Long story short, repair shop tech guy accidentally formatted the single encrypted btrfs partition on my nvme via windows' partition manager and now I need help to recover it.
My nvme looks like:
nvme0n1 259:0 0 931.5G 0 disk
└─nvme0n1p1 259:1 0 16M 0 part
nvme0n1p1 being a Microsoft reserved partition with the rest of the drive being unallocated
Also the hexdump of the start of the partition:
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000c00 7b 22 6b 65 79 73 6c 6f 74 73 22 3a 7b 22 30 22 |{"keyslots":{"0"|
00000c10 3a 7b 22 74 79 70 65 22 3a 22 6c 75 6b 73 32 22 |:{"type":"luks2"|
00000c20 2c 22 6b 65 79 5f 73 69 7a 65 22 3a 36 34 2c 22 |,"key_size":64,"|
00000c30 61 66 22 3a 7b 22 74 79 70 65 22 3a 22 6c 75 6b |af":{"type":"luk|
00000c40 73 31 22 2c 22 73 74 72 69 70 65 73 22 3a 34 30 |s1","stripes":40|
00000c50 30 30 2c 22 68 61 73 68 22 3a 22 73 68 61 32 35 |00,"hash":"sha25|
00000c60 36 22 7d 2c 22 61 72 65 61 22 3a 7b 22 74 79 70 |6"},"area":{"typ|
00000c70 65 22 3a 22 72 61 77 22 2c 22 6f 66 66 73 65 74 |e":"raw","offset|
00000c80 22 3a 22 33 32 37 36 38 22 2c 22 73 69 7a 65 22 |":"32768","size"|
00000c90 3a 22 32 35 38 30 34 38 22 2c 22 65 6e 63 72 79 |:"258048","encry|
00000ca0 70 74 69 6f 6e 22 3a 22 61 65 73 2d 78 74 73 2d |ption":"aes-xts-|
00000cb0 70 6c 61 69 6e 36 34 22 2c 22 6b 65 79 5f 73 69 |plain64","key_si|
00000cc0 7a 65 22 3a 36 34 7d 2c 22 6b 64 66 22 3a 7b 22 |ze":64},"kdf":{"|
00000cd0 74 79 70 65 22 3a 22 61 72 67 6f 6e 32 69 64 22 |type":"argon2id"|
00000ce0 2c 22 74 69 6d 65 22 3a 31 31 2c 22 6d 65 6d 6f |,"time":11,"memo|
00000cf0 72 79 22 3a 31 30 34 38 35 37 36 2c 22 63 70 75 |ry":1048576,"cpu|
00000d00 73 22 3a 34 2c 22 73 61 6c 74 22 3a 22 49 59 4a |s":4,"salt":"IYJ|
00000d10 35 73 31 47 47 68 55 4a 4b 55 4f 50 4e 67 51 70 |5s1GGhUJKUOPNgQp|
00000d20 64 56 6b 38 7a 73 78 71 62 63 34 65 68 53 68 6a |dVk8zsxqbc4ehShj|
00000d30 70 63 56 74 50 2b 58 30 3d 22 7d 7d 7d 2c 22 74 |pcVtP+X0="}}},"t|
00000d40 6f 6b 65 6e 73 22 3a 7b 7d 2c 22 73 65 67 6d 65 |okens":{},"segme|
00000d50 6e 74 73 22 3a 7b 22 30 22 3a 7b 22 74 79 70 65 |nts":{"0":{"type|
00000d60 22 3a 22 63 72 79 70 74 22 2c 22 6f 66 66 73 65 |":"crypt","offse|
00000d70 74 22 3a 22 31 36 37 37 37 32 31 36 22 2c 22 73 |t":"16777216","s|
00000d80 69 7a 65 22 3a 22 64 79 6e 61 6d 69 63 22 2c 22 |ize":"dynamic","|
00000d90 69 76 5f 74 77 65 61 6b 22 3a 22 30 22 2c 22 65 |iv_tweak":"0","e|
00000da0 6e 63 72 79 70 74 69 6f 6e 22 3a 22 61 65 73 2d |ncryption":"aes-|
00000db0 78 74 73 2d 70 6c 61 69 6e 36 34 22 2c 22 73 65 |xts-plain64","se|
00000dc0 63 74 6f 72 5f 73 69 7a 65 22 3a 35 31 32 7d 7d |ctor_size":512}}|
00000dd0 2c 22 64 69 67 65 73 74 73 22 3a 7b 22 30 22 3a |,"digests":{"0":|
00000de0 7b 22 74 79 70 65 22 3a 22 70 62 6b 64 66 32 22 |{"type":"pbkdf2"|
00000df0 2c 22 6b 65 79 73 6c 6f 74 73 22 3a 5b 22 30 22 |,"keyslots":["0"|
00000e00 5d 2c 22 73 65 67 6d 65 6e 74 73 22 3a 5b 22 30 |],"segments":["0|
00000e10 22 5d 2c 22 68 61 73 68 22 3a 22 73 68 61 32 35 |"],"hash":"sha25|
00000e20 36 22 2c 22 69 74 65 72 61 74 69 6f 6e 73 22 3a |6","iterations":|
00000e30 32 38 38 37 30 34 2c 22 73 61 6c 74 22 3a 22 72 |288704,"salt":"r|
00000e40 36 6a 54 78 59 63 35 6a 46 35 78 47 70 71 77 54 |6jTxYc5jF5xGpqwT|
00000e50 55 6a 31 44 51 4e 74 57 74 76 58 32 67 59 36 62 |Uj1DQNtWtvX2gY6b|
00000e60 50 74 62 49 54 30 4c 57 59 38 3d 22 2c 22 64 69 |PtbIT0LWY8=","di|
00000e70 67 65 73 74 22 3a 22 4a 53 33 42 7a 54 48 33 36 |gest":"JS3BzTH36|
00000e80 56 57 71 50 39 4f 32 65 56 79 69 54 6c 53 6a 44 |VWqP9O2eVyiTlSjD|
00000e90 77 4e 4c 79 77 73 2f 76 50 42 2f 79 51 4f 59 36 |wNLyws/vPB/yQOY6|
00000ea0 66 51 3d 22 7d 7d 2c 22 63 6f 6e 66 69 67 22 3a |fQ="}},"config":|
00000eb0 7b 22 6a 73 6f 6e 5f 73 69 7a 65 22 3a 22 31 32 |{"json_size":"12|
00000ec0 32 38 38 22 2c 22 6b 65 79 73 6c 6f 74 73 5f 73 |288","keyslots_s|
00000ed0 69 7a 65 22 3a 22 31 36 37 34 34 34 34 38 22 7d |ize":"16744448"}|
00000ee0 7d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |}...............|
00000ef0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Offline
It seems your LUKS2 metadata is intact, if the key material is also intact, you can rebuild the header. Then it will depend on what else was actually overwritten, ...
I posted two repair guides over at unix stackexchange, you can try your luck:
cryptsetup repair, magic bytes recovery
cryptsetup repair, full header recovery
You'll also have to fix the partition size/offset. 16M partition won't get you anywhere, unless that was a dedicated partition for an external luks header or something (very unusual).
Do check whether the remainder of the drive has non-zero data at all. On SSD, formatting usually also means discarding data... then there's nothing you can do.
Any edits to the partition table should be done with a pure partitioning program that does not format or discard data. If in doubt, full ddrescue image first.
Last edited by frostschutz (2025-09-06 14:49:06)
Online
Do you have a backup of the previous partition table, or written down boundaries of the partitions, and a backup of the LUKS header? If so, restore the partition layout and write back the header.
If possible, create an image of the entire ssd before you try.
English is not my first language. If you find a mistake in this post, please mention it in your reply – this way I can learn. TIA
Offline
> It seems your LUKS2 metadata is intact, if the key material is also intact, you can rebuild the header. Then it will depend on what else was actually overwritten, ...
> I posted two repair guides over at unix stackexchange, you can try your luck:
> cryptsetup repair, magic bytes recovery
> cryptsetup repair, full header recovery
> You'll also have to fix the partition size/offset. 16M partition won't get you anywhere, unless that was a dedicated partition for an external luks header or something (very unusual).
> Do check whether the remainder of the drive has non-zero data at all. On SSD, formatting usually also means discarding data... then there's nothing you can do.
> Any edits to the partition table should be done with a pure partitioning program that does not format or discard data. If in doubt, full ddrescue image first.
Your header recovery guide worked, thank you!!!!!
For anyone that ever faces this specific scenario, I adapted the commands in that guide and did these steps:
# stdbuf -oL strings -n 64 -t d /dev/nvme0n1 | grep '"keyslots":'
# partition=0
# offset=32768
# size=258048
# dd bs=1 skip=$((partition+offset)) count=$((size)) if=/dev/nvme0n1 of=header.$((offset))
# truncate -s 16M luks.recovery
# cryptsetup luksFormat --type luks2 luks.recovery
# cryptsetup luksErase luks.recovery
# printf "%s\0" "$(jq -c < header.json)" | dd conv=notrunc bs=1 seek=4096 of=luks.recovery
# printf "%s\0" "$(jq -c < header.json)" | dd conv=notrunc bs=1 seek=20480 of=luks.recovery
# dd conv=notrunc bs=1 seek=32768 if=header.32768 of=luks.recovery
# cryptsetup luksDump --debug luks.recovery
# echo {hex strings} | xxd -r -p | hexdump -C   # twice for on-disk, twice for in-memory
# hexdump -C luks.recovery | grep '{converted on-disk hex}'   # twice
# echo {converted in-memory hex} | xxd -r -p | dd conv=notrunc bs=1 seek=$(({memaddress of on-disk hex})) of=luks.recovery   # twice
# cryptsetup repair luks.recovery
# cryptsetup luksDump luks.recovery
# losetup --find --show --read-only --offset 0 /dev/nvme0n1
# cryptsetup open --readonly --header luks.recovery /dev/loop2 luksrecovery
Note: I truncated some of the steps because they're just repeating a command multiple times
My method is also a bit riskier because I interacted directly with the nvme device (I don't have any spare devices to store a 1TB disk clone, but if you can you should!)
Looking at Frostschutz's guide would give the proper context for these commands anyhow (Thank you again!)
Offline
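Added example, not part of any post in this thread and not taken from frostschutz's guides: a Python script that scans an image for surviving LUKS2 JSON areas, derives the offsets the dd steps above rely on, and checks that the keyslot area is not all zeros. The function names and the sample image are constructed for illustration; the numbers match the metadata in the hexdump.

```python
import json

MARKER = b'{"keyslots":'  # first key of the JSON area, as in the hexdump above
BIN_HDR = 4096            # LUKS2 binary header that precedes each JSON area

def find_luks2_json(image: bytes):
    """Return [(byte_offset, metadata)] for every JSON area that still parses."""
    hits, pos = [], image.find(MARKER)
    while pos != -1:
        end = image.find(b"\0", pos)  # the JSON text is NUL-padded
        try:
            hits.append((pos, json.loads(image[pos:end if end != -1 else None])))
        except ValueError:
            pass  # truncated or partly overwritten copy
        pos = image.find(MARKER, pos + 1)
    return hits

def recovery_plan(meta: dict) -> dict:
    json_size = int(meta["config"]["json_size"])
    return {  # all offsets are relative to the start of the LUKS header
        "json_copies": [BIN_HDR, BIN_HDR + json_size + BIN_HDR],  # primary, secondary
        "keyslot_areas": {slot: (int(ks["area"]["offset"]), int(ks["area"]["size"]))
                          for slot, ks in meta["keyslots"].items()},
        "data_offset": int(meta["segments"]["0"]["offset"]),
    }

def has_key_material(image: bytes, header_start: int, area) -> bool:
    """False if the keyslot area is short or all zeros (e.g. discarded)."""
    off, size = area
    chunk = image[header_start + off:header_start + off + size]
    return len(chunk) == size and any(chunk)

# Constructed sample: secondary JSON copy at 20480, stand-in key material at 32768.
SAMPLE_META = {
    "keyslots": {"0": {"type": "luks2", "area": {"offset": "32768", "size": "258048"}}},
    "segments": {"0": {"type": "crypt", "offset": "16777216"}},
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
}

def build_sample_image() -> bytes:
    img = bytearray(32768 + 258048)
    blob = json.dumps(SAMPLE_META, separators=(",", ":")).encode() + b"\0"
    img[20480:20480 + len(blob)] = blob
    img[32768:] = bytes((i * 7 + 1) % 256 for i in range(258048))
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    print([(o, recovery_plan(m)) for o, m in find_luks2_json(img)])
```

On a real disk, read only the first few MiB of the device or of a ddrescue image into `image` rather than the whole drive.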
> Do you have a backup of the previous partition table, or written down boundaries of the partitions, and a backup of the LUKS header? If so, restore the partition layout and write back the header.
> If possible, create an image of the entire ssd before you try.
Managed to recover the partition via frostschutz's guide
The one time I wasn't vigilant with backing up my data, that's when it bites me haha
Offline
This is a great success story. I'm going to bookmark this thread. Thank you for the info.
Offline