
#1 2020-01-30 19:03:32

johannesWinter
Member
Registered: 2014-04-08
Posts: 13

Dual boot - Encrypted partition not accessible after Windows update

A few days ago I booted up Windows after a long time and also let it do some updates. It rebooted several times while doing updates. When I next tried to boot my Arch system again, I was greeted by grub rescue. That is the smallest problem, however. After booting from a live system I was not able to access my encrypted root partition anymore. I then made a full clone of the drive with ddrescue before doing some more analysis.

Here is what my partition layout looks like (now):

GNU Parted 3.2
Using /dev/loop0
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p                                                                
Model: Loopback device (loopback)
Disk /dev/loop0: 1000GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name                          Flags
 1      1049kB  524MB   523MB   ntfs         Basic data partition          hidden, diag
 2      524MB   628MB   104MB   fat32        EFI system partition          boot, esp
 3      628MB   645MB   16.8MB               Microsoft reserved partition  msftres
 4      645MB   161GB   160GB                Basic data partition          msftdata
 5      161GB   161GB   707MB   ntfs                                       hidden, diag
 6      161GB   162GB   210MB                bootArch                      msftdata
 7      162GB   1000GB  839GB                rootArch

First of all, what is msftdata? This should be my boot partition. My best guess is that Windows modified the boot partition and wrote even further, damaging my encrypted root. The root was encrypted using LUKS. Unfortunately, I don't have a backup file of my LUKS header. I once installed a new laptop by just cloning my whole disk and then resizing it; this didn't harm the encrypted root. However, if I remember correctly, for my current laptop I chose to do a fresh installation, so I can't just take the header from my old laptop. I tried just in case (maybe I did clone it after all).

sudo cryptsetup -v --header backupLuksHeader open /dev/loop0p7  test             
Enter passphrase for /dev/loop0p7: 
Key slot 0 unlocked.
Command successful.

sudo mount /dev/mapper/test testMnt 
mount: wrong fs type, bad option, bad superblock on /dev/mapper/test,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try

I believe that the unlocking working just means that I have the correct password for the header? Thus, if I use the header to unlock an arbitrary device it will work, but of course I'll decrypt garbage ... Is that correct? I plan to run some tool looking for files on the opened device anyway.

Also, I believe it is vital that the partition table is still correct, even if the partitions are damaged. Is it safe to assume that Windows Update did not change the locations of the partitions? The sizes and labels seem right to me.

I also tried a scan of my whole drive for a LUKS header:

LANG=C grep -obUaP "\x4C\x55\x4B\x53\xBA\xBE" /dev/sda

but it didn't find anything. If it is safe to assume that the partition locations are not changed, I just have to copy the start of my encrypted partition; this should be the header, correct?

I believe there is no way to recover my partition, but asking doesn't harm. Any advice? Thanks in advance!
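
The header scan described in the post, as an added example that is not part of the original post: it checks only sector-aligned offsets of an image, validates the version field that follows the magic, and decodes the LUKS1 fields (cipher, payload offset, UUID) of any hit. The function names and the constructed test image are assumptions for illustration.

```python
import io
import struct

MAGIC = b"LUKS\xba\xbe"   # same bytes the grep in the post searches for
SECTOR = 512
# LUKS1 header up to the UUID, big-endian: magic, version, cipher name, cipher
# mode, hash spec, payload offset (sectors), key bytes, MK digest, salt, iterations, UUID
LUKS1_FMT = ">6sH32s32s32sII20s32sI40s"

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_header(sector):
    """Return a dict for a plausible LUKS header, or None for a false positive."""
    if len(sector) < struct.calcsize(LUKS1_FMT) or not sector.startswith(MAGIC):
        return None
    version = struct.unpack_from(">H", sector, 6)[0]
    if version not in (1, 2):          # magic followed by a bogus version: reject
        return None
    info = {"version": version}
    if version == 1:                   # only the LUKS1 layout is decoded here
        f = struct.unpack_from(LUKS1_FMT, sector)
        info.update(cipher=_text(f[2]), mode=_text(f[3]), hash=_text(f[4]),
                    payload_offset_sectors=f[5], key_bytes=f[6], uuid=_text(f[10]))
    return info

def scan(stream, chunk_sectors=2048):
    """Yield (byte_offset, info) for each sector-aligned header candidate."""
    offset = 0
    for chunk in iter(lambda: stream.read(chunk_sectors * SECTOR), b""):
        for i in range(0, len(chunk), SECTOR):
            info = parse_header(chunk[i:i + SECTOR])
            if info:
                yield offset + i, info
        offset += len(chunk)

def build_sample():
    """Constructed image: LUKS1-style header in sector 2, stray magic inside sector 1."""
    hdr = struct.pack(LUKS1_FMT, MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                      4096, 64, b"\0" * 20, b"\0" * 32, 1000,
                      b"00000000-0000-0000-0000-000000000000")
    img = bytearray(4 * SECTOR)
    img[SECTOR + 100:SECTOR + 106] = MAGIC        # unaligned, must be ignored
    img[2 * SECTOR:2 * SECTOR + len(hdr)] = hdr
    return bytes(img)

if __name__ == "__main__":
    for off, info in scan(io.BytesIO(build_sample())):
        print(off, info)
```

To run it against the ddrescue clone instead of the constructed sample, pass a file opened in binary mode to `scan()`; a hit at the byte offset where partition 7 starts would be the header position the post asks about.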
