Linux - accidentally used dd on a LUKS encrypted drive, is there a way to recover?
I accidentally ran dd bs=4M if=image.iso of=/dev/sda oflag=sync when creating a bootable drive instead of targeting the USB stick.
I am fairly certain most of the files would be fine - the iso is only ~330mb, while the drive is 500gb.
The problem is, that /dev/sda was encrypted during the installation of manjaro, so tools like photorec and the likes cannot access the files. I am also unsure how the drive being encrypted would interfere with the data being overwritten by dd.
lsblk's output shows the new partition table:
sda 8:0 0 465.8G 0 disk
├─sda1 8:1 0 336M 0 part
└─sda2 8:2 0 2.4M 0 part
fdisk -l shows the same thing:
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 0 688127 688128 336M 0 Empty
/dev/sda2 3820 8747 4928 2.4M ef EFI (FAT-12/16/32)
/dev/mapper/ has only control in it, no sign of the luks partition:
lubuntu@lubuntu:/dev/mapper$ ls
control
Unfortunately, I don't know for sure what the old partition table was. I know that I had 12gb of swap at the end of the drive, I only used a single partition for / and didn't manually separate anything else, /dev/sda3/ was mounted to /, and I'm somewhat certain that /boot was separate by default, but that's about all that I know.
I've tried using TestDisk, but the output of deep search didn't seem to line up with what I had, and I didn't want to make things worse:
Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63
Partition Start End Size in sectors
>* FAT12 0 60 41 0 138 54 4928 [NO NAME]
D Linux 38 127 26 60801 15 14 976150528
D Linux Swap 59317 172 56 60801 80 15 23834624
The output of head -c 1G /dev/sda | hexdump -C | grep LUKS is:
# head -c 1G /dev/sda | hexdump -C | grep LUKS
00011110 0a 4c 55 4b 53 2e 4d 4f 44 3b 31 00 50 58 24 01 |.LUKS.MOD;1.PX$.|
004346a0 64 65 6e 69 65 64 00 4c 55 4b 53 ba be 00 25 73 |denied.LUKS...%s|
00b394a0 64 65 6e 69 65 64 00 4c 55 4b 53 ba be 00 25 73 |denied.LUKS...%s|
Is there any hope of recovering the data?
Solution 1:
There is no hope in recovering LUKS container if there is no LUKS header backup.
Frankly, the answer is contained in the first sentence, but I can provide more information to explain the situation. LUKS encryption explaining simply works the following way: some initial MB (actual size depends on LUKS version and configuration) of partition are allocated for LUKS header, and the rest of the partition - for the data (root partition, or home partition, etc). The LUKS header 'contains' the 'master' password which is used to encrypt the data. This master password is generated by LUKS (to be 'big' and 'strong') when partition is encrypted at first time. The master password is 'protected' by 'key slot password' - password which user actually types to decrypt the drive. In short, LUKS header contains master password which is protected by 'user' password. So, if LUKS header is gone, the master password is also gone, so there is no way to decrypt the data - even if you still know 'user' password.
Regarding 'LUKS.mod' output from grep - this looks like the name of grub LUKS.mod module stored in the FAT table of EFI partition. This output shows that the boot partition (which is usually unencrypted) happens to be in the first 1G of disk which you query with the command head -c 1G /dev/sda | hexdump -C | grep LUKS. This information does not help to solve the problem.