Ploughed luks lvm, is it recoverable ?

Al.Piotrowicz · 2019-04-04 19:49:37

Hi community. Like mentioned in the title I messed up my luks LVM lv by accidentaly turning it into swap space by passing rd.luks.options=swap on the kernel command line. Please dont't ask me why I've done it (happened during testing a systemd hooks in the initcpio). The case is - is it somekind recoverable without a luks header backup of that container?. Help appreciated.

Output of the hexdump of the block device (header has gone, but something still left) : hexdump

Thank you.

Last edited by Al.Piotrowicz (2019-04-06 05:28:14)

jamespharvey20 · 2019-04-04 21:38:35

Wait for a while to make sure no one says I'm wrong before deleting/overwriting it, but it's my understanding if you don't have a backup of the luks header and overwrite it, that it's irrecoverable. Unfortunately, you'd need "LUKS" followed by bytes of "ba" and "be", which I'm not seeing. On average, you'd expect to see the string "LUKS" on purely random data about once in every 4.3 GB. As your disk is at least 114.6GB, we'd expect to see the string on average 27 times in that much data. It comes up 32 times in your data, due to statistical variance. So, unfortunately none of those "LUKS" strings mean they're actually related to luks, other than that it was the result of luks encryption.

frostschutz · 2019-04-04 22:00:30

Unclear what happened, rd.luks is boolean so it can only be yes or no, setting it to swap has no meaning?

Your hexdump is not useful.

Either way, mkswap destroys a LUKS1 header (MK digest, salt, etc.), it can not be recovered. You'd need the intakt LUKS header, or the master key (if container still open).

Maybe a LUKS2 header has some hope of surviving. I'm not sure.

# strings -t d -n 64 /dev/thing | grep '"luks2"'
  20480 {"keyslots":{"0":{"type":"luks2","key_size":64,"af":{"type":"luks1","stripes":4000,"hash":"sha256"},"area":{"type":"raw","offset":"32768","size":"258048","encryption":"aes-xts-plain64","key_size":64},"kdf":{"type":"argon2i","time":5,"memory":1048576,"cpus":4,"salt":"/h+3tH4JxI6rIaKmD8F7KFGPhnhhXiyGEQxaHo6nn68="}}},"tokens":{},"segments":{"0":{"type":"crypt","offset":"16777216","iv_tweak":"0","size":"dynamic","encryption":"aes-xts-plain64","sector_size":512}},"digests":{"0":{"type":"pbkdf2","keyslots":["0"],"segments":["0"],"hash":"sha256","iterations":125307,"salt":"1YXu/7ciBdTYt8D4bnoYBrKhDqgVo1gpV0VcZrpGh1U=","digest":"HZAY8KRALr9TmI47hYsXIgf1h2xyxaJ50Yo5jPwVlD0="}},"config":{"json_size":"12288","keyslots_size":"16744448"}}

LUKS2 is the default in ArchLinux so if you created it very recently... maybe...

Last edited by frostschutz (2019-04-04 22:01:48)

Al.Piotrowicz · 2019-04-06 05:30:41

Fixed the initial post folks. Forgot about the "options" phrase. Unfortunately it weren't a luks2 header.

Arch Linux

#1 2019-04-04 19:49:37

Ploughed luks lvm, is it recoverable ?

#2 2019-04-04 21:38:35

Re: Ploughed luks lvm, is it recoverable ?

#3 2019-04-04 22:00:30

Re: Ploughed luks lvm, is it recoverable ?

#4 2019-04-06 05:30:41

Re: Ploughed luks lvm, is it recoverable ?

Board footer