-n3gYKN
  LV Write Access        read/write
  LV Creation host, time mint, 2015-08-24 18:35:41 -0700
  LV Status              available
  # open                 1
  LV Size                228.78 GiB
  Current LE             58568
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           252:0
   
  --- Logical volume ---
  LV Path                /dev/mint-vg/swap_1
  LV Name                swap_1
  VG Name                mint-vg
  LV UUID                4dOwi6-XW2t-BFZa-68Or-Kjeg-jMi6-Wl7fGp
  LV Write Access        read/write
  LV Creation host, time mint, 2015-08-24 18:35:42 -0700
  LV Status              available
  # open                 2
  LV Size                3.86 GiB
  Current LE             988
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           252:1

You want the VG name; in my case it is mint-vg.

Step 10, enable the volume group. In the terminal type:

vgchange -a y mint-vg

Your output should be like this:

2 logical volume(s) in volume group "mint-vg" now active

Step 11, mount the /dev/mint-vg/root volume by typing this in the terminal:

mkdir /tmp/disk

mount /dev/mint-vg/root /tmp/disk

Step 12, browse to /tmp/disk and view or move your data etc.

WARNING - if you also encrypted your home directory, there is one more step.

Step 12a, if you have encrypted your Home directory and you need access to those files as well, this is why I had you create a user of the same name and password as the original user. In the terminal type:

ecryptfs-recover-private --rw

This will check the whole machine for an encrypted directory. If it finds one, you will be asked for the pass-phrase for it.

You can read more about this at:

manpages.ubuntu.com/manpages/vivid/en/man1/ecryptfs-recover-private.1.html

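Once you finish, you can unmount the volume, deactivate the volume group and close the encrypted device again by using these commands in the terminal (luksClose will report the device as still in use while the logical volumes on it are active):

umount /tmp/disk
vgchange -a n mint-vg
cryptsetup luksClose /dev/mapper/sda5_crypt

I just restarted the machine and did not worry about this because I was going to re-image the machine again anyway.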
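
Steps 5 to 7 above can be done in one pass. The script below is an added example, not part of the original tutorial: it reads the partition table and checks each partition for the LUKS on-disk magic ("LUKS" followed by the bytes 0xBA 0xBE) and the version field that follows it. The function names luks_version, list_partitions and scan_luks and the --scan switch are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): find LUKS partitions by
# reading the on-disk header instead of running luksDump on each one.
# It only reads the first 8 bytes of each device and writes nothing.

# Print the LUKS version (1 or 2) of a device or image file; return 1 if
# the first 6 bytes are not the LUKS magic "LUKS" 0xBA 0xBE.
luks_version() {
    local dev=$1 magic ver
    magic=$(head -c 6 "$dev" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1
    # Bytes 6-7 hold the header version as a big-endian 16-bit integer.
    ver=$(dd if="$dev" bs=1 skip=6 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    printf '%d\n' "0x$ver"
}

# List device names from a /proc/partitions-style table, skipping the
# header, RAM disks, loop devices, optical drives and device-mapper nodes.
list_partitions() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $4 !~ /^(ram|loop|sr|dm-)/ { print $4 }' "$1"
}

# Report every LUKS device found.
# $1 = partitions table (default /proc/partitions), $2 = device directory.
scan_luks() {
    local table=${1:-/proc/partitions} devdir=${2:-/dev} name ver
    for name in $(list_partitions "$table"); do
        if ver=$(luks_version "$devdir/$name"); then
            echo "$devdir/$name LUKS$ver"
        fi
    done
}

# Scan the live system only when asked to: sh find_luks.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_luks; fi
```

Run it as root from the live session with --scan; on the disk shown in this tutorial it would list /dev/sda5 as LUKS1, which is the partition to pass to luksOpen in Step 8.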


 

Comments
crimsonmane 9 years ago

Thanks cbertram. We just finished following this guide in #linuxmint-help for a user who had upgraded to 17.2, which caused him to get locked out of his system.